Analysis of WannaCry 2.0 Variants and Propagation Vectors Seen in The Wild
WannaCry 2.0, an aggressive ransomware campaign, went viral on May 12, 2017; it has impacted over 200,000 systems worldwide, and the attack remains active. What made this campaign so virulent was the dropper payloads' use of the leaked NSA "ETERNALBLUE" exploit, which targets a Microsoft Windows vulnerability in the Server Message Block (SMB) v1.0 protocol. Microsoft released a patch for this vulnerability in March 2017 for all supported operating systems; however, many organizations still run legacy systems on older, now unsupported operating systems such as Windows XP, for which no patch was available in March. In the wake of this attack, Microsoft released an emergency patch over the weekend for those unsupported operating systems.
As predicted in the Zscaler WannaCry security advisory, we are now seeing different variants of the initial dropper in the wild, all leading to the WannaCrypt ransomware infection. In this blog, we provide a technical analysis of the dropper variants we have seen so far, their propagation vectors, and the final ransomware payload.