Wannacry: Everything you still need to know because there were so many unanswered Qs

How it first spread, Win XP wasn't actually hit, and more

By Iain Thomson in San Francisco


Vid It has been a week since the Wannacry ransomware burst onto the world's computers – and security researchers think they have figured out how it all started.

Many assumed the nasty code made its way into organizations via email – either spammed out, or tailored for specific individuals – using infected attachments. Once accidentally opened, Wannacry would be installed, its worm features would kick in, and it would start the spread via SMB file sharing on the internal network.

However, the first iteration of the malware – the one that got into the railways, telcos, universities, the UK's NHS, and so on – required no such interaction. According to research by boffins at Malwarebytes, email attachments weren't used. Instead, the malware's operators searched the public internet for systems running vulnerable SMB services, and infected them using the NSA's leaked EternalBlue and DoublePulsar cyber-weapons. Once on those machines, Wannacry could be installed and move through internal networks of computers, again using EternalBlue and DoublePulsar, scrambling files as it went and demanding ransoms.

"Our research shows this nasty worm was spread via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry Ransomware," said Adam McNeil, a malware intelligence analyst at Malwarebytes.

The NSA's EternalBlue exploit and its various clones attack a programming bug present in SMB code in Windows XP to pre-Windows 10. The Wannacry masterminds, exploiting the same flaw, scanned for computers with SMB port 445 open on the 'net, and injected their code into the vulnerable systems via a classic buffer overflow.

Many assumed Wannacry could infect any pre-Windows 10 system; however, it mostly infected Windows 7 computers that hadn't picked up Microsoft's March security patch for the SMB bug. That's because the malware's implementation of EternalBlue is ineffective on Windows XP and Windows Server 2003: it simply wouldn't work reliably. In other words, contrary to popular belief, the outbreak didn't hit very many WinXP and similarly aging boxes at all – it was mostly unpatched Win7 and Server 2008 machines in enterprises and other large organizations that were slow to apply Microsoft's fixes earlier this year, while most Windows 10 users were automatically patched.

So in summary, the outfits infected by Wannacry were most likely pwned using EternalBlue via an external SMBv1 service – pro tip: never use SMBv1, never expose your file servers to the internet – and then the DoublePulsar backdoor was deployed to take full control of the box and allow it to be remotely controlled. From that foothold, Wannacry could be deployed, using both cyber-weapons to move through the organization's Windows 7 and Server 2008 computers.

"The easiest route would be if an attacker had already compromised the system and installed DoublePulsar. In these cases WannaCry would just leverage that to infect the system," Nick Biasini, Cisco Talos outreach team manager, told The Reg.

So, if you have a Wannacry outbreak on your systems, it's going to be vital to get the DoublePulsar element ripped out as well as cleaning out the ransomware and shutting down vulnerable SMB ports.
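A defender-side counterpart to that advice, added here as an example and not part of the article: a PowerShell script for a Windows 7 / Server 2008 host that reports whether the SMBv1 server is still enabled, disables it via the registry value Microsoft documents for those versions, and blocks inbound TCP 445 with netsh (the NetSecurity cmdlets such as New-NetFirewallRule need Windows 8 / Server 2012 or later). The rule name and the assumption that the host is workstation-class and does not serve SMB to other machines are mine.

```powershell
# Added example, not the article's code. Assumes an elevated (administrator) PowerShell
# session on Windows 7 / Server 2008 and a host that does not need to accept SMB connections.

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Audit the SMBv1 server setting. On an unhardened box the SMB1 value is absent,
#    which means enabled (the weak setting). Microsoft's documented method for these
#    Windows versions is to set SMB1 = 0 under LanmanServer\Parameters and reboot.
$smb1 = (Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue).SMB1
if ($null -eq $smb1 -or $smb1 -ne 0) {
    Write-Output 'SMBv1 server is ENABLED - disabling (takes effect after a reboot)'
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
} else {
    Write-Output 'SMBv1 server already disabled'
}

# 2. Stop the host from ever being an externally reachable SMB target: block inbound
#    TCP 445 with the built-in firewall. remoteip=any is correct for a workstation that
#    serves no shares; a real file server would instead scope remoteip to the address
#    ranges outside its internal networks (site-specific, so left as a placeholder here).
$ruleName = 'Block inbound SMB TCP 445 (hypothetical rule name)'
$existing = netsh advfirewall firewall show rule name="$ruleName" 2>&1
if ($existing -match 'No rules match') {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block `
        protocol=TCP localport=445 remoteip=any | Out-Null
    Write-Output "Added firewall rule: $ruleName"
} else {
    Write-Output "Firewall rule already present: $ruleName"
}

# 3. Show the resulting state so the change can be verified in a change ticket.
Get-ItemProperty -Path $lanman | Select-Object SMB1
netsh advfirewall firewall show rule name="$ruleName"
```

On hosts that must keep serving SMB internally, apply only step 1 and the patch, and rely on perimeter filtering of 445 rather than a host rule with remoteip=any.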


For all the buzz Wannacry created, it seems the malware's operators haven't had much of a payday given the number of computers infiltrated. An analysis of the Bitcoin addresses from the ransomware shows they have reaped just over $90,000 for their efforts. While that's not bad for a week's work, it's still not worth it. The masterminds have managed to enrage Russian, UK, and US authorities, and caused infections in over a hundred countries. That leaves very limited places to hide and the Feds are keen to make a collar as soon as possible.

As for where the software nasty came from and how it was grown from leaked NSA tools, opinion is still divided. However, there has been some interesting research detailed by Professor Alan Woodward from the University of Surrey's department of computing. It suggests a security researcher called ZeroSum0x0 published an implementation of EternalBlue's exploit in Ruby on Github shortly before Wannacry began to spread – this code, designed to work with penetration-testing tool Metasploit, may have been used as a blueprint by the Wannacry developers.

"The post on GitHub was six days ago and that places it before the malware started to make the rounds," he wrote. "Maybe the exploit was cribbed by the malware cabal to use EternalBlue.

"Did someone fuck up and place code on the net for research that in turn was used by the adversaries to make Wannacry work and launch it into the wild? I ask this because of the time table here and the events since that lead me to believe this is the case. I cannot say for sure because no one has given me any information to counter this belief."

The hunt for the malware's source code and its coders continues. ®
