> The initial attack vector is via an email attachment.
So far it seems a hypothesis and nobody has shown such an email attachment, which is strange considering all the systems out there which save and archive attachments. Especially hospitals and gov't sites save it all.
The Jaff waves and the massive amount of threats make it really hard to identify. WannaCryptor may not be found directly attached in the mail, only a downloader for it (like office docs/pdfs/js) might be.
Given that the primary targets seem to be running unpatched Windows (at least to latest), I'd guess there's a substantial amount of internet-accessible SMB ports.
If so, you wouldn't need a very high phish:total infected hosts ratio to explain the numbers. And given that whoever was originally phished didn't know it was an illegitimate email... not betting we'll see many examples of the initial vector.