Security Research > Wannacry Ransomware


What it is, where it’s going, and what you can do

What is WannaCry?

WannaCry is an aggressive ransomware campaign that went viral on May 12, 2017, impacting more than 300,000 systems (and counting) worldwide and remains active.

The primary mode of attack was to exploit vulnerabilities in the Server Message Block (SMB) protocol, a Windows file-sharing protocol. The infiltration of the worm was through Windows devices that allowed inbound SMB communications on firewall ports 139 or 445 and had not been updated with the latest Microsoft security patch. Once a device had been exploited, the malware would scan for other vulnerable devices and spread laterally — quickly.

On Monday, May 15, 2017, a new variant of WannaCry was identified by Zscaler. This variant had the same ransomware payload, but was delivered over HTTP port 80 via a phishing email or a drive-by-download. This variant did not use the SMB exploit to propagate, but it’s likely that subsequent variants will.

Zscaler ThreatLabZ continues to identify new variants of the threat and we will continue to keep this page updated with the latest analysis and recommendations.

Suggested Resources

CIO Insights

In the aftermath of WannaCry, our concept of the network has to change

Cyber Security

Indicators Associated With WannaCry Ransomware

Microsoft Security

Microsoft Customer Guidance for WannaCrypt

Timeline of WannaCry

  • Friday, April 14, 2017

    Shadow Brokers, a hacker group, publishes a cache of NSA documents, including 23 executable hacking tools targeting Windows. WannaCry, codenamed EternalBlue, is included among the exploits exposed.

  • Friday, May 12, 2017

    WannaCry attack surfaces, making its first appearance at 8:42 a.m. London time.<br><br>Friday afternoon, a British cyber analyst stumbles upon a WannaCry kill switch and the initial attack is effectively shut down.

  • Sunday, May 14, 2017

    New variants of WannaCry are identified, but do not spread as quickly as the original infection.

  • Monday, May 15, 2017

    Zscaler ThreatLabZ identifies a variant of the exploit that is using HTTP as the attack vector.

  • Tuesday, May 16, 2017

    Shadow Brokers posts a new message claiming to have many more new exploits, offering them as subscription services to would-be attackers.

  • Variants of WannaCry continue to appear. Zscaler ThreatLabZ continues to actively monitor the threat.

Check your security with our instant risk assessment, Security Preview tool


Check your security with our instant risk assessment, Security Preview. It’s free, confidential and safe. 85% of companies who run this test find vulnerabilities that require immediate attention.