These techniques let the ransomware attack spread like wildfire through vulnerable Windows machines across the globe in May, infecting over 230,000 machines in 150 countries and blocking users from their data unless they agreed to pay approximately $300 in Bitcoin.
The attack’s spread only slowed when security researcher MalwareTech inadvertently triggered a killswitch in the malware by registering, as a DNS sinkhole, a domain he found in the virus’s code.
Though Malwarebytes’ conclusions are not airtight, the company said that initial infection through exposed SMB ports is the most likely culprit for the attack.
“Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public facing SMB ports, and once located, using the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks,” explained Malwarebytes senior malware intelligence analyst Adam McNeil.
“Developing a well-crafted campaign to identify just as little as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and speed that we saw with this particular ransomware variant.”
Latest posts by Jeff Edwards