Threat Description

Subsequent to our advisory on the cache of tools leaked from the NSA by the group ShadowBrokers, a cybercriminal group has incorporated one of the exploits, EternalBlue, into a worm-propagated ransomware, hence termed as RansomWorm which has been spreading and infecting at very high pace to over 100 countries as of today. Named WannaCry or WCry, over 45,000 attacks have been logged in the past few days, and there may currently be close to 38,000 potentially vulnerable, public, internet-facing systems in the Arab World and High-Risk Asian countries, with c. 700 of those situated in the GCC. This figure increases significantly if non-internet facing systems are taken into consideration.

Parallels with Conficker and Likely Point of Entry

Due to its severity and speed of propagation the malware is similar to Conficker, a notorious worm that initially started spreading in 2008, going on to infect over 9 million windows machines worldwide. While both Conficker and WCry targeted ports 139 and 445 on LANs and over the internet, Conficker’s infection vector was mostly via NetBIOS. WCry is being propagated through the Windows-centric SMB protocol.