Secdo Blog

WannaCry & EternalBlue Aftermath. Is The Worst Over?


In a post published earlier today, we explained how organizations that succeeded in blocking the WannaCry ransomware or that were not directly attacked by the ransomware at all – may still be at risk, but are unaware of it. Secdo has discovered evidence of more sophisticated actors leveraging ETERNALBLUE to install backdoors and exfiltrate user credentials in networks around the world.

Are you really safe now?

1. Don’t be deluded that there is a solution that can prevent every attack

In the WannaCry incident, hackers were able to use the NSA’s ETERNALBLUE code to alter a thread within a legitimate system process which made it completely undetectable by nearly every detection system. Only after WannaCry was dropped on their endpoints were some security vendors able to detect and block the ransomware. However, they were still unaware of the initial breach which gave the attackers the ability to execute additional code. This proves once again that whenever there is a new type of attack, no-one can guarantee that your organization won’t be affected.

2. WannaCry is merely a visible symptom, not the underlying cause

You can cleanse your network of WannaCry and still have no guarantee that you are safe. ETERNALBLUE is the real culprit and it might have already infected your endpoints weeks before the WannaCry outbreak, even if you are fully patched. As of this moment, numerous organizations have no way of knowing if the threat is still alive. They do not have a full grasp of the damage that was done, and might not have the tools to surgically remediate it.

3. Deploying the Microsoft patch is not the end of the story

Even if organizations deploy the Microsoft patch now, it’s a false hope for safety from these attacks. The attackers had more than a month to breach organizations, install backdoors, steal information and cause damage which they have no way of discovering.

How can Secdo help you right now to find out if you were compromised?

Secdo lets you hunt for behavioral indicators that show if you were compromised anytime in the past month since the first signs of the ETERNALBLUE leak. Secdo finds the underlying attack which, in this case, is not WannaCry. Secdo has discovered that the attack vector includes installation of advanced backdoors dating back to the middle of April (Read all about it in our previous blog post). Secdo exposes the full scope of the damage and all endpoints and servers that were infected by any aspect of the attack, not just WannaCry. Secdo provides the tools to remediate the entire threat across the network.

What should your organization do to minimize the risk of future attacks?

No security team can prevent every attack from breaching a network. Time is of the essence. Once a breach happens, your organization’s ability to respond immediately and effectively is critical.

Secdo leverages the Preemptive Incident Response methodology to enable organizations to respond rapidly and effectively to inevitable breaches.

Preemptive Incident Response (PIR)

Secdo replaces the traditional, slow, after-the-fact incident response process with continuous collection of all activity on all endpoints and servers, down to the thread-level. Data is stored and on a central server where it establishes a permanent forensic record to enable a superior level of threat-hunting and fast response to incidents. PIR reveals the entire attack chain from root cause enabling investigations to be conducted quickly and accurately. Full damage assessments enable proper remediation across the network where endpoints have been affected.


1.Continuously collect thread-level data from all endpoints and servers 

Forensic evidence is established for all events before an incident occurs. Attacks like WannaCry are automatically tied to all the related events in the past that led up to the actual breach. Secdo reveals very sophisticated attacks at the thread level where they are often invisible to other systems.

2. Hunt for behavioral indicators

While highly sophisticated attacks can breach security and hide under the radar, their activity can give them away. Collecting the behaviors of every activity at the thread level ultimately reveals the presence of a threat. ETERNALBLUE exploited a hole in Microsoft SMB-protocol security and was able to place thread-level artifacts on endpoints and servers. WannaCry only came later. Even though WannaCry was cleaned up these artifacts might still be present. Find them with Secdo.

3. Investigate all the way back to the root cause and assess the full extent of the damage

Eradicating the payload is like fixing the symptom of a disease – helpful but not enough to be healthy and safe. To completely clear all endpoints and servers of threats, you need to know the origin of the attack and its every step, every host that was affected and what damage was caused.  Only when you see the full picture can you respond comprehensively, eradicating the entire threat. Secdo reveals the entire progress of the ETERNALBLUE attack including the components and steps that other systems missed.

4. Use response and remediation tools that are able to act surgically at the thread level without disrupting user productivity and business continuity

To remediate WannaCry, most IT teams will wipe endpoints and re-image. Hopefully, they have good backups that go back far enough to precede the initial ETERNALBLUE attack in mid-April. Secdo’s  surgical remediation tools can freeze a process or thread safely without shutting down the endpoint. Secdo enables the security team to precisely and remotely remediate everything.


Secdo helps organizations achieve the “4 Rs”, ensuring a robust security strategy that will withstand  future attacks:

1. Risk Reduction

The security team must have the visibility to see the full scope of any attack back to its root cause and right away before more damage occurs. With the complete story exposed, remediation can be quick and complete. Response actions can be incorporated in the automatic security regime to close holes in cyber defenses. PIR delivers all of these benefits and goes further, gathering all the forensic evidence even before an attack occurs.

2. Breach Readiness

Despite all the prevention and detection measures, breaches will inevitably happen. Once a breach happens, how ready is the organization to respond rapidly and effectively? Do you have the capabilities to spot the attack immediately, quickly learn all about it? Can you employ an advanced suite of tools to fully contain and eradicate the threat? Can you then automate the response for future protection? PIR delivers all of these capabilities.

3. Surgical Response

Attacks are getting more sophisticated daily and response tools must stay a step ahead. Secdo delivers a suite of very advanced surgical response tools that can rapidly and remotely isolate an endpoint, freeze a process or a thread, eradicate malware and much more. When an attack strikes, speed, full knowledge and precision are necessary. Secdo quickly provides all the information, to the thread level, necessary to determine root cause and full damage assessment enabling comprehensive IR that remediates the entire attack and all of its components.

4. Rapid Recovery

How fast can the organization return to normal operations after a breach, with minimal business downtime? Without the right tools, organizations rely on re-imaging and other gross response methods that take time and impact the business. Preemptive Incident Response slashes investigation time, fully assesses the damage and makes response precise without affecting business productivity.

For more information or for your own personal demo, speak to us today.


Connect with us

Stay connected

whitepaper banner-280X233.png