WannaCry, Separating Fact From Fiction

Josh Lemon
Article by Josh Lemon

Digital Forensics and Incident Response Managing Director & Certified SANS Instructor

In the aftermath of the WannaCry ransomware outbreak, what are the real lessons we should all have learned? Or, even better, what should we be telling those outside the cyber security industry so they don't fall victim to media hype or vendor spin? My hope is that this information is also useful in clearing up any misinformation that has spread about WannaCry.

  • This whole attack was not the result of a phishing email. No email-based protection would have saved you from getting infected with WannaCry.

  • The malware spread via other infected computers on the internet connecting directly to your network or computer, over the Windows file-sharing protocol SMB (TCP port 445). Everyone should regularly review the inbound traffic rules on their router or perimeter firewall (that's the thing that connects you to the internet). Getting infected with WannaCry was the result of allowing internet traffic to connect into your network. It is similar to leaving a window open in your house to let the bad guys in: not a big opening, but enough to get in.

  • You do not get infected with WannaCry simply by visiting a website. Anyone trying to tell you their web proxy or web filtering service would have protected you from the initial infection is selling you a lemon.

  • A "Cyber Intelligence Feed" would not have helped you when the initial infection started to spread. Once WannaCry was spreading across the internet, the next connection could have come from a trusted source as easily as an untrusted one, so a feed of known-bad addresses would not have prevented the initial infection.

  • Organisations that did not patch their computers quickly enough are not at fault for getting infected. Patching Windows systems in a large organisation is neither fast nor usually easy. Patching often breaks things, especially legacy or custom applications, and it can take one to two months for a large or complex organisation to run a new patch through a full development and test cycle and fix anything that breaks before it is rolled out to all systems. And that assumes the patch passes the testing cycle without breaking anything.

  • If you did not patch your personal computer, which is not part of a corporate network, learn from this mistake and ensure you patch more often.

  • Anti-Virus should have protected you, to some degree. The technique WannaCry used to spread was unlikely to be detected by the majority of Anti-Virus products, so the initial infection would have occurred and dropped a malicious process on your system. However, Anti-Virus should be capable of detecting a malicious process searching for and writing over large numbers of files on your system. That a lot of Anti-Virus products didn't detect this activity is, unfortunately, a failing in how Anti-Virus works. That said, most Anti-Virus companies were quick to respond and update their signatures.

  • Having current backups is your best line of defence if you end up with compromised systems.

  • Not having tested or practised restoring from a backup is not a good excuse to give to management. If you have backups but have never tested them or tried to restore files from them, that is a very poor oversight.

  • Windows 10, macOS, Linux and mobile phones were not hit by WannaCry. Don't spin your wheels trying to protect these systems from this malware; focus on your older Windows systems. (Windows 10 still received the same March 2017 SMB fix as the older versions, so keep it patched as a matter of course.)

  • Paying the ransom will likely not help in getting your data restored. So far there have been no public reports, or any non-public ones that I've been made aware of, of a victim paying the ransom and receiving a decryption key to recover their files. Spend your money on restoring systems and preventing future attacks.

  • Some tools are starting to emerge that may be able to restore your data, but they rely on a lot of luck to work. You also need to have left your machine running (i.e. not rebooted) since it was infected, and hope that nothing has overwritten the memory of the infected process that still holds the material needed to rebuild the decryption key. Don't bet the bank on these methods; start pulling out your backups if you have them.

  • Knowing who developed and distributed WannaCry is unlikely to help. Speculating about who created the WannaCry malware is interesting from a research perspective, but for the general public it's not useful in responding to or preventing this threat. Sure, if you're a three- or four-letter government agency this may be highly useful, but for the general public it's not really going to help.
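The inbound-firewall point above ("review what inbound traffic rules are on your router or perimeter firewall") is easier to act on with a concrete check. The following is an added example, not code from the original post: it models a perimeter ruleset in a vendor-neutral form (an assumed dictionary layout you would fill from your own firewall export), evaluates it first-match like a real packet filter, and asks the only question that matters here: can an arbitrary internet address reach TCP 139/445? The probe address and the sample rules are constructed.

```python
"""Check whether a perimeter ruleset lets the internet reach SMB (TCP 139/445).

Added example for the inbound-firewall point above; not code from the original
post. The rule dictionaries are an assumed vendor-neutral form that you would
fill from your own router or firewall export.
"""
import ipaddress

SMB_PORTS = (139, 445)          # NetBIOS session service and direct-hosted SMB
DEFAULT_ACTION = "block"        # assumed: perimeter denies inbound unless a rule allows it
INTERNET_PROBE = "203.0.113.5"  # RFC 5737 documentation address standing in for "anyone on the internet"


def parse_ports(spec):
    """Expand "445", "137-139,445" or "any" into a set of ports (None means all)."""
    if spec.strip().lower() == "any":
        return None
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def source_matches(spec, ip):
    """True if the rule's source ("any" or a CIDR) covers ip."""
    if spec.strip().lower() == "any":
        return True
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate_inbound(rules, proto, dport, src_ip):
    """First-match evaluation: return (action, rule_name) for an inbound packet."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["direction"] != "in" or rule["proto"] not in ("any", proto):
            continue
        ports = parse_ports(rule["dport"])
        if ports is not None and dport not in ports:
            continue
        if not source_matches(rule["source"], ip):
            continue
        return rule["action"], rule["name"]
    return DEFAULT_ACTION, "<default>"


def smb_exposed_to_internet(rules, probe_ip=INTERNET_PROBE):
    """Return {port: deciding_rule} for every SMB port reachable from probe_ip."""
    findings = {}
    for port in SMB_PORTS:
        action, name = evaluate_inbound(rules, "tcp", port, probe_ip)
        if action == "allow":
            findings[port] = name
    return findings


# Constructed sample ruleset (first match wins). The third rule is the "open
# window": it was meant for a remote office but allows SMB from anywhere.
SAMPLE_RULES = [
    {"name": "allow-https", "direction": "in", "action": "allow",
     "proto": "tcp", "dport": "443", "source": "any"},
    {"name": "allow-branch-smb", "direction": "in", "action": "allow",
     "proto": "tcp", "dport": "445", "source": "10.20.0.0/16"},
    {"name": "remote-office-share", "direction": "in", "action": "allow",
     "proto": "tcp", "dport": "137-139,445", "source": "any"},
    {"name": "deny-all", "direction": "in", "action": "block",
     "proto": "any", "dport": "any", "source": "any"},
]

# Hardened ruleset: the over-broad rule is removed, so the final deny applies.
HARDENED_RULES = [r for r in SAMPLE_RULES if r["name"] != "remote-office-share"]


if __name__ == "__main__":
    for label, rules in (("current", SAMPLE_RULES), ("hardened", HARDENED_RULES)):
        print(label, smb_exposed_to_internet(rules) or "no SMB reachable from the internet")
</```

The branch-office rule scoped to 10.20.0.0/16 is deliberately left in place: SMB between internal sites is a business decision, while SMB from "any" is the open window. The same evaluation can be pointed at other ports (RDP, database listeners) by changing the port tuple.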
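The Anti-Virus point above says a product should notice "a malicious process trying to search and write over multiple files". Here is what that behavioural rule looks like in practice, as an added example that is not code from the original post or from any Anti-Virus vendor. It runs over constructed file-system events shaped like (timestamp, pid, image, operation, path) and alerts on a process that rewrites many files across many folders within seconds; the thresholds, process names and paths are assumptions for illustration.

```python
"""Flag a process that rewrites many files across many folders in seconds.

Added example for the Anti-Virus point above, not code from the original
post. The events are constructed to look like file-system telemetry
(timestamp, pid, image, operation, path); wire your own EDR/Sysmon/auditd
export into the same tuple shape.
"""
from collections import defaultdict, deque
from pathlib import PureWindowsPath

THRESHOLD = 20     # file writes/renames ...
WINDOW_S = 10.0    # ... within this many seconds ...
MIN_DIRS = 3       # ... spread over at least this many folders


def detect_mass_rewrite(events, threshold=THRESHOLD, window=WINDOW_S, min_dirs=MIN_DIRS):
    """Return {pid: (image, alert_time)} for processes whose write rate looks like encryption.

    Rate alone is not enough (compilers and backup agents are fast too), so an
    alert also needs the writes to span several folders, which is how a
    ransomware sweep of a user profile differs from a build job in one tree.
    """
    recent = defaultdict(deque)   # pid -> deque of (timestamp, folder) inside the window
    alerts = {}
    for ts, pid, image, op, path in sorted(events):
        if op not in ("write", "rename"):
            continue
        q = recent[pid]
        q.append((ts, str(PureWindowsPath(path).parent)))
        while q and ts - q[0][0] > window:
            q.popleft()
        if pid in alerts:
            continue
        if len(q) >= threshold and len({folder for _, folder in q}) >= min_dirs:
            alerts[pid] = (image, ts)
    return alerts


def constructed_events():
    """Three constructed processes: a document editor, a compiler, and an encryptor-like sweep."""
    ev = []
    for i in range(5):                       # editor: slow saves in one folder
        ev.append((i * 12.0, 1201, "WINWORD.EXE", "write",
                   rf"C:\Users\alice\Documents\report{i}.docx"))
    for i in range(30):                      # compiler: fast, but one folder
        ev.append((100 + i * 0.05, 2300, "cl.exe", "write",
                   rf"C:\build\obj\unit{i}.obj"))
    folders = ["Documents", "Pictures", "Desktop", "Downloads", "Music", "Videos"]
    for i in range(40):                      # suspect: fast and across the whole profile
        folder = folders[i % len(folders)]
        ev.append((200 + i * 0.1, 4040, "unknown.exe", "rename",
                   str(PureWindowsPath(r"C:\Users\alice", folder, f"item{i}.dat"))))
    return ev


if __name__ == "__main__":
    for pid, (image, ts) in detect_mass_rewrite(constructed_events()).items():
        print(f"ALERT pid={pid} image={image} at t={ts:.1f}s: mass file rewrite")
```

Only the sweep across the profile is flagged; the compiler writes faster but stays in one folder. Lowering min_dirs to 1 shows why the folder-spread condition exists: the build job then trips the rule as well, which is the false-positive trade-off every behavioural Anti-Virus engine has to tune.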
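The two backup points above (keep current backups, and actually test restoring from them) come down to a drill you can script. The following is an added example, not code from the original post: it writes a backup with a SHA-256 manifest, restores into a fresh location, and verifies every file against the manifest, then repeats the drill with a silently corrupted copy and with a missing file so you can see what a failed restore test reports. The file contents, names and manifest filename are constructed, and everything runs inside a temporary directory.

```python
"""Backup with an integrity manifest, then a restore drill that proves it works.

Added example for the two backup points above; not code from the original
post. Data, paths and the simulated faults are constructed, and the drill
runs entirely inside a temporary directory.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"   # assumed name for the hash list stored beside the backup


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source, backup_dir):
    """Copy every file under source and record the SHA-256 of the ORIGINAL."""
    source, backup_dir = Path(source), Path(backup_dir)
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source).as_posix()
        dest = backup_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, dest)
        manifest[rel] = sha256_of(file)   # hashing the source catches a bad copy later
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_backup(backup_dir, target):
    """Copy whatever the backup still holds into target; return the manifest."""
    backup_dir, target = Path(backup_dir), Path(target)
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    for rel in manifest:
        src = backup_dir / rel
        if src.is_file():
            dest = target / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)
    return manifest


def verify_restore(manifest, target):
    """Compare restored files with the manifest; an empty list means the drill passed."""
    target = Path(target)
    problems = []
    for rel, digest in manifest.items():
        restored = target / rel
        if not restored.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(restored) != digest:
            problems.append(f"corrupt: {rel}")
    return problems


def restore_drill(fault=None):
    """Back up constructed files, optionally damage the backup, restore, verify.

    fault=None      -> healthy backup, expect no problems
    fault="corrupt" -> a backup copy is silently truncated (bad media, partial write)
    fault="missing" -> a file never made it into the backup set
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live, backup, restored = tmp / "live", tmp / "backup", tmp / "restored"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_bytes(b"date,amount\n2017-05-12,100\n")
        (live / "notes.txt").write_bytes(b"quarterly planning\n")
        manifest = create_backup(live, backup)
        damaged = backup / "finance" / "ledger.csv"
        if fault == "corrupt":
            damaged.write_bytes(b"date,amount\n2017-05-12,1")
        elif fault == "missing":
            damaged.unlink()
        restore_backup(backup, restored)
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for fault in (None, "corrupt", "missing"):
        print(f"drill fault={fault!r}: {restore_drill(fault) or 'restore verified'}")
```

The manifest is hashed from the live files, not from the copies, so a backup that was written badly is caught at restore time rather than discovered during an incident. Keep the manifest (or a copy of it) somewhere the ransomware cannot reach, or an encrypted backup volume will verify against an encrypted manifest.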

I'll try to update this post as I read or hear of more false rumours about WannaCry, or as this information changes. For example, when I started drafting this post there weren't any decryption tools available, so it's possible that other information within this post may change over time. If I've missed anything, or this information changes more quickly than I discover it, feel free to DM me on Twitter.

Good luck defending your networks and systems.