The Network: A not-for-profit 501(c)(3) community asset providing healthcare related services in many states in the southeast United States.
The Expectation: Prevention defenses are working (antivirus, next generation firewall) and monitoring is in place to catch anything that slips through the prevention layer.
The Catch: EventTracker identified and terminated an instance of WannaCry.
The Find: A user was tricked into clicking an infected attachment in email, resulting in tor.exe being dropped into the user subfolder on the desktop. The EventTracker sensor reported the launch of tor.exe as an unknown process. Shortly thereafter, tor.exe was observed communicating with the IP address 18.104.22.168. These are published indicators of compromise of WannaCry.
The Fix: Quarantine the infected desktop; ideally re-image the infected laptop before returning to service. Scan all machines on the network for vulnerabilities (especially MS17-010). Limit traffic to/from ports 139 and 445 to internal hosts only.
The Lesson: Stop relying exclusively on antivirus and next generation firewall. Think defense in depth (network access control, endpoint threat detection). Monitoring DNS activity and network traffic are excellent techniques.
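The detection chain in The Find (an unknown process launched from a user's desktop folder, followed shortly by an outbound connection to a published indicator) can be expressed as a small correlation rule. The following is an added example, not EventTracker's own logic; the log line format, the field names and the sample events are constructed, and the only indicator reused from the write-up is the IP address.

```python
import re
from datetime import datetime, timedelta

# Indicator quoted in the write-up; the Desktop path pattern is an assumed
# convention for "binary dropped into a user subfolder on the desktop".
IOC_IPS = {"18.104.22.168"}
DROPPED_PATH = re.compile(r"\\Users\\[^\\]+\\Desktop\\", re.IGNORECASE)

# Constructed sensor log format: "<iso-ts> host=<h> event=<e> k=v k=v ..."
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) (?P<rest>.*)$")

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec.update(kv.split("=", 1) for kv in rec.pop("rest").split())
    return rec

def correlate(lines, window=timedelta(minutes=10)):
    """Alert on any connection to an IoC address; raise severity when the
    connecting image was launched as an unknown process from a user's
    Desktop within `window` beforehand (the sequence seen in The Find)."""
    launches, alerts = {}, []
    for rec in filter(None, map(parse, lines)):
        key = (rec["host"], rec.get("image", ""))
        if (rec["event"] == "process_start" and rec.get("known") == "no"
                and DROPPED_PATH.search(key[1])):
            launches[key] = rec["ts"]
        elif rec["event"] == "net_connect" and rec.get("dst") in IOC_IPS:
            t0 = launches.get(key)
            linked = t0 is not None and rec["ts"] - t0 <= window
            alerts.append({
                "host": rec["host"], "image": key[1], "dst": rec["dst"],
                "severity": "high" if linked else "medium",
                "seconds_after_launch": int((rec["ts"] - t0).total_seconds()) if linked else None,
            })
    return alerts

# Constructed sample events (host names, user, timestamps are made up).
SAMPLE = [
    "2017-05-15T09:12:03 host=DESK-017 event=process_start image=C:\\Users\\jdoe\\Desktop\\tor\\tor.exe known=no",
    "2017-05-15T09:12:41 host=DESK-017 event=net_connect image=C:\\Users\\jdoe\\Desktop\\tor\\tor.exe dst=18.104.22.168 dport=9001",
    "2017-05-15T09:13:10 host=DESK-042 event=net_connect image=C:\\Windows\\System32\\svchost.exe dst=93.184.216.34 dport=443",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

Feeding the sample events through `correlate` yields a single high-severity alert for DESK-017, 38 seconds after the unknown launch; the svchost connection produces nothing because its destination is not an indicator.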