Knowledge Base

How a Managed Services Approach to Ransomware Protection Would Have Blocked WannaCry

June 7th, 2017

by Nick Seal, Practice Director, Managed Services;  Terry McBride Sr. Sales Executive


Beginning on May 12, 2017, in more than 150 countries around the world, business operations for companies of all shapes and sizes ground to a halt.  Over 230,000 computers were infected in only a few days by a particularly malicious crypto-worm known as WannaCry.  Despite protections that blocked initial versions of the worm, even some of the largest corporate entities across Europe were eventually breached by later permutations.  In addition to thousands of smaller companies, victims of this attack included the British National Health Service, FedEx, Telefonica Spain, and Deutsche Bahn.

WannaCry utilized a Windows Server Message Block (SMB) exploit, a known issue that had been addressed by Microsoft in March of 2017 with a security patch.  However, due primarily to lax approaches to Endpoint Security and Patch Management, millions of machines around the world remained unpatched and vulnerable to the worm which, once inside, encrypted critical client data and demanded payment for its release.  The propagation of WannaCry became so severe that Microsoft broke corporate protocol to release a critical security patch for unsupported systems still running on Windows XP and Windows 2003.


Hundreds of Billions or Trillions; Cyber-Crime will cost the global economy dearly.


New malware and worms are released “into the wild” on a daily basis.  Even in the short weeks since WannaCry, two major pieces of malware, Fireball and EternalRocks propagated using similar exploits.  In the case of WannaCry, a hacking group known as the Shadow Brokers leaked the Windows exploit, which was discovered originally by the United States’ National Security Agency (NSA), but not reported to Microsoft.  It is believed that the Shadow Brokers group first learned of the exploit when it was revealed in a large dump of NSA tools by Wikileaks.  While analysts’ estimates vary greatly,  it is a certainty that the next 5 years will carry a cost of many billions, or even several trillions of dollars.  Considering the current estimated value of the global economy is only 78 trillion dollars, the implication is clear.

The nature of worms such as WannaCry is that they can cause a major security breach via even a single vulnerable machine on a network.  There was already a two-month old security patch from Microsoft when WannaCry began to spread in mid-May.  However, unless machines were fully patched from that version forward, they were left critically vulnerable.  While device-based edge security is a common area of focus, companies typically do not work proactively at aggressively patching and securing end-points, because it can be a cumbersome difficult task that is time-consuming for any size IT team.


CIS takes a layered pro-active approach to help clients protect themselves as much as possible from the next malware/ransomware outbreak.


The CIS Managed Services team takes a security-oriented pro-active approach to managing the endpoint.  CIS engineers and technicians work with clients to make recommendations on what can be reasonably done to mitigate the likelihood of falling victim to an attack.  CIS experts continually monitor the state of global malware attacks, as well as work with organizations such as Microsoft when critical patches are released.  As part of the Managed Services program, the CIS team works with clients to regularly review and update patches to the most current secure version.  As one of the most popular attack vectors centers around the user, not the machine, end-user training and awareness seminars are an added service that significantly improves client’s odds of avoiding the next attack.

CIS takes a layered approach to management and security of the endpoint.  Among the first tasks for any new managed services client is a full review of the entire environment, with the goal of creating a common baseline of software versions, patches, and security.

Supported Software:  CIS recommends that clients use only manufacturer-supported software that gets security updates, such as Windows 10 and Windows Server 2016.  This also extends to 3rd party software such as modern versions of line-of-business applications.  If there are any machines that use Windows XP, Windows 2003, or other non-supported Operating Systems, they must be replaced or upgraded immediately.

Patching: CIS’ approach to patch management is that monthly is good, weekly is better, and daily is best.  While daily patching is not practical for all organizations, CIS strongly recommends setting up at least monthly patch cycles for workstations and servers.  Companies following this simple rule in March would have been completely protected from WannaCry in May.

Email Protection:  All email must be filtered and scanned, at a minimum by native tools within a service such as Microsoft Office 365 or Google Apps, but ideally utilizing additional layers of protection such as MimeCast or SpamStopsHere.  All links in emails should be scanned to ensure that they are not hiding malicious executable code.  End user IT Security Best Practices education should be rigorous and continual.

Anti-Virus:  CIS recommends anti-virus solutions that are not reliant on public definitions, as many traditional anti-virus products are.  When a new virus is released, if the A/V application doesn’t have a definition for it already it will be vulnerable, this is known as a zero-day attack.  CIS recommends a specific Anti-Virus product, which will not be named here, in the interest of client security, which is cloud-based and uses behavior analysis, rather than definitions, to identify malware and viruses, as it scans everything in use.

Anti-Malware:  All CIS Managed Services clients receive an additional layer of protection with an Anti-Malware platform that does utilize definition-based scans, as a secondary protocol, in the event that the primary cloud-based A/V application does miss something.

Edge Appliance:  Depending on the size and operational budget of a client, CIS recommends either SonicWALL or Cisco current-generation firewalls, with full security services, to block malicious code before it gets to the network.

End-Users:  User behavior and training can have a huge impact on security.  Supporting users directly and regularly conducting best practices seminars and hands-on training can help ensure users are following smart computing practices.

Security Testing – In addition to the standard pro-active services provided by the Managed Services team, CIS has a Network Security focused team that conducts high-level network penetration testing, vulnerability analysis, phishing and spear-fishing testing, and other social engineering, to help ensure that security standards are met or exceeded.

While there may be no such thing as TOTAL security, CIS’ philosophy is that if breaching the network is made difficult enough, the odds are strongly in your favor that the attack will simply move along to the next potential victim.  Taking a Managed Services approach to endpoint and network security will help ensure that critical company data is protected against attack vectors of all sorts.