WannaCry Ransomware: Lessons Learned

Until last Friday, ransomware needed a user to be convinced to open a malicious file or visit an attacker-controlled website. WannaCrypt0r moved the goalposts with the use of a known SMB vulnerability that allowed it to propagate without user interaction. In fact, while there are many rumors about a version being spread through email, nobody has shared samples of this and we must assume that it is just that: a rumor.

Remote code execution (RCE) vulnerabilities like the MS17-010 (CVE-2017-0146) vulnerability are increasingly rare, but ultimately they have the highest potential to wreak havoc when they fall into the hands of criminals. On May 12th this was confirmed once again. WannaCrypt0r impacted train stations, communications providers, transport companies, banks, etc. around the world without discrimination.

Security specialists around the world have spent countless hours analyzing the malware, its related indicators of compromise, and the techniques used. At AttackIQ we focus on helping our clients build better defenses. This blog post is therefore meant to help you manage your attack surface and reduce risk.

WannaCrypt0r Timeline

March 14, 2017:
MS17-010 published. This security update addresses the CVE-2017-0146 remote code execution vulnerability, later used by WannaCrypt0r.

April 14, 2017:
Shadow Brokers release a number of alleged NSA exploits leveraging the CVE-2017-0146 vulnerability.

May 12, 2017:
First version of WannaCrypt0r is detected in the wild.

As you can see, there are almost 2 months between the release of a patch by Microsoft and the first detection of WannaCrypt0r in the wild. The initial reaction is often that organizations have had more than enough time to patch their systems so getting infected is their own fault. In fact, compliance frameworks often state relatively strict patching requirements. As an example, the latest version of PCI-DSS (v3.2) states “Installation of applicable critical vendor-supplied security patches within one month of release.” under clause 6.2.a.

The reality is that organizations, around the world and across verticals, carry a substantial amount of technical debt that prevents them from reaching a 100% patch level. While a discussion about the reasons for this has some merit, the purpose of this blog post is to share information about what organizations actually can do to manage their risk appropriately.

Attack Surface Identification

You need to be aware of the attack surface your infrastructure leaves exposed to adversaries at any moment. This means any hardware component, software component, and open ports that could be used by an attacker to gain control over a system. In the context of WannaCrypt0r, SMB is the service that you want to have visibility on. It runs on TCP port 445.

From a process point of view, any organization should maintain an inventory of its IT estate. Specifically for open network ports, this can fairly easily be done using tools such as Nmap or Masscan. The results of regular scanning provide a full inventory of what ports are open on your network.

As a matter of course, closing those ports that are not needed is the first priority for attack surface reduction, but obviously any network needs certain ports to be open in order to be functional. Process-wise, this is how you would go about using this data in your day-to-day security management:

  • A – Regular scanning takes place and data is periodically verified.
  • B – When a vulnerability is announced, identify services and ports impacted.
  • C – Based on the scan data, identify the exposed attack surface.
  • D – Identify and implement countermeasures to mitigate risk.
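Steps A to C can be scripted against the scanner's output. The following is an added example, not code from AttackIQ or from this post: it parses Nmap grepable output (`-oG`), lists the hosts exposing the ports named in an advisory, and reports exposure that appeared since the previous scan. The scan data is constructed and the function names are illustrative.

```python
# Constructed samples of Nmap grepable (-oG) output; hosts and addresses are made up.
PREVIOUS_SCAN = """\
Host: 10.0.1.15 (fileserver01)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///
Host: 10.0.3.7 ()\tPorts: 139/open/tcp//netbios-ssn///
"""
SAMPLE_SCAN = """\
# constructed sample scan
Host: 10.0.1.15 (fileserver01)\tStatus: Up
Host: 10.0.1.15 (fileserver01)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.0.2.20 (web01)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///
Host: 10.0.3.7 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
"""

def parse_grepable(text):
    """Step A: build {host: {(port, proto), ...}} from scan output, open ports only."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and "Status:" lines carry no port data
        host = line.split()[1]
        ports_field = next(f for f in line.split("\t") if f.startswith("Ports:"))
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(parts) >= 3 and parts[1] == "open":
                inventory.setdefault(host, set()).add((int(parts[0]), parts[2]))
    return inventory

def exposed_hosts(inventory, affected):
    """Steps B and C: hosts with any advisory-affected port open."""
    return {h: sorted(p & affected) for h, p in inventory.items() if p & affected}

def newly_exposed(previous, current, affected):
    """Affected ports open now that were not open in the previous scan."""
    changes = {}
    for host, ports in current.items():
        new = (ports & affected) - previous.get(host, set())
        if new:
            changes[host] = sorted(new)
    return changes

if __name__ == "__main__":
    advisory_ports = {(445, "tcp")}  # SMB, the service discussed above
    current = parse_grepable(SAMPLE_SCAN)
    print("exposed:", exposed_hosts(current, advisory_ports))
    print("new since last scan:",
          newly_exposed(parse_grepable(PREVIOUS_SCAN), current, advisory_ports))
```

A port reported as `filtered` is not counted as exposed, so 10.0.2.20 does not appear in the results.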

AttackIQ FireDrill provides you with several scenarios that can contribute to the basic data set gathered with standard scanning tools. Amongst others, our “Host Discovery”, “Internal Network Reconnaissance”, and “Ingress Open Ports Checker” are scenarios that FireDrill customers use to continuously assess their attack surface. Additionally, scenarios can be built to verify that certain hardening measures, like disabling SMBv1 on critical hosts, are fully implemented. This, again, increases visibility into the remaining attack surface.


The adage “it is not a question of if but when…” reads particularly sour when you are hit with ransomware but preparation is still the key to effective incident management. Again it all depends on the data available to your incident responders, their ability to react in a timely and decisive manner, and as limited an impact on business processes as possible.

When it comes to a vulnerability like CVE-2017-0146, the focus once again is on the network, as the malware spreads to any host it can reach over SMB (TCP port 445). Network segmentation, which is the practice of creating separate network zones for assets with a similar risk profile, allows an organization to control propagation in case of a network-borne threat. Many organizations have deployed firewalls, network access control, and intrusion detection/prevention solutions across their network. Unfortunately these solutions are often subject to increasing technical debt over time. As an example, network ports are opened on firewalls for a variety of emergency reasons (performance improvement, troubleshooting, urgent deployment of new systems, etc.). These changes are not often properly tracked and documented. As such, it is very difficult for incident responders to assess how they can mitigate the impact of an imminent threat.

One process that organizations rely upon is regular configuration reviews, but these are error-prone and require a lot of resources, so in most organizations they happen yearly or every six months at best.

Again, we should look at automating this process as much as possible. AttackIQ FireDrill assists customers in verifying which ports are open or closed on their firewalls through its “Check for Open Ports”, “Egress Open Ports Checker”, “Ingress Open Ports Checker”, and “Lateral Movement Through Remote Service” scenarios. These allow organizations to identify and prevent firewall rule creep and give incident responders the necessary information to make containment decisions when they need it.

With a better controlled network and an understanding of exactly what is needed to keep your critical business processes running, taking decisive action while limiting business impact becomes so much easier.

Testing Against Known Threats

Ransomware is nothing new, unfortunately. While WannaCrypt0r breaks the mould with its extraordinary propagation techniques, the practice of encrypting files and asking money for the decryption keys is fairly common and new variants of known ransomware pop up regularly.

It is essential that organizations test their security controls against this type of threat as much as possible in order to identify gaps in controls coverage, identification capabilities, and response capabilities.

There is no value in waiting until real ransomware hits to count on your controls and capabilities. With AttackIQ FireDrill’s ransomware scenarios, which cover a breadth of platforms and ransomware techniques, our customers test their controls continuously. This includes the download of such ransomware, how it interacts with the host system, and how it interacts with command and control infrastructure on the internet or on the dark web.

In conclusion, organizations that know their infrastructure, understand their capabilities, and are aware of their strengths and weaknesses are better equipped when a real threat hits. We are passionate about helping our customers to achieve that goal and in times like these we are convinced that FireDrill can help you be more than one step ahead of your adversaries.