Updated July 24, 2017 (originally published May 12, 2017)

From NSA Exploit to Widespread Ransomware: WannaCry Is on the Loose


This article was revised 5/15/17 at 9:12 a.m. (PDT) with updated recommendations.

Over a dozen years ago, malware pioneer Dr. Peter Tippett coined the expression “virus disaster” for the point at which more than 25 machines are infected on a single network, the “tipping point” for complete shutdown of that network.1 The new ransomware WannaCry,2 which locks down the files on an infected computer until the owner pays a ransom, seems to have plunged whole sections of critical infrastructure into a virus disaster. Hospitals in the UK were the first to feel its bite, but the damage is spreading far and wide. This is likely to jeopardize patient health as hospitals are shut down. If someone dies because of this, we’ll be looking at murder by malware.3 That will be a game-changer for security and compliance.

The malware spreads with “EternalBlue” (an NSA exploit released by the Shadow Brokers5) against the SMBv1 vulnerability Microsoft patched in MS17-0104 two months ago, punching through the network of anyone who has not applied that patch. The vulnerability is in Server Message Block (SMB) file sharing, which is usually wide open inside organizational networks, so once one host is infected the attack spreads fast.

Just as we saw with Cerber ransomware riding the Apache Struts exploit, cyber-crooks waste no time upgrading the warheads on their malware to the latest exploits. When new holes are published, expect the same old evil to come repackaged with a new way to get in.

WannaCry is entering networks in several forms. The most dangerous is via Microsoft SMB (Server Message Block),6 the file-sharing protocol. Security researchers report that a device listening on SMB placed on the open, unfiltered Internet is attacked within three minutes. Traditional propagation methods are also in use, including malicious email attachments and phishing.

The most prevalent form of the WannaCry ransomware arrives as a loader carrying an AES-encrypted DLL, written to disk as a file called “t.wry”. The loader decrypts that file with a 128-bit key embedded in the malware and loads the resulting DLL in memory; it is this decrypted DLL that encrypts the victim’s files. Because the encryptor is never written to disk in unencrypted form, a signature-based antivirus that only scans files on disk does not see it.

While encrypting the victim’s files, it also scans for every reachable SMB file share and IPC$ share. It uses the MS17-010 SMB vulnerability to gain access to the systems behind those shares and infects them as well, with no user action required on the target. This behavior is what has enabled WannaCry to infect whole networks in minutes.
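That fan-out is also what makes the worm easy to spot in the network telemetry you already have: one host opening TCP/445 connections to many distinct peers in a short window is not normal client behavior. The following PowerShell is an added example, not code from the original article or from F5; it parses Windows Firewall log lines (pfirewall.log format) and flags sources that touch at least a threshold number of distinct SMB peers within a sliding window. The sample log lines, IP addresses and the threshold of 10 peers in 60 seconds are constructed for illustration and should be tuned to your environment.

```powershell
# Added example (not the original article's code): detect worm-style SMB fan-out
# in Windows Firewall log lines. Field order follows the pfirewall.log header:
#   date time action protocol src-ip dst-ip src-port dst-port size ...
function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $MinDistinctTargets = 10,   # assumption: tune to your environment
        [int] $WindowSeconds = 60
    )
    # Parse only TCP connections to port 445 into time/src/dst records
    $events = @(foreach ($line in $LogLines) {
        if ($line -match '^(#|\s*$)') { continue }          # header or blank line
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                                          [cultureinfo]::InvariantCulture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    })
    # For each source, slide a window over its connections and count distinct peers
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $deadline = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $peers = @($sorted[$i..($sorted.Count - 1)] |
                       Where-Object { $_.Time -le $deadline } |
                       Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -ge $MinDistinctTargets) {
                [pscustomobject]@{
                    Source        = $group.Name
                    WindowStart   = $sorted[$i].Time
                    DistinctPeers = $peers.Count
                    Peers         = ($peers | Select-Object -First 5) -join ', '
                }
                break   # one alert per source is enough
            }
        }
    }
}

# Constructed sample (not real traffic): one normal client talking to two file
# servers, and one host sweeping 12 peers on port 445 within 24 seconds.
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    '2017-05-12 13:45:00 ALLOW TCP 10.0.0.20 10.0.0.100 50120 445 0 - 0 0 0 - - - SEND'
    '2017-05-12 13:45:03 ALLOW TCP 10.0.0.20 10.0.0.101 50121 445 0 - 0 0 0 - - - SEND'
    '2017-05-12 13:45:05 ALLOW TCP 10.0.0.20 10.0.0.102 50122 80 0 - 0 0 0 - - - SEND'
)
foreach ($n in 1..12) {
    $sample += '2017-05-12 13:46:{0:d2} ALLOW TCP 10.0.0.5 10.0.0.{1} {2} 445 0 - 0 0 0 - - - SEND' -f ($n * 2), (30 + $n), (49152 + $n)
}

# Only 10.0.0.5 is reported: 12 distinct peers inside one 60-second window.
Find-SmbFanOut -LogLines $sample -MinDistinctTargets 10 -WindowSeconds 60 | Format-Table -AutoSize
```

To run this against real data, feed it `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"`. Note that Windows Firewall logs only dropped packets by default; allowed connections must be logged too (`Set-NetFirewallProfile -Name Domain,Private,Public -LogAllowed True`) or the outbound sweep will never appear. The same logic applies to NetFlow or perimeter firewall logs once the fields are mapped.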

The primary variant of WannaCry checked an unregistered domain before running, a.k.a. “the kill switch”: if the domain answered, the malware exited without encrypting anything. A security researcher who goes by the name MalwareTech registered and sink-holed that domain,7 which stopped this version of WannaCry. Updated variants that are not stopped by this sinkhole have since been released, so the danger is still real.

Defense Advice

  • Block SMB access to the Internet, which runs over TCP ports 137, 139, 445 and UDP ports 137, 138.
  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • Filter and monitor email for phishing attacks, watching for inbound executable and macro-enabled attachments.
  • Utilize least privilege by giving users access only to the resources they need to conduct their jobs to contain damage from a compromised user account.
  • Reduce and restrict full administrative privileges. Give system administrators separate administrative accounts, distinct from the user accounts they use to read email and surf the web. Also restrict administrative protocols such as SSH (TCP 22), Telnet (TCP 23) and RDP (TCP 3389) to known management hosts.
  • Configure internal access controls to contain the infection within network segments: block or restrict SMB (TCP ports 137, 139, 445 and UDP ports 137, 138) between segments, and inbound to workstations that do not serve files.
  • Send internal flash bulletins to users about this outbreak, warning them to beware of attachments and not to connect possibly infected outside devices (teleworker laptops, vendor equipment, home computers) to the office network.
  • Perform and test backups regularly, and keep at least one copy offline or otherwise unreachable from the infected network, so the ransomware cannot reach the backup as well.
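The patch, SMBv1 and firewall items above can be checked and enforced on each Windows host from one script. The PowerShell below is an added example, not from the original article or from F5. It assumes you run it as Administrator, and the `$Ms17010Kbs` list is deliberately empty: fill it with the KB numbers the MS17-010 bulletin lists for your OS build, since they differ per version. The Smb* cmdlets need Windows 8.1 / Server 2012 R2 or later; on Windows 7 / Server 2008 R2 the script falls back to the LanmanServer registry value Microsoft documents for disabling SMBv1.

```powershell
# Added example (not the original article's code): audit and harden one Windows
# host against SMBv1 worm propagation. Without -Enforce it only reports.
param(
    [string[]] $Ms17010Kbs = @(),   # assumption: KB IDs for this OS from the MS17-010 bulletin
    [switch]   $Enforce,
    [switch]   $Workstation           # also block inbound SMB (hosts that serve no files)
)

# 1. Is an MS17-010 update installed?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched   = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
if ($Ms17010Kbs.Count -eq 0) {
    Write-Warning 'No KB IDs supplied; cannot verify MS17-010. Look them up for this OS build.'
} elseif ($patched.Count -eq 0) {
    Write-Warning "MS17-010 not found (checked: $($Ms17010Kbs -join ', ')). Patch immediately."
} else {
    Write-Output "MS17-010 present: $($patched -join ', ')"
}

# 2. SMBv1 server status (the protocol version EternalBlue targets)
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Windows 7 / 2008 R2: a missing SMB1 value means SMBv1 is enabled
    $v    = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1 = ($null -eq $v) -or ($v -ne 0)
}
Write-Output "SMBv1 server enabled: $smb1"
if ($smb1 -and $Enforce) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Client editions can remove the component entirely; on Server 2012 R2+
        # use Uninstall-WindowsFeature -Name FS-SMB1 instead.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'SMBv1 disabled in the registry; a reboot is required.'
    }
}

# 3. Host firewall: no SMB/NetBIOS to the Internet, and no inbound SMB on workstations
if ($Enforce) {
    New-NetFirewallRule -DisplayName 'Block SMB to Internet' -Direction Outbound `
        -Protocol TCP -RemotePort 139,445 -RemoteAddress Internet -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block NetBIOS to Internet' -Direction Outbound `
        -Protocol UDP -RemotePort 137,138 -RemoteAddress Internet -Action Block | Out-Null
    if ($Workstation) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB' -Direction Inbound `
            -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null
    }
}
```

Run it first without `-Enforce` across the fleet to get an inventory of unpatched and SMBv1-enabled hosts, then with `-Enforce` (and `-Workstation` on endpoints that share nothing). Disabling SMBv1 will break legacy devices such as old printers and NAS boxes that speak nothing newer, so test on a pilot group before rolling out.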

More Information


1 http://www.itwire.com/it-industry-news/development/1130-virus-attacks-continue-to-escalate-says-survey

2 https://en.wikipedia.org/wiki/WannaCry

3 https://www.reddit.com/r/worldnews/comments/6arkxt/hospitals_across_england_hit_by_largescale/dhh2ly9/

4 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

5 https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/

6 https://en.wikipedia.org/wiki/Server_Message_Block

7 http://money.cnn.com/2017/05/13/technology/hero-ransomware-malwaretech-cyberattack/
