Stats & Trends
Jonathan Crowe
May 2017

WannaCry Follow-up Attacks: 3 New Outbreak Scenarios to Be Ready For

Map of WannaCryt infections. Source: MalwareTech

The WannaCry ransomware outbreak caught organizations all around the world by surprise. Here's what the next major outbreak will likely look like and how you can make sure you're ready.

It's been a little over a week since the WannaCry ransomware worm swept onto the scene, infecting an estimated 300,000 computers in more than 150 countries. Now that the initial dust has settled a more complete picture of the attack has emerged, along with indications that WannaCry actually wasn't the first attack using leaked NSA exploit ETERNALBLUE to infect victims, and it almost certainly won't be the last. 

In the wake of the outbreak there's been no lack of hot takes. By this point, nearly every vendor has issued a statement as to how they now protect organizations from WannaCry after the fact. But with the outbreak contained (at least for the moment), what organizations should be more concerned with is how they can protect themselves from the next wave of attacks to come. 

To help you prepare for what's coming next, let's break down the following:

  • The three primary components of the WannaCry attacks
  • Which two are most likely to be utilized in other attacks
  • The three most likely outbreak scenarios we can expect to see next
  • What organizations can do now to proactively prevent getting infected (instead of waiting to react to an infection after the damage is done)

Anatomy of a ransomware outbreak

The 3 primary components of the WannaCry attacks (and which ones we'll likely see used again)


1) The ransomware

Despite giving the outbreak its name, this was actually the least sophisticated component of the attack, the least responsible for its success, and the least likely to be used again. 

That's because, as far as ransomware variants go, WannaCry was fairly average and didn't really bring anything special to the table. In fact, several mistakes and signs of shoddy mechanics — the now infamous "kill switch," having a manual system for processing victim payments and decryption, using an encryption method that was eventually cracked — indicate the ransomware was the work of amateurs

It may be a household name now, but prior to the oubreak a previous verison of WannaCry had unsuccessfully lurked around since February without gaining much notice or traction. On the other hand, that may have actually played to its advantage during the outbreak, effectively helping the 2.0 version fly under the radar and bypass antivirus programs that hadn't created signatures for it. 

It's certainly on the radar now, however, which means unless the attackers release an updated version of the ransomware, we likely won't actually see WannaCry in any future WannaCry-inspired attacks.


2) The exploit

So if WannaCry was such an run-of-the-mill piece of ransomware, how was it able to cause such a widespread outbreak? Part of the reason is the attackers were utilizing ETERNALBLUE, one of the purported NSA exploits leaked in April by the Shadow Brokers hacking group.

ETERNALBLUE targets a vulnerability in Server Message Block (SMB), a network file sharing protocol. What makes it so dangerous is that:

  1. there are a ton of devices with port 445 (the port associated with SMB) either knowingly or inadvertently open to the Internet right now — over 1 million if you're keeping score at home.
  2. the Shadow Brokers leak provided everything even novice attackers need to start utilizing ETERNALBLUE, including an exploit framework called FUZZBUNCH that makes deploying it extremely simple. 

All the attackers had to do was scan the Internet for systems with port 445 (the port associated with SMB) open, and then use the exploit. If successful, it gave them the remote execution they needed to run the ransomware by installing a backdoor. 

The good news is Microsoft update MS17-010 addresses the vulnerability and renders the exploit ineffective. The company also took the unusual step of releasing updates for older operating systems that are no longer officially supported, such as Windows XP, Windows 8, and Windows Server 2003. The bad news is the former had been available for two months prior to the WannaCry outbreak — a stark reminder of how unnrealistic it is to assume that a patch spells the end of an exploit.  

Even after all the publicity attached to this outbreak, there's no denying the fact that, on average, it takes companies 100-120 days to patch vulnerabilities. The Conficker worm, the largest known computer worm infection to date, compromised computers for years after a patch was created to close the vulnerability it exploited. 

We should continue to see ETERNALBLUE leveraged for months and maybe even years to come. 


3) The worm

The other reason WannaCry was able to spread so quickly is that it utilized a self-propagating worm component. That allowed it to infect other hosts on the original victim's LAN, as well as on the wider Internet (there's a good technical write-up of how the worm works on the Malwarebytes blog). 

This is arguably the component that truly set this attack apart (case in point: another ransomware variant called Uiwix was spotted utilizing ETERNALBLUE to infect victims, but without the worm component it quickly fizzled out). While worms have wreaked havok before (again, see Conficker), this was one of the first instances of a ransomware attack incorporating worm functionality. 

Importantly, this allowed WannaCry to spread with zero human interaction, whereas the vast majority of other ransomware has traditionally relied on tricking users into helping it along, either by downloading a malicious email attachment, or visiting a compromised website. 

Now that there's a proven blueprint for infecting large numbers of victims with this type of attack, organizations have to assume more will be coming down the pike.  


What's next after WannaCry?

3 likely outbreak scenarios to prepare for now


Map tracking the spread of WannaCry./ The New York Times

So what types of repeat and follow-up attacks should organizations be preparing for, specifically? Here are three of the most likely possibilities:  


1) Another attack using ETERNALBLUE

Same exploit, different payload

The WannaCry outbreak may have blown the lid off of ETERNALBLUE, but it also verified its effectiveness. As long as slower-moving organizations continue to struggle to update their systems, attackers will continue to use this exploit to their advantage. And next time around, the payload could be much more damaging than an amateur piece of ransomware. 

Take more silent threats like remote access trojans and credential stealers, for example. We know about the spread of WannaCry partly because the nature of ransomware attacks make them impossible to ignore. But other malware can hide out on victim systems without attracting any notice, quietly extracting information indefinitely. In fact, that's exactly what another strain of malware was doing for three weeks prior to the WannaCry outbreak, while its victims remained oblivious.   

Attacks utilizing ETERNALBLUE to drop different strains of ransomware are still on the table, too, and could be potentially even more damaging than this outbreak. Take Cerber for example, which has a long history of using sophisticated evasive techniques, can't be decrypted, and has recently been spotted bypassing next-generation antivirus solutions that rely on machine learning. For as bad as the disruption and damage caused by WannaCry was, the fallout from an outbreak delivering a ransomware like Cerber would be much worse.  

How to prepare for it

The short answer: Patch. If that's not an immediate possibility, however, you can and should also consider restricting access to port 445 or simply disabling SMB altogether if you're not relying on it.

For those looking for additional, less disruptive protection, Barkly's exploit protection also blocks any attempted SMB exploits automatically. 


2) An attack that spreads via RDP

SMB isn't the only vulnerable protocol 

This outbreak comes on the heels of a rising number of ransomware attacks targeting organizations with port 3389 open and exposing Remote Desktop Protocol (RDP) to the Internet. Attackers behind Dharma, CrySiS, and SamSam ransomware have all taken to exploiting RDP to infect their victims, typically brute forcing their way past weak or default passwords to gain execution.

As the WannaCry attacks clearly illustrate, it's trivial for attackers to scan the Internet for devices with either SMB or RDP exposed. One particular port scanning tool, masscan, boasts it can scan the entire Internet in under 6 minutes, so it’s easy to see how attackers can quickly amass a large list of target victims. Adding worm functionality to RDP attack campaigns could make any one of them just as widespread and damaging as WannaCry's SMB-targeting attack. 

Another one of the NSA exploits leaked by the Shadow Brokers actually targets RDP, specifically. Called ESTEEMAUDIT, it thankfully only targets a vulnerability affecting Microsoft Windows Server 2003 and Windows XP. But that's not to say an exploit targeting newer systems doesn't also exist and won't be released at some point (more on that possibility below). 

How to prepare for it

While all the attention is on securing SMB and port 445, organizations can't neglect to do the same for RDP and port 3389. While you're at it, using a port scanning tool like Nmap can help you find all the open ports on your network. Keep in mind, attackers have access to these types of tools, as well. Here’s a tutorial from DigitalOcean that walks you through how to test your firewall configuration and see what your network looks like to an attacker.


3) An attack that uses another leaked NSA exploit

As mentioned, ETERNALBLUE was just one of the exploits included in the April 14, 2017 Shadow Brokers leak. As you can see from the list below published by Bleeping Computer, there are several others, many also targeting SMB.  

EASYBEE appears to be an MDaemon email server vulnerability [source, source, source]
EASYPI is an IBM Lotus Notes exploit [source, source] that gets detected as Stuxnet [source]
EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 to 7.0.2 [source, source]
EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor [source, source]
ETERNALROMANCE is a SMBv1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges [source, source]
EDUCATEDSCHOLAR is a SMB exploit [source, source]
EMERALDTHREAD is a SMB exploit for Windows XP and Server 2003 [source, source]
EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino [source, source]
ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users [source, source]
ERRATICGOPHER is a SMBv1 exploit targeting Windows XP and Server 2003 [source, source]
ETERNALSYNERGY is a SMBv3 remote code execution flaw for Windows 8 and Server 2012 [source, source, source]
ETERNALBLUE is a SMBv1 and SMBv2 exploit [source]
ETERNALCHAMPION is a SMBv1 exploit [source]
ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers [source, source]
ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003 and Windows XP [source, source]
ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later [source, source]
EXPANDINGPULLEY is another Windows implant [source]
GROK is a keylogger for Windows, also known about since Snowden [source]
ETRE is an exploit for IMail 8.10 to 8.22 [source]
FUZZBUNCH is an exploit framework, similar to MetaSploit [source, source], which was also part of the December-January "Windows Tools" Shadow Brokers auction [source]
DOUBLEPULSAR is a RING-0 multi-version kernel mode payload [source]
PASSFREELY is a tool that bypasses authentication for Oracle servers [source]
ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later [source, source], also not detected by any AV vendors [source]


Thanks to WannaCry, the cat is now out of the bag on just how effective utilizing these exploits can be. Naturally, attackers are rushing to use these exploits while the exploiting is still good. That means incorporating them into their attacks before patching and other security measures continue to reduce the number of potential victims. 

Case in point: Another worm researchers are calling EternalRocks has already been spotted utilizing not just one but seven of these tools.

To make matters worse, the Shadow Brokers, emboldened by the WannaCry frenzy, have announced they'll be launching what's essentially an "Exploit of the Month" subscription service. By signing up, "members" will receive fresh batches of new exploits that Shadow Brokers say they will be releasing every month beginning in June. 

Unfortunately, these leaked exploits will be keeping organizations on high alert and potentially blindsiding unprepared victims for months to come. 

How to prepare

Again, since so many of the exploits we know about target SMB, the first step is to secure it by patching and revisiting access policy to port 445. From there, things get trickier since there's no telling what the exploits that haven't been released yet will be.

To protect themselves from the unknown, organizations should put the work in now to make sure they're able to conduct patching urgently, and they should make sure all machines are running endpoint security designed to hold up against a wide variety of malware and zero-day threats

Attackers are learning from WannaCry — are you?

The methods WannaCry attackers used to trigger such a massive ransomware outbreak have not gone unnoticed by the criminal community. Other attackers are already seizing opportunities to follow suit by making adjustments and learning from WannaCry's mistakes.  

Organizations need to seize this as an opportunity, too. They need to step back and take renewed stock of their security. Most already have substantial investments in defenses like antivirus, next-generation antivirus, firewalls, and backup. What's clear now is they don't just need to do more, they need to do "different"

The threat of new zero-day exploits means none of these solutions can ensure malware will never find its way onto our systems. And once it's there, backup can only help us recover from a limited scope of damage after it's already done.

So where does that leave us?

It leaves us with one critical point to focus on: stopping attacks during runtime — after they've been triggered but before they have the chance to do any harm. 

To find out how Barkly is helping organizations do that, see our Complete Guide to Runtime Malware Defense.

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends stright to your inbox.