Wanna Crypt Malware Begins US Assault

The Wanna Crypt Malware has been shown to utilize vulnerabilities involving the SMB networking protocol.  With the resumption of the work week today after the havoc that started last week, further compromises across the US are expected to be reported as workers return from the Holiday weekend and boot up their computers.

Wanna Crypt Ransomware continues its propagation across US targets.  See current map at https://intel.malwaretech.com/WannaCrypt.html

Unlike other malware, this malware utilizes the NSA leaked Double Pulsar exploit MS17-010 vulnerability that was leaked online three weeks ago by a group known as the Shadow Brokers. What is most concerning is that the exploits for this vulnerability allow for compromising of a target without having to get the user to click on an attachment. Any attacker or compromised machine that is on the same network as another device with the vulnerable port 445 open and running SMB v 1 protocol can be compromised without any specific action by the target necessary in order for the infection to take place.

Fortunately, Microsoft released patches last Tuesday that if applied, would protect a target from attack.  Microsoft even released a patch for their no longer supported Windows XP Operating system.

A search today of Shodan.io, a security vulnerability search engine tool, revealed that more than 509,000 publicly facing web servers in the United States have the vulnerable port 445 open, which could allow for infection of those devices over the Internet. Once a target is compromised, other computers that compromised target has access to are vulnerable for further exploitation, unless proper security steps have taken place.  Remediation of an infected target remains complicated given the many disclosures of hiding places for malware, including on board the computing devices firmware, and peripheral storage areas that can allow for persistence of infection even after completely reformatting a computer’s hard drive.


Vulnerabilities allegedly leaked from US Intelligence organizations are now readily available to the bad guys, with many computers in Government, Corporations and Healthcare Organizations still not properly patched and secured.

A search for on Shodan.io for computers with the port 445 open showed that Los Angeles had the greatest potential for propagation of Wanna Crypt malware. Copy Cat malware is likely to begin infecting the unpatched devices.

The Top 50 Major/Medium sized Cities showing the highest count of computing devices with port 445 open as reported on the morning of May 15th, 2017 follow:

  1. Los Angeles – 122,612
  2. Cheyenne, WY – 42,973
  3. Thousand Oaks, CA – 42,549
  4. San Jose, CA – 36,895
  5. Phoenix, AZ – 35,589
  6. Walnut, CA – 32,814
  7. Burbank, CA – 14,216
  8. Dallas, TX – 6,772
  9. Chicago, IL – 5,605
  10. Ashburn, VA – 5,178
  11. Boardman, OR – 3,847
  12. San Antonio, TX – 3,472
  13. Kansas City, MO – 3,316
  14. Seattle, WA – 3,084
  15. Denver, CO – 2,924
  16. Scottsdale, AZ – 2,601
  17. Atlanta, GA – 2,058
  18. Yelm, WA – 1,909
  19. New York, NY – 1,869
  20. Matawan, NJ – 1,816
  21. Las Vegas, NV – 1,661
  22. Tulsa, OK – 1,573
  23. Houston, TX – 1,429
  24. Miami, FL – 1,392
  25. Saint Louis, MO – 1,363
  26. Secaucus, NJ – 1,298
  27. Wayne, PA – 1,233
  28. Orlando, FL – 1,182
  29. Overland Park, KS – 834
  30. Columbus, OH – 784
  31. Austin, TX – 771
  32. San Diego, CA – 666
  33. San Francisco, CA – 652
  34. Tampa, FL – 641
  35. Washington, DC – 619
  36. Des Moines, IA – 512
  37. College Park, MD – 488
  38. Philadelphia, PA – 365
  39. Jacksonville, FL – 216
  40. Fort Lauderdale, FL – 197
  41. Detroit, MI – 154
  42. Minneapolis, MN – 154
  43. Huntsville, AL – 151
  44. Cincinnati, OH – 127
  45. Pittsburgh, PA – 124
  46. Cleveland, OH – 115
  47. Baltimore, MD – 114
  48. Louisville, KY – 118
  49. Boston, MA – 94
  50. Indianapolis, IN – 86

Steps individuals and organizations should take to protect themselves from further spreading of this malware include:

  1. Run windows update and fully apply all patches with reboot
  2. Make a complete backup of your data and store offline in case you get compromised
  3. Block port 445 on your firewall both local and your router
  4. Disable services running SMB v1 on your devices
  5. Search for and apply firmware updates to secure hardware chips such as the Intel vulnerabilities recently reported
  6. Monitor your firewall for suspicious traffic

Mac users should remain equally vigilant and be sure their devices are running the latest versions of the Operating system since there are many other vulnerabilities leaked that may impact tablets, smartphones and all types of computing devices.

Overtime Snapshots showing spreading of the Malware Across the United States Follow:

5/15/17 12:05PM

5/15/17 1:49PM (IP’s reporting infection within the last 24 hours)

5/16/17 10:40AM CST (IP’s reporting infection within the last 24 hours)


Facebook Comments

Be the first to comment on "Wanna Crypt Malware Begins US Assault"

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.