On May 12, 2017, WannaCry spread to more than 150 countries and hit over 200,000 computers. The British NHS healthcare system was paralyzed, Renault production lines stopped. We were lucky — but luck isn’t a strategy. Here’s what we did to not rely on chance next time.
How WannaCry Worked
WannaCry wasn’t sophisticated malware. It was effective because it combined two things: the EternalBlue exploit (a vulnerability in the Windows SMBv1 protocol, MS17-010) and a worm mechanism that propagated across the network automatically, without any user interaction.
EternalBlue was originally developed by the NSA and was leaked by the Shadow Brokers group in April 2017. Microsoft released a patch (MS17-010) back in March — a month before the leak and two months before the attack. Yet hundreds of thousands of systems remained unpatched.
The infection process was brutally simple: WannaCry scanned the network on port 445 (SMB), exploited the vulnerability, encrypted files using AES-128 and RSA-2048, and displayed a ransom demand of $300 in Bitcoin. After three days, the ransom doubled.
Why It (Almost) Didn’t Affect Us
We had two advantages: most of our servers run on Linux and internal Windows workstations had current patches. But “almost” is the key word. One test server with Windows Server 2008 R2 in an isolated VLAN didn’t have the patch. Fortunately, it was truly isolated — network segmentation worked exactly as it should.
This incident, however, forced us to reconsider our entire security approach. We relied on “our admins patch on time.” That’s not a system, that’s hope.
Patch Management — The Foundation Companies Ignore
The statistics are alarming: the average time between critical patch release and its application in enterprise environments is 100–120 days. WannaCry showed that attackers actively exploit this gap.
What we implemented:
- Automatic patching for workstations — WSUS with automatic approval of critical and security updates. No waiting for manual review.
- Patch window for servers — every Wednesday night, approved patches are deployed automatically to staging; after validation, they go to production on Friday. Maximum 7 days from release.
- Vulnerability scanning — Nessus scans the entire network once a week. Results go directly to the ticketing system. Critical vulnerabilities have a 48-hour SLA.
- Inventory — we know what’s running on the network. No “forgotten” test servers. Asset management in CMDB, regular audits.
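The 48-hour and 7-day SLAs above only mean something if every finding gets a deadline and someone sees what is overdue. This is an added example written for this article, not the company’s own tooling: it turns scan findings into one ticket per host and check, assigns the deadline from the severity, ignores the weekly re-detections of the same finding so the original deadline sticks, and lists what is overdue. The finding format, host names and the severity-to-SLA mapping are constructed assumptions.

```python
"""Added example (not the company's own tooling): scan findings -> tickets with
SLA deadlines -> overdue report. Finding format, host names and the
severity-to-SLA mapping are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed mapping: critical findings within 48 hours, everything else within
# the weekly patch window (7 days).
SLA_HOURS = {"critical": 48, "high": 7 * 24, "medium": 7 * 24, "low": 7 * 24}


@dataclass
class Finding:
    host: str
    plugin: str        # scanner check name, e.g. the MS17-010 detection
    severity: str
    first_seen: datetime


@dataclass
class Ticket:
    host: str
    plugin: str
    severity: str
    due: datetime


def open_tickets(findings):
    """One ticket per (host, plugin); due = first_seen + SLA for the severity.
    A weekly scan reports the same finding again; the original deadline is kept."""
    tickets = {}
    for f in findings:
        key = (f.host, f.plugin)
        if key in tickets:
            continue
        sla = timedelta(hours=SLA_HOURS.get(f.severity, 7 * 24))
        tickets[key] = Ticket(f.host, f.plugin, f.severity, f.first_seen + sla)
    return list(tickets.values())


def overdue(tickets, now):
    """Tickets whose deadline has passed, earliest deadline first."""
    return sorted((t for t in tickets if now > t.due), key=lambda t: t.due)


def overdue_hosts(findings, now_iso):
    """Host names with an overdue ticket at the given ISO-8601 UTC instant."""
    now = datetime.fromisoformat(now_iso)
    return [t.host for t in overdue(open_tickets(findings), now)]


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample findings (not real scanner output).
SAMPLE = [
    Finding("ws-0142", "MS17-010 SMBv1 RCE", "critical", _utc(2017, 5, 15, 9, 0)),
    Finding("ws-0142", "MS17-010 SMBv1 RCE", "critical", _utc(2017, 5, 22, 9, 0)),  # re-detected a week later
    Finding("srv-test-08", "MS17-010 SMBv1 RCE", "critical", _utc(2017, 5, 15, 9, 0)),
    Finding("srv-db-01", "Outdated OpenSSL", "medium", _utc(2017, 5, 15, 9, 0)),
]

if __name__ == "__main__":
    for host in overdue_hosts(SAMPLE, "2017-05-18T12:00:00+00:00"):
        print("OVERDUE:", host)
```

In practice the findings come from the scanner export and the tickets go to the ticketing system; the part worth keeping is the deduplication on (host, check), because without it every weekly scan resets the clock and nothing is ever overdue.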
Network Segmentation — First Line of Defense
WannaCry spread through networks like wildfire. Flat network = total devastation. Segmented network = limited impact. Our test server with Windows 2008 survived precisely due to segmentation.
Basic principles we follow:
- VLANs by function: servers, workstations, management, DMZ, IoT — each segment in a separate VLAN.
- Firewall between segments: a workstation doesn’t need SMB access to another workstation. We only allow what’s explicitly needed.
- Micro-segmentation: for critical systems (databases, backup servers) we go even more granular. Access is allowed only from defined IP addresses to defined ports.
- SMB blocking: port 445 is blocked on the perimeter and between segments where it’s not needed. Internally we allow SMBv3 with encryption.
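The four principles above fit into one model: a default-deny policy between segments, with host-level rules for the critical systems and every SMB opening on a list that has to be justified. This is an added example, not the company’s actual firewall configuration; the segment ranges, host addresses and rules are constructed.

```python
"""Added example, not the company's firewall policy: a default-deny model of
inter-segment rules plus a lint that lists every rule opening SMB (TCP/445).
Segment ranges, host addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segment plan: one VLAN per function.
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/16"),
    "servers":      ip_network("10.20.0.0/16"),
    "backup":       ip_network("10.30.0.0/24"),
    "management":   ip_network("10.99.0.0/24"),
    "dmz":          ip_network("192.168.100.0/24"),
    "iot":          ip_network("10.50.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: str            # segment name, or "host:<ip>" for a micro-segmentation rule
    dst: str            # same
    port: int
    proto: str = "tcp"


# Explicit allow list; any flow not matched here is denied.
ALLOW = [
    Rule("workstations", "servers", 443),
    Rule("workstations", "servers", 445),              # file shares only; SMBv3 with encryption on the servers
    Rule("management", "servers", 22),
    Rule("management", "backup", 22),
    Rule("host:10.20.5.10", "backup", 9102),           # only the backup master reaches the backup VLAN
    Rule("host:10.20.1.20", "host:10.20.5.50", 5432),  # only the app server reaches the database
]
# The same policy with a rule nobody should approve; used to show what the lint reports.
RISKY = ALLOW + [Rule("workstations", "workstations", 445)]


def segment_of(ip):
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), None)


def _matches(spec, ip, segment):
    return spec == segment or spec == f"host:{ip}"


def is_allowed(src_ip, dst_ip, port, proto="tcp", rules=ALLOW):
    """Default deny. A flow passes only if a rule matches source and destination
    (by segment or exact host), protocol and port. Traffic inside one segment
    gets no implicit trust either: workstation-to-workstation SMB is denied
    unless it is listed."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return False
    return any(
        _matches(r.src, src_ip, src_seg) and _matches(r.dst, dst_ip, dst_seg)
        and r.port == port and r.proto == proto
        for r in rules
    )


def smb_exposure(rules):
    """Lint: every rule that opens TCP/445, workstation-to-workstation first,
    because that is the path a worm like WannaCry spreads along."""
    smb = [r for r in rules if r.port == 445 and r.proto == "tcp"]
    return sorted(smb, key=lambda r: 0 if r.src == r.dst == "workstations" else 1)


if __name__ == "__main__":
    for r in smb_exposure(RISKY):
        print(f"SMB open: {r.src} -> {r.dst}")
```

One caveat the model hides: a firewall between VLANs never sees traffic between two hosts in the same VLAN, so denying workstation-to-workstation SMB in practice means the host firewall on each workstation (or private VLANs on the switch), not only the perimeter rule set.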
Backup Strategy — Last Resort
If ransomware gets through all defense layers, backups are the only hope. But beware — WannaCry and its successors actively search for and encrypt backups too. Shadow copies? Deleted. Network drives? Encrypted. NAS connected via SMB? Encrypted.
The 3-2-1 rule is the minimum:
- 3 copies of data (original + 2 backups)
- 2 different media (disk + tape / cloud)
- 1 offline / offsite copy (not connected to network)
We added a fourth rule: regularly test restore. A backup you can’t restore data from is worthless. Every month we do a restore test of a randomly selected system. We measure RTO (Recovery Time Objective) and compare against SLA.
# Automatic backup restore test - 03:00 on the 1st of every month
# (crontab has no backslash line continuation; the whole entry must stay on one line)
0 3 1 * * /opt/scripts/backup-restore-test.sh --random-system --verify-checksums --report-to [email protected]
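The cron entry calls a script the article doesn’t show. As an added example (not that script and not the company’s code), here is the logic such a test needs: pick a system, restore its archive into a scratch directory, verify every file against the SHA-256 manifest recorded at backup time, and measure the RTO against an SLA. The systems, file contents and SLA value are constructed.

```python
"""Added example, not /opt/scripts/backup-restore-test.sh: restore a backup into
a scratch directory, verify every file against the backup-time SHA-256
manifest, and report measured RTO against an SLA. Systems, files and the SLA
value are constructed."""
import hashlib
import io
import random
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(files):
    """Build a gzip tar archive in memory plus the checksum manifest that goes
    with it. `files` maps a relative path to its bytes. Returns (archive, manifest)."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def restore_and_verify(archive, manifest, rto_sla_seconds):
    """Restore into a scratch directory, hash every restored file against the
    manifest and time the whole operation. 'ok' is True only when nothing is
    missing or corrupt and the measured RTO is inside the SLA."""
    start = time.monotonic()
    missing, mismatched = [], []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():      # refuse absolute or parent-relative paths
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    raise ValueError(f"unsafe path in archive: {member.name}")
            tar.extractall(scratch)
        for name, expected in manifest.items():
            restored = Path(scratch) / name
            if not restored.is_file():
                missing.append(name)
            elif sha256_file(restored) != expected:
                mismatched.append(name)
    rto = time.monotonic() - start
    return {"missing": missing, "mismatched": mismatched, "rto_seconds": rto,
            "within_sla": rto <= rto_sla_seconds,
            "ok": not missing and not mismatched and rto <= rto_sla_seconds}


# Constructed systems and file contents; a real test reads the backup catalog.
SYSTEMS = {
    "srv-db-01":  {"etc/postgresql.conf": b"max_connections = 200\n",
                   "data/base.dat": bytes(range(256)) * 64},
    "srv-web-02": {"etc/nginx.conf": b"worker_processes 4;\n",
                   "www/index.html": b"<h1>ok</h1>\n"},
}


def monthly_restore_test(rto_sla_seconds=4 * 3600, rng=random):
    """Pick a random system (the --random-system idea), back it up, restore and verify."""
    system = rng.choice(sorted(SYSTEMS))
    archive, manifest = make_backup(SYSTEMS[system])
    result = restore_and_verify(archive, manifest, rto_sla_seconds)
    result["system"] = system
    return result


if __name__ == "__main__":
    r = monthly_restore_test()
    print(f"{r['system']}: ok={r['ok']} rto={r['rto_seconds']:.3f}s "
          f"missing={r['missing']} mismatched={r['mismatched']}")
```

The manifest is the important part: a restore that completes without errors proves nothing if the data on the restored disk is not what was backed up, which is exactly what an archive silently overwritten or encrypted by ransomware looks like.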
Endpoint Protection — Antivirus Isn’t Enough
Traditional signature-based antivirus caught WannaCry only after several hours — until then, no signature was available. That’s why we’re moving to EDR (Endpoint Detection and Response) solutions that detect suspicious behavior independently of signatures.
What EDR can do that antivirus can’t:
- Detection of mass file encryption (behavioral analysis)
- Blocking communication with C2 servers
- Real-time isolation of infected endpoint from network
- Forensic data for post-incident analysis
We deployed CrowdStrike Falcon on all endpoints. It’s not cheap, but one ransomware incident costs orders of magnitude more — the average cost of a data breach in 2017 was $3.62 million according to the Ponemon Institute.
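“Detection of mass file encryption” is easy to say; this added example shows what a behavioral rule of that kind does. It is not CrowdStrike Falcon’s or any vendor’s logic. Per process it counts files rewritten with near-random content inside a sliding window and raises an alert when the count crosses a threshold; known backup and compression tools are allowlisted because they legitimately write high-entropy data, which is the usual false-positive source. The thresholds, process names and event log are constructed.

```python
"""Added example, not any vendor's detection logic: a behavioral rule for mass
file encryption based on write rate and content entropy per process.
Thresholds, process names and the event log are constructed."""
import math
from collections import defaultdict, deque


def shannon_entropy(data):
    """Bits per byte: text/config land around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class MassEncryptionDetector:
    def __init__(self, window_s=60.0, min_files=20, min_entropy=7.5, allow_images=()):
        self.window_s = window_s
        self.min_files = min_files
        self.min_entropy = min_entropy
        self.allow_images = set(allow_images)
        self._recent = defaultdict(deque)   # pid -> deque of (timestamp, path) for suspicious writes
        self.alerts = []

    def feed(self, ev):
        """ev: {'ts', 'pid', 'image', 'op', 'path', 'data'}; returns an alert dict
        when the rule fires for this process, otherwise None."""
        if ev["op"] != "write" or ev["image"] in self.allow_images:
            return None
        if shannon_entropy(ev["data"]) < self.min_entropy:
            return None                      # ordinary document saves are not counted
        q = self._recent[ev["pid"]]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > self.window_s:
            q.popleft()                      # drop writes that fell out of the window
        distinct = {path for _, path in q}
        if len(distinct) < self.min_files:
            return None
        alert = {"pid": ev["pid"], "image": ev["image"], "files": len(distinct),
                 "first_ts": q[0][0], "last_ts": ev["ts"]}
        self.alerts.append(alert)
        q.clear()                            # one alert per burst; endpoint isolation would start here
        return alert


# Constructed payloads: a byte pattern with a perfectly flat histogram (8.0 bits/byte)
# stands in for ciphertext, a repeated sentence for an ordinary document.
HIGH_ENTROPY = bytes((i * 239 + 13) % 256 for i in range(4096))
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat.\n" * 90


def _writes(pid, image, t0, paths, data):
    return [{"ts": t0 + i, "pid": pid, "image": image, "op": "write", "path": p, "data": data}
            for i, p in enumerate(paths)]


# Constructed event log (not real EDR telemetry): a word processor saving
# documents, a backup agent writing compressed chunks, and an unknown process
# rewriting the documents with random-looking content one per second.
SAMPLE_EVENTS = (
    _writes(100, "winword.exe", 0.0, [f"C:/Users/alice/Documents/report{i}.docx" for i in range(30)], PLAINTEXT)
    + _writes(300, "backup-agent.exe", 0.0, [f"D:/backup/chunk{i}.gz" for i in range(30)], HIGH_ENTROPY)
    + _writes(200, "unknown.exe", 100.0, [f"C:/Users/alice/Documents/report{i}.docx.locked" for i in range(25)], HIGH_ENTROPY)
)


def run_sample():
    det = MassEncryptionDetector(allow_images={"backup-agent.exe"})
    for ev in SAMPLE_EVENTS:
        det.feed(ev)
    return det.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT pid={a['pid']} image={a['image']} {a['files']} files rewritten in "
              f"{a['last_ts'] - a['first_ts']:.0f}s")
```

The trade-off is visible in the constants: a lower file threshold catches the burst sooner but makes allowlisting of backup, archiving and database processes mandatory, otherwise the rule pages someone every night.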
Incident Response Plan
Before WannaCry we had a “plan” — three paragraphs in the internal wiki that nobody read. Now we have a real runbook:
- Detection: alert from EDR, SIEM, or user report. Escalation within 15 minutes.
- Containment: isolation of affected segment. Network team has authority to disconnect VLAN without management approval.
- Analysis: identification of attack vector, scope of compromise, malware type.
- Eradication: malware removal, vulnerability patching, reset of compromised credentials.
- Recovery: restore from backups, data integrity verification, gradual service activation.
- Lessons learned: post-mortem within 5 business days. What failed, what worked, what we’ll change.
Key point: don’t pay the ransom. There’s no guarantee you’ll get the key. You’re financing criminal activity. And you’ll become known as “a company that pays” — and become a target again.
Human Factor
WannaCry spread automatically, but most ransomware comes through phishing. An employee opens an attachment, clicks a link, and it’s done. That’s why we do regular phishing simulations — once a quarter we send a test phishing email and measure how many people click.
After the first test, 34% of employees clicked. After a year of training and regular simulations, we’re at 8%. The goal is under 5%. Security awareness isn’t a one-time training — it’s a continuous process.
Ransomware Isn’t a Question of “If” but “When”
WannaCry was a wake-up call. For us and for the entire industry. Patch, segment, backup, test recovery, train people. None of these things are new or surprising. But WannaCry showed that most companies don’t do them. Don’t be most companies.