
Ransomware: 'WannaCry' guidance for enterprise administrators

Created:  14 May 2017
Updated:  19 May 2017

The NCSC is currently working with organisations and partners in the UK affected by the ransomware 'WannaCry'. This page contains guidance for enterprise administrators who want to reduce the likelihood of being held to ransom by WannaCry (or other types of ransomware).

  • This guidance will be updated as more information becomes available.
  • There is more general advice and guidance on protecting enterprise IT on the NCSC's guidance site.



What is WannaCry?

WannaCry is a type of malicious software known as ransomware. Ransomware makes a victim's data or systems unusable until a payment is made. WannaCry also spreads between unpatched Windows systems over SMBv1, exploiting the vulnerability addressed by Microsoft's MS17-010 update, which is why it moves across a network once a single host is infected.

What can I do to protect my organisation?

Deploy the patch for MS17-010 on Windows systems

If you are running a supported version of Windows and have been applying patches automatically from Windows Update as recommended by the NCSC, then you should already be protected against the SMBv1 exploit this malware uses to spread.

If updates have not been applied automatically, the patch for this specific vulnerability can be found at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx or via Windows Update for currently supported operating systems.

For legacy platforms such as Windows XP, Server 2003 and Windows 8, Microsoft has made an out-of-band patch available. This patch is not delivered through Windows Update and must be downloaded and installed manually. It is available from https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks

If it is not possible to apply this patch, disable SMBv1

SMBv1 is the protocol over which the malware spreads, so disabling it on a host stops that host from being infected over the network and from infecting others if it is already affected. Guidance for disabling SMBv1 on Windows systems is available at https://support.microsoft.com/en-us/help/2696547

If the above is not possible, you may be able to block the ports used by SMBv1 on network devices and in host-based firewalls on workstations. These ports are:

  • UDP 137 and 138 (NetBIOS name and datagram services)
  • TCP 139 and 445 (NetBIOS session service and SMB over TCP)

Block them inbound to workstations as a minimum, and at the network boundary so that no host is reachable on them from the internet. Note that blocking TCP 445 inbound to file servers and domain controllers will break legitimate SMB access to those systems.
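The two host-level mitigations above, disabling SMBv1 and blocking the SMB/NetBIOS ports with the host firewall, as one PowerShell script. This is an added example, not part of the NCSC guidance or Microsoft's KB article; the individual commands are the ones documented in KB2696547, the firewall rule names are illustrative, and the script assumes Windows 8 / Server 2012 or later for the `SmbShare` and `NetSecurity` cmdlets (it falls back to the registry method for the SMBv1 server setting on older systems).

```powershell
#Requires -RunAsAdministrator
# Added example (not the NCSC's or Microsoft's own code): audit and, unless -Audit is given,
# disable SMBv1 on this host and block inbound SMB/NetBIOS ports with the host firewall.
param(
    [switch]$Audit   # report the current state only, change nothing
)

function Get-Smb1State {
    # Server side. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # on Windows 7 / Server 2008 R2 the state is the SMB1 registry value (absent or 1 = enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                              -Name SMB1 -ErrorAction SilentlyContinue
        $server = if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
    }
    # Client side: the mrxsmb10 driver service. Start type 4 means disabled.
    $start  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                                -Name Start -ErrorAction SilentlyContinue).Start
    $client = ($start -ne 4)
    [pscustomobject]@{ Smb1Server = $server; Smb1Client = $client }
}

function Disable-Smb1 {
    # SMBv1 server (KB2696547): cmdlet where available, registry value otherwise.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # SMBv1 client (KB2696547): drop mrxsmb10 from the workstation service's dependencies
    # and disable the driver. SMBv2/3 (mrxsmb20) stays in the chain. Takes effect after reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-SmbPorts {
    # Inbound-only rules for the ports listed in the guidance. Inbound is what stops this host
    # being exploited over SMB; outbound SMB is left alone so the host can still reach file servers.
    $rules = @(
        @{ Name = 'WannaCry-Block-NetBIOS-UDP'; Protocol = 'UDP'; Port = @(137, 138) },
        @{ Name = 'WannaCry-Block-SMB-TCP';     Protocol = 'TCP'; Port = @(139, 445) }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Direction Inbound `
                -Protocol $r.Protocol -LocalPort $r.Port -Action Block -Profile Any | Out-Null
        }
    }
}

$before = Get-Smb1State
Write-Host "Before: SMB1 server enabled=$($before.Smb1Server) client enabled=$($before.Smb1Client)"
if (-not $Audit) {
    Disable-Smb1
    Block-SmbPorts
    $after = Get-Smb1State
    Write-Host "After:  SMB1 server enabled=$($after.Smb1Server) client enabled=$($after.Smb1Client)"
    Write-Host 'Reboot required for the client-side change to take effect.'
}
```

Run it first with `-Audit` to see the state without changing anything. On Windows 8.1 / Server 2012 R2 and later, `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` removes the SMBv1 component entirely and is the cleaner long-term option; on Windows 7 the firewall rules must be created with `netsh advfirewall firewall add rule` instead of `New-NetFirewallRule`. Do not run the port-blocking part on file servers or domain controllers, and expect any remaining SMBv1-only clients (old printers, scanners, NAS devices) to lose access once SMBv1 is off.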

If this is not possible, isolate the use of legacy technology as much as possible within your organisation

If it is not possible to completely disable SMBv1 or apply the necessary patches, then the devices still vulnerable to MS17-010 should be isolated within your enterprise network to the maximum extent possible. The use of network segregation techniques, other approaches for minimising the chances of compromise, and limiting the subsequent harm, are described in the NCSC's guidance for obsolete technologies.

Ensure antivirus products are updated

Antivirus vendors are increasingly able to detect and remediate this malware, so ensuring that any on-host and boundary antivirus products in use within your organisation are up to date will likely provide additional protection.

Further Information

Before running, the malware checks whether a particular domain resolves and accepts a connection; if it does, the malware stops. Security researchers have registered these domains, which has prevented a number of potential compromises. To benefit, ensure that your systems can resolve and connect on TCP port 80 to the following domains:

www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Unlike most malware infections, you should not block these domains. Note that the malware is not proxy aware: a host that can only reach the internet through a web proxy will fail the check even though the domains are registered. In that case, create a local DNS record for each domain. It does not need to point to the internet; it can resolve to any accessible server that will accept connections on TCP port 80.
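A check that a host can reach the two domains the way the malware does (plain DNS lookup, then a direct TCP connection to port 80 with no proxy), plus a helper to create the local DNS records where direct egress is not available. This is an added example, not part of the NCSC guidance: the domain names are the two listed above, the 5-second timeout is an assumption, and `Add-KillSwitchSinkholeRecord` assumes it is run on a Windows DNS server (`DnsServer` module) with `$SinkholeIP` being any internal server that accepts TCP connections on port 80.

```powershell
# Added example (not the NCSC's own code). Verifies the WannaCry 'kill switch' domains are
# reachable from this host without a proxy, and optionally sinkholes them in local DNS.
$killSwitchDomains = @(
    'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    'www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
)

function Test-KillSwitchReachability {
    param([string[]]$Domains, [int]$TimeoutMs = 5000)   # timeout is an assumed value
    foreach ($d in $Domains) {
        $result = [pscustomobject]@{ Domain = $d; Resolved = ''; TcpOpen = $false; Note = '' }
        # Plain DNS lookup, exactly what the malware does; a proxy plays no part here.
        $addrs = @()
        try {
            $addrs = @([System.Net.Dns]::GetHostAddresses($d) |
                       Where-Object { $_.AddressFamily -eq 'InterNetwork' })
        } catch {
            $result.Note = "DNS lookup failed: $($_.Exception.Message)"
        }
        if ($addrs.Count -eq 0) {
            if (-not $result.Note) { $result.Note = 'No IPv4 record (local DNS record needed)' }
            $result
            continue
        }
        $result.Resolved = ($addrs | ForEach-Object { $_.IPAddressToString }) -join ','
        # Direct TCP connect to port 80, not an HTTP request through a proxy. Any server that
        # accepts the connection (internet, or an internal sinkhole) satisfies the malware's check.
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($addrs[0].IPAddressToString, 80, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)
                $result.TcpOpen = $true
            } else {
                $result.Note = 'TCP connect timed out (proxy-only egress or port 80 blocked?)'
            }
        } catch {
            $result.Note = "TCP connect failed: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
        $result
    }
}

function Add-KillSwitchSinkholeRecord {
    # Run on a Windows DNS server. Creates a file-backed zone per domain and an A record at the
    # zone apex pointing at $SinkholeIP, an assumed internal host listening on TCP 80.
    param([string[]]$Domains, [ipaddress]$SinkholeIP)
    foreach ($d in $Domains) {
        if (-not (Get-DnsServerZone -Name $d -ErrorAction SilentlyContinue)) {
            Add-DnsServerPrimaryZone -Name $d -ZoneFile "$d.dns"
        }
        Add-DnsServerResourceRecordA -ZoneName $d -Name '@' -IPv4Address $SinkholeIP
    }
}

# Usage on a workstation: report resolution and connectivity for both domains.
Test-KillSwitchReachability -Domains $killSwitchDomains | Format-Table -AutoSize
# Usage on the DNS server, only if the check above fails for proxy-only hosts (address is assumed):
# Add-KillSwitchSinkholeRecord -Domains $killSwitchDomains -SinkholeIP 10.0.0.80
```

A row with `Resolved` populated but `TcpOpen` false is the case the guidance warns about: the domain resolves to its public address, but the host has no direct route to it, so the malware's check fails and it proceeds. The sinkhole record fixes that as long as the chosen internal server genuinely accepts connections on TCP 80; a closed port gives the same result as no route.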

As variants of WannaCry emerge, additional domains and alternative command-and-control mechanisms are being observed. Additional information can be found on the Cyber Security Information Sharing Partnership (CiSP) platform. 

The NCSC have previously published broader guidance on protecting your organisation from ransomware, which is available here. You should also consider the Cyber Essentials standard and certification scheme as a way of addressing these concerns. 


What to do if your organisation has been infected with ransomware

If you believe you have been infected by ransomware, there are a number of sources of further advice and guidance:

  • The National Crime Agency encourages anyone who thinks they may have been subject to online fraud to contact Action Fraud at www.actionfraud.police.uk.  It is a matter for the victim whether to pay the ransom, but the NCA encourages industry and the public not to pay.
  • The National Cyber Security Centre (NCSC) runs a commercial scheme called Cyber Incident Response, where certified companies provide crisis support to affected organisations.
  • The Cyber Security Information Sharing Partnership (CiSP) offers organisations in the UK a safe portal in which to discuss and share intelligence that can assist the community and raise the UK's cyber resilience. We encourage our members to share technical information and indicators of compromise so that the effects of new malware, and particularly ransomware, can be largely reduced. 
