WannaCry: The Global Pandemic

Malmon Profile

Classification: Worm/Ransomware ⭐⭐⭐
Discovery Credit: Multiple security researchers, May 2017
First Documented: WannaCry outbreak, May 12, 2017
Threat Level: Advanced (Global infrastructure impact)

Malmon Card Reference

WannaCry

Worm/Ransomware
⭐⭐⭐
WannaCry

WannaCry is a devastating ransomware worm that caused global chaos in May 2017. Exploiting the EternalBlue vulnerability, it spread rapidly across networks, encrypting files and demanding Bitcoin payments. It affected hospitals, businesses, and governments—highlighting the dangers of unpatched systems and state-developed exploits gone rogue.

🔥
Rapid Propagation
Self-replicating worm spreading via SMB vulnerabilities with automatic network traversal
EternalBlue Exploit
Uses NSA-developed exploit for Windows SMB protocol with devastating effectiveness
🔮
Kill Switch Vulnerability
Can be instantly neutralized if specific domain registration weakness is discovered
⬆️
Global Pandemic Worm
Achieves worldwide propagation with critical infrastructure impact
💎
Network Segmentation
Contained by proper network isolation and SMB protocol restrictions
🔍4
🔒7
📡10
💣9
🥷6
Discovered By:Security Community
Habitat:Unpatched Windows networks, SMB-enabled systems
Property Icons:
🔍Detection
🔒Persistence
📡Spread
💣Payload
🥷Evasion

Technical Characteristics

MITRE ATT&CK Mapping

  • Initial Access: T1566.001 (Spearphishing Attachment)
  • Lateral Movement: T1210 (Exploitation of Remote Services)
  • Impact: T1486 (Data Encrypted for Impact)

Detailed ATT&CK Analysis

🎯 MITRE ATT&CK Technique Analysis

Technique Tactic Description Mitigation Detection
T1566.001
Spearphishing Attachment		 Initial Access Initial infection vector through malicious email attachments Email security, user training, attachment scanning Email analysis, attachment behavior monitoring
T1486
Data Encrypted for Impact		 Impact Encrypts files and demands ransom payment for decryption Backup systems, file monitoring, user training File modification monitoring, encryption behavior, ransom notes
T1210
Exploitation of Remote Services		 Lateral Movement Uses EternalBlue exploit to spread via SMB vulnerabilities Patch management, network segmentation, SMB hardening Network monitoring, exploit detection, vulnerability scanning
IM Facilitation Notes:
  • Use these techniques to guide player investigation questions
  • Help players connect evidence to specific ATT&CK techniques
  • Highlight type effectiveness relationships in responses
  • Encourage discussion of real-world mitigation strategies

Core Capabilities

EternalBlue Exploitation:

  • Exploits MS17-010 SMB vulnerability for rapid network spread
  • No user interaction required for propagation
  • Targets Windows systems with unpatched SMB services
  • +3 bonus to network propagation in vulnerable environments

Ransomware Payload:

  • Encrypts files with strong cryptographic algorithms
  • Demands Bitcoin payment for decryption keys
  • Creates distinctive ransom note and desktop wallpaper
  • +2 bonus to business disruption and panic generation

Kill Switch Vulnerability (Hidden Ability):

  • Contains hardcoded domain check that acts as emergency brake
  • If specific domain resolves, malware stops spreading
  • Discovered by security researcher Marcus Hutchins
  • Can be instantly neutralized if weakness is discovered and exploited

Type Effectiveness Against WannaCry

Understanding which security controls work best against hybrid Worm/Ransomware threats like WannaCry:

Trojan
Weak to: Detection
Resists: Training
Worm
Weak to: Isolation
Resists: Backup
Ransomware
Weak to: Backup
Resists: Encryption
Rootkit
Weak to: Forensics
Resists: Detection
APT
Weak to: Intelligence
Phishing
Weak to: Training
Botnet
Weak to: Coordination
Infostealer
Weak to: Encryption

Key Strategic Insights for IMs:

  • Most Effective: Network Isolation (stops spread), Backup Systems (counters encryption), Patch Management (prevents initial exploitation)
  • Moderately Effective: Behavioral Analysis (detects both worm and ransomware activities), System Restoration
  • Least Effective: Signature Detection (especially for zero-day exploits), User Education (no user interaction required)

Hybrid Type Considerations:
Teams must address both rapid network spread AND file encryption - guide them to use multi-layered approaches.

Vulnerabilities

Network Segmentation Weakness:

  • Spread limited by network boundaries and firewall rules
  • Cannot cross properly segmented network zones
  • -3 penalty when networks have effective micro-segmentation

Patch Management Defense:

  • MS17-010 patch completely prevents exploitation
  • Vulnerable only to systems missing critical security updates
  • Organizations with current patching are immune to initial infection

Facilitation Guide

Pre-Session Preparation

Choose WannaCry When:

  • Intermediate to advanced teams ready for complex, multi-vector threats
  • Network security education is a primary learning objective
  • Business continuity and crisis management concepts should be demonstrated
  • Global incident coordination scenarios are desired
  • Patch management and vulnerability response need emphasis

Avoid WannaCry When:

  • New teams who haven’t mastered basic incident response coordination
  • Individual endpoint focus sessions where network propagation isn’t relevant
  • Limited time sessions where complexity might prevent completion

Session Structure Guidance

Discovery Phase (Round 1) Facilitation

Initial Symptoms to Present:

  • “Multiple departments reporting computers locked with ransom messages”
  • “IT help desk overwhelmed with calls about encrypted files”
  • “Network performance severely degraded across all locations”
  • “Security systems detecting massive SMB traffic spikes”

IM Question Progression:

  1. “What pattern connects locked computers across multiple departments?”
  2. “How might malware spread so quickly through the network?”
  3. “What would cause both file encryption AND network performance issues?”
  4. “What makes this different from typical malware infections?”

Expected Player Discovery Path:

  • Detective: Analyzes ransom notes, discovers file encryption patterns
  • Protector: Identifies SMB exploitation attempts and system vulnerabilities
  • Tracker: Maps rapid network propagation and lateral movement
  • Communicator: Assesses massive business impact and stakeholder panic
  • Crisis Manager: Coordinates response to organization-wide emergency
  • Threat Hunter: Discovers connection to global campaign and threat intelligence

Evolution Trigger - Global Scale: Introduce: “News reports showing this same attack hitting hospitals, governments, and companies worldwide…”

Investigation Phase (Round 2) Facilitation

Impact Assessment Questions:

  • “How do you assess damage when the entire network is potentially compromised?”
  • “What critical systems and data are at risk from continued spreading?”
  • “How do you coordinate response when your normal communication systems are affected?”

Attack Vector Deep Dive:

  • “How did one vulnerability create such widespread impact?”
  • “What does this tell us about our network architecture and segmentation?”
  • “Why were some systems affected while others remained safe?”

Kill Switch Discovery:

  • “Your threat intelligence team reports something unusual about this malware’s behavior…”
  • “What if there was a way to stop the spread without removing the malware?”
  • “How might threat actors build emergency stops into their own malware?”

Response Phase (Round 3) Facilitation

Multi-Vector Response Strategy:

  • “How do you address both the immediate ransomware impact AND prevent further spreading?”
  • “What’s your priority - stopping spread, recovering data, or maintaining business operations?”
  • “How do you coordinate response across multiple affected locations?”

Global Coordination Element:

  • “Other organizations worldwide are sharing information about this attack - how do you participate?”
  • “What information would you share, and what would you want from others?”

Advanced Facilitation Techniques

Managing Complexity

For Intermediate Groups:

  • Focus on either ransomware OR worm aspects, not both simultaneously
  • Provide more guidance about SMB vulnerability and exploitation concepts
  • Emphasize team coordination over technical complexity

For Advanced Groups:

  • Include attribution discussion (North Korea/Lazarus Group connections)
  • Discuss policy implications of nation-state ransomware
  • Explore supply chain and critical infrastructure impacts

Global Incident Simulation:

  • Introduce time pressure from media attention and regulatory scrutiny
  • Include coordination with external agencies and industry partners
  • Simulate decision-making about public disclosure and threat intelligence sharing

Real-World Learning Connections

Critical Infrastructure Protection:

  • How single vulnerabilities can have cascading global effects
  • The importance of network segmentation and defense in depth
  • Business continuity planning for widespread system compromise

Vulnerability Management:

  • The critical importance of timely security patching
  • How threat actors weaponize disclosed vulnerabilities
  • Risk assessment and patch prioritization strategies

Crisis Communication:

  • Managing stakeholder communication during widespread outages
  • Coordinating with law enforcement and regulatory agencies
  • Public communication strategies during global incidents

International Cooperation:

  • How cybersecurity incidents require global coordination
  • Information sharing protocols and threat intelligence networks
  • Attribution challenges and geopolitical implications

Assessment and Learning Objectives

Success Indicators

Team Successfully:

  • Recognizes dual worm/ransomware nature requiring different response strategies
  • Understands network propagation concepts and containment approaches
  • Coordinates response to organization-wide emergency with external coordination
  • Demonstrates understanding of vulnerability management and patching importance
  • Addresses both immediate impact and long-term prevention strategies

Advanced Learning Indicators:

  • Discusses attribution and nation-state threat actor implications
  • Explores policy and regulatory responses to global cyber incidents
  • Considers supply chain and critical infrastructure protection strategies
  • Demonstrates understanding of international cybersecurity cooperation

Post-Session Reflection Questions

  • “How did the dual nature of this threat (worm + ransomware) complicate response?”
  • “What would effective network segmentation have done to limit impact?”
  • “How do you balance transparency with security during global incidents?”
  • “What lessons does WannaCry teach about vulnerability management?”

Community Contributions and Extensions

Advanced Scenarios

  • WannaCry 2.0: What if the kill switch hadn’t existed?
  • Critical Infrastructure Variant: Power grid or healthcare-specific impacts
  • Attribution Investigation: Following intelligence leads to threat actor identification
  • Policy Response: Developing organizational and industry responses to global threats

Real-World Applications

  • Vulnerability Management Programs: Using WannaCry timeline to improve patching
  • Network Architecture Review: Segmentation strategies to prevent worm propagation
  • Crisis Communication Planning: Stakeholder management during widespread outages
  • International Cooperation: Participating in global threat intelligence sharing

WannaCry represents the perfect storm of technical vulnerability, widespread deployment, and global impact. It teaches critical lessons about how individual organizational security connects to global cybersecurity resilience.