How To Detect WannaCry On Your Server

by Sunny Hoi

WannaCry (also known as WannaCrypt) refers to the latest ransomware attack that has impacted over 100 countries and devastated many businesses. The malware is parallel to other ransomware since it encrypts local files with 2048-bit RSA encryption, prompting a $300 ransom payment to decrypt the files.

Frustratingly, the ransom fee doubles if the victim affected by the ransomware takes too much time to decide.

This new attack utilizes leaked NSA code that exploits SMBv1 (Server Message Block), furnishing as a significant asset for attackers. The SMBv1 protocol is obsolete, but several Windows network administrators leave the protocol enabled by default.

Additionally, WannaCry reproduces to network shares. Hence it proliferates swiftly, especially on local enterprise networks. The authors of WannaCry have made at least $70,000 in ransom fees from victims.

WannaCry can be detected by monitoring network traffic. Unknowingly, you could be hosting WannaCry on your servers. The good news is that you can stop WannaCry from being the root cause of pivotal downtime on your network by using monitoring software.

WannaCry serves as an ideal example of why you should always implement some sort of monitoring system. The reason is simple: Monitoring software helps in detection and stopping malicious network traffic.

If you are fortunate enough to have a running server still then you are capable of detecting WannaCry before it encrypts your software.

Below are some basic events that you may monitor:

File create or rename events

Using SMBv1 to access file shares

DNS lookup events for a specific domain

Outbound traffic on TCP port 445


Since WannaCry encrypts files, it generates new versions of your documents, keeping them on the server.

If auditing is set up on the file shares, then you shall be capable of analyzing logs to detect the ransomware.

WannaCry creates files using the subsequent extensions:






If you see these files on your system, then there is a strong possibility that WannaCry has already encrypted some of your documents.

You may proceed by scanning the entire network for these files to pinpoint whether it has infected your systems.

SMBv1 ought to be disabled on your network. Keep it mind that it is common to have SMBv1 enabled by default. SMBv1 uses TCP port 445. Thus you can identify any abnormal network traffic on your routers. Make sure to log any attempts to connect to shares utilizing port 445. With this, you can discover if a machine is truly infected. If you are running a Windows server, you may also detect port 445 traffic employing Windows Firewall.

WannaCry tries to connect to the domain This domain is retained as a kill switch if the attacker calls for the ransomware to stop functioning. A security researcher registered the domain which puts an end to the program from replicating.

Any DNS queries for the aforementioned domain can be detected either on your own network or on DNS servers if you host your service. The hosting provider may try to notify you if they discover numerous queries on their DNS servers originating from your network. Nevertheless, it is recommended that you keep looking for these queries by yourself.

The best way to defend and protect against WannaCry is patching your servers. Since WannaCry targets Windows servers, it is imperative to update the operating system and disable SMBv1. Microsoft has taken a preventive measure by releasing a Windows Defender signature to stop WannaCry from running on your system.


As WannaCry quickly duplicates, it’s essential you continuously monitor for the dangerous ransomware. The sooner you stop it, the better.

Related Posts