{
	"id": "25d6ac81-3f3b-4e5a-852e-b89f9b77bb67",
	"created_at": "2026-04-06T00:15:16.37762Z",
	"updated_at": "2026-04-10T03:26:53.30622Z",
	"deleted_at": null,
	"sha1_hash": "856d9d72dac9d2c51a5f4f779cb6f22f6893ce43",
	"title": "How did the WannaCry ransomworm spread?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 736579,
	"plain_text": "How did the WannaCry ransomworm spread?\r\nPublished: 2017-05-18 · Archived: 2026-04-05 15:09:22 UTC\r\nSecurity researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. News of the infection and the subsequent viral images showing everything from large display terminals to kiosks being affected created pandemonium in ways that haven’t been seen since possibly the MyDoom worm circa 2004.\r\nNews organizations and other publications were inundating security companies for information to provide to the general public – and some were all too happy to oblige. Information quickly spread that a malicious spam campaign had been responsible for circulating the malware. This claim will usually be a safe bet, as ransomware is often spread via malicious spam campaigns. Admittedly, we also first thought the campaign may have been spread by spam and subsequently spent the entire weekend poring through emails within the Malwarebytes Email Telemetry system searching for the culprit. But like many others, our traps came up empty.\r\nClaims of WannaCry being distributed via email may have been an easy mistake to make. Not only was the malware outbreak occurring on a Friday afternoon, but around the same time a new ransomware campaign was being heavily distributed via malicious email and the popular Necurs botnet. We recently wrote about the Jaff ransomware family and the spam campaign that was delivering it.\r\nSome may have seen the rash of news occurring on their feeds, an uptick in ransomware-themed document malware in their honeypots, and then jumped to conclusions as a way to be first with the news.\r\nBut here at Malwarebytes we try not to do that. 
And now, after a thorough review of the collected information, on behalf of the entire Malwarebytes Threat Intelligence team, we feel confident in saying those speculations were incorrect.\r\nIndeed, the ‘ransomworm’ that took the world by storm was not distributed via an email malspam campaign. Rather, our research shows this nasty worm was spread via an operation that hunts down vulnerable public-facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network, and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry ransomware.\r\nWe will present information to support this claim by analyzing the available packet captures, binary files, and content from within the information contained in The Shadow Brokers dump, and correlating what we know thus far regarding the malware infection vector.\r\nHere’s what we know\r\nhttps://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/\r\nPage 1 of 6\n\nEternalBlue\r\nEternalBlue is an SMB exploit affecting various Windows operating systems from XP to Windows 7 and various flavors of Windows Server 2003 \u0026 2008. The exploit technique is known as heap spraying and is used to inject shellcode into vulnerable systems, allowing for exploitation of the system. The code is capable of targeting vulnerable machines by IP address and attempting exploitation via SMB port 445. The EternalBlue code is closely tied with the DoublePulsar backdoor and even checks for the existence of the malware during the installation routine.\r\nEternalBlue checks for DoublePulsar\r\nEternalBlue strings\r\nBits of information obtained by reviewing the EternalBlue-2.2.0.exe file help demonstrate the expected behavior of the software. 
The screenshot above shows that the malware:\r\nSends an SMB Echo request to the targeted machine\r\nSets up the exploit for the target architecture\r\nPerforms SMB fingerprinting\r\nAttempts exploit\r\nIf successful exploitation occurs, WIN\r\nPings the backdoor to get an SMB reply\r\nAnd if the backdoor is not installed, it’s game on!\r\nThe ability of this code to beacon out to other potential SMB targets allows for propagation of the malicious code to other vulnerable machines on connected networks. This is what made the WannaCry ransomware so dangerous. The ability to spread and self-propagate causes widespread infection without any user interaction.\r\nDoublePulsar\r\nDoublePulsar is the backdoor whose presence EternalBlue checks for; the two are closely tied together.\r\nThis particular malware uses an APC (Asynchronous Procedure Call) to inject a DLL into the user-mode process lsass.exe. Once injected, exploit shellcode is installed to help maintain persistence on the target machine. After verifying a successful installation, the backdoor code can be removed from the system.\r\nDoublePulsar Parameters\r\nThe purpose of the DoublePulsar malware is to establish a connection allowing the attacker to exfiltrate information and/or install additional malware (such as WannaCry) to the system. These connections allow an attacker to establish a Ring 0 level connection via SMB (TCP port 445) and/or RDP (TCP port 3389) protocols.\r\nA high-level view of a compromised machine in Argentina (186.61.18.6) that attacked the honeypot:\r\nThe widely publicized kill-switch domain is present in the pcap file. As was reported, the malware made a DNS request to this site. 
Until @MalwareTech inadvertently shut down the campaign by registering the domain, the malware would use this as a mechanism to determine if it should run.\r\nDNS lookup to Sinkhole\r\nThe SMB traffic is also clearly visible in the capture. These SMB requests are checking for vulnerable machines using the exploit code above.\r\nSMB Requests\r\nThe exploit sends an SMB ‘trans2 SESSION_SETUP’ request to the infected machine. According to SANS, this is short for Transaction 2 Subcommand Extension and is a function of the exploit. This request can determine if a system is already compromised and will issue different response codes to the attacker indicating ‘normal’ or ‘infected’ machines.\r\nDiving into the .pcap a bit more, we can indeed see this SMB Trans2 command and the subsequent response code of 81, which indicates an infected system. If the attacker receives this code in response, then the SMB exploits can be used as a means to covertly exfiltrate data or install software such as WannaCry.\r\nTrans2 Multiplex ID\r\nPutting it all together\r\nThe information we have gathered by studying the DoublePulsar backdoor capabilities allows us to link this SMB exploit to the EternalBlue SMB exploit. It’s really not hard to do so, as both were patched. 
Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public-facing SMB ports and, once located, used the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks.\r\nDeveloping a well-crafted campaign to identify even a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and speed that we saw with this particular ransomware variant.\r\nSo what did we learn?\r\nDon’t jump to conclusions. Malware analysis is difficult, and it can take some time to determine attribution to a specific group and/or to assess the functionality of a particular campaign – especially late on a Friday (which, BTW, can all you hackers quit making releases on Fridays!!). First comes stopping the attack; second comes analyzing the attack. Remember, patience is a virtue.\r\nUpdate, update, UPDATE! Microsoft released patches for these exploits prior to their weaponization. Granted, patches weren’t available for all operating systems, but the patch was available for the vast majority of machines. This event even forced Microsoft to release a patch for the long-ago EOL Windows XP – which gets back to the first thing that was said. UPDATE! Why are there still machines on XP!? These machines are vulnerable to the ransomware functionality of this attack (and to much more beyond it), and they need to be updated.\r\nDisable unnecessary protocols. SMB is used to transfer files between computers. The setting is enabled on many machines but is not needed by the majority. 
Disable SMB and other communications protocols if not in use.\r\nNetwork segmentation is also a valuable suggestion, as such precautions can prevent outbreaks like this from spreading to other systems and networks, thus reducing exposure of important systems.\r\nAnd finally, don’t hoard exploits. Microsoft president Brad Smith used this event to call out the ‘nations of the world’ to not stockpile flaws in computer code that could be used to craft digital weapons.\r\nThat reminds me of an article I wrote a few years ago (and which was substantially cut for length) about Hacking Team and the government-sanctioned use of exploits.\r\nHack Me: A Geopolitical Analysis of the Government Use of Surveillance Software\r\nI guess things haven’t changed…\r\nSource: https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/"
	],
	"report_names": [
		"how-did-wannacry-ransomworm-spread"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/856d9d72dac9d2c51a5f4f779cb6f22f6893ce43.pdf",
		"text": "https://archive.orkl.eu/856d9d72dac9d2c51a5f4f779cb6f22f6893ce43.txt",
		"img": "https://archive.orkl.eu/856d9d72dac9d2c51a5f4f779cb6f22f6893ce43.jpg"
	}
}