Ward Solutions Update II - Security Advisory Notice: Ransomware WannaCry

Security Advisory Notice – Ransomware WannaCry – Ward Solutions Update II

Issued by Ward Solutions Security Operations Centre

May 15, 2017


Following on from our Security Advisory Notice – Ransomware of 12th May 2017, we have additional vendor-specific recommendations that may be applicable to your environment, as listed below.



Ensure systems are patched for MS17-010 and disable the outdated SMBv1 protocol.

Microsoft have taken the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.


Relevant links to patches via:

Customer Guidance for WannaCrypt attacks



Create a custom access rule in AV to block the *.wcry, *.wnry, *.wncryt and *.wncry extensions, or create the rule on your email gateway/IPS so that it quarantines all attachments with the *.wcry, *.wnry, *.wncryt and *.wncry extensions.
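
An added example (not part of the original advisory, and not Ward Solutions' or any vendor's code): a Python version of the gateway-side check described above, which flags attachments whose names match the listed extensions. The function names, sample addresses and sample attachment names are constructed for illustration; AV products and mail gateways express the same rule in their own policy syntax.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from fnmatch import fnmatchcase

# Extension patterns exactly as listed in the advisory.
BLOCKED_PATTERNS = ("*.wcry", "*.wnry", "*.wncryt", "*.wncry")


def is_blocked(filename: str) -> bool:
    """True if an attachment name matches one of the advisory's patterns."""
    # Windows drops trailing dots/spaces when saving a file, so strip them
    # first; compare in lower case because the match must ignore case.
    name = filename.strip().rstrip(". ").lower()
    return any(fnmatchcase(name, pattern) for pattern in BLOCKED_PATTERNS)


def blocked_attachments(raw_message: bytes) -> list:
    """Return the attachment filenames in a raw message to quarantine."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also visits nested multipart parts
        filename = part.get_filename()  # decodes RFC 2231 encoded names
        if filename and is_blocked(filename):
            hits.append(filename)
    return hits


def build_sample_message() -> bytes:
    """Constructed sample: one harmless attachment and two that match."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed test message"
    msg.set_content("See attached.")
    for name in ("notes.txt", "Invoice.WNCRY", "archive.wnry."):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in blocked_attachments(build_sample_message()):
        print("quarantine:", name)
```

The rule matches on the final extension only, so a name such as report.wncry.pdf is not flagged; extension blocking complements patching and SMBv1 removal rather than replacing them.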


Firewalls / IPS

We recommend blocking the following IP addresses in / out on perimeter firewalls (recommendation from eGov Networks):


We recommend blocking the following IP addresses in / out on perimeter firewalls (recommendation from various sources, i.e. McAfee, Payload Security, Cisco Talos etc.):


Key Reminders:


As recent news indicates, WannaCry may potentially change variant and continue to breach organisations' defences, so here are key reminders on the basics of protecting against ransomware:


  • New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
  • Keep operating systems and other software updated.
  • Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments. Ensure all staff are reminded to be extra vigilant.
  • Be extremely wary of any Microsoft Office email attachment that advises to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
  • Backing up important data is the single most effective way of combating and recovering from a ransomware infection. Ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.
  • Isolate unpatched systems from the larger network.
  • Ensure that access to files and fileshares is on a least-privilege basis.


What Makes WannaCry Notable


While WannaCry (WanaCrypt or Wcry) is ransomware that works like other malware of its type, it has a few additional intricacies that highlight just how sophisticated ransomware is becoming:

  • Technically, the WannaCry ransomware behaves like many other similar malware, but with the additional ability to leverage an SMB exploit to worm its way through a network and infect numerous users.
  • The malware is built on a leaked exploit; leaked exploits often give rise to malicious actors utilising them for ill gain, as on this occasion.
  • The malware uses strong symmetric encryption employing an RSA 2048-bit cipher to encrypt files.
  • The malware's architecture is modular, so more than likely this malware was produced by a group rather than an individual actor.


Further information on the WannaCry Ransomware and how it works can be found at:


If you would like additional information or would like support in implementing preventative measures in your environment, please call us at +353 1 642 0100 or +44 (0) 28 9073 0188 e-mail us at or, as appropriate.