
WANNACRY Resurgence: Critical Infrastructure Targeting & 2026 CVE Exploitation Analysis

Security Arsenal Team
April 28, 2026

Threat Level: CRITICAL
Last Updated: 2026-04-29
Source: Ransomware.live / Dark Web Leak Sites


Executive Summary

The WANNACRY brand—historically associated with the 2017 worm-based outbreak—has re-emerged as a modern extortion operation. Current intelligence indicates a shift from indiscriminate worming to targeted, financially motivated attacks against critical infrastructure. The group is actively leveraging 2025-2026 zero-day vulnerabilities (specifically in Microsoft Exchange and Cisco FMC) to gain initial access, while simultaneously re-leaking historical data to intimidate victims. Recent postings show a heavy concentration on the Public Sector and Financial Services across the US, Brazil, and China.

Threat Actor Profile — WANNACRY

  • Aliases: WCry, WanaDecrypt0r 2.0
  • Operational Model: Likely a Closed-Group operation adopting the legacy WANNACRY branding for psychological impact. Evidence points away from pure RaaS (Ransomware-as-a-Service) given the sophistication of the zero-day exploitation.
  • Ransom Demands: Variable. Historical demands were low ($300-$600, paid in BTC), but current victims (enterprise/government) likely face demands in the millions.
  • Initial Access Vectors:
    • Primary: Exploitation of CVE-2023-21529 (Microsoft Exchange) and CVE-2026-20131 (Cisco FMC).
    • Secondary: Phishing with macro-enabled documents, VPN vulnerabilities, and RDP brute-forcing against exposed endpoints.
  • Double Extortion: Confirmed. The group operates a dedicated leak site to pressure victims, combining new encryption with threats to leak sensitive data.
  • Dwell Time: Short. Analysis suggests a "smash-and-grab" mentality where lateral movement and encryption occur within 24-48 hours of initial breach.

Current Campaign Analysis

Sectors Under Fire

Based on the last 33 postings, WANNACRY is aggressively targeting:

  1. Public Sector: State agencies, police departments, and libraries (High priority).
  2. Financial Services: Major banks (Sberbank, Bank of China).
  3. Telecommunications: Telcos in South Africa (ZA) and Singapore (SG).
  4. Energy & Manufacturing: Critical assets like Petrobras and Honda.

Geographic Concentration

While global, the campaign is highly concentrated in:

  • North America: US (State/Local Gov)
  • Asia-Pacific: China (Finance/Public Security), Thailand, Singapore
  • South America: Brazil (Social Security/Foreign Ministry)

Victim Profile & Anomalies

  • Data Anomaly: The leak site currently lists high-profile 2017 victims (e.g., Honda, Telkom, Petrobras) with their original publication dates. This suggests WANNACRY 2.0 is either "re-leaking" historical breaches to feign capability or validating their access to older, dormant networks.
  • New Targets: Recent victim counts (33) imply active 2026 operations against mid-to-large enterprises, specifically those reliant on on-premise Exchange and Cisco infrastructure.

CVE Correlation

The group is confirmed to be exploiting the following CISA KEV-listed vulnerabilities for access:

  • CVE-2023-21529: Allows authenticated attackers to compromise Exchange Servers via deserialization.
  • CVE-2026-20131: Deserialization flaw in Cisco Secure Firewall Management Center (FMC).
  • CVE-2025-52691 / CVE-2026-23760: SmarterMail authentication bypass and file upload flaws.

Detection Engineering

SIGMA Rules (YAML)

---
title: Potential Microsoft Exchange Deserialization RCE (CVE-2023-21529)
id: a9b3c4d5-6789-4012-8345-6789abcdef01
description: Detects suspicious deserialization patterns or web shell activity on Microsoft Exchange servers associated with CVE-2023-21529.
status: experimental
date: 2026/04/29
author: Security Arsenal Research
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2023.21529
logsource:
    product: windows
    service: security
detection:
    selection:
        # 5140 = network share accessed, 5145 = detailed share access (only 5145 carries RelativeTargetName);
        # both require object-access auditing for file shares to be enabled
        EventID:
            - 5140
            - 5145
        ShareName|contains: 'Exchange'
        RelativeTargetName|contains: '.aspx'
    condition: selection
falsepositives:
    - Legitimate administrative access
level: high
---
title: SmarterMail Suspicious File Upload Exploit (CVE-2025-52691)
id: b1c2d3e4-5678-9012-f3a4-56789012b3c4
description: Detects attempts to upload dangerous file types to SmarterMail web interfaces, indicative of exploitation of CVE-2025-52691.
status: experimental
date: 2026/04/29
author: Security Arsenal Research
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection_uri:
        cs-uri-query|contains:
            - 'Upload.ashx'
            - 'FileUpload'
    selection_ext:
        cs-uri-extension:
            - 'aspx'
            - 'ashx'
            - 'exe'
    # Both the upload handler and a dangerous extension must be present
    condition: all of selection_*
falsepositives:
    - Administrative file management
level: critical
---
title: WANNACRY Lateral Movement via PsExec or WMI
id: c2d3e4f5-6789-0123-a4b5-67890123c4d5
description: Detects the use of PsExec or WMI for lateral movement, a common TTP for ransomware gangs spreading across the network.
status: experimental
date: 2026/04/29
author: Security Arsenal Research
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection_psexec:
        # OriginalFileName survives renaming of the binary on disk
        OriginalFileName:
            - 'psexec.exe'
            - 'psexec64.exe'
    selection_wmi:
        # Remote WMI execution surfaces as a shell spawned by the WMI provider host.
        # wmiprvse.exe itself is always started by svchost.exe, so it must be matched as the parent, not the child.
        ParentImage|endswith: '\wmiprvse.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    condition: 1 of selection_*
falsepositives:
    - Management tooling (SCCM, monitoring agents) that runs commands through WMI
level: high
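The following is an added example, not part of the original advisory, showing how the selection and condition logic of the Sigma rules in this section evaluates against events. It implements only the pieces these rules need (plain equality, the contains/endswith modifiers, and the quantifiers "1 of selection*" and "all of selection_*") and runs a PsExec/WMI lateral-movement rule and the SmarterMail upload rule over constructed sample events; the WMI selection keys on wmiprvse.exe as the parent process, which is the choice made here, and the sample paths and URIs are constructed.

```python
"""Minimal evaluator for the Sigma rule structures used in this section.

Added example, not part of the original advisory. Only the features the
rules here need are implemented; real deployments use sigma-cli/pySigma to
compile rules for the target SIEM.
"""
from fnmatch import fnmatch

# Process-creation rule: PsExec by original file name, or a shell spawned by
# the WMI provider host. Keying on wmiprvse.exe as the *parent* is the choice
# made here: wmiprvse.exe itself is always started by svchost.exe, so matching
# it as the child would fire on every ordinary WMI query.
LATERAL_MOVEMENT = {
    "selection_psexec": {
        "OriginalFileName": ["psexec.exe", "psexec64.exe"],
    },
    "selection_wmi": {
        "ParentImage|endswith": "\\wmiprvse.exe",
        "Image|endswith": ["\\powershell.exe", "\\cmd.exe"],
    },
    "condition": "1 of selection*",
}

# Web-server rule: upload handler in the URI AND a dangerous extension.
SMARTERMAIL_UPLOAD = {
    "selection_uri": {"cs-uri-query|contains": ["Upload.ashx", "FileUpload"]},
    "selection_ext": {"cs-uri-extension": ["aspx", "ashx", "exe"]},
    "condition": "all of selection_*",
}


def _field_matches(event, field_spec, expected):
    """Sigma string matching is case-insensitive; a list of values is OR-ed."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def _selection_matches(event, selection):
    # Fields inside one selection map are AND-ed
    return all(_field_matches(event, spec, exp) for spec, exp in selection.items())


def evaluate(rule, event):
    """Return True when the rule's condition holds for a single event."""
    selections = {k: v for k, v in rule.items() if k != "condition"}
    quantifier, _, pattern = rule["condition"].partition(" of ")
    names = [n for n in selections if fnmatch(n, pattern)]
    hits = [n for n in names if _selection_matches(event, selections[n])]
    if quantifier == "all":
        return bool(names) and len(hits) == len(names)
    return len(hits) >= int(quantifier)


# Constructed sample events (not real telemetry)
PROCESS_EVENTS = [
    {"Image": r"C:\Tools\PsExec.exe", "OriginalFileName": "psexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Ordinary WMI provider host start: must NOT match
    {"Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "OriginalFileName": "Wmiprvse.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\explorer.exe", "OriginalFileName": "EXPLORER.EXE",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

WEB_EVENTS = [
    {"cs-uri-query": "/interface/FileUpload.ashx?dir=temp", "cs-uri-extension": "exe"},
    {"cs-uri-query": "/interface/FileUpload.ashx?dir=temp", "cs-uri-extension": "jpg"},
    {"cs-uri-query": "/Login.aspx", "cs-uri-extension": "aspx"},
]


def matching_indexes(rule, events):
    """Indexes of the events the rule fires on."""
    return [i for i, event in enumerate(events) if evaluate(rule, event)]


if __name__ == "__main__":
    print("lateral movement hits:", matching_indexes(LATERAL_MOVEMENT, PROCESS_EVENTS))
    print("smartermail upload hits:", matching_indexes(SMARTERMAIL_UPLOAD, WEB_EVENTS))
```

The third process event is the false-positive case a parent/child mix-up would trigger on: a normal WmiPrvSE.exe start under svchost.exe does not match, while the PowerShell child of WmiPrvSE.exe does.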

KQL (Microsoft Sentinel)

// Hunt for suspicious lateral movement and staging associated with WANNACRY TTPs
let TimeFrame = 1h;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
// Typical lateral-movement / remote-execution tooling (FileName is the process image name in this table)
| where FileName in~ ("psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe")
// Command lines indicative of remote execution or staging. has_any is token-based,
// so the UNC prefix (\\) is checked separately with contains
| where ProcessCommandLine has_any ("-command", "-enc", "Invoke-Expression")
    or ProcessCommandLine contains @"\\"
// Exclude common admin activity noise (tune accordingly)
| where InitiatingProcessFileName !in~ ("explorer.exe", "services.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

PowerShell Response Script

# WANNACRY Rapid Response: check for SMBv1 (WannaCry vector), recent Scheduled Tasks, and Shadow Copies
# Run from an elevated PowerShell session; Get-SmbServerConfiguration and Win32_ShadowCopy need admin rights.

Write-Host "[+] Starting WANNACRY TTP Hardening Check..." -ForegroundColor Cyan

# 1. Check for SMBv1 (legacy EternalBlue vector)
$SMBv1 = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol
if ($SMBv1) {
    Write-Host "[!] CRITICAL: SMBv1 is ENABLED. Immediate action required." -ForegroundColor Red
} else {
    Write-Host "[+] SMBv1 is Disabled." -ForegroundColor Green
}

# 2. Enumerate Scheduled Tasks registered in the last 7 days (persistence)
# Note: PowerShell escapes a newline as `n inside double quotes, not \n
Write-Host "`n[+] Checking for recently registered Scheduled Tasks..." -ForegroundColor Cyan
$DateCutoff = (Get-Date).AddDays(-7)
# The Date property is a string and is empty for many built-in tasks, so guard before casting
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date -gt $DateCutoff) } |
    Select-Object TaskName, Date, Author, State |
    Format-Table -AutoSize

# 3. Check Volume Shadow Copies (ransomware routinely deletes these before encrypting)
Write-Host "`n[+] Checking Volume Shadow Copy Status..." -ForegroundColor Cyan
try {
    # Query WMI for shadow copy objects instead of parsing vssadmin text output
    $VSS = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop
    if (-not $VSS) {
        Write-Host "[!] WARNING: No Shadow Copies exist. System is vulnerable to total data loss." -ForegroundColor Yellow
    } else {
        Write-Host "[+] Shadow Copies detected:" -ForegroundColor Green
        $VSS | Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize
    }
} catch {
    Write-Host "[!] Error checking VSS: $_" -ForegroundColor Red
}

Write-Host "`n[+] Scan Complete." -ForegroundColor Cyan

Incident Response Priorities

T-minus Detection Checklist (Pre-Encryption)

  1. Exchange Server Logs: Hunt IIS logs for POST requests to /owa/ or /EWS/ that are followed by HTTP 500 errors or unusually large responses (possible web shell upload).
  2. Cisco FMC Audits: Review admin login logs for successful logins from unusual IPs or concurrent sessions.
  3. SMB Traffic: Monitor internal network for massive spikes in SMB (TCP 445) traffic, indicative of worm-like propagation attempts.
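Checklist items 1 and 3, carried out over sample data as an added example (not part of the original advisory): a parser for IIS W3C extended logs that flags POSTs to /owa/ or /EWS/ answered with a 500 or an oversized body, and a per-source fan-out count of TCP 445 connections per one-minute window to surface propagation-style spikes. The log lines and flow records are constructed, and the 512 KiB response-size and 20-destination thresholds are assumptions to be tuned against each environment's baseline.

```python
"""Hunting helpers for checklist items 1 and 3: Exchange web requests that
look like web shell staging, and SMB fan-out spikes on TCP 445.

Added example, not part of the original advisory. The IIS W3C log lines and
flow records are constructed; the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C extended log excerpt (sc-bytes = bytes sent to the client)
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2026-04-28 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.77 Mozilla/5.0 200 4120
2026-04-28 09:12:09 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.0.77 Mozilla/5.0 302 210
2026-04-28 09:13:44 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.23 python-requests/2.31 500 88
2026-04-28 09:13:58 10.0.0.5 POST /owa/auth/upload_test.aspx - 443 - 198.51.100.23 python-requests/2.31 200 1048576
2026-04-28 09:14:02 10.0.0.5 GET /ecp/ - 443 - 10.0.0.80 Mozilla/5.0 200 3400
"""

LARGE_RESPONSE_BYTES = 512 * 1024  # assumption: well above normal OWA/EWS response sizes


def parse_iis(text):
    """Parse W3C extended format into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_exchange_requests(rows, large=LARGE_RESPONSE_BYTES):
    """POSTs to /owa/ or /EWS/ that errored (500) or returned an oversized body."""
    hits = []
    for row in rows:
        stem = row["cs-uri-stem"].lower()
        if row["cs-method"] != "POST" or not stem.startswith(("/owa/", "/ews/")):
            continue
        status, size = int(row["sc-status"]), int(row["sc-bytes"])
        if status == 500 or size >= large:
            hits.append((row["c-ip"], row["cs-uri-stem"], status, size))
    return hits


# Constructed flow records: (timestamp, source, destination, destination port).
# 10.0.0.77 touches 25 distinct hosts on 445 within one minute; 10.0.0.80 is normal.
_T0 = datetime(2026, 4, 28, 9, 20, 0)
FLOWS = [(_T0 + timedelta(seconds=i), "10.0.0.77", f"10.0.1.{i}", 445) for i in range(1, 26)]
FLOWS += [
    (_T0 + timedelta(seconds=5), "10.0.0.80", "10.0.0.9", 445),
    (_T0 + timedelta(seconds=6), "10.0.0.80", "10.0.0.10", 445),
    (_T0 + timedelta(seconds=7), "10.0.0.80", "10.0.0.11", 443),
]


def smb_fanout_spikes(flows, window=timedelta(minutes=1), threshold=20):
    """Sources that reached >= threshold distinct hosts on TCP 445 inside one window."""
    targets = defaultdict(set)
    for ts, src, dst, port in flows:
        if port != 445:
            continue
        bucket = int(ts.timestamp() // window.total_seconds())
        targets[(src, bucket)].add(dst)
    return sorted({src for (src, _), dsts in targets.items() if len(dsts) >= threshold})


if __name__ == "__main__":
    for hit in suspicious_exchange_requests(parse_iis(IIS_LOG)):
        print("exchange:", hit)
    print("smb fan-out:", smb_fanout_spikes(FLOWS))
```

Counting distinct destinations rather than raw packet or byte volume is what separates worm-style scanning from a file server that is simply busy: a single backup job moving gigabytes over 445 to one host never raises the fan-out count.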

Critical Assets at Risk of Exfiltration

Based on the victimology (Govt/Finance), prioritize the protection of:

  • PII databases (Citizen/HR records).
  • Financial transaction ledgers.
  • Operational Technology (OT) network blueprints.

Containment Actions (Ordered by Urgency)

  1. Isolate: Disconnect all Exchange and Cisco FMC appliances from the network immediately if compromise is suspected.
  2. Disable SMBv1: Enforce GPO to disable SMBv1 across the entire Windows environment immediately.
  3. Revoke Credentials: Force reset of credentials for all admin accounts on Exchange and FMC; assume MFA bypass has occurred.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Management: Apply patches for CVE-2023-21529 (Exchange), CVE-2026-20131 (Cisco FMC), and CVE-2025-52691 (SmarterMail) immediately.
  • Network Segmentation: Ensure management interfaces (FMC/Exchange) are not accessible from the public internet without strict VPN/MFA access.
  • SMBv1 GPO: Push a "Deny All" GPO for SMBv1 protocol usage.

Short-term (2 Weeks)

  • Architecture: Move email services to cloud-based providers (M365) with Defender for Exchange enabled to reduce on-prem attack surface.
  • EDR Deployment: Ensure EDR agents are installed and reporting on all management servers and domain controllers.
  • Zero Trust: Implement strict access controls for intra-network lateral movement (micro-segmentation).
