Helping Protect Against Todays Cyber Threats

WannaCrypt (WannaCry) Decryption Tool Now Available!

In May 2017, a large cyber attack was launched, infecting over 230,000 computers in 99 countries, demanding ransom payments in 28 languages. The attack has been described by Europol as “unprecedented in scale”.

Yeah, whatever. Blah, blah, blah… You just got pwned!

Had this site been infected with a file-less “drive-by” ransomware, your system would have likely fallen victim by now. Allow me to explain…
First, phishing schemes tend to play on the human factor by using crafty messages that play on the emotions of fear, excitement or the need to please others. In this scenario, you were likely excited to see that a decryption tool had been made available for the “WannaCry” ransomware variant. I can’t say I blame you. I’m sure many of the 200K+ victims worldwide feel quite the same! However, malicious actors will use these types of social trends as a means of enticing folks into falling for their tricks.

Now, combine this with the more recent introduction of JScript file-less malware with legitimate website advertising networks and you have a recipe for disaster. Well known sites, such as YouTube or Reuters, have been targeted by attackers preying on users’ implicit trust of the sites to inject their malwares into the advertisements. Using such methods, visitors don’t even have to hover over or click on the ads to become infected. All they have to do is visit a site that has had its ad network compromised. This is the method known as “drive-by”. No user interaction is required.

Such could have been the case here.

Lastly, with advancements that the hackers have implemented of late, the malware can be injected into memory and, as a result, avoid detection by most antivirus programs since they tend to only read the input/output of whatever is being written to or read from the hard disk.

So, how can this be avoided?

Well, ask yourself what you did prior to clicking on the link that brought you here.

  1. Did you know and trust the source from which you received the link?
  2. Did you know the full path of the website address (URL) that the link was directing you to? (i.e. your web browsers status bar)
  3. Were you excited about the potential of a decryption tool?

All of these are behaviour patterns that we must educate our end users about.

Now, from a defensive approach, what can we do to help protect & defend our organisations against these threats?
  1. Application Whitelisting – If it can’t run, it can’t infect. Need I say more?
  2. Device Control – Such solutions may be able to prevent auxiliary connections from also being encrypted during land & expand process. These include UNC shares, connected USB devices & NAS-based storage.
  3. Validated Backups – Those that have recovered from a ransomware infection without paying up have only been able to do so through weak encryption methods defeated by the decryption tools that brought you here to begin with or through good backups. Use the 3-2-1 rule and test them regularly.
  4. Incident Response Plan – Let me just say that having a bitcoin wallet loaded and ready to go is NOT an incident response plan!
  5. Next Generation Firewalls– NGFWs and their inherent stateful packet inspection can help shut down ransomware attacks before they happen. If you’re not up on this tech yet, you should seriously look into it. Write it down!
  6. Threat Detection – Assume you’ve been breached! Failure to do so and respond accordingly proves one thing only: you deserve to be breached and you’ve been warned!
  7. Known Tor Entry/Exit Blacklist – Refer to:
  8. Anti-Virus Software – Yes, sadly it’s still a tickbox requirement.
  9. End-user Awareness Campaigns – They are our greatest inside threat. Educate. Educate. Educate. Conduct regular phishing tests using a reputable third-party like
  10. Firings – I fully believe that we’ve come to the point that we have to take more drastic measures to emphasise the point that end-users are the greatest, single inside threat to the organisation. Fire one or two (maybe a few!) after a second infraction and the point will get across: this will not be tolerated!
Bonus tip:Change default file file associations.
Perhaps the simplest approach of all… if an end-user invokes an action that would result in launching the malware through the Windows Scripting Host, PowerShell or the Command Shell and those file extensions are also associated with those scripting environments, then infection will ensue.
However, if those file extensions (i.e. .js, .ps1, .cmd, etc.) are re-associated with, say, notepad.exe, what will be the result? An infection or a confused end-user looking at a script within Notepad.exe? Think about it for a second… Pretty ingenious, right? Sometimes the simplest solution is the one most easily overlooked.
Do you know a fellow SysAdmin that could benefit from this exercise? Perhaps you’re a member of a Facebook group or Twitter list that includes like-minded professionals? Please consider sharing this post with them in hopes of bringing about a meaningful awareness of what we as IT/InfoSec professionals are charged with on a daily basis. We have a job to do here, y’all. Let’s get it done!
P.S. Aren’t you glad I’m an ethical hacker? Tick, tock… Tick tock… Time is running out. What are you still doing here?

About the Author

As a nearly 20-year veteran of Information Technology with a laser focus on Systems & Security Management, Duncan McAlynn, is a driven and passionate IT professional. He is a contributing author/editor to several books, magazine publications, and websites as well as a popular presenter at many Microsoft events. These activities have led to him receiving the Microsoft Most Valuable Professional award for six consecutive years and being named a member of the FBI InfraGard division.

Duncan has held a number of certifications and awards including 6x Microsoft MVP, MCITP, MCSA, MCSE, & CISSP.

Today, Duncan is a Principal Security Engineer & Evangelist for Ivanti, ISSA Gulf Coast TX chapter president & author of Advanced Windows Security

Please follow and like us:

5 thoughts on “WannaCrypt (WannaCry) Decryption Tool Now Available!”

  • Great article, but you assume that the person arriving at your site is running Windows. If a visitor was on a Mac or an iOS device, your article, especially the first part, would be largely incorrect.

      • Fair enough, but I just read the one article by way of a FB link — first time at your site — and the story said that if the site had been infected with drive-by ransomware, my system would likely have been infected already. And I was reading it on an Android phone. So . . . But thanks anyway for the great article.

Leave a Reply

Your email address will not be published. Required fields are marked *