At first, it was suspected that the WannaCry ransomware spread via phishing. However, according to research by Malwarebytes, the ransomware was distributed by scanning for vulnerable SMB ports exposed to the Internet.
Attackers used the NSA's EternalBlue exploit to gain a foothold on the targeted network. The DoublePulsar backdoor was then used to establish persistence, which enabled the installation of further malware such as WannaCry.
Adam McNeil, the senior malware intelligence analyst at Malwarebytes, states:
“Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public facing SMB ports, and once located, using the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks. Developing a well-crafted campaign to identify just as little as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and speed that we saw with this particular ransomware variant.”
The takeaways remain the same: patch systems promptly; migrate to newer, supported operating systems where possible; disable unnecessary protocols such as SMB where they are not required; and segment the network.
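As an added illustration of these takeaways (this is not code from the article or from Malwarebytes), the script below audits a constructed firewall log for the behaviour the research describes: an external source probing TCP/445 across several internal hosts, and the internal hosts that actually accepted such connections. The internal address ranges and the log format are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log (not from the article); fields:
# timestamp src_ip src_port dst_ip dst_port proto action
SAMPLE_LOG = """\
2017-05-12T07:01:03Z 203.0.113.7 51234 10.0.0.10 445 tcp allow
2017-05-12T07:01:04Z 203.0.113.7 51235 10.0.0.11 445 tcp allow
2017-05-12T07:01:05Z 203.0.113.7 51236 10.0.0.12 445 tcp deny
2017-05-12T07:02:10Z 10.0.0.5 49152 10.0.0.20 445 tcp allow
2017-05-12T07:03:44Z 198.51.100.9 40000 10.0.0.10 443 tcp allow
2017-05-12T07:04:00Z 198.51.100.9 40001 10.0.0.10 445 tcp allow
"""

# Address space treated as "inside" (assumed RFC 1918 only; adjust per site).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORT = 445

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_log(log_text):
    """Yield one record per log line; malformed lines are skipped rather than aborting the audit."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, sport, dst, dport, proto, action = parts
        yield {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
               "proto": proto.lower(), "action": action.lower()}

def external_smb_connections(log_text):
    """Inbound TCP/445 connection attempts whose source lies outside INTERNAL_NETS."""
    return [r for r in parse_log(log_text)
            if r["proto"] == "tcp" and r["dport"] == SMB_PORT and not is_internal(r["src"])]

def smb_scanners(log_text, min_targets=2):
    """External sources that touched at least min_targets distinct internal hosts on 445."""
    targets = defaultdict(set)
    for r in external_smb_connections(log_text):
        targets[r["src"]].add(r["dst"])
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}

def exposed_smb_hosts(log_text):
    """Internal hosts that accepted SMB from the Internet: patch or firewall these first."""
    return sorted({r["dst"] for r in external_smb_connections(log_text) if r["action"] == "allow"})

if __name__ == "__main__":
    print("scanning sources:", smb_scanners(SAMPLE_LOG))
    print("exposed hosts:", exposed_smb_hosts(SAMPLE_LOG))
```

Internal-to-internal SMB traffic is deliberately excluded here; lateral propagation inside a segment needs a separate check against the hosts' own connection logs.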
Moreover, Brad Smith, the president of Microsoft Corporation, called out the NSA for stockpiling exploits. The WannaCry case serves as an example of what can happen when government-developed exploits fall into criminal hands.
WannaCry also demonstrates that even once the original variant no longer infects users, newer variants can take its place.