Aliases: WCry, WanaDecrypt0r 2.0
Operational Model: While historically associated with the 2017 worm-based campaign, recent intelligence indicates WANNACRY has evolved into a sophisticated operation leveraging targeted exploitation rather than indiscriminate propagation. Current activity suggests a closed-group model with high operational security, potentially re-using the brand name for credibility while utilizing modern RaaS toolkits.
Ransom Demands: Demands vary significantly based on victim revenue, ranging from $500k for mid-sized entities to multi-million dollar demands for critical infrastructure (Energy/Finance). Payment is typically demanded in Monero (XMR) or Bitcoin (BTC).
Initial Access Vectors: The group has aggressively pivoted to exploiting vulnerabilities in edge services. Recent campaigns confirm the active exploitation of:
- CVE-2023-21529: Microsoft Exchange Server Deserialization
- CVE-2026-20131: Cisco Secure Firewall Management Center
- CVE-2025-52691 / CVE-2026-23760: SmarterMail RCE & Auth Bypass
- CVE-2025-55182: Meta React Server Components
Double Extortion: Yes. Unlike the 2017 variant, recent victim posts confirm data exfiltration prior to encryption. Sensitive PII, financial records, and proprietary schematics are leaked on the .onion site if ransoms are not paid.
Dwell Time: Short. The group operates with an average dwell time of 3–5 days between initial access (via CVE exploit) and detonation, prioritizing speed over stealth in post-exploitation stages.
# Current Campaign Analysis
Sectors Targeted: The recent campaign shows a distinct pivot toward Critical Infrastructure and Government.
- Public Sector: 40% of recent victims (State of Connecticut, Murfreesboro PD/FD, Chinese traffic police).
- Energy: High impact attack on Petrobras (BR).
- Telecommunications: Telkom (ZA), MegaFon, MediaOnline.
- Financial Services: Bank of China, Sberbank.
Geographic Concentration: While global, there is heavy targeting of the US (Connecticut, Murfreesboro, Becker County), BR (Petrobras, Social Security), and CN (Bank of China, Public Security).
Victim Profile: Large enterprises and government bodies with annual revenues exceeding $500M. The group favors organizations with complex network perimeters where legacy edge devices (Cisco FMC) or collaboration servers (Exchange, SmarterMail) are exposed to the internet.
Observed Patterns: Posting frequency is high, with "dumps" of victims occurring in clusters (e.g., the May 12th mass publishing). The connection between CVE-2025-52691 (SmarterMail) and the recent victims suggests automated exploitation of internet-facing mail servers is a primary infection vector currently.
# Detection Engineering
## SIGMA Rules
```yaml
title: Potential Exploit of CVE-2025-52691 SmarterMail Unrestricted Upload
id: 8a5d3b1c-9e4f-4a2b-8f3d-1c9e4f4a2b8f
status: experimental
description: Detects a server-side script (.aspx/.ashx) being written under the SmarterMail MRS web root, the post-exploitation artifact of SmarterMail Unrestricted Upload of File with Dangerous Type (CVE-2025-52691) associated with WANNACRY gang activity.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/29
logsource:
    product: windows
    category: file_event
detection:
    selection_path:
        TargetFilename|contains: 'C:\Program Files (x86)\SmarterTools\SmarterMail\MRS\'
    selection_ext:
        TargetFilename|contains:
            - '.aspx'
            - '.ashx'
    condition: selection_path and selection_ext
falsepositives:
    - Legitimate administrative uploads
level: high
```

```yaml
title: WANNACRY Ransomware Process Execution - tasksche.exe
id: 1d4e6f2a-3b5c-4d6e-7f8a-9b0c1d2e3f4a
status: experimental
description: Detects execution of the known WANNACRY process names tasksche.exe (encryptor) and mssecsvc.exe (worm service) used in the propagation and encryption phases.
references:
    - Internal Intel
author: Security Arsenal
date: 2026/04/29
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\tasksche.exe'
            - '\mssecsvc.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
```

```yaml
title: Microsoft Exchange Deserialization Anomaly (CVE-2023-21529)
id: 2c5f7a3b-4c6d-5e7f-8a9b-0c1d2e3f4a5b
status: experimental
description: Low-fidelity heuristic. Flags Exchange management log entries whose message mentions deserialization, which may indicate exploitation of CVE-2023-21529; tune the event ID and message pattern to what your collector actually emits.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/29
logsource:
    product: windows
    service: msexchange-management
detection:
    selection:
        EventID: 6   # generic management log event; adjust to the ID your collector emits
        Message|contains: 'deserialization'
    condition: selection
falsepositives:
    - Legitimate Exchange management activity
level: medium
```
## KQL (Microsoft Sentinel)
```kql
// Hunt for WANNACRY staging and lateral movement.
// Branch 1 (Defender for Endpoint): shadow-copy / backup tampering and ACL changes that precede encryption.
// Branch 2 (Windows Security events): one account or source IP reaching admin shares on many hosts (wormlike fan-out).
let TimeRange = 1h;
let StagingCommands = DeviceProcessEvents
    | where Timestamp > ago(TimeRange)
    | where FileName in~ ("powershell.exe", "cmd.exe", "vssadmin.exe", "wbadmin.exe", "cipher.exe", "icacls.exe")
    | where ProcessCommandLine has_any ("vssadmin", "wbadmin", "cipher", "icacls")
    | project Timestamp, DeviceName, Account = AccountName, IpAddress = "", Detail = ProcessCommandLine;
let AdminShareFanOut = SecurityEvent
    | where TimeGenerated > ago(TimeRange)
    | where EventID == 5145 // detailed file share access check
    // ShareName is logged as \\*\ADMIN$ or \\*\C$, so an exact match on "ADMIN$" never fires
    | where ShareName endswith "ADMIN$" or ShareName endswith "C$"
    | summarize Timestamp = max(TimeGenerated), Hosts = dcount(Computer), Attempts = count() by Account, IpAddress
    | where Hosts > 10 // one source touching admin shares on more than 10 hosts inside the window
    | project Timestamp, DeviceName = "", Account, IpAddress,
              Detail = strcat("admin share access on ", tostring(Hosts), " hosts, ", tostring(Attempts), " events");
StagingCommands
| union AdminShareFanOut
| order by Timestamp desc
```
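The fan-out branch of the hunt above is the part worth testing before it goes into production, because the threshold, not the share name, decides whether it fires. The following is an added example, not code from the original page or from Security Arsenal: it runs the same "one source reaches admin shares on more than N distinct hosts inside one window" logic offline over constructed Windows Security event 5145 records. The pipe-delimited record format, the 1-hour window and the 10-host threshold are assumptions for the demo (the last two are taken from the KQL).

```python
"""Admin-share fan-out check: the threshold logic of the Sentinel hunt,
run offline over constructed Windows Security event 5145 records.

Added example, not code from the original page or from Security Arsenal.
The event lines are constructed; the window and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)    # assumed hunt window
HOST_THRESHOLD = 10            # assumed: > 10 distinct hosts from one source is wormlike


def parse_5145(line):
    """Parse a constructed 'time|account|source ip|target host|share' record."""
    ts, account, ip, computer, share = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "ip": ip, "computer": computer, "share": share}


def is_admin_share(share):
    # 5145 logs the share as \\*\ADMIN$ or \\*\C$, so match the suffix, not the bare name.
    return share.upper().endswith(("\\ADMIN$", "\\C$"))


def find_fan_out(events, window=WINDOW, threshold=HOST_THRESHOLD):
    """Return {(account, source ip): [hosts]} for every source that touched
    admin shares on more than `threshold` distinct hosts inside one window."""
    by_source = defaultdict(list)
    for ev in events:
        if is_admin_share(ev["share"]):
            by_source[(ev["account"], ev["ip"])].append(ev)
    hits = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["computer"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) > threshold:
            hits[src] = sorted(best)
    return hits


# Constructed sample: a wormlike source, a benign admin, a slow scanner, a non-admin share.
SAMPLE_5145 = [
    *[f"2026-05-12T02:{m:02d}:00|CORP\\svc_backup|10.0.5.23|WS-{i:03d}|\\\\*\\ADMIN$"
      for i, m in enumerate(range(1, 24, 2))],                     # 12 hosts in 22 minutes
    "2026-05-12T02:05:00|CORP\\jdoe|10.0.9.4|SRV-01|\\\\*\\C$",    # 3 hosts: normal admin work
    "2026-05-12T02:06:00|CORP\\jdoe|10.0.9.4|SRV-02|\\\\*\\C$",
    "2026-05-12T02:07:00|CORP\\jdoe|10.0.9.4|SRV-03|\\\\*\\C$",
    *[f"2026-05-12T{3 + i // 2:02d}:{(i % 2) * 30:02d}:00|CORP\\scanner|10.0.7.7|WS-{100 + i}|\\\\*\\ADMIN$"
      for i in range(12)],                                         # 12 hosts, but 30 min apart
    "2026-05-12T02:10:00|CORP\\svc_backup|10.0.5.23|FS-01|\\\\*\\Public",  # not an admin share
]


def demo():
    return find_fan_out([parse_5145(line) for line in SAMPLE_5145])


if __name__ == "__main__":
    for (account, ip), hosts in demo().items():
        print(f"[!] {account} from {ip} reached admin shares on {len(hosts)} hosts: {hosts[:3]} ...")
```

Only the `svc_backup` source trips the check: the admin touching three servers stays under the threshold, and the slow scanner hits twelve hosts in total but never more than three inside any one-hour window, which is the case the KQL's `dcount(Computer)` over a fixed `ago(1h)` slice also misses. If you lower `HOST_THRESHOLD` for small environments, do it per source type (service accounts versus interactive admins) rather than globally.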
## PowerShell Rapid Response
```powershell
#Requires -RunAsAdministrator
<#
WANNACRY Rapid Response Hardening Script
Checks for SMBv1 (legacy vector), enumerates scheduled tasks registered in the last 7 days,
looks for the known WANNACRY process names and probes for the well-known WannaCry mutex
(MsWinZonesCacheCounterMutexA). Run as Administrator.
#>
Write-Host "[+] Checking for SMBv1 Server (Legacy WANNACRY Vector)..." -ForegroundColor Cyan
$SMBv1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($SMBv1.State -eq "Enabled") {
    Write-Host "[!] WARNING: SMBv1 is ENABLED. Disabling now (takes effect after reboot)." -ForegroundColor Red
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
} else {
    Write-Host "[*] SMBv1 is Disabled." -ForegroundColor Green
}

Write-Host "[+] Scanning for Scheduled Tasks registered in the last 7 days..." -ForegroundColor Cyan
$Cutoff = (Get-Date).AddDays(-7)
# Date is a string from the task XML and is empty for many built-in tasks; cast before comparing.
$Tasks = Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt $Cutoff }
if ($Tasks) {
    Write-Host "[!] WARNING: Found recently registered scheduled tasks (review each action):" -ForegroundColor Yellow
    $Tasks | Select-Object TaskPath, TaskName, Date, Author,
        @{ Name = 'Action'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
        Format-Table -AutoSize
} else {
    Write-Host "[*] No scheduled tasks registered in the last 7 days." -ForegroundColor Green
}

Write-Host "[+] Checking for known WANNACRY process names..." -ForegroundColor Cyan
$Procs = Get-CimInstance Win32_Process | Where-Object { $_.Name -in 'tasksche.exe', 'mssecsvc.exe' }
if ($Procs) {
    Write-Host "[!!!] CRITICAL: WANNACRY PROCESS RUNNING. ISOLATE HOST FROM THE NETWORK IMMEDIATELY." -ForegroundColor Red
    $Procs | Select-Object ProcessId, ParentProcessId, Name, CommandLine | Format-List
}

Write-Host "[+] Checking for WANNACRY Mutex..." -ForegroundColor Cyan
# A mutex is not visible in Win32_Process; try to open the named kernel object directly.
$MutexFound = $false
foreach ($Name in 'Global\MsWinZonesCacheCounterMutexA', 'Global\MsWinZonesCacheCounterMutexA0',
                  'MsWinZonesCacheCounterMutexA', 'MsWinZonesCacheCounterMutexA0') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name); $m.Dispose(); $MutexFound = $true
        Write-Host "[!!!] CRITICAL: Mutex $Name exists. ISOLATE HOST FROM THE NETWORK IMMEDIATELY." -ForegroundColor Red
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present on this host
    } catch [System.UnauthorizedAccessException] {
        $MutexFound = $true   # exists but we lack rights to open it: still a hit
        Write-Host "[!!!] CRITICAL: Mutex $Name exists (access denied). ISOLATE HOST IMMEDIATELY." -ForegroundColor Red
    }
}
if (-not $MutexFound) { Write-Host "[*] No WannaCry mutex found." -ForegroundColor Green }
```
---
# Incident Response Priorities
**T-minus Detection Checklist:**
* **Indicator Hunting:** Hunt process telemetry for `mssecsvc.exe` started as a service (parent `services.exe`; the 2017 worm registered itself as the `mssecsvc2.0` service) and for `tasksche.exe` launched by it.
* **Network Traffic:** Look for large outbound encrypted flows (443/80) to destinations with no business relationship, indicating exfiltration prior to the encryption event.
* **Edge Devices:** Immediate forensic triage of internet-facing SmarterMail and Exchange servers for webshell activity (`aspx`/`ashx` drops).
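The SIGMA rules in the Detection Engineering section and the indicator-hunting item above describe string matches on file and process telemetry; the quickest way to know they fire on the right events is to run the match logic over sample records before deploying. The following is an added example, not code from the original page or from Security Arsenal, and not a Sigma engine: it implements only the modifiers those rules use (`contains`, `endswith`, `all`) with Sigma's default case-insensitive string comparison, maps the `file_event` and `process_creation` log sources onto Sysmon event IDs 11 and 1, and adds the checklist's process chain (the worm's `mssecsvc.exe` service launching `tasksche.exe`). The Sysmon-style event records are constructed for the demo.

```python
"""Minimal Sigma-style matcher over constructed Sysmon events: the SmarterMail
.aspx drop rule, the WannaCry process-name rule, and the checklist's
mssecsvc.exe -> tasksche.exe process chain.

Added example, not code from the original page or from Security Arsenal.
Only the modifiers these rules need are implemented; events are constructed."""

RULES = {
    # file_event: the SIGMA section's CVE-2025-52691 rule as one ANDed selection
    "smartermail_aspx_drop": {
        "EventID": 11,
        "TargetFilename|contains|all": [
            "C:\\Program Files (x86)\\SmarterTools\\SmarterMail\\MRS\\", ".aspx"],
    },
    # process_creation: the SIGMA section's tasksche.exe / mssecsvc.exe rule
    "wannacry_process": {
        "EventID": 1,
        "Image|endswith": ["\\tasksche.exe", "\\mssecsvc.exe"],
    },
    # checklist: tasksche.exe launched by the mssecsvc.exe service
    "wannacry_chain": {
        "EventID": 1,
        "Image|endswith": "\\tasksche.exe",
        "ParentImage|endswith": "\\mssecsvc.exe",
    },
}


def _match_value(value, modifiers, pattern):
    v, p = str(value).lower(), str(pattern).lower()   # Sigma strings compare case-insensitively
    if "contains" in modifiers:
        return p in v
    if "endswith" in modifiers:
        return v.endswith(p)
    if "startswith" in modifiers:
        return v.startswith(p)
    return v == p


def field_matches(event, key, patterns):
    """One selection entry: 'Field|mod...': pattern or [patterns]. A list is ORed
    unless the 'all' modifier is present."""
    field, *modifiers = key.split("|")
    if field not in event:
        return False
    if not isinstance(patterns, list):
        patterns = [patterns]
    results = [_match_value(event[field], modifiers, p) for p in patterns]
    return all(results) if "all" in modifiers else any(results)


def rule_matches(rule, event):
    # every entry of a selection map is ANDed (Sigma semantics)
    return all(field_matches(event, key, pats) for key, pats in rule.items())


def evaluate(events, rules=RULES):
    """Return [(rule name, event id)] for every rule/event pair that matches."""
    return [(name, ev["id"]) for ev in events
            for name, rule in rules.items() if rule_matches(rule, ev)]


# Constructed Sysmon-style records (EventID 11 = file create, EventID 1 = process create)
SAMPLE_EVENTS = [
    {"id": 1, "EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\Program Files (x86)\\SmarterTools\\SmarterMail\\MRS\\App_Data\\x.ASPX"},
    {"id": 2, "EventID": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\Program Files (x86)\\SmarterTools\\SmarterMail\\MRS\\App_Data\\report.pdf"},
    {"id": 3, "EventID": 1, "Image": "C:\\Windows\\mssecsvc.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"id": 4, "EventID": 1, "Image": "C:\\Windows\\tasksche.exe",
     "ParentImage": "C:\\Windows\\mssecsvc.exe"},
    {"id": 5, "EventID": 1, "Image": "C:\\Windows\\System32\\taskhostw.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for name, event_id in evaluate(SAMPLE_EVENTS):
        print(f"[!] {name} matched event {event_id}")
```

Event 1 matches even though the extension is written `.ASPX`, which is the behaviour you get from a real Sigma backend and the reason the page's rule does not need separate upper- and lower-case patterns. Event 5 (`taskhostw.exe`) is there to show that `endswith '\tasksche.exe'` does not collide with the legitimate Windows binary whose name shares most of its letters.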
**Critical Assets Targeted:**
* **Law Enforcement Data:** Murfreesboro PD/FD breach suggests active targeting of sensitive case files and body-cam footage.
* **Energy ICS:** Petrobras victimization suggests a push toward Operational Technology (OT) network pivots.
* **Financial Databases:** Bank of China and Sberbank indicate high interest in SWIFT transaction logs and customer credentials.
**Containment Actions (Ordered by Urgency):**
1. **Isolate:** Disconnect all SmarterMail and Exchange servers from the network immediately if compromise is suspected.
2. **Block:** Block internet access to Cisco FMC management interfaces (CVE-2026-20131) from untrusted IPs.
3. **Isolate, do not power off:** If `tasksche.exe` or `mssecsvc.exe` is detected on an endpoint, cut it off from the network (EDR isolation or pull the cable) but leave it running, and capture a memory image before any shutdown. Powering off destroys volatile memory; for the 2017 variant the RSA private-key primes could be recovered from the live process memory (the `wanakiwi` technique) only while the process had not been killed and the host had not been rebooted. Network isolation, not power removal, is what stops propagation.
---
# Hardening Recommendations
**Immediate (24h):**
* **Patch:** Apply patches for **CVE-2025-52691** (SmarterMail) and **CVE-2023-21529** (Exchange) immediately. These are the confirmed initial access vectors in this wave.
* **Disable SMBv1:** Ensure SMBv1 is disabled across the entire Windows enterprise fleet via Group Policy.
* **MFA:** Enforce MFA specifically for VPN and OWA (Outlook Web Access) access to mitigate credential stuffing attempts often paired with these exploits.
**Short-term (2 weeks):**
* **Segmentation:** Move Email and Firewall Management interfaces to a separate, strictly controlled VLAN with no direct internet access (VPN required for management).
* **EDR Policies:** Tune EDR solutions to specifically alert on `powershell.exe` executing `System.Net.WebClient` download methods on mail servers.
---