In this section we characterize “network worms” as threats that exploit vulnerabilities in software to infect and establish control over an endpoint. Following initial access, adversaries leverage the infected endpoints’ network connections to identify additional assets to infect and repeat the cycle.
WannaCry ransomware (ranked #31 in 2021)
WannaCry, often shortened to “WCry,” is a ransomware variant that spreads as an SMB worm using the ETERNALBLUE exploit against the SMBv1 vulnerability Microsoft patched in MS17-010. WannaCry was first observed in May 2017, spreading indiscriminately across many organizations. Early variations of WannaCry had a built-in kill switch that discontinued ransomware operations, but later versions did not include this functionality. Half a decade later, some might laugh that we’re including WannaCry in a report released now, and we must admit that seeing WannaCry so high in our rankings was a bit of a shock for us too, but here we are. Simply put, there’s a reason the exploit WannaCry relies on was named ETERNALBLUE. Just as MS08-067 keeps Conficker alive, MS17-010 remains so reliably exploitable on unpatched hosts that we are likely to continue seeing WannaCry for quite some time. If you are concerned that your endpoints might be afflicted by WannaCry, Microsoft provides guidance on how to identify endpoints that may be susceptible to SMBv1 exploitation, as well as mitigation techniques that are still applicable today: in practice that means confirming the MS17-010 update is installed and that SMBv1 is disabled on every Windows host that still has it enabled.
Process names that are consistent with WannaCry binaries
This detection analytic identifies running processes whose names match those consistently observed in use by WannaCry binaries. Because it keys on the process name alone, it is a narrow but high-confidence signal: a renamed WannaCry binary will not trigger it, so it should sit alongside behavioral coverage rather than replace it.
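The following is an added example of how such a name-based analytic can be implemented and run over process-start telemetry; it is not code from the report. The report does not enumerate the process names it matches on, so the set used here is an assumption drawn from public WannaCry analyses, and the sample events are constructed, not real logs.

```python
import ntpath
from typing import Iterable

# Process (image) names publicly documented as used by WannaCry components.
# Assumption: this list comes from public WannaCry analyses, not from the
# report text, which does not enumerate the names it matches on.
WANNACRY_PROCESS_NAMES = frozenset({
    "mssecsvc.exe",         # worm/dropper, also installs itself as a service
    "tasksche.exe",         # ransomware payload extracted by the dropper
    "@wanadecryptor@.exe",  # ransom note / decryptor UI
    "taskdl.exe",           # helper that deletes temporary files
    "taskse.exe",           # helper that launches the decryptor per session
})


def image_name(image_path: str) -> str:
    """Return the lower-cased file name of a Windows image path.

    ntpath understands backslash separators even when this runs on Linux,
    so full paths and bare names are handled the same way.
    """
    return ntpath.basename(image_path).lower()


def match_wannacry_process_names(events: Iterable[dict]) -> list:
    """Return the process-start events whose image name exactly matches a
    known WannaCry binary name.

    Each event is a dict with at least "pid" and "image" (full path or bare
    name). Matching is on the exact file name, case-insensitively; a
    substring match would also fire on unrelated binaries such as
    "tasks.exe". A renamed WannaCry binary evades this check by design.
    """
    hits = []
    for event in events:
        name = image_name(event["image"])
        if name in WANNACRY_PROCESS_NAMES:
            hits.append({**event, "matched_name": name})
    return hits


# Constructed sample telemetry (not real logs) in the shape of process-start
# events an EDR might emit. The ProgramData subdirectory name is made up.
SAMPLE_EVENTS = [
    {"pid": 612, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 1184, "image": r"C:\Windows\mssecsvc.exe",
     "cmdline": "mssecsvc.exe"},
    {"pid": 2260, "image": r"C:\ProgramData\abcdefg123\TASKSCHE.EXE",
     "cmdline": "tasksche.exe /i"},
    {"pid": 2312, "image": r"C:\Users\alice\Downloads\tasks.exe",
     "cmdline": "tasks.exe --sync"},
    {"pid": 2400, "image": r"C:\ProgramData\abcdefg123\@WanaDecryptor@.exe",
     "cmdline": "@WanaDecryptor@.exe"},
]


if __name__ == "__main__":
    for hit in match_wannacry_process_names(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['image']} matched {hit['matched_name']}")
```

Run as written, the script flags pids 1184, 2260 and 2400 and leaves svchost.exe and the look-alike tasks.exe alone; the mixed-case TASKSCHE.EXE entry shows why the comparison must be case-insensitive on Windows.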