Back to Intelligence

WANNACRY Resurgence: Critical Infrastructure Assault & 2026 Exploit Campaign Analysis

SA
Security Arsenal Team
April 29, 2026
7 min read

Threat Actor Profile — WANNACRY

While historically associated with the 2017 worm-based outbreak, the 2026 iteration of "WANNACRY" operates with a significantly different tradecraft. This current faction is believed to operate as a closed-group syndicate that likely acquired the brand for intimidation value, given the high-profile nature of their recent claims.

  • Model: Closed-group (not RaaS). High operational security suggests a seasoned team.
  • Ransom Demands: Demands vary widely based on victim revenue, typically ranging from $500k to $10M for critical infrastructure targets.
  • Initial Access: Abandoning the SMB "EternalBlue" vector of their predecessors, this group focuses heavily on External Remote Services. Current campaigns leverage exploits against edge infrastructure, specifically email gateways and firewall management interfaces.
  • Double Extortion: Strict adherence to double extortion. They exfiltrate sensitive data (employee PII, client databases, strategic documents) before encryption and threaten leaks on their onion site.
  • Dwell Time: Short dwell time (3–7 days). This group moves rapidly from initial exploit (usually on an unpatched public-facing server) to lateral movement and encryption.

Current Campaign Analysis

Based on live data pulled from their leak site on 2026-04-30, WANNACRY is aggressively targeting high-value, critical infrastructure entities.

Sector Targeting

The group has demonstrated a distinct preference for Public Sector and Financial Services, but has expanded heavily into Energy and Telecommunications.

  • Public Sector: State agencies (CT, Becker County), Law Enforcement (Murfreesboro PD/FD), and Government ministries (Brazil Foreign Ministry, Chinese Public Security bureaus).
  • Financial: Major banks (Bank of China, Sberbank).
  • Energy & Telco: Petrobras (Brazil), Telkom (ZA), MegaFon.

Geographic Concentration

While the US remains a primary target (CT, Murfreesboro, Rensselaer), the campaign is notably transcontinental. Heavy activity is observed in the APAC region (China, Thailand, Singapore) and BRICS nations (Brazil, Russia/Sberbank, China, South Africa).

Victim Profile

Targets are exclusively Large Enterprise and Government levels. Victims like Petrobras and Honda Motor Co. indicate the group possesses the financial and technical resources to breach highly secured environments.

Exploitation & CVEs

This campaign is actively exploiting a specific set of CVEs added to the CISA KEV catalog in late 2025 and early 2026:

  1. SmarterMail (CVE-2025-52691 & CVE-2026-23760): Used for initial access in corporate environments.
  2. Cisco Secure Firewall FMC (CVE-2026-20131): A critical vector for breaching network perimeters.
  3. Microsoft Exchange (CVE-2023-21529): Continued exploitation of unpatched Exchange servers for persistent access.
  4. Meta React Server Components (CVE-2025-55182): Supply chain attack vector targeting modern web stacks.

Detection Engineering

The following detection rules and hunt queries are designed to identify the specific TTPs associated with WANNACRY's 2026 campaign, focusing on the exploit chains for SmarterMail, Exchange, and Cisco FMC.

SIGMA Rules

YAML
title: Potential SmarterMail Authentication Bypass or Exploit Attempt
description: Detects potential exploitation of SmarterMail CVE-2025-52691 or CVE-2026-23760 involving suspicious URI patterns or file uploads.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/04/30
status: stable
logsource:
    category: webserver
    product: iis, apache, nginx
detection:
    selection:
        cs-uri-query|contains:
            - '/Services/MailDir.asmx/'
            - '/Utility/HTMLSanitizer/'
            - 'Runtime.aspx'
        cs-uri-query|contains:
            - '..%2f'
            - '..\\'
            - 'file='
    condition: selection
falsepositives:
    - Legitimate administrative access to SmarterMail
level: high
tags:
    - attack.initial_access
    - attack.web_shell
    - cve.2025.52691
    - cve.2026.23760
    - wannacry
---
title: Microsoft Exchange Deserialization Exploitation Indicator
description: Detects suspicious deserialization patterns or anomalous EWS activity associated with CVE-2023-21529.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/04/30
status: stable
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5140 or 5145
    filter:
        ShareName|contains: 'Exchange'
        RelativeTargetName|contains: 
            - '.__'
            - '.config'
            - '.dll'
    condition: selection and filter
falsepositives:
    - Legitimate admin file copies
level: medium
tags:
    - attack.initial_access
    - attack.t1059
    - cve.2023.21529
    - wannacry
---
title: Suspicious Process Spawn via Web Server or Management Console
description: Detects execution of shells or network tools via web server processes (IIS/Tomcat) or Cisco FMC management processes, common post-exploitation for web shells.
references:
    - https://attack.mitre.org/techniques/T1505/003/
author: Security Arsenal Research
date: 2026/04/30
status: stable
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\w3wp.exe'
            - '\java.exe' # Tomcat/FMC often runs on Java
            - '\sfmgr.exe' # Cisco FMC related
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\bash.exe' # WSL
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate administrative debugging
level: high
tags:
    - attack.execution
    - attack.persistence
    - wannacry

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for SmarterMail and Exchange Exploitation Indicators
// Focuses on web logs and process creation
let TimeFrame = 1d;
let SuspiciousPaths = dynamic(["Services/MailDir.asmx", "Runtime.aspx", "..%2f", "owa/auth.owa"]);
// Web Logs Hunt
W3CIISLog
| where TimeGenerated > ago(TimeFrame)
| where csUriQuery has_any(SuspiciousPaths) 
   or csUriStem has_any(SuspiciousPaths)
| extend Score = iff(csUriQuery contains ".." or csUriQuery contains "file=", 10, 5)
| project TimeGenerated, sSiteName, cIP, csUriStem, csUriQuery, scStatus, Score
| order by Score desc
| join kind=innerunique (
    SecurityEvent 
    | where TimeGenerated > ago(TimeFrame) 
    | where EventID in (4624, 4625) 
    | project Account, TargetLogonId, TimeGenerated, Computer
) on $left.cIP == $right.IpAddress
| distinct TimeGenerated, cIP, csUriStem, Account, Computer

Rapid Response Hardening Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    WANNACRY Response Script - Checks for IOCs and hardens IIS/SmarterMail.
.DESCRIPTION
    Checks for recent suspicious file modifications in web roots 
    and checks for the presence of vulnerable SmarterMail versions.
#>

Write-Host "[!] Initiating WANNACRY IOC Sweep and Hardening..." -ForegroundColor Cyan

# 1. Check for recently created ASPX/ASP files in common web roots (last 24h)
$webRoots = @("C:\inetpub\wwwroot", "C:\Program Files\SmarterTools\SmarterMail", "C:\Program Files (x86)\SmarterTools")
$cutOff = (Get-Date).AddHours(-24)

Write-Host "[*] Scanning for recently modified web scripts..." -ForegroundColor Yellow
foreach ($root in $webRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include *.aspx,*.asmx,*.ashx,*.config -ErrorAction SilentlyContinue | 
        Where-Object { $_.LastWriteTime -gt $cutOff } | 
        Select-Object FullName, LastWriteTime, Length | 
        Format-Table -AutoSize
    }
}

# 2. Check SmarterMail Version (Basic String Check)
$smPath = "C:\Program Files\SmarterTools\SmarterMail\"
if (Test-Path $smPath) {
    Write-Host "[!] SmarterMail Detected. Checking version info..." -ForegroundColor Red
    # Note: Specific version check logic depends on specific build numbers for CVE-2025-52691
    Get-ItemProperty "$smPath\*.exe" | Select-Object Name, VersionInfo | Format-List
} else {
    Write-Host "[-] SmarterMail default path not found." -ForegroundColor Gray
}

# 3. Check for suspicious Scheduled Tasks (Common persistence)
Write-Host "[*] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)} | Select-Object TaskName, TaskPath, Date, Author

Write-Host "[+] Scan Complete. If IOCs found, isolate the host immediately." -ForegroundColor Green

Incident Response Priorities

Given WANNACRY's speed of movement, response time is critical.

T-Minus Detection Checklist

  • IIS/Web Logs: Look for POST requests to /Services/MailDir.asmx or similar SmarterMail endpoints containing long encoded strings or path traversal characters (..\, %2f).
  • Firewall Logs: Check inbound connections to Cisco FMC interfaces originating from unusual IPs.
  • Exchange Logs: Audit EwsApplicationAccess logs for deserialization exceptions or suspicious DelegateAccess calls.

Critical Assets for Exfiltration

Historically, this group prioritizes:

  1. HR Databases: Full PII for extortion.
  2. Financial Records: Tax docs, transaction logs.
  3. Executive Email: Correspondence regarding mergers or legal issues.

Containment Actions (Ordered by Urgency)

  1. Isolate Edge Systems: Immediately disconnect SmarterMail servers and Cisco FMC appliances from the network if suspicious activity is detected. Do not shut down (capture RAM).
  2. Reset Credentials: Assume Active Directory credentials have been dumped. Force password resets for privileged accounts after the threat actor is evicted.
  3. Block IPs: Implement firewall blocks for C2 IP addresses associated with WANNACRY (check recent Threat Intel feeds).

Hardening Recommendations

Immediate (24h)

  • Patch CVE-2025-52691 & CVE-2026-23760: Apply the SmarterMail security update immediately.
  • Patch CVE-2026-20131: Update Cisco Secure Firewall FMC to the latest fixed software version.
  • Restrict Management Access: Ensure VPNs or Zero Trust access are the only way to reach FMC or SmarterMail management consoles. Block public internet access to /Services paths where possible.

Short-term (2 weeks)

  • Network Segmentation: Move email servers and firewall management consoles to a dedicated management VLAN with strict egress rules.
  • Web Application Firewall (WAF): Deploy WAF rules specifically targeting SmarterMail traversal attempts and Exchange deserialization signatures.
  • MFA Enforcement: Enforce phishing-resistant MFA for all webmail and management portal logins.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangwannacryransomwaresmartermailcisco-fmcexchange-servercritical-infrastructure

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action