WannaCry Ransomware Attack

Interactive Learning Module | May 2017 Global Cyber Incident

Key figures: 200,000+ infected systems; 150+ countries affected; $4-8B economic impact; attack date May 12, 2017.

Overview: WannaCry Ransomware Attack

Attack Summary: WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0, and Wana Decrypt0r 2.0) was a worldwide cyberattack that occurred in May 2017, leveraging the EternalBlue exploit to propagate ransomware across networks. The attack infected over 200,000 computers across 150 countries in a matter of hours, causing billions of dollars in damages.

Quick Statistics

  • Infection Scale: 200,000+ computers in 150+ countries
  • Duration: Peak activity May 12-15, 2017
  • Ransom Demand: $300-$600 USD in Bitcoin per infected system
  • Total Ransom Collected: Approximately $140,000 USD
  • Estimated Economic Impact: $4-8 billion globally
  • Primary Vulnerability: CVE-2017-0144 (EternalBlue - SMBv1 Remote Code Execution)

Timeline of Key Events

March 14, 2017
Microsoft releases security bulletin MS17-010 patching the EternalBlue vulnerability (CVE-2017-0144) for supported Windows versions.
April 14, 2017
The Shadow Brokers hacker group leaks NSA exploit tools including EternalBlue, DoublePulsar, and other SMB-targeting exploits.
May 12, 2017 - 07:44 UTC
First WannaCry infections detected in Asia, rapidly spreading westward. The attack begins affecting Spain's Telefónica and other major organizations.
May 12, 2017 - Afternoon
UK's National Health Service (NHS) severely impacted with 80 NHS trusts affected, forcing ambulance diversions and cancellation of thousands of appointments and operations.
May 12, 2017 - 15:03 UTC
Marcus Hutchins (MalwareTech), a 22-year-old British security researcher, discovers and registers the unregistered kill switch domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com), significantly slowing the spread.
May 13, 2017
Microsoft takes unprecedented step of releasing emergency patches (MS17-010) for unsupported legacy systems including Windows XP, Windows 8, and Windows Server 2003.
May 14, 2017
WannaCry variant 2.0 detected without the kill switch domain check, though it spreads less effectively than the original variant.
May 15, 2017
Infection rate drops significantly as organizations implement patches and network segmentation. Global coordination of incident response begins.
December 18, 2017
United States, United Kingdom, Australia, Canada, New Zealand, and Japan formally attribute the attack to North Korea's Lazarus Group.
September 2018
U.S. Department of Justice charges Park Jin Hyok, a North Korean programmer, for his role in the WannaCry attack and other cybercrimes.

WannaCry combined worm-like propagation capabilities with ransomware payload delivery, making it particularly devastating. The attack chain consisted of:

  1. Initial Infection: Exploitation of unpatched SMBv1 vulnerabilities (CVE-2017-0144) using the EternalBlue exploit leaked from NSA tools
  2. Backdoor Installation: Deployment of DoublePulsar backdoor for persistent access
  3. Payload Execution: Download and execution of WannaCry ransomware dropper
  4. Lateral Movement: Autonomous scanning of networks for vulnerable systems, creating worm-like propagation
  5. Encryption: File encryption using AES-128 and RSA-2048 cryptography
  6. Ransom Demand: Display of ransom note demanding Bitcoin payment with countdown timer

The malware checked for the existence of a specific unregistered domain before proceeding with encryption. This was likely intended as an anti-sandbox mechanism but inadvertently created a kill switch when the domain was registered by security researchers.

Target Organizations and Affected Sectors

Important Note: WannaCry was an indiscriminate attack that did not specifically target particular organizations or sectors. Instead, it exploited a widespread vulnerability, affecting any unpatched Windows system with SMBv1 enabled and accessible. However, certain sectors were disproportionately impacted due to legacy systems and operational constraints.

Most Severely Affected Sectors

Global Impact Distribution

[Figure: WannaCry Global Impact Map. Legend: Heavily Affected (10,000+ infections); Moderately Affected (1,000-10,000 infections); Less Affected (<1,000 infections)]

Healthcare Sector

United Kingdom - National Health Service (NHS)

  • Scope: 80 out of 236 NHS trusts affected, plus 603 primary care and other NHS organizations
  • Impact: 19,494 appointments cancelled, ambulances diverted, emergency departments closed
  • Why Affected: Many NHS systems ran Windows XP (end-of-life since April 2014) and Windows 7 without recent patches due to compatibility concerns with critical medical equipment and software
  • Notable Incidents: East and North Hertfordshire NHS Trust had to divert emergency patients; patients turned away from A&E departments
  • Recovery Time: Several days to weeks for full restoration of services

Other Healthcare Organizations Affected:

  • Bayer AG (Germany) - pharmaceutical and medical device manufacturer
  • Multiple hospitals in Romania, Indonesia, and other countries
  • Various healthcare providers across Asia, including several hospitals in South Korea

Telecommunications

  • Telefónica (Spain): One of the first major victims, with internal systems encrypted. Employees sent home as IT staff worked to contain the spread.
  • Megafon (Russia): Major telecommunications provider affected
  • Deutsche Telekom (Germany): Customer routers affected, though impact less severe

Transportation and Logistics

  • Deutsche Bahn (German Rail): Display boards and ticketing systems affected at multiple stations
  • FedEx: Its subsidiary TNT Express severely impacted, with operational disruptions lasting weeks
  • Renault (France): Manufacturing facilities forced to halt production temporarily
  • Nissan (UK): Manufacturing plant in Sunderland forced to stop production

Government and Public Sector

  • Russian Ministry of Interior: Approximately 1,000 computers affected
  • Chinese Universities: Multiple institutions including educational networks affected
  • Spain's Infrastructure Ministry (Fomento): Some systems impacted
  • Andhra Pradesh Police (India): Systems encrypted

Geographic Distribution

Region/Country          Estimated Infections   Notable Impacts
Russia                  ~50,000                Interior Ministry, Megafon, Railway systems
United Kingdom          ~20,000                NHS, Nissan manufacturing
China                   ~30,000                Universities, PetroChina, government systems
Spain                   ~15,000                Telefónica, Gas Natural, government ministries
United States           ~10,000                FedEx/TNT, various enterprises
India                   ~10,000                Andhra Pradesh Police, various organizations
Other (144+ countries)  ~65,000                Distributed across Europe, Asia, Americas, Africa

Attribution: Attackers Behind WannaCry

Attribution Context: Cybersecurity attribution is complex and rarely provides absolute certainty. Multiple intelligence agencies, private security firms, and governments contributed to the attribution analysis of WannaCry, converging on North Korea's Lazarus Group as the most likely perpetrator.

Official Government Attribution

December 18, 2017
United States, United Kingdom, Australia, Canada, New Zealand, and Japan jointly attribute WannaCry to North Korea. The U.S. Homeland Security Advisor Tom Bossert publicly stated: "We do not make this allegation lightly. It is based on evidence."
September 6, 2018
U.S. Department of Justice files criminal charges against Park Jin Hyok, alleging he was a North Korean programmer working for the Reconnaissance General Bureau (RGB), North Korea's primary intelligence agency, and was part of the conspiracy behind WannaCry.

The Lazarus Group

Background: Lazarus Group (also known as Guardians of Peace, HIDDEN COBRA, Zinc) is a North Korean state-sponsored advanced persistent threat (APT) group believed to operate under the Reconnaissance General Bureau. The group has been active since at least 2009 and is attributed to multiple high-profile cyberattacks.

Notable Lazarus Group Operations

  • 2014 - Sony Pictures Entertainment: Destructive attack in response to the film "The Interview"
  • 2016 - Bangladesh Bank Heist: Attempted theft of $951 million via SWIFT network (successfully stole $81 million)
  • 2017 - WannaCry: Global ransomware attack
  • 2018-Present - Cryptocurrency Exchanges: Multiple targeted attacks on exchanges

Attribution Confidence Assessment

Attribution Aspect          Confidence Level   Supporting Evidence
State-Sponsored Operation   High               Sophistication, infrastructure, resources required
North Korean Origin         High               Code overlap, TTPs, intelligence assessments
Lazarus Group Involvement   High               Technical similarities, pattern analysis

Method of Attack: Technical Analysis

Attack Classification: WannaCry is a ransomware cryptoworm: it combines network worm propagation with a file-encrypting ransomware payload.

Attack Chain Overview

  1. Initial Infection: EternalBlue exploit
  2. Backdoor Installation: DoublePulsar implant
  3. Payload Delivery: WannaCry dropper
  4. Kill Switch Check: domain resolution test
       - Domain exists: exit (no encryption), malware terminates
       - Domain not found: continue to steps 5-7
  5. Worm Propagation: network scanning, infect new hosts
  6. File Encryption: AES-128 / RSA-2048
  7. Ransom Demand: display payment note

MITRE ATT&CK Framework Mapping

Tactic             Technique ID   Technique Name
Initial Access     T1190          Exploit Public-Facing Application
Execution          T1569.002      Service Execution
Lateral Movement   T1210          Exploitation of Remote Services
Impact             T1486          Data Encrypted for Impact

Vulnerabilities Exploited by WannaCry

Primary Vulnerability: EternalBlue (CVE-2017-0144)

Attribute            Details
CVE ID               CVE-2017-0144
Vulnerability Type   Remote Code Execution via Buffer Overflow
Affected Component   Server Message Block 1.0 (SMBv1)
CVSS v3 Score        8.1 (High) / 9.8 (Critical when internet accessible)

System and Configuration Weaknesses

  • Unpatched systems (MS17-010 not applied)
  • End-of-life operating systems (Windows XP, Server 2003)
  • SMBv1 protocol enabled
  • Flat network architecture without segmentation
  • Inadequate backup and recovery capabilities

Patch Timeline

March 14, 2017
Microsoft releases MS17-010 for supported Windows versions
May 12, 2017
WannaCry attack begins (58 days after patch release)
May 13, 2017
Microsoft releases emergency patches for unsupported systems (XP, Server 2003)

Detection: Indicators of Compromise

File-Based Indicators

Known File Hashes (SHA-256)

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

File Names and Paths

File Name             Typical Location   Description
mssecsvc.exe          C:\Windows\        Initial dropper executable
tasksche.exe          C:\Windows\        Dropper variant
@WanaDecryptor@.exe   Desktop            Ransom GUI application
*.WNCRY               Various            Encrypted file extension

Network Indicators

Kill Switch Domain

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Bitcoin Wallet Addresses

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
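As an added example (not part of the original module), the following Python triage ties the kill-switch behaviour described earlier to the indicators above: a DNS query for the kill-switch domain means the dropper executed on that host, the response code says whether encryption was halted, and .WNCRY files with no such query point to the variant without the check. The log layout, host names and the sha256 values on encrypted files are constructed for the example.

```python
import re

# Indicators from this page's Detection section.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
KNOWN_NAMES = {"mssecsvc.exe", "tasksche.exe", "@wanadecryptor@.exe"}
KNOWN_SHA256 = {
    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
    "09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa",
    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
}
# Constructed log layout (assumption, not a vendor format):
#   "<ts> dns host=<h> q=<domain> rcode=<R>"  /  "<ts> file host=<h> path=<p> sha256=<hex>"
DNS_RE = re.compile(r"host=(\S+) q=(\S+) rcode=(\S+)")
FILE_RE = re.compile(r"host=(\S+) path=(\S+) sha256=(\S+)")

def triage(lines):
    """Map each host to a verdict from kill-switch DNS and file indicators."""
    ks_rcode, dropper, encrypted = {}, set(), set()
    for line in lines:
        if " dns " in line and (m := DNS_RE.search(line)):
            if m.group(2).lower().rstrip(".") == KILL_SWITCH:
                ks_rcode[m.group(1)] = m.group(3)   # any query = dropper executed
        elif " file " in line and (m := FILE_RE.search(line)):
            host, path, digest = m.groups()
            name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in KNOWN_NAMES or digest.lower() in KNOWN_SHA256:
                dropper.add(host)
            if name.endswith(".wncry"):
                encrypted.add(host)
    verdicts = {}
    for host in set(ks_rcode) | dropper | encrypted:
        if host in encrypted and host not in ks_rcode:
            # May 14 variant without the check, or a DNS logging gap.
            verdicts[host] = "encrypting-no-killswitch-query"
        elif host in encrypted:
            verdicts[host] = "encrypting"
        elif ks_rcode.get(host) == "NOERROR":
            # Domain resolved (registered/sinkholed): no encryption, but the
            # dropper ran and the host still needs eradication.
            verdicts[host] = "halted-by-killswitch"
        else:   # NXDOMAIN answer or dropper on disk, encryption not yet seen
            verdicts[host] = "executed-encryption-likely"
    return verdicts

# Constructed sample events (sha256 values on .WNCRY files are placeholders).
SAMPLE = r"""
2017-05-12T07:44:10Z dns host=ws-101 q=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NXDOMAIN
2017-05-12T07:44:12Z file host=ws-101 path=C:\Windows\mssecsvc.exe sha256=ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
2017-05-12T07:45:03Z file host=ws-101 path=C:\Users\jo\Documents\q3.xlsx.WNCRY sha256=0000000000000000000000000000000000000000000000000000000000000000
2017-05-12T16:02:41Z dns host=ws-202 q=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NOERROR
2017-05-12T16:02:42Z file host=ws-202 path=C:\Windows\tasksche.exe sha256=24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
2017-05-14T09:10:00Z file host=srv-07 path=D:\share\report.docx.WNCRY sha256=1111111111111111111111111111111111111111111111111111111111111111
2017-05-12T08:00:00Z dns host=ws-303 q=example.com rcode=NOERROR
""".strip().splitlines()
```

A host marked halted-by-killswitch is still an infected host: the sinkhole answer only stopped the encryption and propagation stages.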

Response: Containment and Remediation

Immediate Containment Steps

  1. Network Segmentation: Block SMB ports (445, 139) at firewalls
  2. System Isolation: Disconnect infected systems from network
  3. Kill Switch Implementation: Configure DNS to resolve kill switch domain
  4. Emergency Patching: Deploy MS17-010 to all vulnerable systems
  5. SMBv1 Disablement: Disable SMBv1 protocol globally

Remediation Procedures

Important: File decryption without the attacker's private key is not possible. Focus on containment, eradication, and restoration from backups.

  • Create memory dumps for forensic analysis
  • Remove malware using updated antivirus tools
  • Restore systems from clean backups
  • Rebuild systems if necessary
  • Verify patches before reconnecting to network

Do NOT Pay Ransom: Government agencies and security experts recommend against paying ransom. There's no guarantee of file recovery, and payment funds criminal activities.

Impact: Consequences of the WannaCry Attack

Global Statistics

  • Infected Systems: ~200,000 computers across 150+ countries
  • Economic Impact: Estimated $4-8 billion USD globally
  • Ransom Collected: Approximately $140,000 USD (327 payments)
  • Recovery Time: Days to weeks for most organizations

Financial Impact Analysis

Impact Category            Estimated Cost
Direct IT Remediation      $500M - $1B
Business Disruption        $2B - $3B
Recovery and Restoration   $1B - $2B
Security Improvements      $500M - $1B
Total Estimated Impact     $4B - $8B

Sector-Specific Impacts

Healthcare (NHS UK)

  • 19,494 appointments cancelled
  • 80 NHS trusts affected
  • Ambulance diversions
  • Emergency department closures
  • Estimated £92 million cost

Transportation & Logistics

  • FedEx/TNT Express: $300 million loss
  • Renault and Nissan: Production halts
  • Deutsche Bahn: Display systems affected

Lessons Learned: Strategic Recommendations

Purpose: These recommendations are prioritized for maximum security improvement and apply to organizations of all sizes.

Priority 1: Critical Immediate Actions

  • Implement Rigorous Patch Management - Deploy critical patches within 72 hours for internet-facing systems, 14 days for internal systems
  • Eliminate Legacy Operating Systems - Migrate all end-of-life systems to supported versions
  • Disable SMBv1 Protocol - Remove this outdated and vulnerable protocol across all systems
  • Implement Network Segmentation - Separate networks by security zone and isolate critical systems
  • Block Unnecessary Lateral Movement - Restrict SMB traffic and enable host firewalls

Priority 2: Essential Security Controls

  • Deploy Robust Backup Systems - Follow 3-2-1-1 rule: 3 copies, 2 media types, 1 offsite, 1 offline/immutable
  • Implement EDR Solutions - Deploy endpoint detection and response on all systems
  • Enable Comprehensive Logging - Implement SIEM and monitor for suspicious activities
  • Implement Application Whitelisting - Use default-deny approach for executable execution
  • Enforce Least Privilege Access - Remove unnecessary administrative rights

Priority 3: Organizational Improvements

  • Develop Incident Response Plan - Document procedures and conduct regular tabletop exercises
  • Implement Security Awareness Training - Mandatory training for all employees
  • Establish Cybersecurity Governance - Board-level oversight and adequate budget
  • Conduct Regular Testing - Vulnerability assessments and penetration testing

Key Takeaways

  1. Patch Management is Non-Negotiable: WannaCry exploited a vulnerability patched two months prior
  2. Legacy Systems Create Risk: End-of-life systems became single points of failure
  3. Defense in Depth: Layered defenses limited impact for prepared organizations
  4. Backups Must Be Resilient: Offline and immutable backups are essential
  5. Security is Business Priority: Requires board attention and adequate resources
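As an added example rather than anything from the module, this Python check applies the configuration weaknesses, the patch timeline and the Priority 1 patch SLA above to a constructed asset inventory: it measures each host's exposure window from the MS17-010 release, flags SLA misses, and ranks hosts that remain exploitable (unpatched with SMBv1 enabled) first. The inventory fields and host names are assumptions made for the example.

```python
from datetime import date

MS17_010_RELEASED = date(2017, 3, 14)    # page: patch release
OUTBREAK = date(2017, 5, 12)             # page: first WannaCry infections
EOL_PATCH_AVAILABLE = date(2017, 5, 13)  # page: emergency patch for XP / Server 2003
# Patch SLA from the page's Priority 1 recommendation (72 hours / 14 days).
SLA_DAYS = {"internet-facing": 3, "internal": 14}

def assess_host(host, as_of=OUTBREAK):
    """Exposure days, exploitability and findings for one constructed inventory record.
    Record keys (assumption): name, os, supported, zone, smb1_enabled, patched_on."""
    patched_on = host["patched_on"]
    patched = patched_on is not None and patched_on <= as_of
    # Exposure window: patch release until the host was patched, or until
    # `as_of` if it never was.
    exposure_days = ((patched_on if patched else as_of) - MS17_010_RELEASED).days
    findings = []
    if not patched:
        # EOL systems had no vendor fix to deploy until May 13 (page timeline).
        note = " (no vendor patch before 2017-05-13)" if not host["supported"] and as_of < EOL_PATCH_AVAILABLE else ""
        findings.append("MS17-010 missing" + note)
    elif exposure_days > SLA_DAYS[host["zone"]]:
        findings.append(f"patched {exposure_days}d after release, SLA {SLA_DAYS[host['zone']]}d")
    if host["smb1_enabled"]:
        findings.append("SMBv1 enabled")
    if not host["supported"]:
        findings.append(f"end-of-life OS ({host['os']})")
    # EternalBlue needs both: SMBv1 service present and the fix absent.
    exploitable = host["smb1_enabled"] and not patched
    return {"name": host["name"], "exposure_days": exposure_days,
            "exploitable": exploitable, "findings": findings}

def rank_fleet(inventory, as_of=OUTBREAK):
    """Exploitable hosts first, then longest exposure, for patch-wave planning."""
    results = [assess_host(h, as_of) for h in inventory]
    return sorted(results, key=lambda r: (not r["exploitable"], -r["exposure_days"], r["name"]))

# Constructed inventory for a stand-alone run.
INVENTORY = [
    {"name": "web-01", "os": "Windows Server 2012 R2", "supported": True, "zone": "internet-facing",
     "smb1_enabled": True, "patched_on": date(2017, 3, 16)},
    {"name": "file-02", "os": "Windows Server 2008 R2", "supported": True, "zone": "internal",
     "smb1_enabled": True, "patched_on": None},
    {"name": "mri-03", "os": "Windows XP", "supported": False, "zone": "internal",
     "smb1_enabled": True, "patched_on": None},
    {"name": "ws-04", "os": "Windows 10", "supported": True, "zone": "internal",
     "smb1_enabled": False, "patched_on": date(2017, 4, 20)},
]
```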


Knowledge Assessment Quiz

Test your understanding of the WannaCry ransomware attack with the following review questions.

Question 1: What was the primary vulnerability exploited by WannaCry?

Question 2: How was the initial spread of WannaCry significantly slowed?

Question 3: Which nation-state is WannaCry attributed to?

Question 4: What was the estimated global economic impact of WannaCry?

Question 5: Which is NOT a recommended mitigation against WannaCry-style attacks?