Blackfoot Newsflash – WannaCry

There has been extensive news coverage over the weekend about the WannaCry malware infection which has impacted computer systems at the NHS, FedEx (USA), Telefonica (Spain), in addition to literally hundreds of thousands of computers in over 150 countries worldwide.

The most likely initial infection vector is either email-borne malware, or users being tricked into clicking on a poisoned link. At the point of infection, two main programme elements are installed. First, WannaCry itself, which sets about encrypting files locally and on any available file shares. Second, a spreader which attempts to propagate by exploiting the MS17-010 (SMB CVE-2017-0145) vulnerability on any computer systems it can find. The spread is via the SMB v1 protocol, and therefore uses TCP ports 139 and 445.
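
One way a defender can spot that spreading behaviour in network logs is to look for a single host opening SMB connections to many distinct peers. The script below is an added example, not part of the Blackfoot newsflash: it assumes a simple constructed firewall log format and flags any source that touches at least a threshold number of distinct hosts on TCP 139 or 445.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real traffic). Host 10.0.5.17
# fans out to many peers on TCP 445/139, the pattern an SMB v1 spreader
# produces; the other hosts show ordinary file-server and web traffic.
SAMPLE_LOG = """\
2017-05-12T10:01:02 ALLOW TCP 10.0.5.17:49321 -> 10.0.5.20:445
2017-05-12T10:01:02 ALLOW TCP 10.0.5.17:49322 -> 10.0.5.21:445
2017-05-12T10:01:03 DENY  TCP 10.0.5.17:49323 -> 10.0.5.22:445
2017-05-12T10:01:03 ALLOW TCP 10.0.5.17:49324 -> 10.0.5.23:445
2017-05-12T10:01:04 DENY  TCP 10.0.5.17:49325 -> 10.0.5.24:445
2017-05-12T10:01:04 ALLOW TCP 10.0.5.17:49326 -> 10.0.5.25:445
2017-05-12T10:01:05 ALLOW TCP 10.0.5.17:49327 -> 10.0.5.26:445
2017-05-12T10:01:05 ALLOW TCP 10.0.5.17:49328 -> 10.0.5.30:139
2017-05-12T10:01:06 ALLOW TCP 10.0.5.40:50001 -> 10.0.5.50:445
2017-05-12T10:01:07 ALLOW TCP 10.0.5.40:50002 -> 10.0.5.50:445
2017-05-12T10:01:08 ALLOW TCP 10.0.5.41:50100 -> 10.0.5.50:445
2017-05-12T10:01:09 ALLOW TCP 10.0.5.41:50101 -> 10.0.5.60:443
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)
SMB_PORTS = {139, 445}  # SMB over NetBIOS and direct SMB, as in the text


def parse_line(line):
    """Return (src, dst, dport, action) or None for a line we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport")), m.group("action")


def smb_fanout(log_text, threshold=5):
    """Map source IP -> number of distinct hosts it contacted on TCP 139/445,
    keeping only sources at or above `threshold`. DENY lines count as well:
    a blocked probe is still evidence that the source is scanning."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, _action = parsed
        if dport in SMB_PORTS:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}
```

Tune the threshold to your environment: a legitimate file server or backup host may contact many SMB peers, so whitelist those sources rather than lowering the bar for everyone.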

The main types of systems which are vulnerable to WannaCry are unpatched ones running Windows 7, Windows Server 2008 or earlier. Microsoft released a critical security patch on 14th March for supported operating systems. And, on 13th May, Microsoft took the unusual step of releasing a patch for the unsupported Windows XP, Windows Server 2003 and Windows 8 systems in order to protect them against vulnerability MS17-010.