Over the weekend, one of the most damaging worms to date started spreading on the Internet. There is still uncertainty about how it began spreading, whether via email phishing or something else, but it has already caused a lot of damage and will probably keep going over the coming weeks. While the best strategies are obviously patching the vulnerable systems and having a very good backup policy, internal network monitoring can help you reduce its impact.
The good guys at Payload Security made an excellent analysis and, at least for the 12th May version, discovered that an infected machine contacts a list of 13 hosts on the Internet.
The list of systems is reported on their site.
You can obviously block these at the firewall, but with a solution like Fl0wer you can also use a Lua script (which you can change in real time if you have Lua enabled) to alert you immediately when any of your internal hosts tries to contact the IP addresses listed above, rather than continuously checking your firewall logs.
A quickly written raw example script is available here; customize it to your needs and refer to the User Manual! I didn't test it since it's late at night, but it should work even with the evaluation version.
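As an added example, not the script linked above and not Fl0wer's own Lua API (which this post does not describe), the same matching logic in Python over constructed flow records: raise one alert per internal-source / watchlisted-destination pair. The watchlist addresses and the flow line format are placeholders I made up, not the indicators from the post.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder watchlist (constructed). In practice, load the destinations
# reported in the Payload Security analysis here.
WATCHLIST = {"198.51.100.10", "203.0.113.25"}

# RFC 1918 ranges: a hit only counts when the source is one of our hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dst_port: int


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed address in the record: not ours
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    # Constructed record format: "src,dst,dst_port,bytes"
    src, dst, port, _ = line.strip().split(",")
    return src, dst, int(port)


def match_flows(lines):
    """Return alerts for internal hosts contacting watchlisted destinations,
    de-duplicated per (src, dst) so a chatty host does not flood the console."""
    alerts, seen = [], set()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        try:
            src, dst, port = parse_flow(line)
        except ValueError:      # truncated or garbled record: skip it
            continue
        if dst in WATCHLIST and is_internal(src) and (src, dst) not in seen:
            seen.add((src, dst))
            alerts.append(Alert(src, dst, port))
    return alerts


SAMPLE_FLOWS = """\
# src,dst,dst_port,bytes (constructed sample flows)
192.168.1.23,198.51.100.10,443,1320
192.168.1.23,198.51.100.10,443,880
10.0.5.7,8.8.8.8,53,120
192.168.1.50,203.0.113.25,9001,400
""".splitlines()
```

Running `match_flows(SAMPLE_FLOWS)` yields two alerts: the repeated 192.168.1.23 flow is reported once, and the DNS lookup is ignored.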
This is probably not the solution you are looking for, but hey, it can help you limit the infection!