Security Research Engineer at Ixia

WannaCry Ransomware 101

May 17, 2017 by Anthony Lecorchick

**Before reading any further, please ensure the MS17-010 patch has been applied to all your Windows systems.**


Our story begins in August 2016, when a hacker group called The Shadow Brokers made their first appearance, offering files they claimed were stolen from The Equation Group, a threat actor with suspected NSA ties. Back then, we covered the firewall exploits that were released. To date, The Shadow Brokers have made five leaks, each containing more information or files from The Equation Group.

On April 14, 2017, The Shadow Brokers posted a leak titled “Lost in Translation.” It contained several exploits and tools, including the SMB exploit EternalBlue.

Server Message Block (SMB) is a protocol typically used for shared access, usually among Microsoft Windows machines. It is normally set up to work only between machines on the same local network, so using an exploit such as EternalBlue for a remote attack would not yield a large attack surface.



On May 12th, 2017, a large-scale ransomware attack began. WannaCry (also known as WannaCrypt, WanaCrypt0r, and Wana Decrypt0r) infected over 200,000 computers in at least 150 countries according to Europol. The initial infection vector is unknown, but may have been EternalBlue, some other exploit, or a phishing attack. Once a computer is infected, it attempts to leverage EternalBlue to further spread itself, both on the local network and on the Internet at large. Because SMB is often used to share within a network, once one machine on the network is infected, WannaCry may spread quickly and thoroughly within the network. Malwarebytes reports WannaCry also installs DoublePulsar, a kernel-level backdoor.

Encrypted files have their extension changed to WNCRY, and two additional files, titled @Please_Read_Me@.txt and @WanaDecryptor@.exe, are dropped in every directory. @WanaDecryptor@.exe instructs the user on how they can recover their files, and presents a countdown both for when the ransom will increase and for when the user will lose any chance of decrypting their files. The malware selects one of three bitcoin addresses embedded in its encryptor and displays it when demanding ransom. You can currently extract the bitcoin addresses from the initial infecting binary using simple shell scripts.
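The address extraction mentioned above can be sketched as follows. This is an added example, not the script used for this post: it is written in Python rather than shell so it can go one step further and verify each candidate's Base58Check checksum, which discards address-shaped strings that are not real addresses. It assumes legacy "1..."/"3..." addresses stored as plain ASCII, and the sample bytes are constructed for illustration, not taken from the malware.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy addresses are 26-35 Base58 characters starting with 1 or 3; the
# lookarounds reject candidates that are part of a longer alphanumeric run.
CANDIDATE = re.compile(
    rb"(?<![0-9A-Za-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![0-9A-Za-z])")

# Constructed sample input (not bytes from the WannaCry binary): NUL-separated
# strings holding one valid address (the Bitcoin genesis-block address), the
# same address with its last character altered, and an address-shaped decoy.
SAMPLE = (b"\x00MZ\x90\x00"
          b"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\x00"
          b"1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00"
          b"3fakeADDRESSxxxxxxxxxxxxxxxxxxxx\x00")


def base58check_ok(addr: str) -> bool:
    """True if addr decodes to 25 bytes ending in a valid 4-byte checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    # Each leading '1' character encodes one leading zero byte.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return digest[:4] == raw[-4:]


def extract_addresses(blob: bytes) -> list[str]:
    """Checksum-valid addresses found in blob, in order, without repeats."""
    found = []
    for match in CANDIDATE.finditer(blob):
        addr = match.group().decode("ascii")
        if addr not in found and base58check_ok(addr):
            found.append(addr)
    return found


if __name__ == "__main__":
    print(extract_addresses(SAMPLE))
```

To scan a file instead of the sample, pass its contents, for example `extract_addresses(open(path, "rb").read())`; addresses held in packed or encrypted resources will not be found until those are unpacked.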


This screenshot is from the sample with the SHA256 hash ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, and as of today (May 17th) it has netted the malware author about 44 Bitcoins ($74,000). As you can see, the expiration on decrypting files is set a week from initial infection. This implies that May 19th could see a large swing in Bitcoin payments to these addresses if someone hasn't figured out a different way of recovering files.

At the time of writing, the spread of WannaCry has been temporarily slowed thanks to a killswitch found by MalwareTech. Before encrypting, WannaCry attempts to contact a hard-coded URL, and if the connection is successful, it will not continue execution. While this stops this particular version of the malware, a new strain could be released, and the killswitch does not fix the vulnerability itself. Please make sure your systems have installed KB4013389 for MS17-010, which fixes the vulnerability exploited by EternalBlue.

Hashes analyzed:







Bitcoin Addresses Seen:







We will be releasing WannaCry variants, along with other popular new malware strains, in our next ATI monthly malware package. This will enable you to test your inline network AV with the most current threats on the Internet and confirm that you are safe from this threat.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.