Back to Intelligence

WANNACRY Resurgence: 33 New Victims Posted — Critical Infrastructure Targeting & Modern Exploit Analysis

SA
Security Arsenal Team
April 28, 2026
7 min read

Threat Actor Profile — WANNACRY

WANNACRY (also known as WCry, WannaCryptor) has historically operated as a self-propagating crypto-worm. However, intelligence from the current 2026 campaign suggests a shift toward a "RaaS 2.0" model or a closed-group operation leveraging modern vulnerabilities rather than relying solely on the EternalBlue (MS17-010) exploit vector used in their original 2017 rampage.

  • Model: Hybrid (Opportunistic Worming + Targeted Ransomware).
  • Ransom Demands: Variable; historically ranged from $300 to $600 BTC per host, but current enterprise demands likely exceed six figures USD given the critical nature of recent victims.
  • Initial Access: Historically SMBv1 exploits (EternalBlue). Current campaign pivots to:
    • Web Application Exploits: Focus on Microsoft Exchange and external mail servers.
    • Edge Device Exploitation: Targeting Cisco Firepower Management Centers.
    • Supply Chain: Potential exploitation of cloud-based services (Meta React Server Components).
  • Dwell Time: Estimated 3–7 days. The gang moves quickly laterally once a foothold is established on Exchange or edge infrastructure.

Current Campaign Analysis

Targeted Sectors

The latest leak site dump (33 victims) indicates a broad-spectrum attack strategy with a heavy emphasis on Public Sector and Critical Infrastructure.

  • High Frequency: Public Sector (State of Connecticut, Becker County, Brazil's Social Security), Manufacturing (Honda), Energy (Petrobras).
  • Secondary Targets: Financial Services (Bank of China, Sberbank) and Telecommunications (Telkom, MegaFon).

Geographic Concentration

  • Americas: Heavy targeting of US (State/Local gov) and Brazil (Federal/Ministry level).
  • EMEA: UK, Germany (implied by recent gang activity), South Africa (Telkom).
  • APAC: China (Financial/Public Security), Thailand, Singapore.

Victim Profile

  • Size: Large Enterprises and Government Agencies.
  • Revenue/Impact: Targets range from municipal entities (Becker County) to multinational conglomerates (Honda, Petrobras, Bank of China).

CVE Connection & Initial Access Vectors

This campaign represents a significant modernization of the WANNACRY playbook. Instead of purely scanning for port 445 (SMB), the gang is actively exploiting critical internet-facing infrastructure:

  1. CVE-2023-21529 (Microsoft Exchange): Used to bypass authentication on Exchange servers, providing a direct pivot into internal networks via OWA.
  2. CVE-2026-20131 (Cisco Secure Firewall FMC): Deserialization flaw allowing attackers to execute code as root on the firewall management console, effectively disabling perimeter defenses.
  3. CVE-2025-52691 & CVE-2026-23760 (SmarterTools SmarterMail): Authentication bypass and file upload flaws, likely used for initial access in targeted spam or credential-stuffing campaigns against hosted email providers.

Posting Frequency

Victims are posted in batches correlating with successful exploitation waves. The current cluster suggests an automated exploitation tool was deployed against vulnerable Exchange and Cisco FMC endpoints roughly 4-5 days prior to the leak site publications.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Exploitation of CVE-2023-21529 Microsoft Exchange Deserialization
id: 4a8b9c0d-1e2f-3456-7890-abcdef123456
description: Detects potential exploitation of Microsoft Exchange Deserialization of Untrusted Data vulnerability (CVE-2023-21529) via suspicious backend process activity.
status: experimental
date: 2026/04/28
author: Security Arsenal Research
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-21529
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2023.21529
    - exchange
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5140 or 5145
        ShareName|contains: 'Exchange'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative access
level: high
---
title: SmarterMail Suspicious File Upload Pattern (CVE-2025-52691)
id: b1c2d3e4-5678-90ab-cdef-123456789abc
description: Detects suspicious file extensions uploaded to SmarterMail web root paths, indicative of exploitation of Unrestricted Upload of File with Dangerous Type.
status: experimental
date: 2026/04/28
author: Security Arsenal Research
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-52691
tags:
    - attack.initial_access
    - attack.web_shell
    - cve.2025.52691
logsource:
    product: webserver
    service: iis
detection:
    selection_uri:
        cs-uri-query|contains:
            - 'SmarterMail'
            - 'Services/MailItem.asmx'
    selection_ext:
        cs-uri-stem|endswith:
            - '.aspx'
            - '.ashx'
    condition: all of selection_*
falsepositives:
    - Legitimate SmarterMail usage
level: critical
---
title: Cisco FMC Management Console Anomaly (CVE-2026-20131)
id: f9e8d7c6-b5a4-9234-5678-90abcdef123
description: Detects suspicious command execution or deserialization attempts on Cisco Secure Firewall Management Center FMC based on log patterns.
status: experimental
date: 2026/04/28
author: Security Arsenal Research
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-20131
tags:
    - attack.execution
    - attack.t1059
    - cve.2026.20131
logsource:
    product: cisco
    service: fmc
detection:
    selection:
        Message|contains:
            - 'deserialization'
            - 'Runtime.exec'
    condition: selection
falsepositives:
    - Administrator troubleshooting
level: high

KQL (Microsoft Sentinel)

Hunt for lateral movement and data staging associated with this group. WANNACRY often utilizes SMB for propagation, but modern variants rely on web shells and scheduled tasks.

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious scheduled tasks created for persistence (often used post-exploitation)
SecurityEvent
| where EventID in (4688, 4698)
| where ProcessName contains "schtasks.exe" or TaskName contains "Update" or TaskName contains "System"
| where SubjectUserName != "SYSTEM" and SubjectUserName != "LOCAL SERVICE"
| project TimeGenerated, Computer, SubjectUserName, TaskName, ProcessCommandLine
| order by TimeGenerated desc
// Correlate with large file movement (Data Staging)
| join kind=inner (
    DeviceFileEvents
    | where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe")
    | where FileSize > 10000000 // > 10MB
    | project FileTime=TimeGenerated, DeviceName, FileName, FileSize, InitiatingProcessFileName
) on $left.Computer == $right.DeviceName
| where TimeGenerated > FileTime - time(1h) // Task created near file activity

PowerShell

Rapid response script to enumerate potential persistence mechanisms and check for specific CVE indicators on Exchange servers.

PowerShell
<#
.SYNOPSIS
    WANNACRY Campaign Hardening & Hunt Script
.DESCRIPTION
    Checks for signs of CVE-2023-21529 exploitation and enumerates suspicious scheduled tasks.
#>

Write-Host "[+] Checking for Scheduled Tasks registered in the last 7 days..." -ForegroundColor Yellow
$DateThreshold = (Get-Date).AddDays(-7)

Get-ScheduledTask | Where-Object { $_.Date -ge $DateThreshold } | ForEach-Object {
    $TaskInfo = $_ | Get-ScheduledTaskInfo
    Write-Host "[!] Suspicious Task Found: $($_.TaskName)" -ForegroundColor Red
    Write-Host "    Last Run: $($TaskInfo.LastRunTime)"
    Write-Host "    Author: $($_.Author)"
}

Write-Host "[+] Checking Exchange Server Backend Logs for Deserialization Anomalies (CVE-2023-21529)..." -ForegroundColor Yellow
# Checks if Exchange is installed and looks for recent backend errors
if (Get-Service -Name MSExchangeOWAAppPool -ErrorAction SilentlyContinue) {
    $EventLog = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSExchange Common'; StartTime=$DateThreshold; Id=4999} -ErrorAction SilentlyContinue
    if ($EventLog) {
        Write-Host "[!] Potential Deserialization Exception Detected in Exchange Logs!" -ForegroundColor Red
        $EventLog | Select-Object TimeCreated, Message | Format-List
    } else {
        Write-Host "[-] No critical deserialization events found in Application log." -ForegroundColor Green
    }
} else {
    Write-Host "[-] Exchange not detected on this host." -ForegroundColor Gray
}

Write-Host "[+] Checking SMBv1 Status (Legacy WANNACRY Vector)..." -ForegroundColor Yellow
$SMBv1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($SMBv1.State -eq "Enabled") {
    Write-Host "[!] WARNING: SMBv1 is Enabled. Consider disabling to prevent worm propagation." -ForegroundColor Red
} else {
    Write-Host "[-] SMBv1 is Disabled." -ForegroundColor Green
}

Incident Response Priorities

T-Minus Detection Checklist

  • Network Traffic: Hunt for inbound traffic to /owa or /ecp paths on Exchange servers followed by large outbound SMB traffic.
  • Process Anomalies: Look for w3wp.exe (IIS worker process) spawning cmd.exe or powershell.exe — a strong indicator of successful web shell exploitation (Exchange/SmarterMail).
  • Firewall Logs: Review Cisco FMC logs for any users logging in and immediately executing CLI commands or downloading configuration backups (CVE-2026-20131).

Critical Assets for Exfiltration

WANNACRY historically prioritizes:

  • PII Databases: DMV, Social Security, Police Records (observed in victims).
  • Intellectual Property: Manufacturing schematics (Honda).
  • Financial Data: Banking transaction logs (Bank of China, Sberbank).

Containment Actions (Ordered by Urgency)

  1. Isolate Exchange Servers: Immediately disconnect Exchange servers from the network if CVE-2023-21529 is suspected but not confirmed patched.
  2. Revoke Firewall Admin Creds: If Cisco FMC is compromised, assume all firewall rules have been modified. Revoke API keys and admin credentials immediately.
  3. Disable SMBv1: Ensure SMBv1 is disabled network-wide to stop lateral movement.
  4. Reset Service Accounts: Cycle credentials for accounts used by SmarterMail or Exchange Application Pools.

Hardening Recommendations

Immediate (24h)

  • Patch Exchange: Apply the security update for CVE-2023-21529 immediately. This is the primary vector in this campaign.
  • Patch Cisco FMC: Apply patches for CVE-2026-20131. Restrict management interface access to internal subnets only.
  • SmarterMail Updates: If running SmarterMail, update to the latest version to patch CVE-2025-52691 and CVE-2026-23760.

Short-term (2 weeks)

  • Network Segmentation: Move Exchange and Firewall Management interfaces to dedicated management VLANs, inaccessible from the public internet without VPN.
  • Web Application Firewall (WAF): Implement strict WAF rules to block deserialization attacks and anomalous HTTP traffic to mail servers.
  • Zero Trust: Implement phishing-resistant MFA (FIDO2) for all administrative access, especially for cloud and firewall management consoles.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangwannacryransomwarepublic-sectorexchange-servercve-2023-21529cve-2026-20131

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action