
WannaCry Enterprise

  • 25-05-2017 8:12am
    #1


    I know there's a thread or two on ransomware/wannacry but not covering this aspect.

    Hypothetical question about general behavior of ransomware should it ever infect an enterprise and in particular its impact on network shares and recovery.

    So, the likely scenario is: the first machine gets infected and sets about its nasty payload of encrypting everything it can see, some of which (depending on account privileges) will be network shares. That's fine: curse, remove, restore, curse some more, yada yada, curse some more, and head home very late into the evening. However, in the meantime the ransomware has wormed its way onto another or many other machines, which also set about their nasty payloads, so rinse and repeat the above (a lot of cursing by the end of the day, I suspect).

    Anyway, to the question: will the ransomware ignore files encrypted by other infections, or will it indiscriminately set about encrypting everything in sight, including files previously encrypted?

    I suspect it is indiscriminate in its execution of the payload; however, as most (maybe all) that I've researched do change the file extension, there is a glimmer of hope that recovery via payment of ransom would be possible.

    But if it is the case that it is indiscriminate in its approach, then paying a ransom (which we know we should never do anyway) is a bit futile either way, unless you know the exact order in which individual files on your network shares were encrypted and decrypt them in that order, having paid what I'm therefore guessing would be multiple ransoms in respect of each infected machine. Worse still, in a multiple-infection situation with parallel execution of the ransomware payload, it equates to an almost certain impossibility. So a ransom paid in such an enterprise environment could at best only restore a single local working machine (assuming their decryption is successful).

    Has anyone looked at the behaviour in a sandboxed network environment to see what sequencing the ransomware may be using?

    Thanks

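The layering question raised in the post can be modelled without any real sample. The following is an added example, not code from the original post or from any ransomware family: a toy simulation in which a "share" is a dict of filename to bytes, each infected host has its own random key, and the cipher is an HMAC-SHA256 keystream XOR. The `MAGIC` header, the `.locked` extension, the `skip_encrypted` policy flag and the sample file contents are all constructed for the example. It shows the two behaviours the post asks about (a payload that leaves already-encrypted files alone versus one that encrypts everything in sight), and that when each layer carries a marker naming the key that produced it, the layers can be peeled last-in-first-out regardless of the order the hosts ran in; a layer without such a marker would have to be undone in the exact reverse order, which is the case the post worries about.

```python
"""Toy model of two independent infections encrypting one network share.
Added example; nothing here touches the filesystem or resembles a real sample."""
import hashlib
import hmac
import os

MAGIC = b"SIMENC"      # hypothetical marker written at the start of every encrypted blob
EXT = ".locked"        # hypothetical extension appended by each infection
KEY_ID_LEN = 4
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for whatever cipher a real sample uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_blob(key: bytes, key_id: bytes, data: bytes) -> bytes:
    """Wrap data in one layer: header identifies the key, nonce is fresh per file."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return MAGIC + key_id + nonce + ct


def is_encrypted(blob: bytes) -> bool:
    return blob.startswith(MAGIC)


def key_id_of(blob: bytes) -> bytes:
    return blob[len(MAGIC):len(MAGIC) + KEY_ID_LEN]


def decrypt_blob(key: bytes, key_id: bytes, blob: bytes) -> bytes:
    """Remove exactly one layer; refuses if the outer layer belongs to a different key."""
    if not is_encrypted(blob) or key_id_of(blob) != key_id:
        raise ValueError("outer layer was not produced by this key; decrypting now would corrupt it")
    start = len(MAGIC) + KEY_ID_LEN
    nonce = blob[start:start + NONCE_LEN]
    ct = blob[start + NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Infection:
    """One infected host's payload. skip_encrypted=True models a sample that leaves
    already-encrypted files alone; False models an indiscriminate one."""

    def __init__(self, skip_encrypted: bool):
        self.key = os.urandom(32)
        self.key_id = os.urandom(KEY_ID_LEN)
        self.skip_encrypted = skip_encrypted

    def run(self, share: dict) -> int:
        """Encrypt every file this host can see on the share; returns files touched."""
        touched = 0
        for name in sorted(share):
            blob = share.pop(name)
            if self.skip_encrypted and is_encrypted(blob):
                share[name] = blob
                continue
            share[name + EXT] = encrypt_blob(self.key, self.key_id, blob)
            touched += 1
        return touched


def recover(share: dict, keys: dict) -> int:
    """Peel layers outermost-first using the header to pick the key.
    keys maps key_id -> key (what you would hold after paying each ransom).
    Returns the largest number of layers found on any one file."""
    max_layers = 0
    for name in sorted(share):
        blob = share.pop(name)
        layers = 0
        while is_encrypted(blob):
            kid = key_id_of(blob)
            if kid not in keys:
                raise KeyError(f"no key for layer {kid.hex()} on {name}; recovery stops here")
            blob = decrypt_blob(keys[kid], kid, blob)
            layers += 1
            if name.endswith(EXT):
                name = name[:-len(EXT)]
        share[name] = blob
        max_layers = max(max_layers, layers)
    return max_layers


def wrong_order_rejected(blob: bytes, inner: Infection) -> bool:
    """True if trying to undo an inner layer before the outer one is refused."""
    try:
        decrypt_blob(inner.key, inner.key_id, blob)
        return False
    except ValueError:
        return True


def simulate(skip_encrypted: bool) -> tuple:
    """Two hosts hit the same share in sequence; returns (max layers, fully recovered?)."""
    original = {"report.docx": b"quarterly numbers", "notes.txt": b"call vendor"}  # constructed
    share = dict(original)
    first, second = Infection(skip_encrypted), Infection(skip_encrypted)
    first.run(share)
    second.run(share)
    layers = recover(share, {first.key_id: first.key, second.key_id: second.key})
    return layers, share == original
```

With the skipping policy the second host touches nothing and every file carries one layer; with the indiscriminate policy files end up as `report.docx.locked.locked` with two nested layers, and recovery needs both keys. The header is what makes the order irrelevant here: `decrypt_blob` refuses to apply the inner host's key while the outer layer is still present, instead of silently producing garbage, which is the failure the post describes for a sample that leaves no such marker. In either case the layer count is the number of ransoms in play, which is one more argument for restoring from backups rather than paying.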
