Dissecting WannaCry – Understanding the Past to Anticipate the Future

With the initial wave of WannaCry subsiding, it’s important to dissect what transpired in anticipation of the next possible emergence.

We know that The Shadow Brokers released what was supposedly an arsenal of nation-state hacking tools last month, two of which are the engines behind WannaCry, which targets Windows machines exclusively.

The WannaCry ransomware/worm has a modular design and operates as a two-stage attack. It is comprised of a remote Windows Server Message Block (SMB) exploit known as EternalBlue paired with a backdoor, DoublePulsar. As an initial attack vector, EternalBlue exploits SMB remotely to install DoublePulsar, which is then used to deliver WannaCry. Once installed, WannaCry uses the same exploit methods to propagate. There is still some debate over the initial attack vector the WannaCry threat actors used: spear phishing or EternalBlue/DoublePulsar directly.

EternalBlue and DoublePulsar ultimately gave threat actors full admin privileges on vulnerable systems in only a few seconds, with virtual point-and-click ease. Once activated on a victim’s machine, WannaCry propagates like a worm, automatically attempting to install itself on as many other vulnerable computers on the local network as possible using the EternalBlue/DoublePulsar combo.

At its core, WannaCry is not really much different from any other ransomware that encrypts files for ransom. The unique and newsworthy aspect of this ransomware is the opportunistic delivery and propagation method that propelled it across hundreds of thousands of unpatched systems.

Researchers discovered that once the ransomware installs, it reaches out to a “kill switch” domain. If the domain exists, the ransomware does not encrypt the files. Shortly after the discovery, researchers registered the “kill switch” domain and set up a DNS sinkhole, which dramatically slowed down the rate of infection.
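Both behaviours described above, the worm-style sweep of the local network over SMB and the kill-switch lookup, leave traces in ordinary network logs that a defender can alert on. The following is an added example, not code from the original post: it runs two detections over constructed DNS and connection log lines. The log formats, the host addresses and the timestamps are constructed for the example, and `KILL_SWITCH_DOMAIN` is a placeholder to be replaced with the real domain from your threat intelligence feed. Note that a kill-switch lookup from a workstation means the ransomware has already executed on that host, so the host should be isolated even when the sinkhole stopped the encryption.

```python
"""Detections for WannaCry-style behaviour over constructed log lines.

Added example, not the original post's code. Assumptions:
  - KILL_SWITCH_DOMAIN is a placeholder, not the real kill-switch domain.
  - The DNS and connection log formats below are constructed for this
    example and do not correspond to any vendor's real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "killswitch.example"   # placeholder, substitute the real domain
SMB_PORT = 445
FANOUT_THRESHOLD = 20            # distinct hosts contacted on 445 before alerting
FANOUT_WINDOW = timedelta(seconds=60)


def parse_dns_line(line):
    # constructed format: "<ISO time> <src ip> query <qname>"
    ts, src, _, qname = line.split()
    return datetime.fromisoformat(ts), src, qname.rstrip(".").lower()


def find_killswitch_lookups(dns_lines, domain=KILL_SWITCH_DOMAIN):
    """Return (timestamp, source ip) pairs that queried the kill-switch domain.

    A lookup from an internal host shows the ransomware already ran there and
    is performing its pre-encryption check; the host needs containment even
    if the sinkhole answered and no files were encrypted.
    """
    hits = []
    for line in dns_lines:
        ts, src, qname = parse_dns_line(line)
        if qname == domain:
            hits.append((ts, src))
    return hits


def parse_conn_line(line):
    # constructed format: "<ISO time> <src ip> -> <dst ip>:<dst port>"
    ts, src, _, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port)


def find_smb_fanout(conn_lines, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {src: max distinct destinations} for sources that contacted at
    least `threshold` distinct hosts on TCP/445 within any `window`.

    Worm propagation looks like one host sweeping a subnet on 445 in a short
    burst; normal file-share use touches a handful of servers over a day.
    """
    events = defaultdict(list)   # src -> [(timestamp, dst host)]
    for line in conn_lines:
        ts, src, dst, port = parse_conn_line(line)
        if port == SMB_PORT:
            events[src].append((ts, dst))
    alerts = {}
    for src, ev in events.items():
        ev.sort()
        start = 0
        for end in range(len(ev)):
            # advance the window start until all events fit inside `window`
            while ev[end][0] - ev[start][0] > window:
                start += 1
            distinct = {dst for _, dst in ev[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


# Constructed sample data: one benign workstation and one sweeping host.
SAMPLE_DNS = [
    "2017-05-15T10:00:01 10.0.0.5 query www.example.com.",
    "2017-05-15T10:00:07 10.0.0.23 query killswitch.example.",
    "2017-05-15T10:00:09 10.0.0.5 query updates.example.com.",
]


def build_sample_conns():
    base = datetime(2017, 5, 15, 10, 0, 0)
    lines = [
        f"{base.isoformat()} 10.0.0.5 -> 10.0.0.200:445",
        f"{(base + timedelta(seconds=5)).isoformat()} 10.0.0.5 -> 10.0.0.201:445",
        f"{base.isoformat()} 10.0.0.23 -> 10.0.0.1:53",   # non-SMB, ignored
    ]
    # 25 distinct neighbours on 445 within 25 seconds from a single host
    for i in range(25):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.23 -> 10.0.0.{100 + i}:445")
    return lines


SAMPLE_CONNS = build_sample_conns()

if __name__ == "__main__":
    for ts, src in find_killswitch_lookups(SAMPLE_DNS):
        print(f"kill-switch lookup from {src} at {ts.isoformat()}: isolate host")
    for src, n in find_smb_fanout(SAMPLE_CONNS).items():
        print(f"SMB fan-out from {src}: {n} distinct hosts on 445 within 60s")
```

The fan-out threshold and window are starting points to tune against a baseline of your own environment; a backup server or vulnerability scanner will legitimately touch many hosts on 445 and should be allow-listed rather than raising the threshold for everyone.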

Microsoft released Security Bulletin MS17-010 on March 14 outlining a critical SMB patch for affected Windows systems. At the time of writing this post, there are more than 400 thousand Windows machines exposing SMB to the internet.

It’s a safe bet that a large portion of these machines are still not patched.

At this point, it’s not a question of if, but when the next wave is coming.
