What it is, where it’s going, and what you can do
What is WannaCry?
WannaCry is an aggressive ransomware campaign that went viral on May 12, 2017, has impacted more than 300,000 systems (and counting) worldwide, and remains active.
The primary mode of attack was to exploit vulnerabilities in the Server Message Block (SMB) protocol, a Windows file-sharing protocol. The worm infiltrated through Windows devices that allowed inbound SMB communications on firewall ports 139 or 445 and had not been updated with the latest Microsoft security patch. Once a device had been exploited, the malware would scan for other vulnerable devices and spread laterally, and quickly.
On Monday, May 15, 2017, a new variant of WannaCry was identified by Zscaler. This variant carried the same ransomware payload, but was delivered over HTTP port 80 via a phishing email or a drive-by download. This variant did not use the SMB exploit to propagate, but it is likely that subsequent variants will.
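An added example, not from Zscaler or this page, of how a defender might surface the two SMB behaviours described above in firewall connection logs: allowed inbound SMB from outside on ports 139/445, and an internal host fanning out over SMB the way the worm's lateral scan does. The log line format, the internal address ranges, the sample lines and the fan-out threshold are all assumptions constructed for the example.

```python
"""Flag WannaCry-style SMB activity in firewall connection logs.

Constructed sample lines (not real captures), one connection each:
  "<timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>"
"""
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}
# Assumed internal address plan; adjust to your own network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
FANOUT_THRESHOLD = 5  # distinct SMB peers from one host before alerting

SAMPLE_LOG = """\
2017-05-12T07:42:01 203.0.113.7 10.0.0.12 445 ALLOW
2017-05-12T07:42:02 203.0.113.7 10.0.0.13 445 DENY
2017-05-12T07:43:10 10.0.0.12 10.0.0.20 445 ALLOW
2017-05-12T07:43:11 10.0.0.12 10.0.0.21 445 ALLOW
2017-05-12T07:43:11 10.0.0.12 10.0.0.22 139 ALLOW
2017-05-12T07:43:12 10.0.0.12 10.0.0.23 445 ALLOW
2017-05-12T07:43:12 10.0.0.12 10.0.0.24 445 ALLOW
2017-05-12T07:43:13 10.0.0.12 10.0.0.25 445 ALLOW
2017-05-12T07:50:00 10.0.0.30 10.0.0.31 445 ALLOW
2017-05-12T07:50:05 10.0.0.30 198.51.100.9 80 ALLOW
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def analyze(log_text):
    """Return (external_inbound, scanners) as sorted lists of source IPs."""
    external_inbound = set()
    peers = defaultdict(set)  # internal src -> set of SMB destinations
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, action = line.split()
        if int(port) not in SMB_PORTS:
            continue  # only SMB (139/445) matters for this check
        # Indicator 1: the firewall let outside SMB reach an internal host.
        if action == "ALLOW" and not is_internal(src) and is_internal(dst):
            external_inbound.add(src)
        # Indicator 2: count distinct SMB peers per internal source.
        if is_internal(src):
            peers[src].add(dst)
    scanners = sorted(s for s, d in peers.items() if len(d) >= FANOUT_THRESHOLD)
    return sorted(external_inbound), scanners

if __name__ == "__main__":
    ext, scan = analyze(SAMPLE_LOG)
    print("Allowed inbound SMB from outside:", ext)
    print("Internal hosts fanning out over SMB (possible worm):", scan)
```

With the constructed log, the analysis flags 203.0.113.7 for an allowed inbound SMB connection and 10.0.0.12 for reaching six distinct SMB peers within seconds; the host that contacted a single SMB peer and then port 80 is not flagged.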
Zscaler ThreatLabZ continues to identify new variants of the threat and we will continue to keep this page updated with the latest analysis and recommendations.
Timeline of WannaCry
- Friday, April 14, 2017: Shadow Brokers, a hacker group, publishes a cache of NSA documents, including 23 executable hacking tools targeting Windows. WannaCry, codenamed EternalBlue, is included among the exploits exposed.
- Friday, May 12, 2017: The WannaCry attack surfaces, making its first appearance at 8:42 a.m. London time. Friday afternoon, a British cyber analyst stumbles upon a WannaCry kill switch and the initial attack is effectively shut down.
- Sunday, May 14, 2017: New variants of WannaCry are identified, but do not spread as quickly as the original infection.
- Monday, May 15, 2017: Zscaler ThreatLabZ identifies a variant of the exploit that is using HTTP as the attack vector.
- Tuesday, May 16, 2017: Shadow Brokers posts a new message claiming to have many more new exploits, offering them as subscription services to would-be attackers.
- Variants of WannaCry continue to appear. Zscaler ThreatLabZ continues to actively monitor the threat.