Ad Image

WannaCry Did Not Start with a Phishing Attack, Experts Say

Despite initial claims to the contrary, this month’s widespread WannaCry ransomware attack didn’t begin with phishing emails as first suspected, according to recent analysis from Malwarebytes.
Though the phishing claim was “an easy mistake to make”, according to the security company, the infection actually spread “via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry Ransomware.”

These techniques let the ransomware attack spread like wildfire through vulnerable Windows machines across the globe in May, infecting over 230,000 machines in 150 countries and blocking users from their data unless they agreed to pay approximately $300 in Bitcoin.

The attack’s spread only slowed when security researcher MalwareTech accidentally discovered a killswitch for the malware by registering a domain for a DNS sinkhole found in the virus’s code.


Widget not in any sidebars

Though MalwareBytes conclusions are not airtight, the company said that the initial infection of SMB ports is the most likely culprit for the attack.

“Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public facing SMB ports, and once located, using the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks,” explained Malwarebytes senior malware intelligence analyst, Adam McNeil.

“Developing a well-crafted campaign to identify just as little as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and speed that we saw with this particular ransomware variant.”

Share This

Related Posts