On Friday, as the work week was nearing its end in Finland, news started coming in that a large-scale ransomware campaign was spreading all over the world.

As of Friday evening, the attack, spread by software called Wana Decrypt0r, seems to have stopped spreading after a security researcher registered the hard-coded domain found in the ransomware (confirmed by a Talos employee).

There are already quite comprehensive articles detailing the ransomware, but in this post I will take a look at how the ransomware actually spreads.

Background

Wana Decrypt0r takes advantage of a vulnerability in the Windows network file-sharing protocol, Server Message Block (SMB). If you’re not familiar with the term, most Windows users will still know the feature: network shares, printer access and many other Windows networking features use the SMB protocol. The specific version affected here is SMBv1 (in use since at least Windows Server 2003), which US-CERT has for some time recommended disabling altogether.

The ransomware takes advantage of vulnerabilities in the SMBv1 protocol which were made public in the NSA leaks in March and patched by Microsoft on March 14th. Despite Microsoft releasing the update and rating it “critical” for every single supported Windows version, the update has apparently still not been installed widely enough. The British public health care system (NHS), a Spanish telecom giant (Telefonica) and other critical infrastructure providers apparently failed to keep their systems up to date, with this as the result.

Injection

It has not yet been widely reported what the initial injection method is. Most probably the initial malware is distributed via email and executed by an unsuspecting user, but this has not been confirmed.

However, what happens next has been reported by at least Cisco Talos: http://blog.talosintelligence.com/2017/05/wannacry.html

The ransomware uses an exploit called ETERNALBLUE, which targets the SMBv1 vulnerability. EternalBlue is a remote code execution exploit capable of injecting code into other vulnerable Windows machines on the same network. According to Cisco Talos, when WannaCrypt is first launched it scans the network for vulnerable machines, and for machines that have already been infected and carry a backdoor called DOUBLEPULSAR.
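Because the worm spreads by scanning neighbouring hosts for SMB, one defensive check is to look for a single source fanning out to many distinct internal peers on TCP/445 within a short window, which normal file-server use does not do. The script below is an added example (not from the original post or from Talos) run over constructed flow records; the 10-peer threshold and 60-second window are assumptions to tune for your own network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records for this example (timestamp src dst dport);
# not taken from any real capture. 10.0.1.15 behaves like the worm,
# 10.0.1.30 is a workstation talking to one file server, 10.0.1.40 is benign.
SAMPLE_FLOWS = "\n".join(
    [f"2017-05-12T14:00:0{i % 10} 10.0.1.15 10.0.1.{20 + i} 445" for i in range(12)]
    + ["2017-05-12T14:00:03 10.0.1.30 10.0.1.5 445"] * 5
    + ["2017-05-12T14:00:04 10.0.1.40 10.0.1.6 445",
       "2017-05-12T14:00:05 10.0.1.40 10.0.1.7 445",
       "2017-05-12T14:00:06 10.0.1.40 10.0.1.8 445",
       "2017-05-12T14:00:07 10.0.1.40 10.0.1.9 443"]
)


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, int) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_smb_scanners(flows, min_peers=10, window=timedelta(seconds=60)):
    """Return {src: peer_count} for sources that contacted at least min_peers
    distinct destinations on TCP/445 inside any sliding window of `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct peers reached within `window` of this starting event.
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            best = max(best, len(peers))
        if best >= min_peers:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    for src, count in find_smb_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible SMB scanner: {src} reached {count} peers on 445")
```

Repeated connections to the same server count as one peer, so a busy file-server client is not flagged, while the worm-like host is.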