WannaCry

One-liner: Global Ransomware outbreak in May 2017 that exploited EternalBlue to infect 300,000+ systems worldwide.

🎯 What Is It?

WannaCry (also WannaCrypt, WCry) was a ransomware cryptoworm that spread rapidly across the globe in May 2017, exploiting the EternalBlue vulnerability (CVE-2017-0144) in Microsoft's SMB protocol. It became one of the most infamous cyberattacks in history due to its speed, scale, and impact on critical infrastructure.

⏱️ Timeline: May 12-15, 2017

Day 1 (May 12)

08:00 UTC - Initial infections detected in Asia
10:00 UTC - Spreads to Europe
12:00 UTC - UK's National Health Service (NHS) crippled
         - 80+ NHS trusts affected
         - Ambulances diverted
         - Surgeries cancelled
15:00 UTC - 150+ countries infected
22:30 UTC - Marcus Hutchins discovers kill switch domain
         - Registers sinkhole domain
         - Slows infection spread

Days 2-3 (May 13-14)

• New variants without kill switch appear
• Total infections: 300,000+ systems
• 150 countries affected

Post-Attack

• Attribution: North Korea (Lazarus Group)
• US indictments issued (2018)

🐛 Technical Details

Infection Vector

EternalBlue + DoublePulsar

1. Scan for vulnerable SMB (port 445)
2. Exploit CVE-2017-0144 (EternalBlue)
3. Install [[DoublePulsar]] backdoor
4. Drop WannaCry payload
5. Encrypt files
6. Propagate to other systems

Propagation (Worm Behavior)

# Pseudo-code
while True:
    scan_random_ips()  # Scan for port 445
    if smb_vulnerable(target):
        exploit_eternalblue(target)
        copy_self_to(target)
        encrypt_files(target)

Unlike typical ransomware, WannaCry was a cryptoworm—it self-replicated without user interaction.

Kill Switch

Domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

if resolve_domain(kill_switch_domain):
    exit()  # Stop execution
else:
    continue_infection()

How it worked:

• Malware checked if kill switch domain was registered
• If domain resolved, malware terminated
• Marcus Hutchins registered domain for $10.69
• Acted as global "off switch"

Why include a kill switch?

• Likely anti-sandbox mechanism (sandboxes resolve all domains)
• Unintentional "accident" by attackers

Encryption

• Algorithm: AES-128 + RSA-2048
• Target Extensions: .doc, .xls, .ppt, .pdf, .jpg, .png, databases
• Renamed Extensions: .WNCRY, .WCRY
• Ransom Note: @WanaDecryptor@.exe, @Please_Read_Me@.txt

Ransom Demand

• Amount: $300-600 USD in Bitcoin
• Deadline: 3 days to pay $300, 7 days to pay $600
• After 7 days: Files permanently deleted (claimed)
• Bitcoin Wallets: 3 hardcoded addresses
• Total Paid: ~$130,000 across all victims

🎯 Impact by Sector

Healthcare (Most Visible)

• UK NHS: 80 trusts, 19,000+ appointments cancelled
• Ambulances diverted
• Medical devices infected (MRI scanners, blood storage)

Manufacturing

• Nissan UK: Factory halted
• Renault: French plants stopped
• Boeing: Production systems affected

Transportation

• Deutsche Bahn: Railway displays infected
• FedEx: Package tracking disrupted

Government

• Russian Interior Ministry
• Chinese universities and government agencies

Total Damage

• Financial: $4 billion+ (estimates)
• Systems: 300,000+ infected
• Countries: 150+

🔒 The EternalBlue Connection

Origin: Leaked by Shadow Brokers (April 2017)

• NSA exploit (Equation Group)
• Exploits Windows SMB vulnerability CVE-2017-0144
• Microsoft patched in March 2017 (MS17-010)
• Many systems unpatched by May

Why it spread so fast:

• No user interaction needed
• Spread via SMB (network shares)
• Legacy systems (Windows XP, 7) still in use
• Critical infrastructure slow to patch

🛡️ Detection & Prevention

IOCs (Indicators of Compromise)

File Hashes:

SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA256: 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa

File Names:

• mssecsvc.exe (WannaCry service)
• tasksche.exe (encryption module)
• @WanaDecryptor@.exe (ransom GUI)
• @Please_Read_Me@.txt (ransom note)

Registry Keys:

HKLM\SOFTWARE\WanaCrypt0r
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssecsvc

Network:

• SMB traffic on port 445
• Kill switch domain lookups
• Bitcoin wallet connections

Sysmon Detection

Process: mssecsvc.exe, tasksche.exe
Network: Outbound SMB (445) scanning
File Creation: Mass .WNCRY extensions
Registry: WanaCrypt0r key creation

Prevention

1. Patch MS17-010 — CVE-2017-0144
2. Disable SMBv1 — Legacy protocol
3. Firewall rules — Block port 445 externally
4. Backups — 3-2-1 rule
5. Segment networks — Limit Lateral Movement

🔍 Attribution

Lazarus Group (North Korea)

Evidence:

• Code similarities to previous Lazarus malware
• Shared infrastructure
• Language artifacts (Korean)
• US DOJ indictment (2018) — Park Jin Hyok

Motive:

• Financial (Bitcoin ransom)
• Potentially state-sponsored cyber-sabotage

🎯 Lessons Learned

1. Patch Management is Critical

• Patch was available 2 months before outbreak
• Unpatched systems = global catastrophe

2. Legacy Systems are Dangerous

• Windows XP support ended in 2014
• NHS still using XP in 2017
• Microsoft released emergency XP patch post-WannaCry

3. Network Segmentation

• WannaCry spread via flat networks
• Segmentation would've limited damage

4. Backups Save Lives (Literally)

• NHS trusts with backups recovered quickly
• Others paid ransom or lost data

5. Supply Chain Matters

• Shadow Brokers leak of NSA tools
• Government stockpiling of exploits = risk

🔄 Variants

1. WannaCry 1.0 — Original with kill switch
2. WannaCry 2.0 — Kill switch removed
3. WannaCry 3.0 — Additional obfuscation

All variants still exploited EternalBlue.

🎤 Interview Angles

Q: What made WannaCry so devastating?

• Exploited EternalBlue (NSA exploit leaked by Shadow Brokers)
• Worm behavior—spread without user interaction
• Targeted unpatched Windows systems (patch available for 2 months)
• Hit critical infrastructure (healthcare, manufacturing)
• 300,000+ systems in 150 countries in 24 hours

Q: What was the kill switch and how did it work?

STAR Example:

• Malware checked if domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was registered
• If domain resolved, malware stopped executing
• Marcus Hutchins registered it for $10.69, creating a global "off switch"
• Likely intended as anti-sandbox mechanism (sandboxes resolve all domains)
• Slowed but didn't stop outbreak (variants without kill switch appeared)

Q: How would you prevent another WannaCry?

1. Aggressive patch management — MS17-010 patch applied immediately
2. Disable SMBv1 — Legacy, vulnerable protocol
3. Firewall rules — Block external SMB (port 445)
4. Network segmentation — Limit lateral spread
5. EDR — Detect EternalBlue exploitation attempts
6. Backups — Offline, tested regularly

🔗 Related Concepts

• Ransomware — Malware category
• [[EternalBlue]] — Exploit used
• [[CVE-2017-0144]] — SMB vulnerability
• Shadow Brokers — Leak source
• Malware Analysis — Analyzing WannaCry samples
• Incident Response — Responding to outbreak