Hands-on Cybersecurity Studies: Multi-Perspective Analysis of the WannaCry Ransomware

In-depth analysis of malware provides strategy to defend against future attacks.

Ransomware is malware that obstructs a user from accessing digital assets through various mechanisms. These assets are held hostage and inaccessible until the user pays a ransom. In most cases, this is accomplished using encryption where, once the malicious program executes, it will target and encrypt certain files and will release the decryption key at the time of payment. Some ransomware instances target only certain common user-generated files such as media and documents. In this case, system files and others required for the operating system to function correctly (user authentication, process execution, etc.) are unaffected. Others encrypt much more and seek to lock out entire systems.

WannaCry Infection Notice Window

The spread of ransomware is accomplished through various channels including business applications, USB drives, websites, and especially email. From 2016–2018, the number of emails carrying ransomware increased by 6,000%.

WannaCry is ransomware that was originally released in May 2017. WannaCry demanded ransoms be paid in the form of bitcoin, in attempts to preserve anonymity. Although different for variants of WannaCry, the initial amount started at $300 worth of bitcoin and increased to $600 after 72 h. After 7 days, the files were permanently inaccessible.

While the WannaCry binary file can be spread through email—in which case, a user downloads and executes the file— it can also spread without human intervention because it takes advantage of unpatched Windows Operating Systems that have the Server Message Block version 1 (SMBv1) service enabled (typically used for file sharing). Certain variants of WannaCry would test, before spreading, whether a Domain Name Server (DNS) entry to a specific URL could be resolved. If resolved, then the malware would halt; otherwise, it would spread. This was known as the WannaCry kill switch and was identified a few days after its launch, which helped to slow the spread of the malware. However, hours later, other variants, with the removed kill switch, were released and continued to spread and infect victim machines.

This research involves a multi-perspective analysis of the WannaCry ransomware in the form of a cybersecurity exercise. The setup, configuration, and analysis is based on Colin Hardy’s walkthrough of identifying different ways of finding the malware’s kill switch - the mechanism that makes the ransomware stop spreading. A sandbox environment was set up to run and investigate the WannaCry ransomware sample consisting of:

  • Ubuntu 16 LTS laptop with 7th generation i7 processor and 16 GB RAM

  • VirtualBox 5.2.6

  • Two Windows 7 Professional 64-bit Virtual Machines

  • IDA Pro Free (version 5.0)

  • Wireshark (version 2.6.6)

  • WannaCry malware variant with MD5 Hash:db349b97c37d22f5ea1d1841e3c89eb4

VirtualBox was used to create a virtual machine with an unpatched version of Windows 7 (containing MS17010) called victim. The WannaCry malware was copied onto the desktop and a text file named TextFile.txt was created on the desktop that contained the following string: “This is just some random text. Nothing encrypted”. A cloned copy of this machine was created and called clean.

The Internet Information Services (IIS) web server that comes with Windows 7 Professional was then installed and the patch for MS17-010 was applied on clean. Both virtual machines were configured to use a single common VirtualBox internal network named intnet_WannaCry. This allowed the virtual machines to communicate only with each other and not with any outside devices.

As part of WannaCry’s kill switch validation logic, when it is first instantiated, it will attempt to query a DNS address only if the machine has an active network interface card with an IP address. Since network analysis is one perspective of the exercise, IP addresses were set up on both the victim and clean machines ( and, respectively). As the final setup step, a snapshot of both virtual machines was captured.

This work was done by Adriana Escobar de la Torre and Salamah Salamah of the University of Texas at El Paso, and Jaime C. Acosta for the Army Research Laboratory. ARL-0220

This Brief includes a Technical Support Package (TSP).
Document cover
Hands-On Cybersecurity Studies: Multi-Perspective Analysis of the WannaCry Ransomware

(reference ARL-0220) is currently available for download from the TSP library.

Don't have an account? Sign up here.