Ultimate magazine theme for WordPress.

Top 15 guidelines to be implemented against Ransomware


The WannaCry ransomware has brought the enterprise, government agencies to their toes and organisations have swung into action to manage and prevent the threat. There is speculation that more is yet to come. Sharad Sadadekar, CISO, HDFC Life suggests a comprehensive guide on the best practices to shield organisations against such threats and even, for those who are affected, what are the steps to be taken. “The Information Security community has got into a huddle to take on the WannaCry swamp and we have been able to do in a matter of two-three days, something that could have taken weeks”, a CISO said on the condition on anonymity. This guide can prove to be a step in that direction.

Reports of ransomware attacks in Spain, UK and US began early morning on 12 May 2017 and later it started spreading like wildfire in other countries including India. Shortly thereafter, it was confirmed to be WannaCry ransomware using an Microsoft SMB vulnerability exploit techniques. Once this malware/ransomware gets installed, it encrypts the files (using AES and RSA encryption) and prompts for ransom.


The ransomware cyber-attack targeted tens of thousands of computers in 150+ countries including India. It has crippled leading healthcare services, financial and logistic service systems and has been creating havoc across the globe.

Affected Software:

This ransomware appears to have exploited Windows vulnerability for which Microsoft released a patch in March called MS17-010. The flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks.

WannaDecryptoris ransomware has multiple names like WannaCry, WCry, WanaCrypt and WanaCrypt0r – with encrypted files extensions wnry, .wcry, .wncry and .wncrypt.

This ransomware leverages the AES-128 cryptosystem to lock data down, therefore any further manipulations are only efficient as long as the secret AES key is at the victim’s disposal.

Microsoft Windows systems using Samba (SMB) and Unpatched or End of Life Microsoft Windows systems like windows 2003, XP are at higher risk of infection.

Top 15 controls and measures which should be considered and implemented:

1. Newly released Intrusion Prevention signature should be configured on Firewall / IPS which will block any internet based attacks.

2. Disable uPNP on all your gateways, firewalls, routers and proxy servers.

3 Blacklist malicious IP addresses and website URLs received as part of multiple threat intelligence alerts and advisory groups.

4. Update the signature and block suspicious keyword patterns and emails at SPAM gateway. Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.

5 Download latest antivirus signature to detect and prevent such attacks. Roll out across all end point systems and servers.

6 Download the latest operating system patches to address the vulnerability (Microsoft vulnerability MS17-010). Roll out of patches across all applicable endpoints and servers.

7 SMB port access and RDP (Remote Desktop Protocol) to all computers from the internet. Port  445 and 139 for SMB and 3389 for RDP should be blocked.

8 Strictly adhere to the NAC policy to restrict devices on network. Ensure updated AV and patch before connecting to the network.

9 Block domains which are high risk at gateway level. Refer Annexure1.

10 Disable SMB on end of life systems and harden the same before connecting on network.

11 Disable office macros through a group policy.

12 Backup all critical data or data of critical users on centralized system

13 Stop granting any privilege access to users who want to run an unknown program as an administrator.

14 SOC (Security Operation center) team to be on high alert and monitor and block all suspicious activities.

15 Ransomware Attack – Advisory awareness mailer to all users and Leadership.

What if you are already infected?

If you notice that you are a victim of this ransomware. Follow these steps immediately to

reduce the impact:

  1. Disconnect all network connections and external storage immediately.
  2. Inform your IT Or Infosec team
  3. Do not pay any ransom to the hacker as this will fuel the illegal ecosystem and there is no guarantee that you will get the data back.
  4. Safeguard and keep your backups ready before experts assist you.


  • Indicators of compromise (IOCs)

File names

d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa b.wnry

055c7760512c98c8d51e4427227fe2a7ea3b34ee63178fe78631fa8aa6d15622 c.wnry

402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c r.wnry

e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b s.wnry

4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 taskdl.exe

2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d taskse.exe

97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6 t.wnry

b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 u.wnry

  • Domain to be blocked or watched.

domain – 57g7spgrzlojinas.onion
domain – 76jdd2ir2embyv47.onion
domain – cwwnhwhlz52maqm7.onion
domain – gx7ekbenv2riucmf.onion
domain – sqjolphimrr7jqw6.onion
domain – xxlvbrloxvriy2c5.onion)

  • CnC IP addresses be blocked or watched

  • Known hash values
























Excellent reference and advisory:

  1. CERT‐In is constantly updating its webpage, please refer for latest update: http://www.cyberswachhtakendra.gov.in/alerts/wannacry_ransomware.html
  2. Windows OS Update: In order to prevent infection, users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17‐ 010. https://technet.microsoft.com/library/security/MS17‐010/

Microsoft has released SMB patch update for unsupported Windows Versions  ‐  XP, Vista, 8, Server 2003, 2008, etc. http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

  1. If you are not infected then try out NoMoreCry CCN-CERT’s tool to prevent the execution of the ransomware WannaCry

This tool is available to all organisations that need to use it. It creates a mutex (mutual exclusion algorithm) on the computer that prevents the execution of the malicious code WannaCry 2.0. It is important to note that this tool is Not intended to clean compromised machines.

CCN-CERT indicates that the tool should be run after each restart. This process can be automated by modifying the Windows registry or through the implementation of the proper policies in the domain

This tool works on all versions of Windows.

CCN-CERT NoMoreCry Tool is located in CCN-CERT’s cloud, LORETO. In this location there is also available a complementary Script that prevents the execution of the malware on Windows computers in English and Spanish.

Further information on:

CCN-CERT NoMoreCry and script


CCN-CERT Press Release


Generic Prevention Tools (As Recommended by Cert‐In) :  Sophos: Hitman.Pro∙ https://www.hitmanpro.com/en‐us/surfright/alert.aspx  Trendmicro Ransomware Screen Unlocker tool:∙ https://esupport.trendmicro.com/en‐us/home/pages/technical‐support/1105975.aspx  Microsoft  Enhanced mitigation and experience toolkit(EMET)∙ https://www.microsoft.com/en‐us/download/details.aspx?id=50766

If you have a viewpoint, best practice guide, guideline against Ransomware, this is the right time. reach out to us. Send in your writeup to [email protected]

If you have an interesting article / experience / case study to share, please get in touch with us at [email protected]

Get real time updates directly on you device, subscribe now.


Subscribe to our newsletter
Sign up here to get the latest news, updates delivered directly to your inbox.
You can unsubscribe at any time

Join Our Newsletter Today!

Stay updated with all latest updates from the world of Business Technology, get exclusive invites to our upcoming events & much more.
Subscribe Now!