by firewalkwithme 3323 days ago
I don't understand how a machine becomes infected; it is perhaps not very clear yet? This article explains receiving an email containing a link OR a PDF with a link to a .hta file? What a strange sentence. Can one get infected without user interaction, or even with a passive client?
3 comments

Yes, a vulnerable system can get infected without user interaction.

This malware somehow got seeded, either by (1) directly scanning the internet for vulnerable systems, or (2) traditional "open-this-link / install-this-file" emails/downloads. Maybe that's why we see at least 3 bitcoin addresses: 3 different "seeding" groups.

Corp networks shouldn't be accepting outside SMB connections, and home routers will block them too, so that's where user-initiated emails/downloads come in (or someone connecting an outside laptop).

From what I gather, it tends to be one person in an organisation opening a dodgy attachment, then it spreads through the internal network via an unpatched SMB flaw.
That, or they bring a work computer home, get infected, then bring it back to work. Could happen if the network they got infected on resolved all domains (so it didn't execute then), but their corporate network didn't.
This is what I want to know[0] too.

To mitigate, you can disable SMB1.0 with the following command. Make sure to run as administrator:

    dism /online /norestart /disable-feature /featurename:SMB1Protocol

[0]: https://news.ycombinator.com/item?id=14335845
To mitigate, install security patches in a timely manner.

Also note that this only works on Windows 7 and later; dism is not a tool for XP or Windows 2003, which seem to be the largest numbers hit by this since there is/was no patch for them.

Careful, most old scanners out there only talk SMB1.

I'm all for recommending defence in depth, but please study changes like this before doing them.
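Putting the dism step above and the "study changes like this before doing them" caveat together, here is an added PowerShell example; it is not code from anyone in this thread. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later for the Smb* cmdlets (the audit switch needs Windows 10 1709 / Server 2016 or later), and it uses KB4012212 (the Windows 7 SP1 / Server 2008 R2 security-only update for the SMBv1 fix) only as a placeholder for whichever KB applies to your OS; the registry fallback in the comment is the documented Windows 7 / 2008 R2 equivalent of the dism command.

```powershell
# Added example, not from the HN thread. Run in an elevated PowerShell session.

# 1. Check the SMB patch is present before relying on disabling SMB1 alone.
#    The KB differs per OS and servicing channel; KB4012212 is an assumption
#    (Windows 7 SP1 / Server 2008 R2 security-only update), adjust for your system.
$kb = 'KB4012212'
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { "$kb installed" } else { "$kb NOT installed" }

# 2. Find out who still speaks SMB1 (old scanners, NAS boxes) before turning it off.
#    Windows 10 1709 / Server 2016+: each SMB1 client connection is logged as
#    event ID 3000 in Microsoft-Windows-SMBServer/Audit once auditing is on.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3000 |
    Select-Object TimeCreated, Message -First 20

# 3. Current state: server-side SMB1 switch and the optional-feature package.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object State

# 4. Disable the SMB1 server listener (what the worm hits) and remove the feature.
#    This is the PowerShell equivalent of the dism command in the thread.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# Windows 7 / Server 2008 R2 have no Smb* cmdlets; the same effect via the registry,
# followed by a reboot:
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
#     -Name SMB1 -Type DWord -Value 0 -Force

# 5. Defence in depth regardless of SMB version: drop inbound TCP 445 from the
#    "Internet" firewall address keyword (anything outside local/intranet ranges).
New-NetFirewallRule -DisplayName 'Block inbound SMB from outside LAN' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress Internet -Action Block
```

Run steps 1 to 3 first and leave the audit log collecting for a while; only once the 3000 events stop naming devices you care about is step 4 safe on a file server. Step 5 is the "no outside SMB" rule mentioned earlier in the thread, expressed as a host firewall rule rather than a perimeter one.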

In this case it is passive. SMB in unpatched Windows has a Remote Code Execution vulnerability that allows attackers to execute arbitrary code on your system without your knowledge or interaction.