
WannaCry

What it is, where it’s going, and what you can do

What is WannaCry?

WannaCry is an aggressive ransomware worm that erupted on May 12, 2017, infecting more than 300,000 systems worldwide (and counting); the campaign remains active.

The primary mode of attack exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) file-sharing protocol, specifically the legacy SMBv1 dialect. The worm got in through Windows devices that accepted inbound SMB connections on TCP port 139 or 445 and had not installed the security update Microsoft released for the flaw in March 2017 (MS17-010). Once a device had been exploited, the malware scanned for other vulnerable devices, both on the local network and across the Internet, and spread laterally, quickly.
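As an added example (not code from this page, from Zscaler or from Microsoft), the PowerShell script below audits a single Windows host for the three conditions the paragraph above describes: SMBv1 still enabled, the MS17-010 update missing, and the host listening on TCP 139/445. With -Remediate it disables SMBv1 and adds a host-firewall rule blocking inbound SMB. The default -PatchKBs values are assumed to be the March 2017 MS17-010 updates for Windows 7 SP1 / Server 2008 R2 (security-only and monthly rollup); other Windows versions use different KB numbers, so confirm them against the Microsoft guidance linked on this page before relying on that check.

```powershell
# Added example, not Zscaler's or Microsoft's code: audit a Windows host for the SMB
# exposure WannaCry exploits, and optionally remediate it. Run from an elevated PowerShell.
# Assumption (labelled): the default -PatchKBs are the March 2017 MS17-010 updates for
# Windows 7 SP1 / Server 2008 R2. Other Windows versions have different KB numbers;
# take them from the Microsoft guidance linked on this page.
[CmdletBinding(SupportsShouldProcess=$true)]
param(
    [string[]]$PatchKBs = @('KB4012212', 'KB4012215'),
    [switch]$Remediate
)

$findings = @()
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Is SMBv1 still enabled? EternalBlue only works against the SMBv1 dialect.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later ship the SmbShare module.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / Server 2008 R2 do not; read the LanmanServer setting directly.
    # A missing SMB1 value means SMBv1 is on (the default on those versions).
    $v = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    $smb1Enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
}
if ($smb1Enabled) {
    $findings += 'SMBv1 is enabled on the server side'
    if ($Remediate -and $PSCmdlet.ShouldProcess('SMB server', 'disable SMBv1')) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            # Registry change takes effect after a reboot.
            Set-ItemProperty -Path $lanman -Name SMB1 -Value 0 -Type DWord
        }
    }
}

# 2. Is one of the MS17-010 updates installed? Get-HotFix lists installed Windows updates by KB ID.
$installed = Get-HotFix | Where-Object { $PatchKBs -contains $_.HotFixID }
if (-not $installed) {
    $findings += "None of the expected updates ($($PatchKBs -join ', ')) is installed; apply MS17-010"
}

# 3. Is the host listening on the ports the worm scans? .NET call, so it also works on Windows 7.
$listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
$smbPorts  = $listeners | Where-Object { 139, 445 -contains $_.Port } |
             Select-Object -ExpandProperty Port -Unique
if ($smbPorts) {
    $findings += "TCP $($smbPorts -join '/') is listening; ensure perimeter and host firewalls block inbound SMB"
    if ($Remediate -and $PSCmdlet.ShouldProcess('Windows Firewall', 'block inbound TCP 139/445')) {
        # Caveat: this also stops legitimate file sharing to this host. It is a stop-gap until
        # the patch is installed, not a replacement for it.
        netsh advfirewall firewall add rule name=Block_inbound_SMB_WannaCry `
            dir=in action=block protocol=TCP 'localport=139,445' | Out-Null
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'No SMB exposure findings on this host' }
```

Run it first without -Remediate (or with -WhatIf) to see what it would change. Blocking 445 on a file server is disruptive, and disabling SMBv1 will break any remaining SMBv1-only clients such as old printers or NAS devices, so treat the firewall rule as a temporary measure and the patch plus SMBv1 removal as the real fix.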

On Monday, May 15, 2017, a new variant of WannaCry was identified by Zscaler. This variant carried the same ransomware payload, but was delivered over HTTP (TCP port 80) via a phishing email or a drive-by download. This variant did not use the SMB exploit to propagate, but it is likely that subsequent variants will.

Zscaler ThreatLabZ continues to identify new variants of the threat and we will continue to keep this page updated with the latest analysis and recommendations.

Additional resources

  • In the aftermath of WannaCry, our concept of the network has to change
  • Indicators Associated With WannaCry Ransomware
  • Microsoft Customer Guidance for WannaCrypt

Timeline of WannaCry

  • Friday, April 14, 2017
    The Shadow Brokers, a hacker group, publish a cache of NSA documents and tools, including 23 executable hacking tools targeting Windows. Among them is EternalBlue, the SMB exploit that WannaCry later uses to spread.
  • Friday, May 12, 2017
    The WannaCry attack surfaces, making its first appearance at 8:42 a.m. London time.

    Friday afternoon, a British security researcher notices that the malware checks an unregistered domain before encrypting, and registers it. Infected machines that can reach the domain stop running, so the domain acts as a kill switch and the initial attack is effectively shut down.
  • Sunday, May 14, 2017
    New variants of WannaCry are identified, but do not spread as quickly as the original infection.
  • Monday, May 15, 2017
    Zscaler ThreatLabZ identifies a variant of the ransomware that uses HTTP as its delivery vector.
  • Tuesday, May 16, 2017
    Shadow Brokers posts a new message claiming to have many more new exploits, offering them as subscription services to would-be attackers.
  • Variants of WannaCry continue to appear. Zscaler ThreatLabZ continues to actively monitor the threat.

How secure are you?

Check your security with our instant risk assessment, Security Preview. It’s free, confidential and safe. 85% of companies that run this test find vulnerabilities that require immediate attention.