Here is a quick overview of scenarios which need to be addressed in relation to WannaCry malware - if someone has knowledge of how the malware spreads, could they please help address the concerns I have.
Scenario 1: One Windows host unpatched and infected with WannaCry connects (via authentication) to a Windows server which is patched - can the infection propagate and result in encrypted files on the Windows server?
Scenario 2: One Windows host unpatched and infected with WannaCry connects (via authentication) to SAN storage to access files. Can the infection attack the files on the SAN and encrypt them?
Scenario 3: On a public Wi-Fi network where BYOD Windows laptops share internet access, such as in a public library or university campus - if there is one device infected with WannaCry, can the infection propagate to other Windows devices if they are unpatched? I will make the assumption the infected host does not have authenticated access to the other Windows hosts.
If anyone can provide some insight it would be greatly appreciated.
I'm consulting with the other moderators about who is the best person to answer this.
You don't want guesswork; you need something authoritative, so we'll try to find someone, maybe from McAfee Labs, who can give you that answer.
I have contacted the Incident Response Manager from McAfee Labs on your behalf. Hopefully David will add to the discussion in short order. It is late here in the U.S. and most likely will be tomorrow before we hear from him.
I have created a Request to the Labs. The ticket number is as follows: Ticket #: AM000962 - Customer needs assistance
For 1 and 2: Yes, if the server shares any folder and those are mounted as local drives on the infected machine. WannaCry will infect files on any locally mounted disk, including network shares. It will also copy itself to these folders, so if someone on another machine with access to these shares clicks on them by mistake, they might get infected too.
3: Yes, they can get infected, as WannaCry will attempt to exploit machines on the local network, so anyone connected to the same Wi-Fi hotspot (hence connected to the same network) could get exploited and infected.
Hope that helps,
You may find this correspondence I just received most informative also:
The answer to all 3 scenarios is Yes. The malware will attempt to spread to remote unpatched machines via the MS17-010 SMB vulnerability. It will encrypt data files on network shares and removable drives in addition to the local disk of the infected machine, and will also attempt to propagate to machines locally.
We have a Threat Advisory available that describes the behavior of the malware, including the following propagation information: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27077/en_US...
The malware spreads by exploiting shares and uses the EternalBlue (MS17-010 Echo Response - SMB vulnerability) vulnerability. The authors have utilized publicly available exploit code and embedded it as a part of their dropper. The malware, on execution, connects to the IPC$ tree and attempts a transaction on FID 0, triggers the vulnerability, and then exploits it. During replication, we observed that it generates a random set of IP addresses for the purposes of propagation. These IPs are not restricted to internal IPs.
We found that the main dropper malware generates random IP addresses, not limited to the local network. This fact means the malware can spread not only to other machines in the same network, but also across the Internet if they allow NetBIOS packets from outside networks.
The sub dropper infects files with specific extensions on the local machine, any removable drive connected to it, and any network share mounted locally. It then attempts to find machines on the local network via NetBIOS broadcast messages and Master Browser queries. Once a machine is found, the malware connects to the IPC$ default share and attempts to log in. If it is successful, it tries to list all available shares and will attempt to infect them. It does so by copying itself to the remote share first, then encrypting all files with specific extensions it can find there.
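As an added illustration (not part of this thread or of McAfee's advisory), here is a detection check a defender could run over connection logs to spot the fan-out pattern described above: one host opening TCP/445 sessions to many distinct addresses, some of them outside RFC 1918 space. The log format, the thresholds and the sample records are constructed assumptions, not real telemetry.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real telemetry). Host 10.0.0.5 fans
# out to many TCP/445 destinations, several in documentation ranges that
# stand in for Internet addresses, matching the random-IP propagation
# described in the advisory. Host 10.0.0.8 shows ordinary file-share use.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 src=10.0.0.5 dst=10.0.0.7 dport=445 proto=tcp
2017-05-12T10:00:01 src=10.0.0.5 dst=10.0.0.9 dport=445 proto=tcp
2017-05-12T10:00:02 src=10.0.0.5 dst=10.0.0.12 dport=445 proto=tcp
2017-05-12T10:00:02 src=10.0.0.5 dst=198.51.100.23 dport=445 proto=tcp
2017-05-12T10:00:02 src=10.0.0.5 dst=203.0.113.8 dport=445 proto=tcp
2017-05-12T10:00:03 src=10.0.0.5 dst=192.0.2.77 dport=445 proto=tcp
2017-05-12T10:00:03 src=10.0.0.5 dst=10.0.0.30 dport=445 proto=tcp
2017-05-12T10:00:03 src=10.0.0.5 dst=10.0.0.31 dport=445 proto=tcp
2017-05-12T10:00:04 src=10.0.0.8 dst=10.0.0.2 dport=445 proto=tcp
2017-05-12T10:00:04 src=10.0.0.8 dst=10.0.0.2 dport=445 proto=tcp
2017-05-12T10:00:05 src=10.0.0.8 dst=10.0.0.3 dport=80 proto=tcp
"""

FLOW_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

# Explicit RFC 1918 check: Python's ip.is_private also treats the
# documentation ranges used above as non-global, which is not what we want.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip in net for net in RFC1918)

def smb_fanout(lines):
    """Return {src: (distinct_445_destinations, external_445_destinations)}."""
    dsts = defaultdict(set)
    for line in lines:
        m = FLOW_RE.search(line)
        if not m or m.group("dport") != "445":
            continue
        dsts[m.group("src")].add(ipaddress.ip_address(m.group("dst")))
    return {src: (len(d), sum(1 for ip in d if not is_internal(ip)))
            for src, d in dsts.items()}

def flag_propagators(lines, min_distinct=5, min_external=1):
    """Sources with wide TCP/445 fan-out or any outbound 445 to the Internet.
    Thresholds are assumptions; tune them for the environment."""
    return sorted(src for src, (n, ext) in smb_fanout(lines).items()
                  if n >= min_distinct or ext >= min_external)

if __name__ == "__main__":
    print(flag_propagators(SAMPLE_FLOWS.splitlines()))  # ['10.0.0.5']
```

Any internal host that legitimately talks SMB to a handful of servers stays below the fan-out threshold, while outbound 445 to non-RFC 1918 addresses is almost never expected and is flagged on a single hit.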