CRITICAL SEVERITY
WannaCry Ransomware
2017
ransomware
Global ransomware attack exploiting Windows SMB vulnerability, affecting 200,000+ computers.
healthcaregovernmentcorporate
!What Happened
WannaCry spread using EternalBlue exploit targeting unpatched Windows systems. NHS hospitals severely impacted.
⚡Vulnerability Exploited
MS17-010 (EternalBlue) - Windows SMB v1 RCE
→Attack Flow
1
recon
Network Scanning
Scanning for port 445
[SCAN] Scanning network for port 445...
[FOUND] 150+ vulnerable hosts
2
exploitation
EternalBlue Exploit
Exploiting SMB vulnerability
[EXPLOIT] Sending EternalBlue payload...
[SUCCESS] RCE achieved
3
installation
DoublePulsar Install
Installing backdoor
[INSTALL] Deploying DoublePulsar...
4
actions
File Encryption
Encrypting files with AES
[CRYPTO] Encrypting...
[RANSOM] Demanding BTC
💥Impact
$4-8 billion damages. NHS disrupted.
Records Compromised
0
Financial Cost
$4.2 billion (global estimate)
🔧Technical Details
Target System
Windows Server
server • Windows 7
SMB
Attacker Profile
Attacker
workstation • Linux
Vulnerability / CVE
MS17-010 (EternalBlue) - Windows SMB v1 RCE
📅Attack Timeline
Initial Attack
2017
Attack initiated and vulnerability exploited
Discovery & Impact
Shortly after 2017
$4-8 billion damages. NHS disrupted.
Response & Mitigation
Remediation Phase
MS17-010 patch. Kill switch registered.
🎯Is This Attack Still Relevant Today?
Ransomware attacks like WannaCry Ransomware remain one of the most prevalent cyber threats today. The techniques pioneered in this attack are still actively used, with modern variants incorporating double extortion, RaaS (Ransomware-as-a-Service), and targeting critical infrastructure.
⚠️ Still Active Threat
💡Key Takeaways
- •Patch management critical. Disable SMBv1.
- •Regular backups stored offline are critical for ransomware recovery
- •Network segmentation can limit the spread of ransomware
- •Timely patching of known vulnerabilities is crucial
- •Key defense: Apply MS17-010 Patch - Completely prevents SMB exploitation
Defense Applied
MS17-010 patch. Kill switch registered.
Lessons Learned
Patch management critical. Disable SMBv1.
Attacker Tools
EternalBlue
NSA SMB exploit
Defense Options
Apply MS17-010 Patch
Install Windows security update KB4012212 to fix EternalBlue vulnerability
Disable SMBv1 Protocol
Turn off legacy SMB version 1 on all systems
Network Segmentation
Isolate critical file servers from workstation network
Offline Backup & Restore
Maintain air-gapped backups for ransomware recovery
Legacy Antivirus (2016)
Signature-based antivirus with outdated definitions
MITRE ATT&CK
Tactics
Initial AccessImpact
Techniques
T1210T1486