WannaCry attacks qualify as virus disaster many times over

WannaCry attacks qualify as virus disaster many times over

Ray Pompon is Principal Threat Research Evangelist at F5 Networks.

Over a dozen years ago, malware pioneer Dr Peter Tippett coined the expression virus disaster, which describes the point at which more than 25 machines are infected on a single network as the tipping point for complete shutdown of a network. The new ransomware WannaCry, which locks down all files on an infected computer until the owner pays a ransom, seems to have plunged whole sections of critical infrastructure into a virus disaster.

Hospitals in the UK were the first to feel it’s bite, but the damage is spreading far and wide. This is likely to jeopardize patient health as hospitals are being shut down. If someone dies because of this, we will be looking at murder by malware. That will be a game-changer for security and compliance.

The malware is using MS17-010, EternalBlue, a Shadow Brokers-released NSA exploit, to punch through the network of anyone who has not patched the week’s old vulnerability. This vulnerability hits Server Message Block protocol file sharing, which is often wide open within organizational networks and thereby facilitates fast spreading of this attack.

Just as we saw with the Cerberus ransomware and Apache Struts, cyber-crooks waste no time upgrading the warheads on their malware to the latest exploits. When new holes are released, you should expect the same old evil to come repackaged with a new way to get in.

The obvious message is to patch quickly, though most organizations already know this and were probably already working to patch. This is where secondary layers of defense can buy you time: lock down traffic both incoming from the Internet and moving laterally through your networks. Block or restrict TCP ports 22, 23, 3389, 139, and 145 as well as UDP 137 and 138. Make sure backups are tight and complete.

The story is rapidly developing and we will likely hear more interesting and terrible things as it plays out over the next few days. Hopefully everyone affected by this will be able to weather the storm and come out stronger afterwards.


When more than 25 machines are infected on a network, the tipping point for a virus disaster is reached, which did happen last week says Ray Pompon at F5 Networks.

Browse our latest issue

Intelligent CISO

View Magazine Archive