Ransomware Traffic Detected (WannaCry)

Critical Nessus Network Monitor Plugin ID 700099

Synopsis

A payload has been detected that targets a critical vulnerability and is associated with ransomware that encrypts most or all of a user's data and demands a ransom to have the files decrypted.

Description

The remote system may be affected by ransomware that encrypts most or all of the files on a user's computer and then demands that a ransom be paid to have the files decrypted. This attack is related to the recent ShadowBrokers dump containing weaponized NSA software exploits.

Solution

A remote service may be attempting to target user data and potentially encrypt it, rendering it inaccessible until the user pays a ransom to have it decrypted. This type of issue can quickly spread laterally through an organization. Inspect the system for malicious code, and follow appropriate incident response procedures.

See Also

https://technet.microsoft.com/library/security/ms17-010

http://www.nessus.org/u?cd7c91b0

Plugin Details

Severity: Critical

ID: 700099

Family: Generic

Published: 2017/05/15

Updated: 2019/03/06

Dependencies: 5266, 8314

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 2017/03/14

Vulnerability Publication Date: 2017/03/14

Exploitable With

Metasploit (MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)

Reference Information

CVE: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148

BID: 96703, 96704, 96705, 96706, 96707, 96709