Over the weekend, one of the nastiest worms began spreading on the Internet. It is still unclear how it started spreading, whether via phishing mail or something else, but it has done a lot of damage and will probably keep doing so in the coming weeks. While the best strategies are obviously patching the vulnerable systems and having a very good backup policy, internal network control can help you reduce its impact.

The good guys at Payload Security made an excellent analysis and discovered that, at least for the 12th May version, the infected machine contacts a list of 13 hosts on the Internet.

The list of systems, as reported on their site, is the following:

62.138.7.231 # WannaCry Telefonica
163.172.153.12 # Wannacry UK
163.172.185.132 # Wannacry UK
83.162.202.182 # Wannacry Netherlands XS4ALL ASN 3265
50.7.151.47 # Wannacry IS COGENT ASN 174
94.23.13.93 # Wannacry France OVH
217.172.190.251 # Wannacry Intergenia AG ASN 8972
136.243.176.148 # Wannacry Hetzner Online AG ASN 24940
178.62.173.203 # Wannacry EU Digital Ocean ASN 200130
185.97.32.18 # Wannacry Sweden
163.172.35.247 # Wannacry UK
171.25.193.9 # Wannacry Sweden ASN 198093
213.61.66.116 # Wannacry Germany COLT ASN 8220

You can obviously stop it at the firewall, but with a solution like Fl0wer you can use a Lua script (which you can change on the fly if you have Lua enabled) to alert you in real time if any of your internal hosts tries to contact the IP addresses listed above (unless you like continuously checking your firewall logs).

A quickly edited, raw example script is available here; customize it to your needs and refer to the User Manual! I didn't test it since it's late at night, but it should work even with the evaluation version.

This is probably not the solution you are looking for, but hey, it can help you limit the infection!
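
The same check can also be run offline over exported flow records. The following Python is an added example, not the Fl0wer Lua script mentioned above and not using Fl0wer's scripting API: it parses the "address # label" list format shown earlier and reports each internal host that contacted a listed address. Assumptions: internal hosts are in RFC 1918 ranges, flow records are reduced to (source, destination) pairs, and the sample flows are constructed.

```python
import ipaddress

# Assumption: "internal" means RFC 1918 space; adjust to your own ranges.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Three entries copied from the list in the post, spacing before '#' as published.
WATCHLIST_TEXT = """\
62.138.7.231# WannaCry Telefonica
217.172.190.251 # Wannacry Intergenia AG ASN 8972
94.23.13.93# Wannacry France OVH
"""

def parse_watchlist(text):
    """Return {ip_address: label}; skip blank lines, fail on bad addresses."""
    watch = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        addr, _, label = line.partition("#")
        addr = addr.strip()
        if not addr:
            continue  # blank or comment-only line
        try:
            watch[ipaddress.ip_address(addr)] = label.strip()
        except ValueError:
            raise ValueError(f"line {lineno}: bad address {addr!r}")
    return watch

def find_contacts(flows, watch):
    """Return one alert per (internal source, listed destination) pair."""
    alerts = {}
    for src, dst in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip not in watch or not any(src_ip in net for net in INTERNAL):
            continue  # only internal hosts talking to listed addresses
        entry = alerts.setdefault((src, dst), {"label": watch[dst_ip], "flows": 0})
        entry["flows"] += 1  # repeated flows collapse into one alert
    return alerts

# Constructed flow records (source, destination); not real traffic.
SAMPLE_FLOWS = [
    ("10.0.5.23", "62.138.7.231"),
    ("10.0.5.23", "62.138.7.231"),
    ("10.0.5.23", "8.8.8.8"),
    ("192.168.1.40", "217.172.190.251"),
    ("203.0.113.9", "94.23.13.93"),  # external source: ignored
]

if __name__ == "__main__":
    hits = find_contacts(SAMPLE_FLOWS, parse_watchlist(WATCHLIST_TEXT))
    for (src, dst), a in sorted(hits.items()):
        print(f"ALERT {src} -> {dst} ({a['label']}): {a['flows']} flow(s)")
```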