I want to comment on the recent “WannaCry” ransomware attack that has been spreading internationally over these past few days, as it is distressing to see an increase in these types of attacks on the infrastructure on which we are so dependent.
As part of our mission, and as was well understood by many security researchers and practitioners at the time, BITAG warned about something along these lines back in 2013 when it came to port blocking best practices – at least in terms of malicious attack vectors. In our Port Blocking report, BITAG’s Technical Working Group listed out many well-known ports that are abused and issued consensus recommendations as to blocking them. We also recommended that ISPs disclose which ports they may block.
Ports 139 and 445, as well as other ports associated with NetBIOS – which from what I can gather are the ports being used by WannaCry (also being called “WanaCrypt” or “Wcry” it seems) – were among the specific ports we recommended blocking. BITAG also recommended a number of other best practices in this area.
I might suggest that BITAG members and others who implemented these port blocking best practices have been better positioned during this recent attack than those who had not and instead left these ports open. Further, network operators and IT teams that have been affected by this ransomware may want to review the rest of our Port Blocking report and consider taking protective actions beyond simply mitigating further spread of WannaCry, as this may help in the future.
Finally, I also recommend to your attention BITAG’s other reports and recommendations on various network management practices and techniques, including the most recent on IoT security and privacy recommendations, all of which can be found on our website at www.bitag.org. Future reports will be posted there as well.
Doug
Executive Director and Chair of the Technical Working Group
Broadband Internet Technical Advisory Group (BITAG)