WANNACRY Resurgence: 33-Victim Global Campaign Targets Public Sector & Critical Infrastructure

Threat Actor Profile — WANNACRY

Aliases: WCry, WannaCryptor Operational Model: While historically associated with worm-like propagation, this 2026 iteration operates via a Ransomware-as-a-Service (RaaS) model with dedicated affiliate access to exploit infrastructure. Recent activity suggests a shift from automated propagation to targeted, manual exploitation of critical internet-facing infrastructure.

Ransom Demands: Highly variable based on victim revenue, typically ranging from $500,000 to $5 million for decryption keys, with separate demands for data deletion to prevent leak site publication.

Initial Access Vectors:

Web Application Exploitation: Primary vector currently involves exploiting authentication bypass and file upload vulnerabilities in email gateways (SmarterMail) and collaboration servers (Microsoft Exchange).
Perimeter Bypass: Active exploitation of Cisco firewall management consoles (CVE-2026-20131) to pivot into internal networks.

Double Extortion: Confirmed. The group operates a dedicated .onion leak site ("WANNACRY DATA") where victim data is published if negotiations fail or fail to initiate within the specified timeframe.

Average Dwell Time: Approximately 3–5 days. Unlike the 2017 worm variant, this campaign shows slower, stealthy lateral movement to maximize data exfiltration before detonation.

Current Campaign Analysis

Campaign Overview: In the last 100 postings (Live Data: 2026-04-28), the WANNACRY operation has claimed 33 victims. The campaign exhibits a distinct preference for high-value public sector and critical infrastructure targets, likely driven by the sensitivity of the data and the urgency of restoration.

Targeted Sectors:

Public Sector (Primary): Heavy focus on municipal governments, law enforcement (PD/FD), and libraries. Notable victims include the State of Connecticut and Becker County.
Energy & Manufacturing: Strategic targeting of operational continuity, e.g., Petrobras and Honda Motor Co.
Telecommunications: Disruption of communication hubs (Telkom, MegaFon).
Financial Services: Direct hits on major banking institutions (Bank of China, Sberbank).

Geographic Concentration: While global, the activity is concentrated in:

North America (US): State and local government bodies.
Asia-Pacific (CN, TH, SG): Financial services and public security bureaus.
South America (BR): Critical national infrastructure (Social Security, Foreign Ministry).
Europe (GB, DE): Spillover attacks targeting multinational corporate branches.

CVE Exploitation & TTP Alignment: The victimology correlates with the exploitation of specific CISA Known Exploited Vulnerabilities (KEVs):

SmarterMail (CVE-2026-23760 / CVE-2025-52691): Used to gain initial access to email infrastructures of the targeted Public Sector and Financial entities.
Microsoft Exchange (CVE-2023-21529): Leveraged for remote code execution (RCE) and credential dumping in Enterprise environments.
Cisco Secure Firewall (CVE-2026-20131): Used to bypass network perimeter defenses, likely allowing the gang to move laterally from segmented networks to the core.

Detection Engineering

The following detection logic targets the specific initial access vectors and lateral movement patterns observed in this WANNACRY campaign.

YAML

title: SmarterMail Authentication Bypass and Webshell Upload
id: 9e8b4a2d-1f3c-4d5e-8a9b-2c3d4e5f6a7b
description: Detects exploitation of CVE-2026-23760 (Auth Bypass) and CVE-2025-52691 (File Upload) on SmarterMail servers via suspicious URI patterns and file extensions.
author: Security Arsenal Research
date: 2026/04/28
status: experimental
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
    product: iis
    service:_smartermail: true
detection:
    selection_bypass:
        cs-uri-query|contains: 'MegaControl' # Suspicious path often associated with exploit attempts
    selection_upload:
        cs-uri-stem|contains: '.aspx'
        cs-method: 'POST'
    filter_legit:
        cs-uri-query|contains: 'ViewState' # Reduce FPs on legit ViewState usage
    condition: selection_bypass or (selection_upload and not filter_legit)
falsepositives:
    - Legitimate administrative access to SmarterMail
level: critical
tags:
    - attack.initial_access
    - attack.web_shell
    - cve-2026-23760
    - cve-2025-52691
    - wannacry
---
title: Microsoft Exchange Deserialization RCE (CVE-2023-21529)
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects suspicious deserialization activity or child process spawning from w3wp.exe associated with Exchange exploitation.
author: Security Arsenal Research
date: 2026/04/28
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains: '\inetpub\wwwroot\bin\'
        ParentImage|endswith: 'w3wp.exe'
    selection_suspicious_child:
        Image|endswith:
            - 'powershell.exe'
            - 'cmd.exe'
            - 'powershell_ise.exe'
    filter_legit:
        User|contains: 'IUSR'
        CommandLine|contains: 'appcmd' # Allow legitimate IIS management tools
    condition: selection_parent and selection_suspicious_child and not filter_legit
falsepositives:
    - Exchange maintenance scripts
level: high
tags:
    - attack.initial_access
    - attack.execution
    - cve-2023-21529
    - wannacry
---
title: Suspicious Lateral Movement via PsExec and WMI
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects lateral movement typical of ransomware operators post-exploitation using PsExec or WMI for remote service creation.
author: Security Arsenal Research
date: 2026/04/28
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection_psexec:
        Image|endswith:
            - 'psexec.exe'
            - 'psexec64.exe'
        CommandLine|contains: 'accepteula'
    selection_wmi:
        Image|endswith: 'wmic.exe'
        CommandLine|contains: 'process call create'
    selection_source:
        SubjectLogonId: '*' # Correlate with network logon
    condition: 1 of selection_*
falsepositives:
    - System administration tasks
level: high
tags:
    - attack.lateral_movement
    - attack.execution
    - wannacry


**KQL (Microsoft Sentinel) — Pre-Encryption Staging Hunt**

This query hunts for mass file encryption precursors (rapid modifications of shadow copies or unusual file access patterns) combined with the CVE exploitation indicators.

kql
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Hunt for Exchange Exploitation (CVE-2023-21529)
| where (FileName == "w3wp.exe" and ProcessCommandLine has "powershell") 
// Hunt for PsExec lateral movement (WANNACRY Gang TTP)
or (FileName has "psexec" and InitiatingProcessFileName != "services.exe")
// Hunt for SmarterMail exploitation indicators (Process spawning from MailService)
or (FolderPath contains "SmarterTools" and FileName == "cmd.exe")
| extend HostName = DeviceName, Account = AccountName
| project Timestamp, HostName, Account, FileName, ProcessCommandLine, InitiatingProcessFileName
| summarize count() by HostName, Account, FileName
| where count_ > 5 // Threshold for automated activity


**PowerShell — Rapid Response Hardening Script**

This script checks for the presence of web shells associated with the SmarterMail/Exchange CVEs and identifies suspicious scheduled tasks added in the last 24 hours.

powershell
<#
.SYNOPSIS
    WANNACRY Response Script: Check for Webshells and Scheduled Tasks.
.DESCRIPTION
    Checks IIS logs for SmarterMail exploit patterns (CVE-2026-23760) and enumerates suspicious scheduled tasks created recently.
#>

# 1. Check for recent Scheduled Tasks (Persistence mechanism)
Write-Host "Checking for suspicious scheduled tasks created in the last 24 hours..." -ForegroundColor Cyan
$DateThreshold = (Get-Date).AddDays(-1)
Get-ScheduledTask | Where-Object {$_.Date -gt $DateThreshold} | Select-Object TaskName, TaskPath, Date, Author | Format-Table -AutoSize

# 2. Hunt for SmarterMail Web Shell Indicators in IIS Logs (Last 48 hours)
Write-Host "Scanning IIS logs for SmarterMail exploit patterns (CVE-2026-23760)..." -ForegroundColor Cyan
$logPath = "C:\inetpub\logs\LogFiles"
$pattern = "MegaControl|.aspx\?cmd="

if (Test-Path $logPath) {
    Get-ChildItem $logPath -Recurse -Filter "u_ex*.log" | 
    Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-2)} | 
    Select-String -Pattern $pattern -Path $_.FullName | Select-Object -First 10 Path, Line
} else {
    Write-Host "IIS Log path not found." -ForegroundColor Yellow
}

# 3. Check for Exchange Suspicious Processes (w3wp spawning cmd)
Write-Host "Checking for suspicious Exchange process spawning..." -ForegroundColor Cyan
Get-WmiObject Win32_Process | Where-Object {$_.Name -eq "cmd.exe" -and $_.ParentProcessId -ne 0} | 
ForEach-Object {
    $parent = Get-WmiObject Win32_Process | Where-Object {$_.ProcessId -eq $_.ParentProcessId}
    if ($parent.Name -eq "w3wp.exe") {
        Write-Host "ALERT: w3wp.exe spawned cmd.exe! PID: $($_.ProcessId) Parent: $($parent.ProcessId)" -ForegroundColor Red
    }
}


---

Incident Response Priorities

Based on the WANNACRY playbook observed in this campaign, execute the following T-minus checklist immediately:

Scan for CVE-2026-23760: Immediately inspect SmarterMail installations for signs of authentication bypass. Check the MegaControl endpoint logs.
Isolate Exchange & FMC: If unpatched against CVE-2023-21529 or CVE-2026-20131, isolate Microsoft Exchange servers and Cisco Firewalls (management interfaces) from the network.
Hunt for Web Shells: Look for newly created .aspx or .ashx files in web directories with recent timestamps (last 48 hours).

Critical Assets for Exfiltration: WANNACRY historically prioritizes:

Citizen PII (Public Sector targets).
Financial transaction logs (Banking targets).
Intellectual Property / Schematics (Manufacturing).

Containment Actions (Order by Urgency):

Disable Internet-Facing Mail Services: Take SmarterMail and Exchange OWA offline temporarily if patches are not applied.
Revoke Admin Sessions: Force termination of all active RDP and VPN sessions; require re-authentication with MFA.
Block Port 445 (SMB): While not the primary vector in this 2026 campaign, legacy WannaCry worm behavior suggests they still use SMB for lateral movement. Block SMB at the firewall level between subnets.

Hardening Recommendations

Immediate (24 Hours):

Patch CVE-2026-23760 & CVE-2025-52691: Apply the SmarterMail updates immediately. This is the top Initial Access vector currently.
Patch CVE-2023-21529: Update Microsoft Exchange servers to the latest Security Updates.
Disable VPN/Internet Access to Cisco FMC: Ensure management interfaces are not accessible from the public internet until CVE-2026-20131 is patched.

Short-Term (2 Weeks):

Network Segmentation: Ensure critical assets (SCADA, Financial DBs) are not reachable from the DMZ or Email server segments.
MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) for all administrative access to Email and Firewall management consoles.
Web Application Firewall (WAF): Deploy strict WAF rules to block known exploit patterns for SmarterMail and Exchange deserialization attacks.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub