WannaCry: The Ransomware Built on a Leaked NSA SMB Exploit


The Shadow Brokers Leak

The WannaCry story begins not with ransomware, but with a data leak. In April 2017, a group calling themselves the Shadow Brokers released a collection of hacking tools allegedly stolen from the NSA's Tailored Access Operations unit. Among these tools was an exploit called EternalBlue.

EternalBlue targeted a vulnerability in Microsoft's Server Message Block (SMB) protocol implementation, specifically the SMBv1 server. The vulnerability (CVE-2017-0144, one of the SMBv1 flaws fixed together in the MS17-010 bulletin) allowed unauthenticated remote code execution on any Windows machine with SMBv1 enabled and port 445 reachable. Microsoft had released the patch on March 14, 2017, one month before the Shadow Brokers release. But millions of systems had not applied it.

The Shadow Brokers also released DoublePulsar, a kernel-mode backdoor implant that EternalBlue could install. The implant lived inside the SMB server's request handling, answered to specially crafted Trans2 requests, and could inject DLLs or shellcode into user-mode processes on command. Together, these tools provided a complete exploitation chain: EternalBlue gained initial access, and DoublePulsar provided persistent remote control.

EternalBlue Explained

EternalBlue exploited a flaw in how the SMBv1 server driver (srv.sys) converts file extended attribute (FEA) lists from the OS/2 format to the NT format. The routine that computes the size of the converted list writes the adjusted length back into the list header with the wrong width (a 16-bit write into a 32-bit field), so the recorded length and the allocated buffer disagree and the subsequent conversion copies past the end of a non-paged pool allocation. The oversized FEA list was delivered through transaction requests, with the bulk of the data split across Transaction2 Secondary (Trans2) packets, which is why detection signatures for the exploit key on Trans2 traffic.

graph TD
    subgraph "EternalBlue Exploit Chain"
        A[Attacker] --> B[Send Crafted SMBv1 Packet]
        B --> C[Target Port 445]
        C --> D[Buffer Overflow in Trans2]
        D --> E[Kernel Memory Corruption]
        E --> F[Remote Code Execution]
        F --> G[DoublePulsar Backdoor Installed]
        G --> H[Full System Control]
    end
    subgraph "What Made It Devastating"
        I[No Authentication Required]
        J[No User Interaction Needed]
        K[Kernel-Level Access]
        L[Wormable - Self-Propagating]
    end

EternalBlue exploit chain - from a single SMB packet to full system compromise

By sending a specially crafted series of SMBv1 packets to port 445, an attacker could trigger a heap overflow in the kernel-mode SMB server driver's pool memory. The exploit first groomed the pool with additional SMB connections so that the overflow overwrote an adjacent connection structure, turning the corruption into control of a kernel function pointer and therefore arbitrary code execution in kernel mode. From there the payload could be injected into any process and run as SYSTEM; since the foothold is in the kernel itself, this is as much control as a Windows machine can give.

The exploit required no authentication, no user interaction, and no special conditions. Any Windows machine with SMBv1 enabled and port 445 reachable was vulnerable. This made it "wormable" - malware could use it to spread automatically from machine to machine across a network.
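The passages above describe EternalBlue and DoublePulsar from the attacker's side; the following is an added example (not code from the original post, and not WannaCry's, EternalBlue's or DoublePulsar's own code) of how a defender looks at the same traffic. It parses SMBv1 (CIFS) messages from reassembled TCP/445 payloads and flags three things: that SMBv1 is in use at all, that a server still accepts an SMBv1 dialect in its NEGOTIATE reply (the exposure condition the text describes), and the DoublePulsar fingerprint, a Trans2 SESSION_SETUP probe answered with Multiplex ID 0x51 instead of the echoed 0x41, which is what public DoublePulsar scanners such as the Nmap smb-double-pulsar-backdoor script key on. All packets are constructed inline in this file; the header layouts follow the SMBv1 specification, the field values in the sample packets are assumptions for illustration.

```python
"""Offline SMBv1 triage helpers: parse SMBv1 (CIFS) messages and flag the
signals an analyst looks for after EternalBlue/DoublePulsar. All packets
below are constructed in this file; nothing here touches the network."""
import struct
from dataclasses import dataclass

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TRANSACTION2_SECONDARY = 0x33
TRANS2_SESSION_SETUP = 0x000E      # Trans2 subcommand DoublePulsar answers to
DOUBLEPULSAR_REPLY_MID = 0x51      # a clean host echoes the request MID (0x41)
FLAGS_REPLY = 0x80                 # SMB header Flags bit: this is a server reply
NO_DIALECT = 0xFFFF                # NEGOTIATE reply: none of the offered dialects accepted

# 32-byte SMBv1 header after the 4-byte protocol ID: command, status, flags,
# flags2, pid_high, signature, reserved, tid, pid_low, uid, mid
HEADER_FMT = "<BIBHH8sHHHHH"
# Trans2 request: the 14 parameter words that precede the Setup[] array
TRANS2_PARAMS_FMT = "<HHHHBBHIHHHHHBB"


@dataclass
class Smb1Header:
    command: int
    flags: int
    mid: int
    body: bytes          # everything after the 32-byte header


def build_smb1(command: int, body: bytes, flags: int = 0, mid: int = 0x41) -> bytes:
    """Wrap a command body in an SMBv1 header plus the NetBIOS session header."""
    smb = SMB1_MAGIC + struct.pack(HEADER_FMT, command, 0, flags, 0, 0,
                                   b"\0" * 8, 0, 0, 0, 0, mid) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_smb1(packet: bytes):
    """Return an Smb1Header, or None when the bytes are not one complete SMBv1 message."""
    if len(packet) < 36 or packet[0] != 0:
        return None
    if int.from_bytes(packet[1:4], "big") != len(packet) - 4:
        return None
    smb = packet[4:]
    if smb[:4] != SMB1_MAGIC:                # 0xFE 'SMB' would be SMB2/3
        return None
    command, _status, flags, *_rest, mid = struct.unpack(HEADER_FMT, smb[4:32])
    return Smb1Header(command, flags, mid, smb[32:])


def trans2_subcommand(body: bytes):
    """First Setup[] word of a Trans2 request body, or None if malformed."""
    if len(body) < 31 or body[0] < 15:       # WordCount = 14 + SetupCount
        return None
    setup_count = struct.unpack(TRANS2_PARAMS_FMT, body[1:29])[13]
    if setup_count < 1:
        return None
    return struct.unpack_from("<H", body, 29)[0]


def build_trans2_session_setup() -> bytes:
    """Constructed Trans2 SESSION_SETUP request, the shape DoublePulsar scanners send."""
    params = struct.pack(TRANS2_PARAMS_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0)
    body = bytes([15]) + params + struct.pack("<HH", TRANS2_SESSION_SETUP, 0)  # setup word, ByteCount=0
    return build_smb1(SMB_COM_TRANSACTION2, body, mid=0x41)


def negotiated_dialect_index(packet: bytes):
    """DialectIndex from a NEGOTIATE reply (0xFFFF = nothing accepted), else None."""
    hdr = parse_smb1(packet)
    if hdr is None or hdr.command != SMB_COM_NEGOTIATE or not hdr.flags & FLAGS_REPLY:
        return None
    if len(hdr.body) < 3 or hdr.body[0] < 1:
        return None
    return struct.unpack_from("<H", hdr.body, 1)[0]


def classify(packet: bytes) -> list:
    """Findings for one reassembled TCP/445 payload; empty list for non-SMBv1."""
    hdr = parse_smb1(packet)
    if hdr is None:
        return []
    findings = ["smb1-in-use"]              # any SMBv1 on the wire belongs in the inventory
    is_reply = bool(hdr.flags & FLAGS_REPLY)
    if hdr.command == SMB_COM_NEGOTIATE and is_reply:
        idx = negotiated_dialect_index(packet)
        if idx is not None and idx != NO_DIALECT:
            findings.append("smb1-dialect-accepted")   # server still speaks SMBv1
    if hdr.command in (SMB_COM_TRANSACTION2, SMB_COM_TRANSACTION2_SECONDARY) and not is_reply:
        if trans2_subcommand(hdr.body) == TRANS2_SESSION_SETUP:
            findings.append("trans2-session-setup-probe")
    if hdr.command == SMB_COM_TRANSACTION2 and is_reply and hdr.mid == DOUBLEPULSAR_REPLY_MID:
        findings.append("doublepulsar-reply-mid-0x51")
    return findings


# Constructed samples: a scanner ping, an implant's reply, a clean reply, and a
# NEGOTIATE reply in which the server accepted dialect index 0.
SAMPLE_PROBE = build_trans2_session_setup()
SAMPLE_INFECTED_REPLY = build_smb1(SMB_COM_TRANSACTION2, bytes(3), flags=FLAGS_REPLY, mid=0x51)
SAMPLE_CLEAN_REPLY = build_smb1(SMB_COM_TRANSACTION2, bytes(3), flags=FLAGS_REPLY, mid=0x41)
SAMPLE_NEGOTIATE_OK = build_smb1(SMB_COM_NEGOTIATE, bytes([17]) + struct.pack("<H", 0) + bytes(33),
                                 flags=FLAGS_REPLY)

if __name__ == "__main__":
    for name, pkt in [("probe", SAMPLE_PROBE), ("infected", SAMPLE_INFECTED_REPLY),
                      ("clean", SAMPLE_CLEAN_REPLY), ("negotiate", SAMPLE_NEGOTIATE_OK)]:
        print(f"{name:10s} {classify(pkt)}")
```

In practice `classify` would be fed from a packet capture after TCP reassembly; the "smb1-dialect-accepted" finding is the one to chase during an inventory, because a server that still answers an SMBv1 NEGOTIATE is exposed to this whole bug class regardless of whether the specific MS17-010 fix is in place, and disabling SMBv1 removes the attack surface entirely.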

May 12, 2017

WannaCry began spreading on Friday, May 12, 2017. The ransomware combined EternalBlue for propagation with a conventional hybrid encryption payload. Once it landed on a machine, it encrypted each file with its own AES-128 key, wrapped those keys with an RSA-2048 key pair generated per victim, and protected the victim's private key with the attackers' hardcoded RSA-2048 public key, appending the .WNCRY extension to encrypted files (a little-noticed earlier variant from February 2017 had used .WCRY). It then displayed a ransom note demanding $300 in Bitcoin, rising to $600 after three days.

The speed of propagation was unprecedented. Within hours, WannaCry had infected systems in over 150 countries. By the end of the first day, estimates put the number of infected machines at over 200,000. The worm spread through internal networks and across the internet simultaneously, finding exposed SMBv1 services on both fronts.

graph TD
    subgraph "WannaCry Propagation"
        A[Initial Infection Vector] --> B[WannaCry Payload Executes]
        B --> C[Encrypt Local Files]
        B --> D[Scan Local Network for Port 445]
        B --> E[Scan Random Internet IPs for Port 445]
        D --> F[Exploit via EternalBlue]
        E --> F
        F --> G[Install DoublePulsar]
        G --> H[Download WannaCry Payload]
        H --> B
    end
    subgraph "Encryption"
        C --> I[AES-128 File Encryption]
        I --> J[RSA-2048 Key Encryption]
        J --> K[Ransom Note Displayed]
    end

WannaCry propagation and encryption - each infected machine became a launchpad for further infections

Organizations affected included Telefonica in Spain, FedEx in the United States, Deutsche Bahn in Germany, PetroChina, and Renault. But the most devastating impact was on the United Kingdom's National Health Service.

The NHS Impact

WannaCry hit the NHS at a particularly vulnerable moment. Early reporting blamed Windows XP, which Microsoft had stopped supporting with security patches in April 2014, three years before WannaCry, and XP was indeed still present on many trusts' clinical networks. Post-incident analysis showed, however, that the infected devices were overwhelmingly running Windows 7 that had not received MS17-010; unpatched XP machines tended to crash under the exploit rather than run the worm. Microsoft issued an emergency patch for XP once WannaCry began spreading, but by then the damage across NHS networks was already done.

The operational impact was severe. At least 81 of the 236 NHS trusts in England were affected (34 infected outright, the rest disrupted by precautionary shutdowns), along with 603 primary care and other NHS organisations, including 595 GP practices. Hospitals in multiple regions diverted ambulances to unaffected facilities. Non-emergency surgeries were cancelled. Doctors could not access patient records. Diagnostic equipment connected to infected networks went offline.

A National Audit Office report later found that the NHS had been warned about cybersecurity vulnerabilities before the attack. Patch management was inconsistent across trusts, and many organizations had not implemented basic security measures like network segmentation or removing end-of-life operating systems from clinical networks.

The total cost to the NHS was estimated at 92 million pounds, including IT recovery, lost output from cancelled appointments, and the emergency response. More importantly, the attack demonstrated that cyberattacks on healthcare infrastructure could directly threaten patient safety.

The Accidental Kill Switch

On the same day WannaCry began spreading, a 22-year-old security researcher known as MalwareTech (later identified as Marcus Hutchins) discovered an unexpected feature in the ransomware's code. Before encrypting files, WannaCry attempted to connect to a specific unregistered domain name. If the connection succeeded, the malware stopped executing. If it failed (because the domain did not exist), WannaCry proceeded with encryption.

Hutchins registered the domain for approximately $10.69, and suddenly WannaCry stopped encrypting files on new infections worldwide. The domain check was a kill switch - likely intended by the malware's developers as an anti-analysis measure (sandbox environments often resolve all domains to an internal IP, so the check would succeed in a sandbox, causing the malware to exit before analysts could study its behavior).

The kill switch did not help systems already infected, and it did not prevent variants with the domain check removed from appearing within days. It also did nothing for hosts behind an HTTP proxy: the check opened a direct connection and ignored the system's proxy settings, so on proxied corporate networks the lookup still failed and the malware still ran even after the domain was registered. But it dramatically slowed the initial wave and prevented what could have been significantly worse damage.
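Because the domain check runs before anything else, a DNS query for the kill-switch name is the earliest and most reliable host-level indicator that the dropper executed, whether or not encryption followed. The following is an added example (not code from the original post or from any WannaCry analysis tooling) that hunts resolver logs for those lookups and produces a triage list of clients. The log format ("timestamp client query TYPE name") and the sample lines are assumptions constructed for the example; the domain listed is the one from the original May 12 sample, and the set should be extended from your own threat intelligence for later variants.

```python
"""Hunt DNS resolver logs for the WannaCry kill-switch lookup. A client that
queried the domain ran the dropper; whether it then encrypted depends on
whether the lookup succeeded. Assumed log shape: 'timestamp client query TYPE name'."""
from collections import defaultdict

# Domain from the original 12 May 2017 sample (later variants used other names);
# extend this set from your own threat intel.
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Constructed sample log lines (not real telemetry). Note the upper-case,
# trailing-dot spelling on 10.20.30.88, which naive string matching would miss.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:02Z 10.20.30.41 query A www.example.com
2017-05-12T10:03:15Z 10.20.30.77 query A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:03:16Z 10.20.30.77 query A www.example.com
2017-05-12T10:07:40Z 10.20.30.88 query A IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T10:07:41Z 10.20.30.88 query A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
malformed line that should be skipped
2017-05-12T10:09:00Z 10.20.30.41 query A updates.example.net
"""


def normalize_name(name: str) -> str:
    """Case-fold and strip the trailing dot so 'EXAMPLE.COM.' matches 'example.com'."""
    return name.strip().rstrip(".").lower()


def parse_line(line: str):
    """Return (timestamp, client, qname) or None for lines not in the assumed shape."""
    parts = line.split()
    if len(parts) < 5 or parts[2] != "query":
        return None
    return parts[0], parts[1], normalize_name(parts[4])


def find_kill_switch_queries(log_text: str, domains=KILL_SWITCH_DOMAINS) -> dict:
    """Map client IP -> list of timestamps at which it queried a kill-switch domain."""
    targets = {normalize_name(d) for d in domains}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in targets:
            hits[rec[1]].append(rec[0])
    return dict(hits)


def summarize(log_text: str, domains=KILL_SWITCH_DOMAINS) -> list:
    """(client, query_count, first_seen) tuples, earliest first: the triage order."""
    hits = find_kill_switch_queries(log_text, domains)
    rows = [(ip, len(ts), min(ts)) for ip, ts in hits.items()]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for ip, n, first in summarize(SAMPLE_DNS_LOG):
        print(f"{ip}\tqueries={n}\tfirst_seen={first}")
```

Two caveats follow directly from the text above. The logs must come from the internal resolver that clients actually use, since an upstream resolver only sees your forwarder's address; and a proxied host that never reached DNS at all will be absent from this list even though the malware ran on it, so the DNS hunt complements, rather than replaces, host-based and SMB-traffic checks.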

Propagation Mechanics

WannaCry's propagation worked on two levels simultaneously. On local networks, the worm scanned the machine's own subnet for hosts with port 445 open and, for each one, first checked whether DoublePulsar was already present (in which case it used the implant to load its payload) and otherwise ran the EternalBlue exploit. This allowed rapid lateral movement within organizations - once a single machine was infected, the entire flat network was at risk.

On the internet, WannaCry generated random IP addresses and attempted to connect to port 445. This was less efficient than local network scanning (most random IPs do not have port 445 exposed), but the sheer volume of infected machines scanning simultaneously meant new victims were found continuously.

The combination of internet-facing and lateral propagation created a feedback loop. Internet scanning found entry points into new organizations, and lateral movement compromised the internal network. Each newly compromised machine then began its own internet scanning, finding more organizations.

Attribution and Aftermath

In December 2017, the United States, United Kingdom, Australia, Canada, New Zealand, and Japan formally attributed WannaCry to North Korea, specifically the Lazarus Group (also known as Hidden Cobra). The attribution was based on code similarities between WannaCry and previous Lazarus Group tools, shared infrastructure, and signals intelligence.

Despite infecting hundreds of thousands of machines, WannaCry generated relatively little ransom revenue - approximately $140,000 in Bitcoin. The ransomware's payment mechanism was poorly designed: all victims were directed to one of three hardcoded Bitcoin wallets, making it difficult for the attackers to determine which victims had paid and should receive decryption keys. This suggested that WannaCry may have been deployed prematurely or that ransom collection was not the primary objective.

In September 2018 the US Department of Justice unsealed a criminal complaint charging Park Jin Hyok, a North Korean programmer alleged to work for a front company of the Reconnaissance General Bureau, in connection with WannaCry, the 2014 Sony Pictures attack, and the 2016 Bangladesh Bank heist. A February 2021 indictment added two further North Korean operators to the same Lazarus Group case. None of the three is in US custody; Park is believed to be in North Korea.

The Patch Management Lesson

The most painful lesson of WannaCry is that the patch was available before the attack. Microsoft released MS17-010 on March 14, 2017. WannaCry struck on May 12, 2017. Organizations had two months to apply a critical security update - and hundreds of thousands of systems were still unpatched.

graph LR
    subgraph "The WannaCry Timeline"
        A[Mar 14 - MS17-010 Patch Released] --> B[Apr 14 - Shadow Brokers Leak EternalBlue]
        B --> C[May 12 - WannaCry Strikes]
        C --> D[May 12 - Kill Switch Activated]
        D --> E[May 13 - Emergency XP Patch]
        E --> F[Dec 2017 - North Korea Attribution]
    end

WannaCry timeline - a two-month patching window was missed by hundreds of thousands of systems

The reasons for delayed patching are familiar: fear of breaking production systems, lack of testing environments, understaffed IT teams, legacy systems that cannot be updated, and organizational inertia. But WannaCry demonstrated the cost of these delays in concrete terms: cancelled surgeries, halted production lines, and billions of dollars in damages.

For security professionals conducting network assessments, identifying unpatched and SMBv1-exposed systems is a foundational task: an authenticated inventory of installed updates, or an unauthenticated scan for hosts on port 445 that still negotiate an SMBv1 dialect, is the direct check for this class of exposure. Tools like the BLEShark Nano cover a different surface; they map the Bluetooth and wireless environment during physical security assessments, revealing devices that may be running outdated firmware or connecting to networks without proper segmentation. Either way, understanding what is on your network - and what state it is in - remains the essential first step in preventing the next WannaCry.
