As per my research till now, i could find below information which could help in at least detection of any variants, which should be enough for you to isolate the machine quickly on your network and then perform investigations:
> Check for traffic on port 445 minutely within your core network
> Monitor and validate any Network traffic headed outbound to TOR nodes on ports >9000
> Watch and block any permitted CnC traffic attempts ASAP on your all firewalls
> Watch and block all kinds of download activity containing .Wncry extension like files
> Also, look for below extensions for exe's within your files/registry scans on windows machines
WNCry, WCry, WanaCrypt0r, Wana Decrypt0r
> Create a separate Alert Watchlist on SIEM/other monitoring solutions for below C2 domains
gx7ekbenv2riucmf.onion,
57g7spgrzlojinas.onion,
xxlvbrloxvriy2c5.onion,
76jdd2ir2embyv47.onion, and
cwwnhwhlz52maqm7.onion
> Check any outgoing communication attempt on below url from your organization;
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
> Disable Autorun on all windows macihnes
> Do no disable UAC
> Monitor your SIEM or Log monitoring solutions for any Privilege changes/modifications
> Look for Microsoft Security Bulletin MS17-010 and apply patches immediately if you have not till now. The ransomware exe file executes and exploits this Vulnerability and spreads like a worm within your network.
Note: This is not the complete list of indicators, however if you monitor these in addition to other solutions, your chances of being safe are high.
