WannaCry Ransomware Worm Risk Continues As Exploit Lands in Metasploit

The global WannaCry ransomware outbreak remains a risk, though there is now a new ability for security researchers to test organizations against the exploit.

WannaCry Ransomware

The WannaCry ransomware worm that first struck organizations around the world on May 12 continues to be a threat to IT systems as new variants emerge and the underlying exploit is now freely available in the open-source Metasploit penetration testing framework.

Security firm Symantec reported that as of May 15, it had blocked approximately 22 million WannaCry infection attempts across 300,000 endpoints. The initial WannaCry malware attack included a 'kill switch', that has already been triggered. With the kill switch, the WannaCry ransomware is supposed to stop encrypting data, if it is able to connect to a specific domain. 

The worm has also been modified in multiple ways since May 12, with different versions emerging. Security firm Cylance reported on May 17 that it has seen at least 27 unique hashes for WannaCry malware.

The amount of ransom paid to the original group of WannaCry attackers has also risen over the course of the week. As of 8 AM ET on May 18, 279 payments totalling approximately $83,000 have been made to the three Bitcoin wallets associated with WannaCry, up from $50,000 on May 15.

On a positive note, the global media attention on WannaCry may well have encouraged organizations to patch their systems and configure servers more securely to limit the risk.  The WannaCry attack is based on an exploit that Microsoft patched with its MS17-010 advisory on March 14 in the Server Message Block (SMB) service that enables file and folder sharing. The flaw was publicly released by a hacker group known as the ShadowBrokers on April 14, allegedly stolen from the U.S. National Security Agency (NSA).

Security firm Rapid7 runs a pair of scanning efforts that aim to monitor global internet activity, including Project Sonar and Project Heisenberg. Rapid7's scans on May 17 found that there were more than 1 million internet-connected devices openly exposing SMB on port 445. An open SMB port is one that potentially could be attacked by WannaCry and used to spread the ransomware.

WannaCry specifically exploits a flaw in the SMBv1 protocol and it's not entirely clear how many of the open SMB ports scanned by Rapid7 were running that version of SMB. That said, there is an indication of some positive actions taken by organizations over the course of the last week to limit WannaCry risks.

"When comparing our May 12 scan with May 17, we see 100,000 fewer Windows devices with port 445," Lee Weiner, Chief Product Officer at Rapid7, told eWEEK. "While we can’t definitively say these machines are running SMBv1, the downward trend may be a good sign those most at-risk systems are being addressed."


To date, attribution for the WannaCry attack is not definite, though some media reports have alleged a North Korea connection. The underlying exploit, known as 'EternalBlue' that enables WannaCry however is now publicly available to anyone who wants it, as part of the open-source Metasploit penetration testing framework.

Metasploit is intended to be used by security researchers to help test and improve defences. There has been some criticism in the past from those that argue that Metasploit also helps enable malicious hackers redevelop vulnerabilty exploits. Among the incidents was a 2005 Windows zero-day exploit that was available in Metasploit before any patch was publicly release by Microsoft.

Rapid7 is now the lead commercial sponsor behind Metasploit and Weiner emphasized that there is a difference between what is in the Metasploit module and what WannaCry is doing.

"The critical difference between WannaCry and the EternalBlue Metasploit module, authored by zerosum0x0, is that WannaCry is specifically engineered for malicious purposes, spreading a 'ransomworm' so the attackers behind it can force victims to pay them," Weiner said. "By contrast, the Metasploit module is designed to enable security professionals to test their organization’s susceptibility to attack via MS17-010."

Weiner added that the EternalBlue exploit in Metasploit is entirely reverse engineered and recreated from the NSA leak and it doesn't actually use any of the NSA code or tools. As a result of the reverse engineering  process, Weiner said that any potential side effects that may have come from running an NSA tool have been eliminated.

"Metasploit is built on the belief that security professionals need to understand what they are up against in order to defend against attackers," Weiner said. "That belief has not wavered in the face of WannaCry or the availability of the EternalBlue module now available in Metasploit."

"The only way to level the playing field is to arm security professionals with the same tools that attackers are using in the wild," he added.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.