Security News Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage

[Winter Soldier]

The only reason this malware is on a rampage because there are computers that are not patched for MS-17-010 even after the patch was released

Yeah, when WCRY infects a computer of a local network, it tries to spread to other computers on the network using the SMB shares and by exploiting the vulnerability already mentioned. So if a company is infected with a single Windows computer, there is the risk of infecting all the other Windows computers that are not updated on the same local network.

 

[Winter Soldier]

Looks like the malware drops the DoublePulsar backdoor, there is an nmap script for scanning you networks for any instances: smb-double-pulsar-backdoor NSE Script

It seems that the execution flow is divided in two groups of threads: one to infect the host on the LAN, the other to infect the host on the Internet network. The first one analyses the range of IP belonging to the local network, by running the exploit Eternal Blue on all the hosts with port 445 open, the second one generates a random IP using the generator that was previously initialized and attempts to attack the 445 port to that IP. If the attack is successful, it scans the whole subnet of class C (with prefix-length of 24 bits, thus identifying any IP to adjacent, presumably belonging to the same organisation and therefore presumably vulnerable) relative to the IP that is infected, attempting to carry out new attacks.

For any attempt of attack, the malware tries to detect the presence of DoublePulsar backdoor, used where possible to infect the system in a persistent way.