Over the weekend, one of the hardest-hitting worms started spreading on the Internet. It is unclear how it started, whether via mail phishing or something else, but it has done a lot of damage and will probably keep doing so in the coming weeks. While the best strategies are obviously patching the vulnerable systems and having a very good backup policy, internal network control can help you reduce its impact.

The good guys at Payload Security made an excellent analysis and, at least for the 12th May version, discovered that the infected machine contacts a list of 13 hosts on the Internet.

The list of systems, as reported on their site, is the following:

# WannaCry Telefonica
# Wannacry UK
# Wannacry UK
# Wannacry Netherlands XS4ALL ASN 3265
# Wannacry IS COGENT ASN 174
# Wannacry France OVH
# Wannacry Intergenia AG ASN 8972
# Wannacry Hetzner Online AG ASN 24940
# Wannacry EU Digital Ocean ASN 200130
# Wannacry Sweden
# Wannacry UK
# Wannacry Sweden ASN 198093
# Wannacry Germany COLT ASN 8220

You can obviously stop it at the firewall, but with a solution like Fl0wer you can use a Lua script (which you can change on the fly if you have Lua enabled) to alert you in real time if any of your internal hosts tries to contact the IP addresses listed above (unless you like continuously checking your firewall logs).

A quickly edited raw example script is available here; customize it to your needs and refer to the User Manual! I didn't test it since it's late at night, but it should work even with the evaluation version.
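The check described above (flag any internal host that contacts a watched address), as an added Python example over exported flow records; it is not the author's script and does not use Fl0wer's Lua API. The watchlist holds placeholder documentation addresses, and the internal ranges, CSV layout and sample records are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Placeholder indicators (RFC 5737 documentation addresses), NOT the real list:
# replace them with the 13 addresses from the published analysis.
WATCHLIST = {ipaddress.ip_address(a)
             for a in ("192.0.2.10", "198.51.100.77", "203.0.113.5")}

# Assumed internal address space; adjust to your own network plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow export: timestamp,src,dst,dst_port,bytes
SAMPLE_FLOWS = """\
2017-05-14T22:01:07,10.1.4.23,192.0.2.10,443,4120
2017-05-14T22:01:09,10.1.4.23,198.51.100.200,443,18200
2017-05-14T22:02:41,192.168.7.5,203.0.113.5,443,960
2017-05-14T22:03:02,10.1.4.23,192.0.2.10,443,3880
2017-05-14T22:03:15,198.51.100.77,10.1.9.9,443,120
not,a,valid,flow,record
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def find_suspect_hosts(flow_text):
    """Return {internal_src: {"dsts": set, "flows": int, "first_seen": str}}."""
    hits = defaultdict(lambda: {"dsts": set(), "flows": 0, "first_seen": None})
    for row in csv.reader(io.StringIO(flow_text)):
        try:
            ts = row[0]
            src = ipaddress.ip_address(row[1])
            dst = ipaddress.ip_address(row[2])
        except (ValueError, IndexError):
            continue  # skip malformed records instead of aborting the run
        # Only traffic from our own hosts towards a watched address counts.
        if is_internal(src) and dst in WATCHLIST:
            entry = hits[str(src)]
            entry["dsts"].add(str(dst))
            entry["flows"] += 1
            entry["first_seen"] = entry["first_seen"] or ts
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(find_suspect_hosts(SAMPLE_FLOWS).items()):
        print(f"ALERT {host} -> {sorted(info['dsts'])} "
              f"({info['flows']} flows, first seen {info['first_seen']})")
```

Grouping hits per internal source gives one alert per affected machine rather than one per flow, which is the list you need for isolating hosts.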

This is probably not the solution you are looking for, but hey, it can help you limit the infection!