What it is, where it’s going, and what you can do
WannaCry is an aggressive ransomware campaign that went viral on May 12, 2017. It has impacted more than 300,000 systems (and counting) worldwide and remains active.
The primary mode of attack was to exploit vulnerabilities in the Server Message Block (SMB) protocol, a Windows file-sharing protocol. The worm got in through Windows devices that allowed inbound SMB communications on firewall ports 139 or 445 and had not been updated with the latest Microsoft security patch. Once a device had been exploited, the malware would scan for other vulnerable devices and quickly spread laterally.
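Both behaviors described above (inbound SMB allowed from outside, then rapid scanning of other devices) can be looked for in network flow logs. The following is an added example, not code from Zscaler or from the original page; the log format, the 10.0.0.0/8 internal range and the fan-out threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}                            # ports named in the text
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumption: the internal range
FANOUT, WINDOW = 4, 60                            # assumption: 4 SMB targets in 60 s

# Constructed flow records: epoch_seconds src dst dst_port action
SAMPLE_FLOWS = """\
1000 203.0.113.7 10.0.0.5 445 ALLOW
1001 203.0.113.7 10.0.0.6 445 DENY
1010 10.0.0.5 10.0.0.10 445 ALLOW
1012 10.0.0.5 10.0.0.11 445 ALLOW
1014 10.0.0.5 10.0.0.12 139 ALLOW
1016 10.0.0.5 10.0.0.13 445 ALLOW
1020 10.0.0.20 10.0.0.30 445 ALLOW
1200 10.0.0.20 10.0.0.31 445 ALLOW
1400 10.0.0.20 10.0.0.32 445 ALLOW
1600 10.0.0.20 10.0.0.33 445 ALLOW
"""

def analyze(text):
    """Return (hosts reachable over SMB from outside, hosts fanning out over SMB)."""
    exposed, scanners = set(), set()
    outbound = defaultdict(list)                  # internal src -> [(ts, dst)]
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, port, action = fields
        if int(port) not in SMB_PORTS:
            continue
        src_in = ipaddress.ip_address(src) in INTERNAL
        # Exposure: inbound SMB from outside the internal range was allowed.
        if action == "ALLOW" and not src_in and ipaddress.ip_address(dst) in INTERNAL:
            exposed.add(dst)
        if src_in:
            outbound[src].append((int(ts), dst))
    # Lateral spread: one source reaching many distinct SMB targets in a short window.
    for src, events in outbound.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= FANOUT:
                scanners.add(src)
                break
    return exposed, scanners
```

On the sample data, 10.0.0.5 is reported both as exposed and as fanning out, while 10.0.0.20, which reaches the same number of SMB targets spread over several minutes, is not flagged.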
On Monday, May 15, 2017, a new variant of WannaCry was identified by Zscaler. This variant had the same ransomware payload, but was delivered over HTTP port 80 via a phishing email or a drive-by-download. This variant did not use the SMB exploit to propagate, but it’s likely that subsequent variants will.
Zscaler ThreatLabZ continues to identify new variants of the threat and we will continue to keep this page updated with the latest analysis and recommendations.