Malware: WannaCry Ransomware - Infection Vector Unlikely to be Phishing

By now the whole world has heard of the new ransomware WannaCry and its variants. Some of you might be wondering why nothing has been posted on this site about the phishing aspect of the campaign. The reason is quite simple: contrary to what many security vendors have reported, it is highly unlikely that the infection is being spread through phishing campaigns. The malware is targeting victims across the world through the well-known SMBv1 vulnerability, for which ShadowBrokers released an exploit very recently. It looks as though the internet is being scanned for vulnerable computers, which are then attacked with the malware.

Easy wins: disable SMB, and make sure you are not blocking the kill switch.
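As an added example (not from the original post, and not the tool linked below), here is a PowerShell check-and-harden script for the two easy wins above. It assumes an elevated prompt on Windows 8.1 / Server 2012 R2 or newer (where the SmbServerConfiguration and NetFirewall cmdlets exist), and the kill-switch domain is a placeholder you must fill in from the published analysis.

```powershell
# Added example: verify and apply the two easy wins (disable SMBv1, confirm the
# kill-switch domain is reachable). Run from an elevated PowerShell prompt.
# Assumption: Windows 8.1 / Server 2012 R2 or newer.

$KillSwitchDomain = 'REPLACE-WITH-PUBLISHED-KILLSWITCH-DOMAIN'  # placeholder, not a real value

# --- 1. SMBv1 -----------------------------------------------------------------
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server protocol is ENABLED; disabling it.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host 'SMBv1 server protocol is already disabled.'
}

# Remove the optional feature as well so SMBv1 cannot be re-enabled by accident.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Warning 'SMB1Protocol feature disabled; a reboot is required to finish.'
}

# Block inbound SMB on untrusted (Public-profile) networks: the worm spreads by
# connecting to TCP/445 on hosts it can reach, so exposed hosts are the target.
$ruleName = 'Block inbound SMB (WannaCry mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public | Out-Null
    Write-Host "Firewall rule '$ruleName' created."
}

# --- 2. Kill switch -----------------------------------------------------------
# The payload exits early if the kill-switch domain resolves and answers over
# HTTP, so a DNS sinkhole or proxy block of that domain makes infections worse.
try {
    $null = Resolve-DnsName -Name $KillSwitchDomain -ErrorAction Stop
    $reach = Test-NetConnection -ComputerName $KillSwitchDomain -Port 80 -WarningAction SilentlyContinue
    if ($reach.TcpTestSucceeded) {
        Write-Host 'Kill-switch domain resolves and TCP/80 is reachable: OK.'
    } else {
        Write-Warning 'Kill-switch domain resolves but TCP/80 is blocked; check proxy and egress rules.'
    }
} catch {
    Write-Warning 'Kill-switch domain does not resolve here; check DNS filtering and sinkholes.'
}
```

Run it on a representative workstation and on each internet-facing host; a reboot is needed before the SMB1Protocol feature removal takes full effect.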

There is a lot of reporting around this now, but most of it is just re-tweets and news stories that add little or nothing about the actual campaign.

Here's a good RE paper from Jake Williams on the payload.
And here's the tool you can use to prevent WannaCry infections if you can't patch your systems.

