I previously wrote a short note on wannacry and indicated that I thought Patient Zero (those initial infections) were done via phishing and email. I still very much believe that, though I’ll admit I don’t have the necessary smoking gun to display as evidence. I received a fair amount of cynical responses to this declaration, mainly due to the ample displays of lateral infection via SMB. Folks who downloaded the growing amount of sources for wannacry on Virustotal (VT) and other sources quickly saw that it infected via SMB, if that was present, and later on through other methods if RDP could be iterated.
I get it.
Observations can be king. We treat them as gold and properly should. Don’t forget, however, that nothing happens in isolation. How did those many variations of wannacry get there? Not on VT or wherever you downloaded your copy, but on systems. If it came in via SMB infection, how the infecting machine get infected? How about the machine that infected it? You have to reverse the chain to follow the path of infection, especially in a situation like this one where several points of initial infection spread out massively to laterally infect others.
Excluding these lateral infections, you have to ask: How did it start? My thought for the initial distribution (with some ideas as to why) was via phishing or cloud phishing email. Part of that thought was that the initial march release of Wannacry used this tactic of phishing emails with password protected zip files. Nothing indicated that the same approach wasn’t employed in this campaign. In fact, I’d speculate that the outstanding success of wannacry was not even remotely predicted by its creators. As a disturbance, it was outstanding. As ransomware…not so much. I’ve seen a lot of media on how much or little it made monetarily, but none of the numbers were outstanding in any way.
I’m skirting away from the point, so let me get back to that. Let’s talk about this as if SMB was the only method of propagation. I’ve read a fair number of discussions on propagation and this article is by far the best, complete with a plug at others for saying email is a vector. I like this author. He makes great points and performs solid research. I just want to ask — how did the malware that kicked off this string of attacks arrive on the victim? Patient Zero didn’t start with SMB — that’s why I think Patient Zero suffered a phishing attack. I think the massive storm of lateral infections that happened afterward have disguised this fact. A lot of research has started from the vantage of, “The malware infected my system, and here’s what I’m seeing”. This obscures the starting point. especially given it’s likely that only a few Patient Zeros exist and they are unlikely to publicly expose that data.
So, I’m going to stick with the initial infection being via phishing and lateral infection afterward via SMB, RDP and other noted channels. Its past method (March 2017) was primarily email and drive-by download. Nothing indicates the creators updated this tactic when they released the May campaign that shook the world (at least, those who hadn’t patched).
Image courtesy of Symantec/Handout via REUTERS