Hackers behind WannaCry ransomware decided to infect servers with vulnerable SMB ports before victimising them with phishing e-mails, says security firm Malwarebytes.
Malwarebytes believes SMB is an unnecessary protocol and should be done away with to prevent future ransomware attacks.
A popular theory on the dreaded WannaCry ransomware attack was that it was initiated by hackers sending out phishing e-mails to vulnerable recipients. Phishing e-mails have so far been a major source of malware attacks and WannaCry wasn't expected to be any different. However, Malwarebytes, who offer endpoint security to enterprises, now report that the modus operandi of hackers behind WannaCry was altogether different.
“Indeed, the ‘ransomworm’ that took the world by storm was not distributed via an email malspam campaign. Rather, our research shows this nasty worm was spread via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry Ransomware,” said Adam McNeil, senior malware intelligence analyst at Malwarebytes.
“Developing a well-crafted campaign to identify just as little as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and speed that we saw with this particular ransomware variant,” he added.
The company believes that unnecessary protocols like SMB and network segmentation should be done away with as they are vulnerable to hackers. At the same time, more emphasis should be laid on updating all systems to the latest versions of operating systems as well as on timely patching of security updates.
"SMB is used to transfer files between computers. The setting is enabled on many machines but is not needed by the majority. Disable SMB and other communications protocols if not in use. Network Segmentation is also a valuable suggestion as such precautions can prevent such outbreaks from spreading to other systems and networks, thus reducing exposure of important systems," it said.
A security researcher associated with the Croatian Government CERT has warned that while WannaCry used only two cyber tools to exploit SMB vulnerabilities, an upcoming worm named EternalRocks will be armed with at least seven such tools to infect systems across the globe. EternalRocks will not only use lethal SMB (Server Message Block) tools which are named EternalBlue, EternalChampion, EternalSynergy, and EternalRomance but also SMB reconnaissance tools named SMBTouch and ArchTouch which will keep an eye on affected computers.
EternalRocks will also run DoublePulsar in infected systems which will work as a backdoor for malware to be installed. However, the researcher notes that the backdoor isn't protected yet and this will enable other hackers to utilize it to pour in their own malware, thus effectively destroying systems.