I don't think anyone really knows the initial vector, but RDP was an entry point according to the site I was reading:

"Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder." (source: Malwarebytes)

It seems more believable to me than everyone with SMB access to the public internet.
Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

-----Original Message-----
From: clamav-users [mailto:[email protected]] On Behalf Of Dennis Peterson
Sent: Tuesday, May 16, 2017 12:25 PM
To: ClamAV users ML
Subject: Re: [clamav-users] Malware/ransomware and Yara signatures with clamav

If not email, what is the vector?

dp

On 5/15/17 5:11 PM, Joel Esler (jesler) wrote:
> To be clear, let me link to our blog post on the subject:
>
> http://blog.talosintelligence.com/2017/05/wannacry.html
>
> There has been no email vector seen in WannaCry to date. Almost everyone that has claimed this has retracted it. Please read the above blog post for all the facts as we know them.
>
> This is an ongoing threat.
>
> --
> Joel Esler | Talos: Manager | [email protected]<mailto:[email protected]>

_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
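Added example for this thread (not code from ClamAV, Malwarebytes or Talos): the quoted Malwarebytes text says the worm runs the ransomware as every RDP-session user and corrupts shadow volumes, and the cheapest place to catch that behaviour on a host is process-creation logging. The script below scans Sysmon-style process-creation lines for the vssadmin/wmic/bcdedit/wbadmin commands ransomware (WannaCry among them) uses to remove recovery points, then reports hosts where the wipe ran under more than one user, which is the per-session pattern described above. The log layout, the sample lines and the function names find_shadow_deletions / users_per_host are assumptions made for this example.

```python
"""Flag shadow-copy deletion in process-creation logs and show when the same
destructive command runs under several users on one host.

Added example for the clamav-users thread, not code from ClamAV, Malwarebytes
or Talos. Assumptions: the log layout (one Sysmon-style line per event with
EID, User and CommandLine fields) is invented for the example, the sample
lines are constructed, and the command-line patterns are the vssadmin / wmic /
bcdedit / wbadmin invocations ransomware families (WannaCry included) use to
remove recovery points.
"""
import re
from typing import Dict, List

# Event ID 1 is Sysmon's process-creation event; other IDs are ignored here.
PROCESS_CREATE = "1"

# Rule name -> pattern. Each pattern is anchored on the tool name and the
# destructive verb so that a benign "vssadmin list shadows" does not match.
SHADOW_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

# Assumed log layout: "<timestamp> <host> EID=<n> User=<user> CommandLine=<cmd>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+EID=(?P<eid>\d+)\s+"
    r"User=(?P<user>\S+)\s+CommandLine=(?P<cmd>.*)$"
)

# Constructed sample: one workstation where two different logged-in users run
# the recovery-point wipe (the per-session behaviour quoted above), plus noise.
SAMPLE_LOG = r"""
2017-05-12T10:01:02Z WS01 EID=1 User=CORP\alice CommandLine="C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2017-05-12T10:01:05Z WS01 EID=1 User=CORP\bob CommandLine=vssadmin.exe delete shadows /all /quiet
2017-05-12T10:01:07Z WS01 EID=1 User=CORP\alice CommandLine=vssadmin list shadows
2017-05-12T10:02:00Z WS02 EID=1 User=CORP\carol CommandLine="C:\Program Files\Backup\backup.exe" --snapshot
2017-05-12T10:03:00Z WS02 EID=3 User=CORP\carol CommandLine=
"""


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shadow_deletions(log_text: str) -> List[Dict]:
    """One hit per process-creation event whose command line matches at least
    one recovery-destruction rule, carrying the list of matched rule names."""
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev["eid"] != PROCESS_CREATE:
            continue
        matched = [name for name, rx in SHADOW_PATTERNS if rx.search(ev["cmd"])]
        if matched:
            hits.append({"ts": ev["ts"], "host": ev["host"],
                         "user": ev["user"], "cmd": ev["cmd"],
                         "matched": matched})
    return hits


def users_per_host(hits: List[Dict]) -> Dict[str, List[str]]:
    """Group hits by host. Several distinct users wiping recovery points on one
    host is the 'run it as every RDP-session user' pattern worth escalating."""
    by_host: Dict[str, set] = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["user"])
    return {host: sorted(users) for host, users in by_host.items()}


if __name__ == "__main__":
    found = find_shadow_deletions(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['host']} {h['user']}: {', '.join(h['matched'])}")
    for host, users in users_per_host(found).items():
        if len(users) > 1:
            print(f"ESCALATE {host}: recovery wipe run by {len(users)} users {users}")
```

On the sample input the first WS01 line trips all four rules, the second trips only the vssadmin rule, and the "vssadmin list shadows" line is ignored; WS01 is then escalated because the wipe ran as both CORP\alice and CORP\bob. In practice the same rules translate directly to a SIEM query on the process command-line field, and the multi-user grouping is the part that separates a single careless admin from a worm walking the sessions.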
