
WannaCry/Wcry Ransomware: What Your IT/Sysadmins Need to Do

Trend Micro | May 17, 2017
Here's how to check if your systems and networks were affected by the ransomware attacks during the weekend.


[Image: WannaCry's ransom note]

WannaCry/Wcry ransomware's impact may be pervasive, but there is a silver lining: a "kill switch" in the ransomware. The malware checks whether a particular domain is reachable before it does anything else, and once that domain became reachable, new copies exit before they encrypt files or spread further on the affected system.

If your system was in sleep mode during last weekend's attacks, there is a good chance it escaped infection. But what happens when you wake the system up? The short answer: the kill switch still stops the ransomware's encryption routine, so the woken machine is not suddenly encrypted. This is a window of opportunity that IT/system administrators and information security (InfoSec) professionals can use to patch or update vulnerable systems, so that threats like WannaCry (including variants that carry no kill switch) cannot affect them in the future.

Here are actionable things you can do to check if your systems and networks were affected by the ransomware's attacks during the weekend.  


Machines in sleep mode will not be infected, so patch them immediately.


[Image: WannaCry and computers in sleep mode]


Based on Trend Micro's analysis and simulations of WannaCry, the attack will not succeed against a machine that is in sleep mode, even if Transmission Control Protocol (TCP) port 445 is open and the machine is unpatched: a sleeping host does not complete the TCP handshake, so the exploit never gets a connection to work with.

Part of WannaCry's attack chain is connecting to other systems over SMB (TCP port 445) in order to infect them. When it tries to connect to a machine in sleep mode, the connection attempt fails with a "socket error" and the malware cannot reach that machine. It then moves on to the next IP address in its list and tries the machine behind that one.

This gives IT/system administrators a window to mitigate, if not prevent, a WannaCry infection by immediately applying the patch for the SMBv1 vulnerability that the ransomware exploits (Microsoft security bulletin MS17-010) and by disabling SMBv1 wherever it is not needed.
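To find out which machines on your own network a LAN-scanning worm could actually have reached, and which would have returned the "socket error" described above, the following added example walks a subnet and attempts a plain TCP connection to port 445 on each host, sorting the results into "answering on 445", "awake but 445 closed" and "no response". This is illustrative code written for this article; it is not Trend Micro's code and not WannaCry's, and the subnet 192.0.2.0/29 it defaults to is a documentation range chosen as an assumption for the example. The same check is the one to repeat after a sleeping machine is woken, since an unpatched host that now answers on 445 is exactly the one to patch first.

```python
"""Map which hosts on a LAN would answer a WannaCry-style TCP/445 connection.

Illustrative example written for this article (not Trend Micro's or WannaCry's
code). The default subnet 192.0.2.0/29 is a documentation range and is an
assumption; replace it with a network you are authorized to scan.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

SMB_PORT = 445


def classify(exc):
    """Translate the outcome of a connect() attempt into what a propagating worm sees.

    None            -> "open":        host awake and SMB listening; a candidate for
                                      the SMBv1 exploit, so patch these first.
    ConnectionRefusedError -> "refused": host awake (sent RST) but nothing on 445.
    timeout / other OSError -> "no_response": no SYN-ACK at all; host asleep, off or
                                      filtered. WannaCry got a socket error here
                                      and moved on to the next IP.
    """
    if exc is None:
        return "open"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, OSError):  # socket.timeout is an OSError subclass
        return "no_response"
    raise exc


def tcp_connect(host, port=SMB_PORT, timeout=1.0):
    """Real connector: return None on success, otherwise let connect() raise."""
    with socket.create_connection((host, port), timeout=timeout):
        return None


def simulated_connector(states):
    """Build a connector from a {host: state} table so the scan logic can be
    exercised offline. Hosts missing from the table behave as if asleep."""
    def connect(host, port=SMB_PORT, timeout=1.0):
        state = states.get(host, "no_response")
        if state == "open":
            return None
        if state == "refused":
            raise ConnectionRefusedError("simulated RST")
        raise socket.timeout("simulated: no SYN-ACK")
    return connect


def probe(host, connector=tcp_connect):
    """Attempt one connection and return (host, state)."""
    try:
        connector(host)
    except OSError as exc:
        return host, classify(exc)
    return host, classify(None)


def enumerate_lan(cidr):
    """Host addresses of the subnet, in the order a LAN sweep would walk them."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


def scan(cidr, connector=tcp_connect, workers=64):
    """Probe every host in the subnet concurrently; returns {host: state}."""
    hosts = enumerate_lan(cidr)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda h: probe(h, connector), hosts))


def summarize(results):
    """Group hosts by state, each list sorted numerically by address."""
    buckets = {"open": [], "refused": [], "no_response": []}
    for host, state in sorted(results.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        buckets[state].append(host)
    return buckets


if __name__ == "__main__":
    import sys
    cidr = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/29"
    buckets = summarize(scan(cidr))
    print("Answering on TCP/445 (patch these first):", buckets["open"])
    print("Awake but 445 closed:", buckets["refused"])
    print("No response (asleep/off/filtered; a worm skips these):", buckets["no_response"])
```

A host in the "no_response" bucket is not safe, only unreachable right now: once it wakes it will answer on 445 and must already be patched by then. Run this only against networks you own or are authorized to test; a TCP connect sweep is light but still visible in logs.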


What happens when you "wake up" the machine?


[Image: Waking up a computer potentially affected by WannaCry]


WannaCry scans the infected system's Local Area Network (LAN) upon initial infection and enumerates all IP addresses in the LAN. If that enumeration already took place during the weekend, at the height of the outbreak, and a vulnerable machine on the network happened to be asleep at the time, WannaCry skipped it. Accordingly, waking a non-infected machine within an infected network does not, by itself, get it infected. The protection is circumstantial, though: the woken machine is still unpatched and still listening on TCP port 445, so a newly infected host on the same network, or a scan from the Internet, can reach it the next time it is probed. Use the window to apply the necessary patches and updates to the system before that happens.

