Does Wannacry spread outside its private subnet to adjacent private subnets?

Question

Does a Wannacry-infected computer on an internal network with a private IP address attempt to spread to other privately-addressed subnets?

I have not found a definitive answer online.

Cisco says:

The first thread checks the IP address of the infected machine and attempts to connect to TCP445 (SMB) of each host/IP address in the same subnet and second thread generates random IP address on the Internet to perform the same action.

Which implies that Wannacry only spreads within a subnet (public or private addresses) and to public IP addresses, so adjacent private subnets are safe.

Microsoft says:

The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces.

This implies that Wannacry only discards loopback and multicast / reserved addresses. This would mean that a private IP address could be randomly generated and Wannacry could hop to another private subnet.

How would it _"hop to another private subnet"_? – multithr3at3d Apr 21 '18 at 01:30 — multithr3at3d, Apr 21 '18 at 01:30

score 1 · Answer 1 · answered Jun 27 '18 at 11:57

Answer to your question is yes, it can span across the network (could be private network/public network) depend on the way the code has worm has been programmed.

The wannacry worm can simply identify the routes which are available on the infected host. For example 'route print' will show all the active routes connected to the infected machine. Once this routes are available the worm can spread or started infecting other vulnerable machines on these networks.

A sample output of 'route print' - please note the active routes:

Note: This happened to us and few of our branch networks on separate private IP range got affected.

score 0 · Answer 2 · answered May 25 '17 at 12:03

My understanding is that it only searches for 24 hours within the same subnet(s) of the machine in which it infected. If the machine infected (or subsequently infected) is connected to multiple networks then it could transverse networks that way. I am trying to find the source I read that in and will add it to this post when/if I do.

Does Wannacry spread outside its private subnet to adjacent private subnets?

2 Answers2