WannaCry FAQ – Take-aways and Learnings

WannaCry has multiple ways of spreading. Its primary method is to use the Backdoor.Double.Pulsar (DoublePulsar) backdoor exploit tool, released last March by the hacker group known as the Shadow Brokers; with it, WannaCry managed to infect thousands of Microsoft Windows computers in only a few weeks. Because DoublePulsar runs in kernel mode, it grants attackers a high level of control over the compromised system.

If WannaCry detects that a system already has DoublePulsar installed, it uses that backdoor to download and execute its payload. Interestingly, in some samples we analyzed we discovered an unused flag that disables the DoublePulsar path.

If DoublePulsar is not available, WannaCry spreads via the SMB (Server Message Block) protocol by exploiting the Microsoft vulnerability targeted by the NSA's EternalBlue exploit. Microsoft released a patch for this vulnerability for all supported versions of Windows in March 2017, and on Friday, May 12, 2017 additionally released a patch for Windows XP and Windows 2003, even though those versions are no longer officially supported.

Once the malware has breached a target system, WannaCry attempts to spread across the internal network and also attempts to connect to random hosts on the Internet, in both cases via SMB on TCP ports 139 and 445.

There are also rumors of an RDP (Remote Desktop Protocol) exploit, dubbed ESTEEMAUDIT, being used as one of the primary vectors for infecting corporations. Be sure you understand your own environment's exposure.
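The spreading behaviour described above (one infected host fanning out over SMB on TCP 139/445 to many internal neighbours and to random Internet addresses) leaves a distinctive footprint in firewall or flow logs. The following is an added example, not code from the original post or from Fortinet: a small detector that reads constructed connection-log lines, counts distinct destinations per source on the SMB ports, and separates internal from external targets so a "lateral + Internet" fan-out stands out. The log format, the internal address ranges in INTERNAL_NETS and the threshold of five distinct targets are assumptions for the example; the RDP port list is included so the same check can be pointed at the ESTEEMAUDIT vector mentioned above.

```python
import ipaddress
from collections import defaultdict

# Assumption: the organisation's internal address space. Adjust to your own
# ranges; this is deliberately explicit rather than relying on ip.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports named in the post: SMB on TCP 139/445. RDP (3389) is listed separately
# so the same detector can be run against the rumoured RDP vector.
SMB_PORTS = {139, 445}
RDP_PORTS = {3389}

# Constructed sample log (not real data): "timestamp src_ip dst_ip dst_port action".
# 10.0.1.15 fans out to many hosts on 445/139, both inside and outside the
# network; 10.0.1.40-42 show ordinary single-destination traffic.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445 SYN
2017-05-12T10:00:01 10.0.1.15 10.0.1.21 445 SYN
2017-05-12T10:00:02 10.0.1.15 10.0.1.22 445 SYN
2017-05-12T10:00:02 10.0.1.15 10.0.1.23 139 SYN
2017-05-12T10:00:03 10.0.1.15 203.0.113.7 445 SYN
2017-05-12T10:00:03 10.0.1.15 198.51.100.44 445 SYN
2017-05-12T10:00:04 10.0.1.15 192.0.2.9 445 SYN
2017-05-12T10:00:05 10.0.1.15 10.0.1.30 445 SYN
2017-05-12T10:00:06 10.0.1.15 10.0.1.31 445 SYN
2017-05-12T10:00:07 10.0.1.15 10.0.1.32 445 SYN
2017-05-12T10:00:08 10.0.1.15 10.0.1.33 445 SYN
2017-05-12T10:00:10 10.0.1.40 10.0.1.5 445 SYN
2017-05-12T10:00:11 10.0.1.40 10.0.1.5 445 SYN
2017-05-12T10:00:12 10.0.1.41 10.0.1.5 445 SYN
2017-05-12T10:00:13 10.0.1.42 93.184.216.34 443 SYN
"""


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the five-field log format into a list of dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # tolerate truncated or malformed lines instead of crashing
        ts, src, dst, port, action = parts
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "action": action})
    return records


def find_scanners(records, ports=SMB_PORTS, min_targets=5):
    """Return sources that contacted at least min_targets distinct hosts on the given ports.

    Each finding records the distinct-target count, the internal and external
    target lists, and a coarse pattern label. Counting *distinct* destinations
    (not raw connection attempts) is what separates worm-style fan-out from a
    client hammering one file server.
    """
    targets = defaultdict(set)
    for r in records:
        if r["port"] in ports:
            targets[r["src"]].add(r["dst"])

    findings = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        internal = sorted(d for d in dsts if is_internal(d))
        external = sorted(d for d in dsts if not is_internal(d))
        if internal and external:
            pattern = "lateral+internet"
        elif internal:
            pattern = "lateral"
        else:
            pattern = "internet"
        findings[src] = {"distinct_targets": len(dsts), "internal": internal,
                         "external": external, "pattern": pattern}
    return findings


if __name__ == "__main__":
    for src, f in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['distinct_targets']} distinct SMB targets ({f['pattern']}); "
              f"external: {', '.join(f['external']) or 'none'}")
    if not find_scanners(parse_log(SAMPLE_LOG), ports=RDP_PORTS):
        print("no RDP fan-out in sample")
```

On the constructed sample only 10.0.1.15 is reported, with eleven distinct SMB targets, eight internal and three external, which is exactly the "spread internally and reach out to random Internet hosts" pattern the post describes. In production you would bucket the counts by time window and feed the result to your alerting pipeline; an internal host opening SMB to arbitrary Internet addresses is rarely legitimate and is also a good argument for blocking outbound 139/445 at the perimeter.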

Read full news article on Fortinet Blog