So by now everyone should have heard of WannaCry and all its variants. There is a good rundown at https://en.wikipedia.org/wiki/WannaCry_ransomware_attack. It stems from leaked tools that the NSA used to exploit holes in Windows SMB (CVE-2017-0145, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145). It just goes to show again that patching is important. Had folks patched their PCs when the patch was made available, the ransomware would have stayed local to the victim and not been able to propagate across the network. You can read up on the EternalBlue remote exploit and the "kill switch" that was discovered in the Wiki article above as well.
I wanted to put up a quick video on how it looks and works, but for now I at least wanted to make it easier to discover machines on your network that "may" be vulnerable, using Metasploit.
From the Metasploit console:
msf > use auxiliary/scanner/smb/smb_ms17_010
msf auxiliary(smb_ms17_010) > set RHOSTS <enter the IP of the machine to check>
msf auxiliary(smb_ms17_010) > exploit
The result of this will show a message stating the likelihood of the machine being vulnerable, meaning it has not been patched. Make sure your environment stays as current as possible.
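The console steps above check one machine at a time. The following is an added example, not part of the original post and not Metasploit's own code: it generates a Metasploit resource script that runs the same smb_ms17_010 module over a whole subnet and spools the console output to a file, and a small shell function that pulls the hosts flagged as likely unpatched out of that log so they can go to the top of the patch list. The subnet, file paths and the sample log lines are constructed for the example; the "Host is likely VULNERABLE to MS17-010!" wording is assumed to match what the module prints, and msfconsole is assumed to be installed (it is not invoked by the script itself).

```shell
#!/bin/sh
# Added example (not from the original post): scan a subnet with the
# smb_ms17_010 auxiliary module via a resource script, then list the
# hosts it reported as likely unpatched.

# Print a Metasploit resource script that scans SUBNET with the module
# from the post and spools all console output to LOGFILE.
# Usage: write_ms17_010_rc 192.168.1.0/24 /tmp/ms17.log > scan.rc
#        msfconsole -q -r scan.rc        (msfconsole assumed installed)
write_ms17_010_rc() {
  subnet="$1"; logfile="$2"
  cat <<EOF
spool $logfile
use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS $subnet
set THREADS 16
run
spool off
exit
EOF
}

# Extract, sorted and de-duplicated, the IP addresses the scanner
# flagged as likely VULNERABLE in a spooled log. Lines are expected to
# look like (wording assumed from the module's output):
#   [+] 10.0.0.5:445 - Host is likely VULNERABLE to MS17-010! - ...
# Patched hosts print "does NOT appear vulnerable" and are skipped.
likely_vulnerable_hosts() {
  grep 'likely VULNERABLE to MS17-010' "$1" \
    | sed -n 's/^\[+] \([0-9.]*\):445 .*/\1/p' \
    | sort -u
}

# Constructed sample of spooled scanner output for a stand-alone run.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[+] 10.0.0.5:445          - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[-] 10.0.0.6:445          - Host does NOT appear vulnerable.
[+] 10.0.0.7:445          - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] Scanned 3 of 3 hosts (100% complete)
[*] Auxiliary module execution completed
EOF

# Stand-alone demo: show the generated resource script and the hosts
# that need patching first from the constructed log.
write_ms17_010_rc 10.0.0.0/24 /tmp/ms17.log
echo "Likely unpatched hosts:"
likely_vulnerable_hosts "$SAMPLE_LOG"
```

The resource script uses the same module and RHOSTS option as the console steps; `spool` just captures everything the console prints so the result survives after msfconsole exits, and the grep/sed filter keeps only the positive findings.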
You may also find it interesting to follow this Twitter account: it is a bot that tracks the Bitcoin addresses listed in the WannaCry ransom note and shows how much the ransomware has collected so far. https://twitter.com/actual_ransom.