Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. News of the infection and the subsequent viral images showing everything from large display terminals to kiosks being affected created pandemonium in ways that haven’t been seen since possibly the MyDoom worm circa 2004.
News organizations and other publications were inundating security companies for information to provide to the general public – and some were all too happy to oblige. Information quickly spread that a malicious spam campaign had been responsible for circulating the malware. This claim will usually be a safe bet, as ransomware is often spread via malicious spam campaigns. Admittedly, it was also first thought the campaign may have been spread by spam and subsequently spent the entire weekend pouring through emails within the Malwarebytes Email Telemetry system searching for the culprit.
Claims of WannaCry being distributed via email may have been an easy mistake to make. Not only was the malware outbreak occurring on a Friday afternoon, but around the same time a new ransomware campaign was being heavily distributed via malicious email.
Indeed, the ‘ransomworm’ that took the world by storm was not distributed via an email malspam campaign. Rather, research shows this worm was spread via an operation that hunts down vulnerable public facing Server Message Block (SMB) ports and then uses the alleged exploit to get on the network and then establish persistence and allow for the installation of the WannaCry Ransomware.