WannaCry is a familiar name to security professionals, enterprises and even regular internet users—the massive 2017 ransomware outbreak made headlines and cost several multinationals millions of dollars in repair and recovery. Two years later, enterprises are still being targeted by WannaCry. The Trend Micro™ Smart Protection Network™ shows it is still the most detected ransomware of 2019. In fact, total detections of WannaCry exceed those of all other ransomware families combined.
WannaCry still accounted for the majority of ransomware detections: Monthly comparison between detections of WannaCry and combined detections of the other ransomware families in the first half of 2019
The moving force behind the spread of WannaCry is EternalBlue (patched by Microsoft in MS17-010), an exploit leaked by the cybercriminal group ShadowBrokers and widely reported to have been stolen from the National Security Agency (NSA). EternalBlue actually involves CVE-2017-0143 through CVE-2017-0148, a family of critical vulnerabilities in the Microsoft SMBv1 server protocol used in certain Windows versions. They allow an attacker to execute arbitrary code on a victim system by sending tailored messages to the SMBv1 server. Because the Microsoft SMB vulnerabilities affect many different systems across industries—from healthcare machinery to office printers, storage devices and more—cybercriminals quickly adopted EternalBlue. And because many enterprises have trouble instituting patches and remain vulnerable, these criminals are still using EternalBlue.
EternalBlue has been in steady use since 2017. Just a few weeks after the leak, a variety of malware was already using the exploit—apart from WannaCry, there was the fileless ransomware UIWIX, the mining malware Adylkuzz, and the SMB worm EternalRocks. In 2018, we saw even more ransomware adopt it, and in 2019 it is part of the toolbox of several mining malware families. Some of the malware using EternalBlue are old, known threats that have adopted new tools and capabilities.
We tracked the notable malware that use EternalBlue through our Smart Protection Network and publicly available indicators of compromise to provide a clear view of how it is still used against vulnerable systems today.
Notable malware tracked from May 2017 to September 2019
EternalBlue activity over the years
As we can see, EternalBlue is still quite active even two years after a patch was released. Looking at Smart Protection Network data on malware using EternalBlue from 2017 to September 2019, we can see how specific malware samples that use EternalBlue and the vulnerabilities covered by MS17-010 have remained active since 2017. We also see that even in 2019, WannaCry has the most detections among the malware using EternalBlue. The numbers for WannaCry are almost quadruple the detections for all the other ransomware combined.
SPN detection numbers of specific malware samples known to use EternalBlue, May 2017 to September 2019
Monthly detections of specific malware using EternalBlue from January to September 2019
Top five malware using EternalBlue in 2019 based on detections from SPN
As a tool, EternalBlue helps hackers broadly compromise numerous victims, which is why ransomware and miners adopt the exploit. Ransomware distributors used to prefer quantity over quality when it came to victims, although now their targeting tactics might be changing. WannaCry aside, in 2019 most of the malware using EternalBlue are cryptocurrency mining malware–more compromised devices means more computing power for mining.
The easiest step enterprises can take to protect themselves from EternalBlue is to patch their systems. Microsoft released a patch for this vulnerability in March 2017, mere weeks after the leak of the exploit. However, patching can be difficult for enterprises–there may be disruptions to operations, and the process may be lengthy for large or multinational groups. But this is a necessary step, especially because EternalBlue is still very actively being utilized by cybercriminal groups.
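As an added example for the patching advice above (this script is not from the Trend Micro article or any of its products), the following PowerShell audit checks the two things an administrator would verify on a Windows host: whether the MS17-010 update is installed and whether the SMBv1 server protocol is still enabled and listening. The cmdlets used (Get-HotFix, Get-SmbServerConfiguration, Get-NetTCPConnection, Set-SmbServerConfiguration) are standard on Windows 8/Server 2012 and later; the KB identifier list is a placeholder, because the MS17-010 KB numbers differ per OS version and are not given in the article, so fill them in from the Microsoft advisory for the host being audited.

```powershell
# Added example (not part of the original article): audit a Windows host for
# MS17-010 / SMBv1 exposure and optionally disable the SMBv1 server.
# Run from an elevated PowerShell session. Requires Windows 8 / Server 2012+.
param(
    # PLACEHOLDER: replace with the MS17-010 KB IDs that apply to this OS version
    # (taken from Microsoft's MS17-010 advisory, not from this script).
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER-FOR-THIS-OS'),
    [switch]$DisableSmb1   # when set, turn the SMBv1 server off after reporting
)

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    # Get-HotFix lists installed updates; HotFixID is the KB string (e.g. "KB1234567").
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1Exposure {
    # EnableSMB1Protocol reports whether the server side of SMBv1 is switched on.
    $cfg = Get-SmbServerConfiguration
    # Port 445 listening means the host accepts SMB sessions from the network at all.
    $listening = $null -ne (Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol
        Smb2ServerEnabled = [bool]$cfg.EnableSMB2Protocol
        Port445Listening  = $listening
    }
}

$patched  = Test-Ms17010Installed -Kbs $Ms17010Kbs
$exposure = Get-Smb1Exposure

Write-Host "MS17-010 update present : $patched"
Write-Host "SMBv1 server enabled    : $($exposure.Smb1ServerEnabled)"
Write-Host "SMBv2 server enabled    : $($exposure.Smb2ServerEnabled)"
Write-Host "TCP/445 listening       : $($exposure.Port445Listening)"

# Risk verdict: the combination the article warns about is an unpatched host
# that still exposes SMBv1 to the network.
if (-not $patched -and $exposure.Smb1ServerEnabled -and $exposure.Port445Listening) {
    Write-Warning "Host is unpatched for MS17-010 and exposes SMBv1 on TCP/445: patch first, then disable SMBv1."
} elseif ($exposure.Smb1ServerEnabled) {
    Write-Warning "SMBv1 is still enabled; disable it unless a legacy client genuinely needs it."
} else {
    Write-Host "No SMBv1 exposure detected."
}

# Optional mitigation: turning off the SMBv1 server removes the attack surface
# even before the update can be scheduled. SMBv2/3 clients are unaffected.
if ($DisableSmb1 -and $exposure.Smb1ServerEnabled) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server protocol disabled."
}
```

Run it first without `-DisableSmb1` to get a report; the verdict branch singles out the unpatched-and-exposed case because that is the condition the EternalBlue-based malware in the article exploits. Disabling SMBv1 is a useful interim control when the update cannot be deployed immediately, but it is not a substitute for installing MS17-010, since the patched code path is what actually fixes the flaw.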