by jsizzle 3276 days ago
Actually, I believe phishing / malicious attachment was debunked as the infection vector. Subsequent research found that WC starts scanning hosts and IPs on port 445 to try to find other machines to infect.

Source: https://www.us-cert.gov/ncas/alerts/TA17-132A

"Once the malware starts as a service named mssecsvc2.0, the dropper attempts to create and scan a list of IP ranges on the local network and attempts to connect using UDP ports 137, 138 and TCP ports 139, 445. If a connection to port 445 is successful, it creates an additional thread to propagate by exploiting the SMBv1 vulnerability documented by Microsoft Security bulletin MS17-010."


That only happens after the initial infection into the network. Notice that it says it scans the "local network".
This is minutiae at this point, but it scans the "local" /24. My assumption is that it scans the /24 for any interface available, so if a machine is infected with a public IP, it will start scanning machines on the public Internet. Not to mention other variations may decide to scan more aggressively.