WannaCry
EternalBlue worm ransomware — global outbreak May 2017
Formally attributed to North Korea's Lazarus Group by the U.S. (Tom Bossert, WSJ Dec 2017), U.K. NCSC, and confirmed via DOJ indictment of Park Jin Hyok (Sep 2018).
WannaCry exploited CVE-2017-0144 (EternalBlue), an NSA-developed SMB exploit leaked by ShadowBrokers in April 2017 and left unpatched on vast swaths of Windows infrastructure. The worm self-propagated across port 445 with zero user interaction, encrypting ~200,000 systems across 150 countries in under 96 hours. A researcher's accidental killswitch domain registration halted the first wave; no supply chain or credential theft was needed — raw exploit-and-encrypt at scale.
Phase 01 · Initial Access (TA0001)
EternalBlue turns every unpatched Windows SMB port into an open door
- WannaCry scanned port 445 across LAN segments and the public internet with no user interaction required.
- It exploited CVE-2017-0144, a critical heap buffer overflow in the SMBv1 protocol handler (srv.sys). Microsoft patched it as MS17-010 on March 14 2017 — nearly two months before the outbreak.
- The exploit was originally developed by the NSA (codenamed EternalBlue) and publicly leaked by the ShadowBrokers on April 14 2017.
- Millions of Windows 7, Windows XP, and Windows Server 2003/2008 endpoints remained unpatched at outbreak time, including NHS England hospitals running legacy imaging systems.
Phase 02 · Execution (TA0002)
Shellcode installs the worm and encryptor as Windows services — no user clicks
- EternalBlue shellcode dropped a copy of the WannaCry binary via the SMB exploit; it was then executed in kernel context.
- The worm component (mssecsvc.exe) was installed and started as the Windows service 'mssecsvc2.0'.
- A second executable (tasksche.exe) was registered as a service and handled file encryption on the local host.
- Both services ran under SYSTEM, giving the malware unrestricted access to the file system.
Phase 03 · Defense Evasion (TA0005)
A DNS killswitch gates execution — accidentally tripped by MalwareTech on day one
- Before beginning encryption, WannaCry issued an HTTP GET to a hard-coded, unregistered domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com.
- If the domain resolved (i.e., received any HTTP 200 response), the malware exited immediately — functioning as an execution guardrail intended to defeat sandbox analysis.
- UK researcher Marcus Hutchins ('MalwareTech') registered the domain for ~$10.69 at approximately 15:03 UTC on May 12 2017, inadvertently triggering the killswitch and halting the first global wave.
- The mechanism is classified as T1480 (Execution Guardrails) because the operator could revoke the check by changing the domain or binary; new variants without the killswitch appeared within days.
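A host that looks up the killswitch domain has already executed the worm, so resolver logs pinpoint infected machines even where the sinkhole response stopped encryption; conversely, hosts with no outbound DNS or HTTP path never trip the check and proceed to encrypt, so an absence of lookups is not an absence of infection. The following added example (not code from the original page) sweeps constructed BIND-style query-log lines for the domain quoted above, normalising defanged forms such as `[.]` first; the log format, client addresses and timestamps are assumptions made for the example.

```python
import re
from typing import Dict, List, NamedTuple

# The hard-coded killswitch domain quoted in the narrative above.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def refang(domain: str) -> str:
    """Normalise a defanged indicator ('example[.]com') to a comparable hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


class Hit(NamedTuple):
    timestamp: str
    client: str
    qname: str


# Constructed sample resolver log lines (BIND-style query log layout is assumed;
# none of these are real records). Fields: timestamp, client ip#port, qname, class, type.
SAMPLE_LOG = """\
12-May-2017 07:44:13.201 client 10.20.5.17#52113: query: www.example.org IN A +
12-May-2017 07:44:15.882 client 10.20.5.42#49822: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A +
12-May-2017 07:44:16.004 client 10.20.5.42#49823: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A +
12-May-2017 07:45:02.317 client 10.20.7.9#61003: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A +
12-May-2017 07:45:10.550 client 10.20.5.17#52120: query: updates.example.org IN AAAA +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def find_killswitch_lookups(log_text: str, indicator: str = KILLSWITCH_DOMAIN) -> List[Hit]:
    """Return every query for the killswitch domain, in log order."""
    wanted = refang(indicator)
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        if refang(m.group("qname")) == wanted:
            hits.append(Hit(m.group("ts"), m.group("client"), m.group("qname")))
    return hits


def first_seen_by_host(hits: List[Hit]) -> Dict[str, str]:
    """Collapse hits to one entry per source host: the earliest timestamp observed."""
    first: Dict[str, str] = {}
    for h in hits:  # the log is chronological, so the first occurrence wins
        first.setdefault(h.client, h.timestamp)
    return first


if __name__ == "__main__":
    for host, ts in first_seen_by_host(find_killswitch_lookups(SAMPLE_LOG)).items():
        print(f"{host}: first killswitch lookup at {ts} (isolate host, verify MS17-010 status)")
```

Each flagged host should be treated as exploited regardless of whether encryption followed, since the lookup happens before the malware decides whether to continue.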
Phase 04 · Persistence (TA0003)
The worm registers itself as a Windows service to survive reboots
- mssecsvc.exe was installed as service name 'mssecsvc2.0' with display name 'Microsoft Security Center (2.0) Service'.
- On already-compromised hosts WannaCry also leveraged DoublePulsar — a second NSA implant leaked by ShadowBrokers — as a kernel-level backdoor for maintaining access.
- DoublePulsar allowed subsequent shellcode injection into processes without touching the disk after the initial exploit.
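The service name, display name and binary names given above are the persistence indicators a responder can check in service-install records. The added example below (not code from the original page) triages constructed records modelled loosely on Windows System log service-install events (Event ID 7045) against those indicators and one extra heuristic chosen for this example: a service binary placed directly in the Windows directory root rather than a subdirectory. The record layout, host names, the `svc-sample` service name (the page does not give the name of the tasksche.exe service) and the file paths are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the narrative above.
KNOWN_SERVICE_NAMES = {"mssecsvc2.0"}
KNOWN_DISPLAY_NAMES = {"microsoft security center (2.0) service"}
KNOWN_BINARIES = {"mssecsvc.exe", "tasksche.exe"}

# Heuristic chosen for this example (an assumption, not from the page): a service
# binary dropped directly into the Windows directory root rather than a subdirectory.
WINDOWS_ROOT_DIRS = {"c:\\windows", "%systemroot%"}

_EXE_RE = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)


def extract_binary(image_path: str) -> Tuple[str, str]:
    """Split an ImagePath (possibly quoted, possibly followed by arguments) into
    (lower-cased directory, lower-cased executable name)."""
    m = _EXE_RE.search(image_path)
    full = (m.group(1) if m else image_path).strip().lower()
    directory, _, name = full.rpartition("\\")
    return directory, name


def triage_service_install(event: Dict[str, str]) -> List[str]:
    """Return the reasons a service-install record resembles WannaCry persistence."""
    reasons: List[str] = []
    name = event.get("service_name", "").lower()
    display = event.get("display_name", "").lower()
    directory, binary = extract_binary(event.get("image_path", ""))
    if name in KNOWN_SERVICE_NAMES:
        reasons.append("service name matches WannaCry worm service")
    if display in KNOWN_DISPLAY_NAMES:
        reasons.append("display name impersonates Microsoft Security Center")
    if binary in KNOWN_BINARIES:
        reasons.append(f"binary {binary} is a known WannaCry component")
    if directory in WINDOWS_ROOT_DIRS:
        reasons.append("service binary sits directly in the Windows directory root")
    return reasons


def scan_service_installs(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Triage every record; key findings by host/service for the responder."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        reasons = triage_service_install(ev)
        if reasons:
            findings[f"{ev['host']}/{ev['service_name']}"] = reasons
    return findings


# Constructed records; layout, host names and paths are invented for this example.
SAMPLE_EVENTS = [
    {"host": "WS-0042", "service_name": "mssecsvc2.0",
     "display_name": "Microsoft Security Center (2.0) Service",
     "image_path": "C:\\WINDOWS\\mssecsvc.exe", "account": "LocalSystem"},
    {"host": "WS-0042", "service_name": "svc-sample",  # constructed name; page gives none
     "display_name": "svc-sample",
     "image_path": "C:\\WINDOWS\\tasksche.exe", "account": "LocalSystem"},
    {"host": "WS-0017", "service_name": "WinDefend",
     "display_name": "Microsoft Defender Antivirus Service",
     "image_path": "\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\"", "account": "LocalSystem"},
    {"host": "WS-0017", "service_name": "VendorAgent",
     "display_name": "Vendor Agent",
     "image_path": "\"C:\\Program Files\\Vendor\\agent.exe\" --service",
     "account": "NT AUTHORITY\\NetworkService"},
]

if __name__ == "__main__":
    for key, reasons in scan_service_installs(SAMPLE_EVENTS).items():
        print(key)
        for r in reasons:
            print("  -", r)
```

The two legitimate records produce no findings, while the second WannaCry record is caught on the binary name and the directory heuristic alone, which matters because a variant can rename its service far more easily than it can change where the dropper writes files.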
Phase 05 · Discovery (TA0007)
The worm enumerates every reachable network host looking for port 445
- After executing on a host, the worm component generated pseudo-random IP ranges and performed TCP SYN scans against port 445.
- It targeted both the local subnet (ensuring rapid intranet spread) and external, internet-routable addresses (ensuring global propagation).
- No credential enumeration or Active Directory reconnaissance was necessary — the exploit required only an open SMB port.
Phase 06 · Lateral Movement (TA0008)
EternalBlue re-fires across every reachable host — DoublePulsar chains on
- For each new target found via discovery, the worm re-ran the full EternalBlue exploit over SMB port 445.
- On hosts where a previous infection had installed DoublePulsar, the backdoor was used to inject additional shellcode in-memory without writing to disk.
- The combination of a fast internet-wide scanner and a reliable unauthenticated RCE yielded exponential propagation: hundreds of thousands of hosts in hours.
- NHS England, FedEx, Renault, Deutsche Bahn, and Russia's Interior Ministry were among confirmed victims of lateral spread.
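The Discovery and Lateral Movement phases above share one observable: a single host opening SYNs to many distinct addresses on TCP/445, first on its own subnet and then to routable addresses, inside a short window. The added example below (not code from the original page) implements that sliding-window detection over constructed flow records; the window size, the threshold of 20 distinct targets, the sensor flag encoding and the addresses are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    flags: str  # TCP flags as recorded by the sensor, e.g. "S" for a bare SYN


# RFC 1918 ranges count as internal; everything else is treated as internet-routable.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_smb_sweeps(flows: List[Flow],
                      window: timedelta = timedelta(seconds=60),
                      threshold: int = 20) -> Dict[str, dict]:
    """Flag any source that sends SYNs to >= threshold distinct hosts on TCP/445
    within a sliding time window. Returns a per-source summary of the sweep."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    all_targets: Dict[str, Set[str]] = defaultdict(set)
    first_alert: Dict[str, datetime] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        # Only outbound connection attempts to SMB matter; SYN-ACKs and other ports are ignored.
        if f.dport != 445 or "S" not in f.flags or "A" in f.flags:
            continue
        q = recent[f.src]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        all_targets[f.src].add(f.dst)
        if f.src not in first_alert and len({d for _, d in q}) >= threshold:
            first_alert[f.src] = f.ts
    return {
        src: {
            "first_alert": ts,
            "distinct_targets": len(all_targets[src]),
            "external_targets": sum(1 for d in all_targets[src] if not is_internal(d)),
        }
        for src, ts in first_alert.items()
    }


def build_sample_flows() -> List[Flow]:
    """Constructed telemetry, not real captures: one normal host, one HTTPS flow,
    and one host (10.20.5.42) sweeping 25 LAN addresses then 10 routable addresses."""
    base = datetime(2017, 5, 12, 7, 50, 0)
    flows = [
        Flow(base, "10.20.5.17", "10.20.5.1", 445, "S"),                        # file-server access
        Flow(base + timedelta(seconds=30), "10.20.5.17", "10.20.5.200", 445, "S"),
        Flow(base + timedelta(seconds=2), "10.20.7.9", "192.0.2.10", 443, "S"),  # HTTPS, irrelevant
    ]
    for i in range(25):
        flows.append(Flow(base + timedelta(seconds=i), "10.20.5.42", f"10.20.5.{100 + i}", 445, "S"))
    for i in range(10):
        flows.append(Flow(base + timedelta(seconds=25 + i), "10.20.5.42", f"198.51.100.{i + 1}", 445, "S"))
    return flows


if __name__ == "__main__":
    for src, info in detect_smb_sweeps(build_sample_flows()).items():
        print(f"{src}: SMB sweep first seen {info['first_alert']:%H:%M:%S}, "
              f"{info['distinct_targets']} targets ({info['external_targets']} external)")
```

A non-zero external count is the signal to block outbound 445 at the perimeter immediately, since that is the path by which one infected host contributes to the internet-wide wave described above; the normal host touching two file servers never approaches the threshold.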
Phase 07 · Impact (TA0040)
AES-128 + RSA-2048 encryption across ~200,000 systems in 150 countries
- tasksche.exe encrypted user files with AES-128 per-file keys, each wrapped with an RSA-2048 public key controlled by the operators, appending the .WNCRY extension.
- Ransom notes demanded $300 USD in Bitcoin, doubling to $600 after 72 hours, with permanent deletion threatened after 7 days.
- Approximately 200,000 systems in 150 countries were encrypted within the first 96 hours. NHS England was forced to cancel ~19,000 appointments; Renault halted production at multiple plants.
- Total estimated damages exceeded $4 billion USD according to U.S. government assessments cited at the time of the DOJ indictment.
- Attribution to North Korea's Lazarus Group was formally announced by the U.S. (December 2017) and U.K. NCSC, and reinforced by the DOJ indictment of Park Jin Hyok in September 2018.
Diamond Model (Caltagirone / Pendergast / Betz 2013): four-vertex attribution framework
- Adversary: Lazarus Group (HIDDEN COBRA)
- Capability: T1210 (Exploitation of Remote Services), T1569.002 (Service Execution), T1480 (Execution Guardrails), T1543.003 (Windows Service), T1014 (Rootkit), +1 more
- Infrastructure: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (killswitch domain)
- Victim: see narrative above
References
- TA17-132A — Multiple Ransomware Infections Reported · CISA (US-CERT) · 2017-05-12
- Customer guidance for WannaCrypt attacks · Microsoft MSRC · 2017-05-12
- North Korean cyber attack on the UK: attribution statement (WannaCry) · NCSC (U.K.) · 2017-12-19
- Park Jin Hyok criminal complaint (DOJ) · U.S. Department of Justice · 2018-09-06
- G0032 — Lazarus Group · MITRE ATT&CK
- S0366 — WannaCry · MITRE ATT&CK