Worldwide WannaCry ransomware pandemic

Andrewgoh
5 min read · Dec 30, 2020

I happened to be monitoring dropped connection attempts at the internet-facing interface of my router. This monitoring has given me unexpected insights into the global spread of worms/viruses/trojans/ransomware that use the EternalBlue exploit. One of those widespread, devastating attacks is the WannaCrypt (WannaCry) ransomware attack. This story shares some rather speculative empirical observations, though they may not necessarily be directly caused by the exploits or attacks.

I noticed a rather high count of unsolicited port 445 (microsoft-ds) probes. The counts easily averaged 400–600 a day. As I researched further, it turned out that port 445 is used for MS Windows file sharing (CIFS protocol).
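A daily tally like the one described above can be produced from a router's drop log. The following is an added example, not code from the original post: it assumes the router writes netfilter/iptables LOG-style syslog lines and that the WAN interface is `eth0`, and it runs on constructed sample lines that use documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in netfilter LOG format (assumed format; not the author's data).
SAMPLE_LOG = """\
Dec 28 03:14:07 router kernel: DROP-WAN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=52 TTL=115 PROTO=TCP SPT=51234 DPT=445 WINDOW=8192 SYN URGP=0
Dec 28 03:14:10 router kernel: DROP-WAN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=52 TTL=115 PROTO=TCP SPT=51234 DPT=445 WINDOW=8192 SYN URGP=0
Dec 28 09:41:55 router kernel: DROP-WAN IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=40 TTL=240 PROTO=TCP SPT=40022 DPT=23 WINDOW=1024 SYN URGP=0
Dec 28 17:02:31 router kernel: DROP-WAN IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.2 LEN=48 TTL=109 PROTO=TCP SPT=2210 DPT=445 WINDOW=65535 SYN URGP=0
Dec 29 00:05:12 router kernel: DROP-WAN IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=52 TTL=115 PROTO=TCP SPT=51300 DPT=445 WINDOW=8192 SYN URGP=0
Dec 29 00:05:13 router kernel: DROP-WAN IN=eth0 OUT= SRC=192.0.2.150 DST=198.51.100.2 LEN=78 TTL=52 PROTO=UDP SPT=137 DPT=445 LEN=58
Dec 29 11:30:00 router kernel: DROP-LAN IN=br0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=52 TTL=128 PROTO=TCP SPT=49200 DPT=445 WINDOW=8192 SYN URGP=0
Dec 29 12:00:00 router dnsmasq[311]: query[A] example.com from 10.0.0.5
"""

# Syslog day, then everything from the first IN= field onward.
LINE_RE = re.compile(r"^(?P<day>\w{3}\s+\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: .*?(?P<kv>\bIN=.*)$")


def tally_smb_probes(log_text, wan_if="eth0", port=445):
    """Return ({day: probe_count}, {day: source_ips}) for inbound TCP SYNs to `port`."""
    per_day = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a kernel firewall log line
        tokens = m.group("kv").split()
        fields = dict(t.split("=", 1) for t in tokens if "=" in t)
        flags = {t for t in tokens if "=" not in t}  # bare tokens such as SYN, ACK, DF
        is_new_conn = "SYN" in flags and "ACK" not in flags
        if (fields.get("IN") == wan_if and fields.get("PROTO") == "TCP"
                and fields.get("DPT") == str(port) and is_new_conn):
            day = " ".join(m.group("day").split())  # normalise "Dec  8" to "Dec 8"
            per_day[day] += 1
            sources[day].add(fields["SRC"])
    return dict(per_day), dict(sources)


if __name__ == "__main__":
    counts, srcs = tally_smb_probes(SAMPLE_LOG)
    for day, n in counts.items():
        print(f"{day}: {n} probes from {len(srcs[day])} distinct sources")
```

Counting distinct source addresses alongside raw probes separates a few noisy hosts retrying from a broad spread of origins.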

To gain further insights into these port 445 probes, I made an attempt to infer the origin locations by means of GeoIP guesses. The result is this stunning map with the speculated origin locations of the probes.

After some further web searches, I stumbled upon the notion that ransomware like WannaCry connects to a random IP address as its propagation/attack method. That would in part explain why I’m getting unsolicited port 445 probes from around the world.
