Ransomware Traffic Detected (WannaCry)

Critical | Nessus Network Monitor Plugin ID 700099
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

A payload has been detected that targets a critical vulnerability to deliver ransomware, which encrypts most or all of a user's data and demands a ransom to have the files decrypted.

Description

The remote system may be affected by ransomware that encrypts most or all of the files on a user's computer and then demands that a ransom be paid in order to have the files decrypted. This attack is related to the recent ShadowBrokers dump, which contained weaponized NSA software exploits.

Solution

A remote service may be attempting to target user data and encrypt it, rendering it inaccessible until the user pays a ransom to have it decrypted. This type of infection can quickly spread laterally through an organization. Inspect the system for malicious code and follow appropriate incident response procedures.

See Also

https://technet.microsoft.com/library/security/ms17-010

http://www.nessus.org/u?cd7c91b0

Plugin Details

Severity: Critical

ID: 700099

Family: Generic

Published: 5/15/2017

Updated: 3/6/2019

Dependencies: 8314, 5266

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

Patch Publication Date: 3/14/2017

Vulnerability Publication Date: 3/14/2017

Exploitable With

Metasploit (MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption)

Reference Information

CVE: CVE-2017-0143, CVE-2017-0146, CVE-2017-0145, CVE-2017-0144, CVE-2017-0147, CVE-2017-0148

BID: 96707, 96709, 96703, 96704, 96705, 96706