WannaCry victims didn't do anything wrong: they didn't click any suspicious links or visit shady websites

May 22, 2017 22:31 GMT  ·  By

The WannaCry ransomware nightmare didn't begin like most other ransomware instances - via phishing - but rather through a simple scan of the public Internet. 

Security firm Malwarebytes writes in a new report that given the lack of other evidence, this is the only way the WannaCry ransomware could have propagated - the attackers scanned the Internet for vulnerable SMB ports.

"Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public facing SMB ports, and once located, using the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks," writes Malwarebytes senior malware intelligence analyst Adam McNeil.

Basically, once a few vulnerable machines were discovered, the attackers used the EternalBlue exploit to get on the target network, and then the DoublePulsar backdoor to gain persistence, which allowed for the WannaCry installation.

"Developing a well-crafted campaign to identify just as little as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and speed that we saw with this particular ransomware variant," McNeil writes.
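The propagation chain described above has two phases a defender can look for in perimeter and internal firewall logs: an external address probing TCP/445 on many hosts (the Internet-wide hunt for exposed SMB ports), and an internal host that suddenly fans out to TCP/445 on many peers (the spread within the connected network). The following Python script is an added example, not code from Malwarebytes or from this article; the log format (`timestamp src dst dport action`), the address ranges and every log line are constructed for the example.

```python
"""Flag the two WannaCry-style traffic patterns in firewall connection logs:
(1) an external source touching TCP/445 on many hosts (Internet scanning), and
(2) an internal host opening TCP/445 to many peers (in-network propagation).
All sample data below is constructed for this example."""
import ipaddress
from collections import defaultdict

# Hypothetical address plan: the organisation's public-facing range plus its
# internal RFC 1918 space. Replace with the real ranges for your environment.
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]

SMB_PORT = 445

# Constructed sample log: one external host probes five public-facing hosts on
# 445 (denies included), then the one host it reached starts fanning out to
# internal peers on 445. The last lines are noise: a normal file-share client,
# an unrelated HTTPS connection and a malformed record.
SAMPLE_LOG = """\
2017-05-12T07:01:02 198.51.100.7 203.0.113.10 445 ALLOW
2017-05-12T07:01:02 198.51.100.7 203.0.113.11 445 DENY
2017-05-12T07:01:03 198.51.100.7 203.0.113.12 445 DENY
2017-05-12T07:01:03 198.51.100.7 203.0.113.13 445 DENY
2017-05-12T07:01:04 198.51.100.7 203.0.113.14 445 ALLOW
2017-05-12T07:02:10 203.0.113.10 10.0.0.5 445 ALLOW
2017-05-12T07:02:11 203.0.113.10 10.0.0.6 445 ALLOW
2017-05-12T07:02:11 203.0.113.10 10.0.0.7 445 ALLOW
2017-05-12T07:02:12 203.0.113.10 10.0.0.8 445 ALLOW
2017-05-12T07:02:12 203.0.113.10 10.0.0.9 445 ALLOW
2017-05-12T07:03:00 10.0.0.20 10.0.0.5 445 ALLOW
2017-05-12T07:03:01 10.0.0.20 10.0.0.5 445 ALLOW
2017-05-12T07:05:00 192.0.2.9 203.0.113.10 443 ALLOW
this line is not a valid record
"""


def is_internal(addr, internal_nets):
    """True if addr falls inside one of the organisation's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in internal_nets)


def parse_line(line):
    """Parse one 'ts src dst dport action' record; return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        dport = int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "action": action}


def analyze(log_text, internal_nets=INTERNAL_NETS, threshold=4):
    """Return sources that contacted at least `threshold` distinct hosts on 445,
    split into external scanners and internal hosts fanning out."""
    targets = defaultdict(set)          # src -> set of distinct dst on 445
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != SMB_PORT:
            continue
        # Denied attempts count as well: the breadth of the probe is the
        # signal, not whether any individual connection succeeded.
        targets[rec["src"]].add(rec["dst"])

    external, internal = [], []
    for src, dsts in targets.items():
        if len(dsts) < threshold:
            continue
        bucket = internal if is_internal(src, internal_nets) else external
        bucket.append((src, len(dsts)))
    return {"external_scanners": sorted(external),
            "internal_fanout": sorted(internal)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for kind, hits in report.items():
        for src, count in hits:
            print(f"{kind}: {src} reached {count} distinct hosts on TCP/{SMB_PORT}")
```

The threshold of four distinct destinations is deliberately low for the constructed sample; on real logs it should be tuned above the number of file servers an ordinary client talks to, and the internal fan-out check is the more valuable of the two, since an internal host that begins opening SMB sessions to many peers within seconds is the behaviour that made the spread described above so fast.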

Say no to 0day stockpiles

McNeil agrees with Microsoft that the NSA and other intelligence agencies need to stop stockpiling exploits. The WannaCry incident is just one example of what can happen when 0days are kept by a government for its own use instead of being reported to the affected companies. This is, as many other researchers have said, just the beginning. Adylkuzz, a cryptomining threat that uses the same EternalBlue vulnerability, has already been spotted, as has EternalRocks, a worm that uses seven NSA hacking tools, although the latter hasn't been weaponized just yet.

The only way to protect yourself is to update your operating system, make sure it is fully patched, and install security software that will, hopefully, block any attempts to infect you.