Even years later, the name WannaCry sends a chill down the spine of security professionals. In May 2017, this ransomware worm erupted globally, locking down an estimated 230,000 computers in 150 countries over a devastating four-day period. From hospitals and universities to major corporations, its impact was swift and severe. Victims’ computers were locked, with the attackers demanding a ransom in Bitcoin to release their files.
While WannaCry is a part of cybersecurity history, the lessons it taught us about threat detection and incident response are more relevant than ever. The reality is, the vulnerability it exploited still exists on unpatched systems today. Let’s dissect how this attack worked and, more importantly, explore the advanced detection techniques that can prepare us for the next major worm event.
The engine behind WannaCry was a remote code execution vulnerability in Microsoft's SMBv1 implementation, tracked as CVE-2017-0144, fixed by security bulletin MS17-010 and exploited by a tool more famously known as "EternalBlue". It was not a zero-day by the time WannaCry struck: the patch had been public for two months. The exploit is believed to have been stolen from the Equation Group, a sophisticated nation-state actor, by a group calling itself The Shadow Brokers.
Here’s a quick timeline of the key events:
August 2016: The Shadow Brokers first appear, claiming to have Equation Group malware.
April 14, 2017: The group leaks EternalBlue, along with DoublePulsar and other Windows exploits, to the public. This would become the foundation for WannaCry.
May 12, 2017: The WannaCry outbreak begins.
Interestingly, Microsoft had already released the fix, MS17-010, on March 14, 2017, a month before the public leak. However, the slow pace of patching across the globe left millions of systems exposed, highlighting a critical weakness in enterprise security that persists to this day.
What made WannaCry so devastating was its worm capability. It didn't rely on phishing emails or user interaction to spread. Once it had infected a single vulnerable computer, it used EternalBlue to hunt for other machines with the same vulnerability, both on the local network and at randomly chosen Internet addresses with TCP port 445 exposed.
This vulnerability was in Server Message Block version 1 (SMBv1), a legacy dialect of the protocol still present and enabled by default on nearly every Windows release of the time, from the Windows 9x era up to current server editions. Microsoft had been urging customers to disable SMBv1 since 2016, but because SMB underpins file sharing and other essential services on Windows domains, and older devices and industrial control systems still spoke only the v1 dialect, many organizations had left it on. That allowed the malware to spread with incredible speed inside corporate networks.
The attack also leveraged another leaked tool, DoublePulsar, a kernel-mode backdoor that EternalBlue implants on a successfully exploited host. WannaCry checked each target for an existing DoublePulsar implant and used the backdoor to load its payload; because the implant lives only in memory it is not persistence across reboots, but it gave the worm a ready-made channel into every machine it had already breached.
When an attack is moving this fast, simply relying on file hashes and antivirus signatures isn’t enough. True threat hunting requires digging deeper into network traffic to find the subtle clues the malware leaves behind. Here are the key network-level indicators that were, and still are, the most effective ways to spot a WannaCry infection.
The attackers used specific, and normally unused, values within the SMB protocol for command and control. One of the most revealing indicators was the Multiplex ID (MID) field in the SMB header. The worm used it to check whether a machine was already infected, so the MID of the reply to its probe tells you the state of both ends of the conversation:
Infected to clean (Multiplex ID 65, 0x41): If an infected host probed another machine and the response came back with a Multiplex ID of 65, the source was infected but the destination was not yet compromised. This is a clear signal of an active infection attempt.
Infected to infected (Multiplex ID 81, 0x51): If the response came back with a Multiplex ID of 81, both the source and destination hosts were already infected with WannaCry.
Trans2 function: an anomalous request
Another powerful indicator was the malware's use of the SMB Trans2 (SMB_COM_TRANSACTION2) command. Trans2 itself does appear in ordinary SMBv1 traffic, but the subcommand the DoublePulsar probe carries, SESSION_SETUP (0x000E), is a reserved value that legitimate clients never send. Monitoring for that subcommand at all, or for a sudden spike in Trans2 requests from one host, serves as a statistical anomaly that immediately flags the traffic as suspicious and likely related to WannaCry.
The malware also contained hard-coded IP addresses it would attempt to connect to over SMB. One of these static paths was a Tree Connect request for \\192.168.56.20\IPC$ (the trailing $ is part of the share name). Seeing this specific path in your SMB logs or network traffic is another dead giveaway that a host on your network is infected and attempting to spread.
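The three network indicators above can be checked directly against SMBv1 bytes on the wire. The following Python is an added example written for this article, not code from the original page or from any detection product. It builds a handful of constructed SMBv1 frames (not captured traffic) from the [MS-CIFS] layouts, parses the header fields named above, and flags the DoublePulsar probe, the Multiplex ID 65 and 81 replies, and the hard-coded IPC$ tree connect. A reply's MID is only interpreted when it answers a probe the sensor has already seen, so a legitimate client that happens to use MID 65 does not trip the alert. The IP addresses, the Finding and SmbHunter names, and the sample traffic are assumptions for the demo; the Trans2 SESSION_SETUP subcommand (0x000E) is the reserved subcommand DoublePulsar's ping uses, which the page refers to only as an unusual Trans2 request.

```python
"""Added example: WannaCry/DoublePulsar SMBv1 indicators checked over constructed frames."""
import struct
from collections import namedtuple

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2, SMB_COM_TREE_CONNECT_ANDX = 0x32, 0x75
SMB_FLAGS_REPLY, FLAGS2_UNICODE = 0x80, 0x8000
TRANS2_SESSION_SETUP = 0x000E    # reserved Trans2 subcommand carried by the DoublePulsar ping
TRANS2_QUERY_PATH_INFO = 0x0005  # an ordinary Trans2 subcommand, used as benign traffic below
MID_TARGET_CLEAN, MID_TARGET_INFECTED = 65, 81  # 0x41 echoed by a normal server; 0x51 from the implant
SUSPICIOUS_TREE_PATH = "\\\\192.168.56.20\\IPC$"

Finding = namedtuple("Finding", "src dst indicator")

def smb_header(command, mid, flags=0, flags2=0):
    """32-byte SMBv1 header: magic, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID."""
    return (SMB_MAGIC + struct.pack("<BIBHH", command, 0, flags, flags2, 0)
            + bytes(8) + struct.pack("<HHHHH", 0, 0, 0, 0, mid))

def trans2_request(subcommand, mid):
    """SMB_COM_TRANSACTION2 request, WordCount = 15: 14 parameter words, then Setup[0] = subcommand at offset 61."""
    words = struct.pack("<HHHHBBHIHHHHHBBH", 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, subcommand)
    return smb_header(SMB_COM_TRANSACTION2, mid) + b"\x0f" + words + b"\x00\x00"  # ByteCount = 0

def trans2_reply(mid):
    """Minimal Trans2 reply: reply flag set, WordCount = 0, ByteCount = 0."""
    return smb_header(SMB_COM_TRANSACTION2, mid, flags=SMB_FLAGS_REPLY) + bytes(3)

def tree_connect_andx(path, mid, unicode=False):
    """SMB_COM_TREE_CONNECT_ANDX request (WordCount = 4); Path is ASCII or UTF-16LE per Flags2."""
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)  # no AndX command, AndXOffset, Flags, PasswordLength = 1
    path_bytes = (path.encode("utf-16-le") + bytes(2)) if unicode else (path.encode("ascii") + b"\x00")
    data = b"\x00" + path_bytes + b"?????\x00"       # Password, Path (starts at header offset 44), Service
    return (smb_header(SMB_COM_TREE_CONNECT_ANDX, mid, flags2=FLAGS2_UNICODE if unicode else 0)
            + b"\x04" + words + struct.pack("<H", len(data)) + data)

def tree_connect_path(frame):
    """Path string of a TREE_CONNECT_ANDX request, or None if the word count does not match."""
    if frame[32] != 4:
        return None
    unicode = struct.unpack_from("<H", frame, 10)[0] & FLAGS2_UNICODE
    off = 43 + struct.unpack_from("<H", frame, 39)[0]  # header + WordCount + 8 words + ByteCount + Password
    if not unicode:
        end = frame.find(b"\x00", off)
        return frame[off:(end if end >= 0 else None)].decode("latin-1")
    off += off % 2                                     # Unicode strings are 2-byte aligned to the header
    units = []
    while off + 1 < len(frame) and frame[off:off + 2] != b"\x00\x00":
        units.append(frame[off:off + 2])
        off += 2
    return b"".join(units).decode("utf-16-le", errors="replace")

class SmbHunter:
    """Stateful matcher: a reply's MID is only interpreted when the probe that caused it was seen."""
    def __init__(self):
        self.pending = set()  # (prober, target) pairs with an unanswered SESSION_SETUP probe

    def feed(self, src, dst, frame):
        if len(frame) < 35 or frame[:4] != SMB_MAGIC:
            return None
        command, _status, flags = struct.unpack_from("<BIB", frame, 4)
        mid = struct.unpack_from("<H", frame, 30)[0]
        is_reply = bool(flags & SMB_FLAGS_REPLY)
        if command == SMB_COM_TRANSACTION2 and not is_reply:
            if frame[32] >= 15 and len(frame) >= 63 and struct.unpack_from("<H", frame, 61)[0] == TRANS2_SESSION_SETUP:
                self.pending.add((src, dst))
                return Finding(src, dst, f"Trans2 SESSION_SETUP probe: {src} is running the DoublePulsar ping")
        elif command == SMB_COM_TRANSACTION2 and is_reply and (dst, src) in self.pending:
            self.pending.discard((dst, src))  # the reply flows target -> prober
            if mid == MID_TARGET_CLEAN:
                return Finding(src, dst, f"MID 65 reply: {dst} is infected, {src} not yet compromised")
            if mid == MID_TARGET_INFECTED:
                return Finding(src, dst, f"MID 81 reply: both {dst} and {src} carry DoublePulsar")
        elif command == SMB_COM_TREE_CONNECT_ANDX and not is_reply:
            path = tree_connect_path(frame)
            if path and path.upper() == SUSPICIOUS_TREE_PATH.upper():
                return Finding(src, dst, f"Tree Connect to hard-coded {path} from {src}")
        return None

def hunt(frames):
    """Run (src, dst, frame) triples through one SmbHunter and collect the findings in order."""
    hunter = SmbHunter()
    return [f for f in (hunter.feed(s, d, fr) for s, d, fr in frames) if f]

# Constructed sample traffic, not a capture: 10.0.0.5 is the infected host, 10.0.0.7 is a benign client.
SAMPLE_FRAMES = [
    ("10.0.0.5", "10.0.0.9", trans2_request(TRANS2_SESSION_SETUP, 65)),
    ("10.0.0.9", "10.0.0.5", trans2_reply(65)),                            # clean target echoes MID 65
    ("10.0.0.5", "10.0.0.12", trans2_request(TRANS2_SESSION_SETUP, 65)),
    ("10.0.0.12", "10.0.0.5", trans2_reply(81)),                           # implant answers with MID 81
    ("10.0.0.7", "10.0.0.9", trans2_request(TRANS2_QUERY_PATH_INFO, 65)),  # ordinary Trans2 call
    ("10.0.0.9", "10.0.0.7", trans2_reply(65)),                            # same MID, but no probe: ignored
    ("10.0.0.5", "192.168.56.20", tree_connect_andx(SUSPICIOUS_TREE_PATH, 2, unicode=True)),
    ("10.0.0.7", "10.0.0.20", tree_connect_andx("\\\\FILESRV\\Public", 3)),
]
```

Running hunt(SAMPLE_FRAMES) yields five findings: the two probes from 10.0.0.5, the MID 65 reply from the clean host, the MID 81 reply from the already-implanted host, and the IPC$ tree connect; the benign client's Trans2 call and its reply, which carries the same MID 65, produce nothing because no SESSION_SETUP probe preceded them. On a real sensor you would feed this from the SMB payload after the 4-byte NetBIOS session header on port 445, and you would also count how many distinct targets each prober touches, since one host pinging dozens of neighbours within seconds is the fan-out that distinguishes a worm from a single exploit attempt.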
In a strange twist, the initial WannaCry variant contained a kill switch. Before doing anything else, the malware attempted an HTTP connection to a long, random-looking domain name. If the domain was unregistered and the connection failed, the infection proceeded. If, however, the domain resolved and answered, the malware stopped itself and exited.
This was likely intended as an anti-sandbox technique, since analysis sandboxes commonly answer every request a sample makes. A security researcher named Marcus Hutchins (MalwareTech) discovered this, registered the domain, and pointed it at a sinkhole server. That single action halted the spread of the original WannaCry worm on every host that could reach the domain, a massive win for the security community. Two caveats: machines without direct Internet access, or behind proxies that blocked the request, were still encrypted, and later variants shipped with different kill-switch domains or none at all.
WannaCry was a wake-up call. It demonstrated that we must be prepared to look beyond endpoint alerts and dig into the fundamental protocols that run our networks.
Know Your Core Protocols: SMB is essential for business operations. Are you capable of deep packet inspection and log analysis for protocols like SMB, DNS, and RDP?
Enhance Your Playbooks: Your incident response plans and threat hunting playbooks must include steps for analyzing low-level network data, not just reacting to EDR alerts.
Hunt for Anomalies: Don't just look for known bad signatures. Look for unusual behavior, such as rare function codes (the Trans2 SESSION_SETUP subcommand) or the infection checks the worm performs (Multiplex ID values of 65 and 81). This is the essence of proactive threat hunting.
By understanding the technical anatomy of major attacks like WannaCry, we can build a more resilient defense and be better prepared for whatever comes next.