Hands-on Cybersecurity Studies: Multi-Perspective Analysis of the WannaCry Ransomware
In-depth analysis of malware provides strategy to defend against future attacks.
Ransomware is malware that obstructs a user from accessing digital assets through various mechanisms. These assets are held hostage and inaccessible until the user pays a ransom. In most cases, this is accomplished using encryption where, once the malicious program executes, it will target and encrypt certain files and will release the decryption key at the time of payment. Some ransomware instances target only certain common user-generated files such as media and documents. In this case, system files and others required for the operating system to function correctly (user authentication, process execution, etc.) are unaffected. Others encrypt much more and seek to lock out entire systems.
The spread of ransomware is accomplished through various channels including business applications, USB drives, websites, and especially email. From 2016–2018, the number of emails carrying ransomware increased by 6,000%.
WannaCry is ransomware that was originally released in May 2017. WannaCry demanded ransoms be paid in the form of bitcoin, in attempts to preserve anonymity. Although different for variants of WannaCry, the initial amount started at $300 worth of bitcoin and increased to $600 after 72 h. After 7 days, the files were permanently inaccessible.
While the WannaCry binary file can be spread through email—in which case, a user downloads and executes the file— it can also spread without human intervention because it takes advantage of unpatched Windows Operating Systems that have the Server Message Block version 1 (SMBv1) service enabled (typically used for file sharing). Certain variants of WannaCry would test, before spreading, whether a Domain Name Server (DNS) entry to a specific URL could be resolved. If resolved, then the malware would halt; otherwise, it would spread. This was known as the WannaCry kill switch and was identified a few days after its launch, which helped to slow the spread of the malware. However, hours later, other variants, with the removed kill switch, were released and continued to spread and infect victim machines.
This research involves a multi-perspective analysis of the WannaCry ransomware in the form of a cybersecurity exercise. The setup, configuration, and analysis is based on Colin Hardy’s walkthrough of identifying different ways of finding the malware’s kill switch - the mechanism that makes the ransomware stop spreading. A sandbox environment was set up to run and investigate the WannaCry ransomware sample consisting of:
Ubuntu 16 LTS laptop with 7th generation i7 processor and 16 GB RAM
VirtualBox 5.2.6
Two Windows 7 Professional 64-bit Virtual Machines
IDA Pro Free (version 5.0)
Wireshark (version 2.6.6)
WannaCry malware variant with MD5 Hash:db349b97c37d22f5ea1d1841e3c89eb4
VirtualBox was used to create a virtual machine with an unpatched version of Windows 7 (containing MS17010) called victim. The WannaCry malware was copied onto the desktop and a text file named TextFile.txt was created on the desktop that contained the following string: “This is just some random text. Nothing encrypted”. A cloned copy of this machine was created and called clean.
The Internet Information Services (IIS) web server that comes with Windows 7 Professional was then installed and the patch for MS17-010 was applied on clean. Both virtual machines were configured to use a single common VirtualBox internal network named intnet_WannaCry. This allowed the virtual machines to communicate only with each other and not with any outside devices.
As part of WannaCry’s kill switch validation logic, when it is first instantiated, it will attempt to query a DNS address only if the machine has an active network interface card with an IP address. Since network analysis is one perspective of the exercise, IP addresses were set up on both the victim and clean machines (11.0.0.100 and 11.0.0.101, respectively). As the final setup step, a snapshot of both virtual machines was captured.
This work was done by Adriana Escobar de la Torre and Salamah Salamah of the University of Texas at El Paso, and Jaime C. Acosta for the Army Research Laboratory. ARL-0220
This Brief includes a Technical Support Package (TSP).
Hands-On Cybersecurity Studies: Multi-Perspective Analysis of the WannaCry Ransomware
(reference ARL-0220) is currently available for download from the TSP library.
Don't have an account?
More From SAE Media Group
Automotive Engineering
Cybersecurity Expert Says Crowdstrike and CDK Global Incidents Serve as Wake-Up Calls
Aerospace & Defense Tech Briefs
The FACE™ of Military Modernization
Tech Briefs
Facility Focus: Georgia Tech Research Institute
Aerospace & Defense Tech Briefs
Developing and Validating Statistical Cyber Defenses
Aerospace & Defense Tech Briefs
Cloud Security & Compliance
Aerospace & Defense Tech Briefs
Automation Streamlines Accreditation to Speed Aerospace and Defense Technology Deployment
Automotive Engineering
Cybersecurity Firm Enlists AI in Battle as Threats Increase
Off-Highway Engineering
Securing CAN Networks in Commercial Vehicles
Medical Design Briefs
Securing the Future of Healthcare through the Right Cybersecurity Architecture
Aerospace & Defense Tech Briefs
Low-Cost Ground Sensor Network for Intrusion Detection
Aerospace & Defense Tech Briefs
DPA Countermeasures — Theory vs. Practice
Aerospace & Defense Tech Briefs
Information Warfare: Staying Protected at the Edge
Tech Briefs
Hacker-Resistant Cloud Software System
Medical Design Briefs
Proactive Cybersecurity Saves Healthcare Organizations from Data Breaches
Aerospace & Defense Tech Briefs
Robotic Combat Vehicles: Putting the Brains Behind the Brawn
Off-Highway Engineering
AI Moves into Military Boards and Subsystems
Aerospace & Defense Tech Briefs
In-Network Processing on Low-Cost IoT Nodes for Maritime Surveillance
Off-Highway Engineering
Allison Advances Commercial-Vehicle Electronic Controls
Aerospace & Defense Tech Briefs
Operating System Software
Aerospace & Defense Tech Briefs
Cyber Risk Assessment and Scoring Model for Small Unmanned Aerial Vehicles
Aerospace & Defense Tech Briefs
Deterministic and Modular Architecture for Embedded Vehicle Systems
Automotive Engineering
'Function on Demand' Brings Opportunities, Security Challenges
Automotive Engineering
OTA Will Drive Cybersecurity Programs
Overview
The technical report titled "Hands-on Cybersecurity Studies: Multi-Perspective Analysis of the WannaCry Ransomware," authored by Jaime C Acosta, Adriana Escobar de la Torre, and Salamah Salamah, was published by the US Army Research Laboratory in January 2019. This report provides a detailed examination of the WannaCry ransomware, which emerged in May 2017 and caused significant disruptions globally due to the exploitation of unpatched software vulnerabilities.
The report begins with an introduction to the WannaCry ransomware, outlining its operational mechanics and the impact it had on various organizations. It emphasizes the importance of understanding such malware to develop effective countermeasures. The authors present a structured educational exercise designed to help readers set up and analyze the ransomware. This exercise includes multiple perspectives, such as system observation, network packet analysis, and reverse engineering, allowing participants to gain a comprehensive understanding of the malware's behavior and effects.
Key components of the report include a step-by-step guide for conducting the analysis, which is divided into activities. Activity 1 focuses on the analysis of the ransomware, where participants learn to identify its characteristics and operational patterns. Activity 2 involves implementing a "kill switch," a critical mechanism that can halt the spread of the malware. This practical approach not only enhances theoretical knowledge but also equips participants with hands-on experience in dealing with real-world cybersecurity threats.
The report also discusses near-term fixes to mitigate the spread of WannaCry, highlighting the importance of immediate responses to cyber threats. Additionally, it outlines longer-term strategies and best practices for organizations to protect themselves against similar malware in the future. These recommendations include regular software updates, employee training on cybersecurity awareness, and the implementation of robust security protocols.
Overall, the report serves as a valuable resource for cybersecurity professionals, educators, and students, providing insights into the WannaCry ransomware and practical exercises to enhance cybersecurity skills. It underscores the necessity of proactive measures in cybersecurity and the continuous need for education and preparedness in the face of evolving cyber threats. The document is approved for public release, ensuring that its findings and recommendations are accessible to a wider audience.
Top Stories
INSIDERRF & Microwave Electronics
FAA to Replace Aging Network of Ground-Based Radars
PodcastsDefense
A New Additive Manufacturing Accelerator for the U.S. Navy in Guam
NewsSoftware
Rewriting the Engineer’s Playbook: What OEMs Must Do to Spin the AI Flywheel
Road ReadyPower
2026 Toyota RAV4 Review: All Hybrid, All the Time
INSIDERDefense
F-22 Pilot Controls Drone With Tablet
INSIDERRF & Microwave Electronics
L3Harris Starts Low Rate Production Of New F-16 Viper Shield
Webcasts
Energy
Hydrogen Engines Are Heating Up for Heavy Duty
Energy
SAE Automotive Podcast: Solid-State Batteries
Power
SAE Automotive Engineering Podcast: Additive Manufacturing
Aerospace
A New Approach to Manufacturing Machine Connectivity for the Air Force
Software
Optimizing Production Processes with the Virtual Twin
