WannaCry, Two Years On: Current Threat Landscape, Forgotten Lessons, and Hope for the Future


We've provided quite a bit of information and education on WannaCry, Petya-like ransomware, and EternalBlue over the past two years. Rather than take a cue from a bad ‘80s sitcom and write a warbly-vision retrospective post, let's take a look at the current attacker landscape related to both EternalBlue and ransomware in general, along with some lessons that have clearly not been learned since the emergence of the exploits leaked by the Shadow Brokers. Don’t worry, though—we’ll close with a bit of hope for the future.


Do [they] really want to hurt [you]? (Hint: yes)


Depending on how you scan, where you scan from, and what you are trying to count when it comes to finding exposed Microsoft Windows Server Message Block (SMB) nodes on the internet, you'll get a number anywhere from 500,000 to 1 million. The range comes down to whether you are an ethical internet scanner that obeys opt-out requests and uses well-identified scanner nodes (like Rapid7's Project Sonar), or whether you cast ethics to the wind, cut corners, and even use compromised devices to tally up an inventory.
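To make the "what you are trying to count" point concrete, here is a small added example (not code from the original post or from Project Sonar) that tallies a constructed set of scan hits three different ways and optionally honors an opt-out list. The sample hits, the opt-out network, and the function names are all assumptions made for illustration; the same inventory logic is what a defender would run over their own external port-scan results to find hosts that still expose SMB to the internet.

```python
import ipaddress

# TCP ports associated with Microsoft SMB (NetBIOS session and direct-hosted SMB).
SMB_PORTS = {139, 445}

# Constructed sample scan records as (ip, port) pairs; documentation-range
# addresses only, not real scan data.
SAMPLE_HITS = [
    ("198.51.100.10", 445),
    ("198.51.100.10", 139),   # same host, second SMB port
    ("198.51.100.11", 445),
    ("203.0.113.5", 445),
    ("203.0.113.5", 445),     # duplicate hit from a second probe pass
    ("203.0.113.77", 139),
    ("192.0.2.1", 445),
]

# Constructed opt-out list: networks whose owners asked not to be scanned.
OPT_OUT_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_opted_out(ip, networks=OPT_OUT_NETWORKS):
    """True if the address falls inside any opt-out network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def count_exposed_smb(hits, honor_opt_out=True, ports=SMB_PORTS):
    """Return three tallies of SMB exposure from the same raw hits.

    raw_hits       - every probe response on an SMB port (inflated by repeats)
    unique_ip_port - distinct (host, port) pairs
    unique_hosts   - distinct hosts exposing at least one SMB port
    The spread between these numbers is one reason published counts differ.
    """
    filtered = [
        (ip, port) for ip, port in hits
        if port in ports and not (honor_opt_out and is_opted_out(ip))
    ]
    return {
        "raw_hits": len(filtered),
        "unique_ip_port": len(set(filtered)),
        "unique_hosts": len({ip for ip, _ in filtered}),
    }


def exposed_hosts(hits, honor_opt_out=True, ports=SMB_PORTS):
    """Sorted list of hosts that should have SMB blocked at the network edge."""
    return sorted({
        ip for ip, port in hits
        if port in ports and not (honor_opt_out and is_opted_out(ip))
    })


if __name__ == "__main__":
    print("ethical tally  :", count_exposed_smb(SAMPLE_HITS))
    print("no opt-out     :", count_exposed_smb(SAMPLE_HITS, honor_opt_out=False))
    print("hosts to fix   :", exposed_hosts(SAMPLE_HITS))
```

Run against the constructed data, the ethical tally reports 3 exposed hosts while the no-opt-out, raw-hit tally reports 7, which illustrates how the same internet can yield headline numbers that differ by a factor of two or more.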


Even though half a million or 1 million nodes seems like a big number, neither is truly accurate, since many regional internet service providers have blocked extranet access to the common service ports associated with Microsoft SMB since EternalBlue-based exploits became commonplace.


Regardless of the precise number, there are plenty of vulnerable nodes on the internet for attackers to pract ..