
WannaCry: Cyber Attack on NHS Hospitals May 2017


Well, the cyber attack against the NHS has certainly caused a storm of protest. On Monday we are told to expect a second wave of attacks. So how did researchers manage to stop this attack so quickly? The answer is that the coders made some very simple errors. They hard-coded a kill switch into the malware, which UK researchers registered and so triggered.

Step 1 – Hit the kill switch – if there is one

MalwareTech registered the domain that acted as a kill switch.

This stops the infection of new devices.  Jump to step 4 for more information on finding the command and control servers.

(Image: wcry code)

Step 2 – Danger: Are you running SMB v1?

Each version of Windows uses a different SMB version.

This is a general overview by operating system:

(Image: SMB versions used in Windows)

PowerShell commands to find the SMB version

Run the Get-SmbConnection command and look at the “Dialect” column for each connection.

(Image: PowerShell output showing the SMB dialect)

Check Windows Features for SMB 1.0

Search for “Windows Features” and open it.

Is there a tick against “SMB 1.0/CIFS File Sharing Support”? If there is, we’re in trouble.

Where SMB 1.0/CIFS File Sharing is enabled, untick the box to disable it.

(Image: SMB disable instructions)

Step 3 – Patch the flaw

1. The National Cyber Security Centre guidance on how to patch (see below).


2. Microsoft have issued a patch – apply this.

We have around 24 hours before copycats create a 2nd wave of attacks.


National Cyber Security Centre Advice:

The malware uses the vulnerability MS17-010 to propagate through a network using the SMBv1 protocol. This enables the malware to infect additional devices connected to the same network.

The NCSC advise the following steps be performed in order to contain the propagation of this malware:

  • Deploy patch MS17-010:

  • A new patch has been made available for legacy platforms, and is available here:

  • If it is not possible to apply this patch, disable SMBv1. There is guidance here:

  • and/or block SMBv1 ports on network devices [UDP 137, 138 and TCP 139, 445]

If these steps are not possible, propagation can be prevented by shutting down vulnerable systems.

Work done in the security research community has prevented a number of potential compromises.

To benefit from this, a system must be able to resolve and connect to the domain below at the point of compromise.


Unlike most malware infections, your IT department should not block this domain.

Anti-virus vendors are increasingly becoming able to detect and remediate this malware, therefore updating antivirus products will provide additional protection (though this will not recover any data that has already been encrypted).
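The checks in Steps 1 to 3 and the NCSC advice above can be run as one audit script. The following is an added example, not code from the original post or from the NCSC: it reports the SMB dialect in use, whether SMB 1.0 is enabled as a server protocol or installed as a Windows feature, whether the MS17-010 update is present, and whether the host can resolve and reach the kill-switch domain (which the NCSC says must not be blocked). It can also disable SMB 1.0 when asked. The parameter names, the `-Ms17010Kb` value (take the KB number for your operating system from the MS17-010 bulletin) and the `-KillSwitchDomain` value (the sinkhole domain named in the NCSC advice, not reproduced here) are assumptions; run it from an elevated prompt on Windows 8 / Server 2012 or later, where the DISM and SMB cmdlets exist.

```powershell
<#
Added example (not from the original post or the NCSC): audit a host for the
WannaCry exposure described in Steps 1-3 and optionally disable SMB 1.0.
Assumptions: -Ms17010Kb is the KB id for THIS OS from the MS17-010 bulletin;
-KillSwitchDomain is the registered sinkhole domain from the NCSC advice.
#>
function Test-WannaCryExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Ms17010Kb,   # e.g. 'KB<id from the MS17-010 bulletin>'
        [string]$KillSwitchDomain,                    # sinkhole domain; omit to skip that check
        [switch]$DisableSmb1                          # remediate instead of only reporting
    )

    $report = [ordered]@{}

    # Step 2a: dialect of the current SMB client connections. A 1.x dialect means SMB1 is in use.
    $dialects = @(Get-SmbConnection -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty Dialect -Unique)
    $report.ActiveDialects = $dialects
    $report.Smb1InUse      = [bool]($dialects | Where-Object { $_ -like '1.*' })

    # Step 2b: SMB1 as a server protocol, and the "SMB 1.0/CIFS File Sharing" Windows feature.
    $srv = Get-SmbServerConfiguration
    $report.Smb1ServerEnabled = $srv.EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $report.Smb1FeatureState = if ($feature) { [string]$feature.State } else { 'NotPresent' }

    # Step 3: is the MS17-010 update for this OS installed?
    $report.Ms17010Installed = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)

    # Step 1 / NCSC: the host must be able to resolve and connect to the kill-switch domain.
    # WannaCry checks it over HTTP, so a TCP test to port 80 is the relevant reachability check.
    if ($KillSwitchDomain) {
        $resolved = Resolve-DnsName -Name $KillSwitchDomain -ErrorAction SilentlyContinue
        $report.KillSwitchResolves  = [bool]$resolved
        $report.KillSwitchReachable = if ($resolved) {
            (Test-NetConnection -ComputerName $KillSwitchDomain -Port 80 `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        } else { $false }
    }

    # Remediation (NCSC: if you cannot patch, disable SMBv1): server protocol first, then the feature.
    if ($DisableSmb1) {
        if ($srv.EnableSMB1Protocol) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            $report.Smb1ServerEnabled = $false
        }
        if ($feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            $report.RebootRequired = $true
        }
    }

    # Verdict: exposed to the worm if unpatched AND SMB1 is still enabled in either place.
    $report.Exposed = (-not $report.Ms17010Installed) -and
                      ($report.Smb1ServerEnabled -or $report.Smb1FeatureState -eq 'Enabled')
    [pscustomobject]$report
}

# Report only:
#   Test-WannaCryExposure -Ms17010Kb 'KB<from the MS17-010 bulletin>' -KillSwitchDomain '<sinkhole domain>'
# Report and disable SMB 1.0 (a reboot is needed if the feature was removed):
#   Test-WannaCryExposure -Ms17010Kb 'KB<from the MS17-010 bulletin>' -DisableSmb1
```

The port blocking the NCSC lists (UDP 137/138, TCP 139/445) is deliberately left to the network devices rather than done in this script: blocking 445 on a host firewall also breaks SMB 2/3 file sharing, whereas disabling the 1.0 protocol and feature removes only the exploitable dialect.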

Step 4 – Look for unregistered malware control server domains – as a procedure

Now one thing that’s important to note is the actual registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year.

Our standard model goes something like this.

  1. Look for unregistered or expired C2 domains belonging to active botnets and point them to our sinkhole (a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them).
  2. Gather data on the geographical distribution and scale of the infections, including IP addresses, which can be used to notify victims that they’re infected and assist law enforcement.
  3. Reverse engineer the malware and see if there are any vulnerabilities in the code which would allow us to take over the malware/botnet and prevent the spread or malicious use, via the domain we registered.

That’s the model for locating and stopping Malware control server domains.
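Step 2 of that model is mostly data handling: once the domain points at a sinkhole, the raw hits have to be turned into something you can act on. The script below is an added example (it is not MalwareTech’s code and not the post author’s) showing that step: it parses constructed sinkhole log lines, collapses repeated beacons into one victim per IP with first- and last-seen times, and rolls victims up per /24 network and per country, which is the granularity at which network owners and CERTs are usually notified. The log lines, the `/24`-to-country table standing in for a GeoIP database, and the function name are all constructed for the example.

```powershell
# Added example (not MalwareTech's or the post author's code): sinkhole hits -> victim summary.
# The log lines below are constructed; each is "<UTC timestamp> <source IP> <request>".
$SinkholeLog = @'
2017-05-12T15:01:02Z 203.0.113.7 GET / HTTP/1.1
2017-05-12T15:01:09Z 203.0.113.7 GET / HTTP/1.1
2017-05-12T15:02:41Z 198.51.100.23 GET / HTTP/1.1
2017-05-12T15:03:05Z 192.0.2.44 GET / HTTP/1.1
2017-05-12T15:03:58Z 198.51.100.90 GET / HTTP/1.1
2017-05-12T16:10:00Z 203.0.113.7 GET / HTTP/1.1
'@

# Constructed /24 -> country table standing in for a real GeoIP lookup.
$GeoByNetwork = @{ '203.0.113' = 'GB'; '198.51.100' = 'DE'; '192.0.2' = 'US' }

function Get-SinkholeVictimSummary {
    param([string]$LogText, [hashtable]$Geo)

    # Parse each hit; lines that do not match the expected shape are ignored.
    $hits = foreach ($line in ($LogText -split "`n")) {
        if ($line -match '^(?<ts>\S+)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s') {
            [pscustomobject]@{
                Time = [datetimeoffset]$Matches.ts
                Ip   = $Matches.ip
                Net  = ($Matches.ip -replace '\.\d+$', '')
            }
        }
    }

    # One victim per IP. First/last seen tells you whether a machine is still beaconing.
    $victims = $hits | Group-Object Ip | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        $net    = $sorted[0].Net
        [pscustomobject]@{
            Ip        = $_.Name
            Network   = $net
            Country   = if ($Geo.ContainsKey($net)) { $Geo[$net] } else { '??' }
            FirstSeen = $sorted[0].Time
            LastSeen  = $sorted[-1].Time
            Beacons   = $_.Count
        }
    }

    # Per-network roll-up: the unit you notify is the network owner, not the individual IP.
    $byNetwork = $victims | Group-Object Network | ForEach-Object {
        $group = @($_.Group)
        [pscustomobject]@{
            Network       = "$($_.Name).0/24"
            Country       = $group[0].Country
            UniqueVictims = $_.Count
            LastSeen      = (@($group | Sort-Object LastSeen))[-1].LastSeen
        }
    } | Sort-Object UniqueVictims -Descending

    $byCountry = $victims | Group-Object Country | Select-Object Name, Count

    [pscustomobject]@{ Victims = $victims; ByNetwork = $byNetwork; ByCountry = $byCountry }
}

$summary = Get-SinkholeVictimSummary -LogText $SinkholeLog -Geo $GeoByNetwork
$summary.ByNetwork | Format-Table -AutoSize   # 198.51.100.0/24 has 2 victims, the others 1 each
$summary.ByCountry | Format-Table -AutoSize
```

Deduplicating by IP before counting matters: a single infected host beacons repeatedly (the 203.0.113.7 entries above), so raw hit counts overstate the infection scale, while the last-seen time is what tells a notified owner whether the machine has since been cleaned.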


One Comment
  1. Reblogged this on Floating-voter.

