
After the recent spread of WannaCrypt, there have been a lot of warnings about the dangers of emails and clicking on links in them.

But the malware is spreading as a worm using SMB to infect other vulnerable computers.

Here is Microsoft's answer to the problem:

Customer Guidance for WannaCrypt attacks (Microsoft Technet, May 2017)

You'll notice they have no mention of emails in there.

My question is in the title: What do emails have to do with the spread of WannaCrypt?

SDsolar
  • Because people write their opinions and other people repeat these opinions. I don't see how this question relates to information security (maybe except for amplifying opinions to an extent that they are accepted as facts). – techraf May 16 '17 at 01:58
  • Possible duplicate of [How is the "WannaCry" Malware spreading and how should users defend themselves from it?](https://security.stackexchange.com/questions/159331/how-is-the-wannacry-malware-spreading-and-how-should-users-defend-themselves-f) – Serverfrog May 17 '17 at 15:16
  • Or https://security.stackexchange.com/questions/159740/wannacrypt-smb-exploit-known-since-stuxnet-circa-2008-but-microsoft-hid-the-fi – SDsolar May 17 '17 at 15:26
  • I did much research, but there is no glimpse of any emails linked with wannacry. Beat me if I'm wrong, but for me the search for this answer is over. There is nothing but "I have heard that someone has told me he got such a mail". In fact I registered at stackexchange because there are users at askubuntu who claimed to have wannacry phishing mails. After two days of communication I could say for sure: they don't. And nobody else does. Look also here: https://nakedsecurity.sophos.com/2017/05/17/wannacry-the-ransomware-worm-that-didnt-arrive-on-a-phishing-hook/ – user689443 May 20 '17 at 10:10
  • I agree. But this latest advisory about the utility companies does for sure. Check out how easily it works: https://security.stackexchange.com/questions/168940/what-harm-is-there-in-obtaining-password-hashes-in-a-windows-environment – SDsolar Sep 07 '17 at 02:59

3 Answers


Many organizations don't have SMB directly exposed to the internet, but SMB is widely used internally by organizations.

It is believed that the initial attack vector for WannaCry was/is a malicious email. Once a single computer on a network of vulnerable computers is infected, it is then able to propagate itself to other vulnerable hosts on the network via the MS17-010 vulnerability.

DKNUCKLES
  • "*it is believed*" - pure speculation. Equally it is believed that there was no initial infection through email. Depends on who blogged. – techraf May 16 '17 at 01:05
  • @techraf the wording was chosen carefully. There is a lot we don't know about WannaCry so far, but people _think_ that it might be getting into networks via email, and that is why people are being told to be very careful with emails. – DKNUCKLES May 16 '17 at 01:10
  • The belief that there was an initial email infection is pure speculation. That's what I wrote in my comment. I also pointed out that the belief is not a prevalent one, but depends on the believer. – techraf May 16 '17 at 02:01
  • More recent updates say email was not involved: http://www.telegraph.co.uk/technology/2017/05/15/nhs-cyber-attack-latest-authorities-warn-day-chaos-ransomware/ – schroeder May 16 '17 at 06:44
  • @techraf Even if we don't *know* if original infection was by email, it *could be*. That may be reason enough to recommend people being careful with emails. – Anders May 17 '17 at 23:47
  • @Anders What was your intention behind writing this comment? Is there any connection to the question, answer, or my previous comments? – techraf May 17 '17 at 23:56
  • @techraf It's related to all of the above. – Anders May 17 '17 at 23:59
  • @Anders Do you mind explaining how? Did you want to communicate, convey some thought, or just wanted to mark your presence? – techraf May 18 '17 at 00:04

According to Craig Williams of Cisco the reason for the email infection-rumour was another new attack that happened almost at the same time as WannaCry:

A likely point of confusion was the Jaff ransomware, another new type of ransomware (so 2 new types in 2 days) that did spread via email, used the same executable name. It's possible this led some folks to the wrong conclusion. Many sites are including pictures of emails that are clearly Jaff. It's also possible we've not seen everything yet but only time will tell. As we state in the blog it's an ongoing investigation.

techraf
  • An internal proprietary feed from a major security vendor informed me of the email vector. So true or not, at least one vendor was spreading the email vector story. I've seen nothing to confirm their research, but this suggests a possible honest mistake. Thanks :-) – mgjk May 19 '17 at 17:08
  • I see little to no relation to this answer, so please add it as your own one, not a comment. You might also consider discussing the problem with Craig Williams directly in the thread on the blog I linked to. – techraf May 19 '17 at 20:12
  • I think you misread my comment. – mgjk May 19 '17 at 20:45
  • It's not uncommon to misread another person's words, so do you mind explaining how? The question was about the source of the email vector theory. The fact that such a theory exists is at the very root of the question itself, so I cannot see why it would require reconfirmation in the comment here. Hence I assumed it must serve a different purpose and, given the context, I further assumed it either suggests the "internal proprietary feed" might have been the source (thus I suggested another answer), or it stands in opposition to the above words (thus I suggested discussing with the author). – techraf May 19 '17 at 21:08
  • The proprietary feed gives a clue as to why the mistake might have had legs among the tech journalists and bloggers. The feed's examples of email vectors likely being Jaff, as per your comment. – mgjk May 20 '17 at 11:08

The logic is the following: SMB ports should not be open to the internet. There should be a firewall in between. In that case, the malware will not be able to affect you directly.

But if a user downloads it and activates it, then, the malware is inside the network and will be able to spread around at will while having nothing to do with the firewall.

Overmind
  • Can a user download and activate it, though? Is there any evidence of this happening? All I'm seeing is network worm activity. – schroeder May 17 '17 at 09:55
  • Yes, there are 2 executables also associated with this malware. – Overmind May 17 '17 at 10:01
  • That is an opinion put forth as if it were fact, but not backed up by references. My adviser wouldn't allow me to put a statement like that in any of my papers. But I will upvote you if you can show what you mean. – SDsolar May 19 '17 at 01:14
  • I did dig a lot into this. I protect a network of ~350 devices at this moment from such things. If I e-mail you mssecsvc.exe, which is one of the mw/rw .exes, and I even compress it a little, not even your anti-virus can detect it, and anyone opening it will be instantly affected. – Overmind May 19 '17 at 06:09
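Both the first answer (SMB is rarely exposed externally but the worm propagates internally over MS17-010) and the last one (a perimeter firewall blocks direct SMB infection, but an infected host inside the network can spread at will) describe the same observable: one host opening SMB connections to many internal peers in a short time. The script below is an added example written for this page, not code from any of the answerers or from Microsoft's guidance. It assumes a simple key=value connection-log format (the sample lines are constructed, not captured from a real incident), treats TCP 445 and 139 as SMB, uses the RFC 1918 ranges as "internal", and flags a source that reaches five or more distinct hosts on SMB within 60 seconds; the thresholds and the log format are assumptions to adapt to your own firewall or NetFlow export. It also lists any allowed SMB connection from a non-RFC 1918 source, which is exactly what the last answer says a perimeter firewall should have dropped.

```python
"""Flag worm-like SMB fan-out and externally sourced SMB in connection logs.

Added example for this thread, not from the original answers. Assumed:
key=value log lines (constructed below), SMB = TCP 445/139, RFC 1918 = internal.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}  # assumption: SMB over TCP on these ports

# Assumption: RFC 1918 space is "inside the firewall". Python's ip.is_private
# also matches documentation ranges such as 203.0.113.0/24, so check explicitly.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log; the format is an assumption, not any vendor's.
SAMPLE_LOG = """\
2017-05-12T10:00:01 src=10.0.1.5 dst=10.0.1.20 dport=445 proto=tcp action=allow
2017-05-12T10:00:02 src=10.0.1.5 dst=10.0.1.21 dport=445 proto=tcp action=allow
2017-05-12T10:00:02 src=10.0.1.5 dst=10.0.1.22 dport=445 proto=tcp action=allow
2017-05-12T10:00:03 src=10.0.1.5 dst=10.0.1.23 dport=445 proto=tcp action=allow
2017-05-12T10:00:03 src=10.0.1.5 dst=10.0.1.24 dport=445 proto=tcp action=allow
2017-05-12T10:00:04 src=10.0.1.5 dst=10.0.1.25 dport=445 proto=tcp action=allow
2017-05-12T10:00:05 src=10.0.1.7 dst=10.0.1.10 dport=445 proto=tcp action=allow
2017-05-12T10:00:06 src=10.0.1.7 dst=10.0.1.10 dport=445 proto=tcp action=allow
2017-05-12T10:00:07 src=10.0.1.8 dst=10.0.1.30 dport=443 proto=tcp action=allow
2017-05-12T10:00:08 src=203.0.113.9 dst=10.0.1.12 dport=445 proto=tcp action=allow
2017-05-12T10:01:30 src=10.0.1.7 dst=10.0.1.11 dport=445 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return one event dict, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]), "proto": d["proto"], "action": d["action"]}


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def smb_fanout_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Map src -> max distinct SMB destinations it contacted within one window.

    Only sources reaching `threshold` or more distinct hosts are returned; a
    worm scanning a subnet for MS17-010 looks like this, a file server does not.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] in SMB_PORTS:
            by_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged


def external_smb_sources(events):
    """Non-internal sources whose SMB connections were allowed through.

    These should not exist if the perimeter firewall blocks inbound SMB.
    """
    out = set()
    for e in events:
        if e["dport"] in SMB_PORTS and e["action"] == "allow":
            ip = ipaddress.ip_address(e["src"])
            if not any(ip in net for net in INTERNAL_NETS):
                out.add(e["src"])
    return sorted(out)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("SMB fan-out:", smb_fanout_sources(evs))        # {'10.0.1.5': 6}
    print("external SMB:", external_smb_sources(evs))     # ['203.0.113.9']
```

In the constructed sample, 10.0.1.5 touches six peers on 445 in three seconds and is flagged, while 10.0.1.7 repeatedly talks to one file server and is not; a second, unrelated finding is the allowed connection from 203.0.113.9, which tells you the perimeter rule the last answer relies on is missing. Neither check says how the first host got infected, which is the open question in this thread; they only tell you the worm phase has started and where.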