The Ransomware Outbreak
Intermediate
2017

Target: Global Enterprise Network
Impact: Global Data Encryption

Operational Briefing

Unleash or defend against the EternalBlue exploit. Experience the rapid propagation of a wormable ransomware that crippled the NHS and organizations worldwide.

The Full Story

On May 12, 2017, the WannaCry ransomware attack began. Within hours, it had infected over 200,000 computers across 150 countries. It demanded ransom payments in Bitcoin.

The attack was unique because it combined ransomware with a worm capability, allowing it to spread automatically without user interaction. It hit the UK's National Health Service (NHS) particularly hard, forcing ambulances to divert and surgeries to be cancelled.

Technical Analysis

The Exploit

  • EternalBlue (MS17-010): A vulnerability in Microsoft's implementation of the SMBv1 protocol that allowed unauthenticated remote code execution. The exploit was allegedly developed by the NSA and leaked by the Shadow Brokers group.
  • DoublePulsar: A backdoor tool used to inject the ransomware payload.
  • The Kill Switch: A security researcher (Marcus Hutchins) discovered the malware checked for a specific unregistered domain. Registering this domain effectively stopped the global spread.
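For the Defensive mode (harden systems and patch), the audit below checks a Windows host for the two preconditions WannaCry relied on: SMBv1 still enabled, and the MS17-010 update absent. It is an added example, not code from this scenario page. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or newer (SmbShare and NetTCPIP modules present); the KB list is a constructed starting point covering only the Windows 7 / Server 2008 R2 updates for MS17-010, and on newer builds the fix ships inside later cumulative updates, so extend the list for your OS.

```powershell
# Constructed starting list: MS17-010 security-only and monthly rollup for
# Windows 7 / Server 2008 R2. Extend per OS build from the MS17-010 advisory.
$ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-Ms17010Exposure {
    [CmdletBinding()]
    param(
        [switch]$Remediate   # when set, disable SMBv1 on the server side
    )

    $findings = [ordered]@{}

    # 1. Is the SMBv1 server protocol switched on?
    $smb = Get-SmbServerConfiguration
    $findings['Smb1Enabled'] = [bool]$smb.EnableSMB1Protocol

    # 2. Is the optional SMB1Protocol feature still installed?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -ErrorAction SilentlyContinue
    $findings['Smb1FeatureState'] = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }

    # 3. Is one of the listed MS17-010 updates present? (An empty result on
    #    Windows 10 / Server 2016+ is not proof of exposure; check the build's
    #    cumulative update level instead.)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $findings['Ms17010KbFound'] = ($ms17010Kbs | Where-Object { $installed -contains $_ }) -join ','

    # 4. Is anything listening on TCP/445? Firewall scope is reviewed separately.
    $findings['Port445Listening'] = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    # Optional remediation: turn SMBv1 off and remove the feature (reboot needed).
    if ($Remediate -and $findings['Smb1Enabled']) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
        $findings['Remediated'] = $true
    }

    [pscustomobject]$findings
}

Test-Ms17010Exposure
```

Run with `-Remediate` only after confirming no legacy device on the network still depends on SMBv1; a host reporting Smb1Enabled = True and no MS17-010 KB is the state the Offensive mode exploits.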

Available Modes

Offensive: Replicate the attack vector
Defensive: Harden systems & patch
Analysis: Forensic investigation

Event Timeline

April 2017: Shadow Brokers leak EternalBlue exploit.
May 12, 2017: WannaCry infections begin globally.
May 12, 2017: Kill switch domain registered, slowing spread.
May 15, 2017: New variants released without kill switch.

#Ransomware #SMB #Worm