Restarting the initially infected machine, however, will trigger the LAN scanning routine again. Fortunately, WannaCry has a "kill switch". Part of WannaCry's infection routine involves sending a request that checks whether a particular URL/domain is live. If the request returns showing that the URL is alive or online, the kill switch activates: WannaCry exits on the system and does not proceed with its propagation and encryption routines. Thus, even if the infected machine restarts, the kill switch will prevent WannaCry from performing its routines on it.
This shouldn't be taken for granted, however. The kill switch can serve either as a window of opportunity or as a window of exposure, depending on what is done with the time it buys. IT/system administrators must patch and update their systems at this point.
What if WannaCry is already in the system?
What happens if the machine is already infected? If mssecvc.exe, one of WannaCry's components, is already in the system, the kill switch, as long as it is there, will prevent WannaCry's encrypting component from being dropped on the vulnerable machine. IT/system administrators and InfoSec professionals can still carry out the necessary incident response and remediation tasks, updating and patching the system in particular.
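As an added example (not code from the original Trend Micro article), here is a small Python triage routine that reads proxy log lines and lists the internal hosts that made the kill-switch request, i.e. the hosts on which WannaCry already ran and which need patching. The kill-switch domain, the log format, the sample lines and the rule that a 2xx response counts as the URL being "alive" are all assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Placeholder: the page does not name the kill-switch domain; substitute the
# real value from your threat intelligence source.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample proxy log (not real data). Format assumed here:
# timestamp client_ip method url status
SAMPLE_PROXY_LOG = """\
2017-05-12T10:01:03Z 10.0.5.21 GET http://intranet.example/ 200
2017-05-12T10:01:09Z 10.0.5.44 GET http://killswitch-domain.example/ 200
2017-05-12T10:02:15Z 10.0.5.44 GET http://killswitch-domain.example/ 200
2017-05-12T10:03:40Z 10.0.7.12 GET http://killswitch-domain.example/ 403
2017-05-12T10:04:02Z 10.0.5.21 GET http://updates.example/patch 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status)}


def find_kill_switch_checks(log_text, domain=KILL_SWITCH_DOMAIN):
    """Group kill-switch requests by client host. Any request at all means the
    host executed WannaCry's check and is infected. Assumption for this example:
    a 2xx is the 'alive' answer that makes WannaCry exit; anything else (for
    instance a proxy block) means the kill switch did not fire on that host."""
    results = defaultdict(lambda: {"exited": 0, "blocked": 0, "first_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (urlparse(rec["url"]).hostname or "").lower() != domain:
            continue
        entry = results[rec["client"]]
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
        if 200 <= rec["status"] < 300:
            entry["exited"] += 1
        else:
            entry["blocked"] += 1
    return dict(results)


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return (hosts where the kill switch fired, hosts where the check failed).
    Both lists are infected hosts to patch; the second list is the urgent one."""
    checks = find_kill_switch_checks(log_text, domain)
    fired = sorted(h for h, e in checks.items() if e["exited"] and not e["blocked"])
    failed = sorted(h for h, e in checks.items() if e["blocked"])
    return fired, failed
```

Hosts in the second list never received the "alive" answer, so on them the kill switch offers no protection and remediation cannot wait.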
Patch your systems and implement best practices.
WannaCry underscores the importance of keeping systems and networks regularly patched and updated. Threats like WannaCry abuse vulnerabilities to penetrate security gaps in an organization's perimeter. This is compounded by the window of exposure between exploitation and the release of a patch: the longer systems and networks remain vulnerable, the more time attackers have to exploit them. Organizations must balance the need to maintain business operations with the need to secure them.
Indeed, keeping attackers at bay is always a race against time for many enterprises. A defense-in-depth approach combining proactive security mechanisms, robust IT policies, and strong security posture in the workplace can help deter threats like WannaCry.
This article was originally published by Trend Micro and has been republished with permission.