Mitigating 'WannaCry': Turn On the Lights and Secure from Within

WannaCry can hit hard if it gains a foothold. Find out how Corvil provides early warning of infection, accelerated triage and even file recovery, should a worst case scenario play out.

By Graham Ahearne, May 14, 2017 (Product)

Remain calm and batten down the hatches

You’ve likely heard of the “WannaCry” ransomware, which has already caused mayhem since it appeared in the wild recently. Ransomware is not a new phenomenon, and here at Corvil we’ve been helping clients tackle ransomware infections for some time, but this particular WannaCry strain has a unique combination of capabilities that make it extremely dangerous. Most significantly, this strain combines the common capabilities of ransomware (file encryption, Bitcoin as the payment method, Tor usage for anonymization) with the capabilities of a worm (rapid, continuous, automated spread of infection from host to host). This means that if an organization is unfortunate enough to have an infected host appear on its network, the end result could be as severe as an organization-wide takedown of all connected Windows hosts on the network and, more critically, significant loss of invaluable and sensitive data.

Prevention is always better than cure, so first verify that firewalls are blocking external traffic over SMB ports 139 and 445 to help mitigate the risk of this ransomware strain gaining a foothold. Also, with urgency, ensure Windows-based hosts are patched, and consider disabling SMB v1 on them if it is not needed.

Turn on the lights and secure from within

Effective cyber security is all about layered defense, since we know there is a high likelihood that threats such as WannaCry will eventually find their way past the first lines of defense. A good example of how this can occur is an unmanaged, infected laptop (no IT-deployed anti-malware software, missing the latest Windows patches) connecting directly to the corporate network.

For this reason, it is essential to continuously monitor for early warning indicators of malicious activity on internal networks. This way, if it does appear, Security and IT teams will be in a position to respond fast, minimizing the disastrous impact this threat is capable of.

So what WannaCry tell-tale signs can be monitored for?

  • Transfer of files known to be associated with WannaCry (such as the Dropper) to internal hosts
  • Connections from internal hosts to domains associated with WannaCry (command and control)
  • Sudden spikes in number of other unique hosts a specific host connects to (target discovery)
  • Files with certain file extensions being read/written between internal hosts (worm-like lateral spread)

It is essential that, if such signs are detected, Security and IT teams are capable of responding rapidly to understand the bigger picture: which hosts are infected, what other malicious activity may be occurring on those hosts, and what data has been encrypted. Lastly, in the worst-case scenario where critical files have been encrypted and backups are not available, IT teams may need a last-resort way to recover them.

How Corvil can help

Within minutes of deployment, Corvil performs comprehensive automated real-time decoding and analytics of internal network traffic, which gives Security and IT teams unique benefits when it comes to mitigating the risks associated with WannaCry:

Challenge: Find unpatched/unmanaged Windows hosts that are vulnerable to compromise.
How Corvil helps: Automatic discovery and traffic analysis for all hosts on the network that are involved in SMB-based conversations. This enables swift identification of misconfigured or rogue hosts that could become an entry point for this threat.

Challenge: Early warning of malicious activity on the network.
How Corvil helps: Corvil can detect and alert on any host attempting to:
  1. Download malicious files via HTTP (file hash matching)
  2. Connect to related domains, including via Tor (domain matching)
  3. Scan for other hosts to target on the network (baseline deviation analysis of per-host connectivity patterns)
  4. Encrypt files on remote hosts (file name pattern matching)

Challenge: If infections occur, rapid investigation is critical so that the full extent of the impact can be understood.
How Corvil helps: With a real-time view into activity happening on the network and a record of past activity, Corvil quickly provides insight into which other hosts on the network the infected hosts have communicated with and are currently communicating with.

Challenge: Critical files were encrypted and we have no backups, help!
How Corvil helps: Corvil can automatically capture and store a copy of the original files (in packet form) from just before they were encrypted across the network. This enables file recovery should other recovery options fail.
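The four indicators listed above (known-bad file hash, watched domain, per-host connectivity spike, and encrypted-file writes between internal hosts) can be expressed as simple detection rules over decoded network events. The following is an added illustration written for this page, not Corvil's product code: it defines a constructed event format, runs each rule over a constructed sample of events, and flags the one infected host. The hash, domain and file-extension watchlists are placeholders (real values would come from a threat-intelligence feed), the internal range is assumed to be 10.0.0.0/8, and the scan threshold (five times the host's baseline peer count, with a floor of ten) is an assumed tuning value.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Watchlists are PLACEHOLDERS (assumption): in practice these come from a
# threat-intelligence feed, not from this example.
WATCHED_HASHES = {"PLACEHOLDER-SHA256-OF-DROPPER"}
WATCHED_DOMAINS = {"placeholder-c2.example"}
WATCHED_EXTENSIONS = (".placeholder-encrypted",)


@dataclass
class Event:
    """One decoded network observation (constructed format for this example)."""
    kind: str          # "http_download" | "connect" | "smb_write"
    src: str           # internal source host
    dst: str           # destination host or domain
    detail: str = ""   # file hash for downloads, file name for SMB writes


def is_internal(host: str) -> bool:
    """Assumption: the internal network is 10.0.0.0/8."""
    return host.startswith("10.")


def hash_matches(events: List[Event]) -> List[str]:
    """Indicator 1: a file with a watched hash was transferred to an internal host."""
    return [f"{e.src} downloaded watched file {e.detail} from {e.dst}"
            for e in events
            if e.kind == "http_download" and e.detail in WATCHED_HASHES]


def domain_matches(events: List[Event]) -> List[str]:
    """Indicator 2: an internal host connected to a watched (C2) domain."""
    return [f"{e.src} connected to watched domain {e.dst}"
            for e in events if e.kind == "connect" and e.dst in WATCHED_DOMAINS]


def scan_alerts(events: List[Event], baseline: Dict[str, int],
                factor: int = 5, floor: int = 10) -> List[str]:
    """Indicator 3: a host's unique internal peer count jumps far above its baseline."""
    peers = defaultdict(set)
    for e in events:
        if e.kind == "connect" and is_internal(e.dst):
            peers[e.src].add(e.dst)
    alerts = []
    for src, dsts in peers.items():
        expected = baseline.get(src, 1)           # unknown hosts get a baseline of 1
        if len(dsts) >= max(floor, factor * expected):
            alerts.append(f"{src} contacted {len(dsts)} unique internal hosts "
                          f"(baseline {expected})")
    return alerts


def encryption_alerts(events: List[Event]) -> List[str]:
    """Indicator 4: a file with a watched extension was written to another internal host."""
    return [f"{e.src} wrote {e.detail} to {e.dst}"
            for e in events
            if e.kind == "smb_write" and is_internal(e.dst)
            and e.detail.lower().endswith(WATCHED_EXTENSIONS)]


def run_detections(events: List[Event], baseline: Dict[str, int]) -> Dict[str, List[str]]:
    """Run all four rules and return the alerts grouped by indicator."""
    return {
        "hash_match": hash_matches(events),
        "domain_match": domain_matches(events),
        "scan": scan_alerts(events, baseline),
        "encryption": encryption_alerts(events),
    }


# Constructed sample: 10.0.0.5 plays the infected host, 10.0.0.9 behaves normally.
SAMPLE_BASELINE = {"10.0.0.5": 2, "10.0.0.9": 3}   # typical unique peers per host
SAMPLE_EVENTS = (
    [Event("http_download", "10.0.0.5", "203.0.113.7", "PLACEHOLDER-SHA256-OF-DROPPER"),
     Event("connect", "10.0.0.5", "placeholder-c2.example")]
    + [Event("connect", "10.0.0.5", f"10.0.0.{n}") for n in range(10, 40)]  # 30 peers
    + [Event("smb_write", "10.0.0.5", "10.0.0.12", "Q3-report.docx.placeholder-encrypted")]
    + [Event("connect", "10.0.0.9", f"10.0.0.{n}") for n in (10, 11, 12)]
    + [Event("smb_write", "10.0.0.9", "10.0.0.12", "notes.txt")]
)

if __name__ == "__main__":
    for name, alerts in run_detections(SAMPLE_EVENTS, SAMPLE_BASELINE).items():
        for alert in alerts:
            print(f"[{name}] {alert}")
```

Running the script prints one alert per indicator, all attributed to 10.0.0.5, and nothing for 10.0.0.9. The scan rule is the one that does not depend on prior knowledge of the malware: it keys off the worm's target-discovery behaviour rather than a hash or domain, which is why a baseline of normal per-host connectivity is worth maintaining before an incident.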

Conclusion

The sudden emergence, rapid evolution and hard-hitting impact of the WannaCry ransomware strain underscore the fact that real-time visibility and effective early detection of lateral attack movement on internal networks are essential.

Here at Corvil, we’re committed to helping our clients stay one step ahead of threats such as WannaCry, to ensure they can effectively secure from within. If you are a Corvil client and would like to inquire about these detection capabilities, please contact your local Corvil representative.

Graham Ahearne, Director, Product Management, Corvil
Corvil is the leader in performance monitoring and analytics for electronic financial markets. The world’s financial markets companies turn to Corvil analytics for the unique visibility and intelligence we provide to assure the speed, transparency, and compliance of their businesses globally. Corvil watches over and assures the outcome of electronic transactions with a value in excess of $1 trillion, every day.
@corvilinc