The Evolution of WannaCry

Josh Lemon
Article by Josh Lemon

Digital Forensics and Incident Response Managing Director & Certified SANS Instructor

Following a presentation I did for a SANS community night in Melbourne Australia recently, I had a lot of attendees ask if I could provide the graphical timeline that I presented which showed the events leading up to the discovery of WannaCry in May 2017. Below is that timeline with events unique to the WannaCry variant that got a lot of attention in the mainstream news in May 2017. I've tried not to dive too far down the rabbit hole of the EternalBlue exploit, and its use in other malware - which is most certainly occurring in the wild. I've tried to stick with the WannaCry ransomware variant and its development over the course of 2017. If new information comes to light about WannaCry and its development, or a friendly reader notices I've missed something, I'll add it back into this timeline with an "update" tag.

16th January 2017

US-CERT released a new SMB Security Best Practices article on their website, telling the public that "...legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems" and urging users to consider "disabling SMBv1".

US-CERT SMB Security Best Practices article
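For readers who want to act on that US-CERT advice, here is an added PowerShell example (my own, not code from the article or from US-CERT) that audits whether a Windows host still has SMBv1 on the server side, as an installed component, or as the legacy client redirector, and can then disable it. It assumes an elevated PowerShell 5.1 session on Windows 10 / Server 2016 or later with the SmbShare module available; the feature name differs by edition (SMB1Protocol on client editions, FS-SMB1 on server editions), so both are probed.

```powershell
# Added example, not code from the original article: audit (and, on request, remove)
# SMBv1 on a Windows host, in line with the US-CERT advice quoted above.
# Assumptions: elevated PowerShell 5.1 on Windows 10 / Server 2016 or later,
# SmbShare module present (Get-/Set-SmbServerConfiguration).

function Get-Smb1Status {
    [CmdletBinding()]
    param()

    # Server side: does the file server service still accept SMB1?
    $serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Is the SMB1 component installed? Client editions expose it as the
    # SMB1Protocol optional feature, server editions as the FS-SMB1 role feature.
    $clientFeature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $serverFeature = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $serverFeature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    }
    $featureInstalled = ($clientFeature -and $clientFeature.State -eq 'Enabled') -or
                        ($serverFeature -and $serverFeature.Installed)

    # Client side: the legacy SMB1 redirector driver (mrxsmb10).
    # Absent or StartType 'Disabled' is the state we want.
    $redirector = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue
    $clientSmb1 = if ($redirector) { $redirector.StartType -ne 'Disabled' } else { $false }

    $finding = if ($serverSmb1 -or $featureInstalled -or $clientSmb1) {
        'SMBv1 present: disable it and confirm the MS17-010 update is installed'
    } else {
        'SMBv1 not present'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        ServerSmb1Enabled    = [bool]$serverSmb1
        Smb1FeatureInstalled = [bool]$featureInstalled
        ClientSmb1Enabled    = [bool]$clientSmb1
        Finding              = $finding
    }
}

function Disable-Smb1 {
    # Applies the US-CERT recommendation. Supports -WhatIf so it can be dry-run
    # under change control. Removing the feature needs a reboot to take effect.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 on the SMB server')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove the SMB1Protocol optional feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable the SMB1 client redirector (mrxsmb10)')) {
        # Drop the SMB1 redirector from the workstation service dependencies and
        # stop the driver from starting, as documented by Microsoft for the SMB1 client.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
}

# Usage: report first, then dry-run the change before applying it for real.
Get-Smb1Status | Format-List
Disable-Smb1 -WhatIf
```

Run the audit across a fleet (for example with `Invoke-Command -ComputerName`) and treat any host reporting SMBv1 present as both unpatched-exposure and legacy-protocol risk; the audit is read-only, and `Disable-Smb1` only changes anything when run without `-WhatIf`.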

9th February 2017 - 16:58 (UTC)

A malware researcher known as "S!Ri" tweets about the first discovery of a new ransomware variant that uses the ".wcry" extension for the files it encrypts on disk.

S!Ri Twitter post on wcry

14th March 2017

Microsoft publishes Security Bulletin MS17-010 for a Critical vulnerability that "could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server". Microsoft acknowledge "the security community" for providing details of the vulnerability, but omit any acknowledgement from their Acknowledgements - 2017 page.

Microsoft Security Bulletin MS17-010

Microsoft Acknowledgments Page

26th March 2017 - 13:06 (UTC)

Karsten Hahn, a Malware Analyst at GData, tweets about a new variant of ransomware that uses the file "!WannaCryptor!.bmp" as the ransom message on infected machines.

Karsten Hahn Twitter post on WannaCryptor

15th April 2017

The group known as Shadow Brokers releases a number of exploitation tools and techniques on Steemit, including an exploit code-named "ETERNALBLUE" that is described as capable of "Remote Exploit via SMB & NBT (Windows XP to Windows 2012)".

Shadow Brokers post on Steemit

10th May 2017

Exploit developer Juan Sacco publishes an exploit for a Remote Code Execution (RCE) vulnerability patched as part of Microsoft's update MS17-010.

Exploit-DB MS17-010

11th May 2017 - 15:24 (UTC)

The Malware Hunter Team tweet a message about a newly discovered version of WannaCry. This version has the EternalBlue exploit (released on 15th April 2017) integrated into it and scans for other machines vulnerable to EternalBlue (patched as part of MS17-010 on 14th March 2017) in order to infect them with this variant of WannaCry. However, at the time of this tweet, the worm-like behaviour and destructive nature are not yet known.

Malware Hunter Team WannaCry Tweet

11th May 2017 - 21:31 (UTC)

The WannaCry sample identified by Malware Hunter Team appears on VirusTotal with only 13 out of 61 AntiVirus engines detecting it as malicious the first time it is uploaded.

WannaCry Detection on VirusTotal

12th May 2017 - 13:35 (UTC)

The Lancashire Evening Post are the first to report on WannaCry impacting the NHS in London.

Lancashire Evening Post NHS Story

12th May 2017

US-CERT release the first version of an Alert article titled Indicators Associated With WannaCry Ransomware. A number of changes are made to this alert in the following days as indicators for the ransomware are updated.

US-CERT Indicators Associated With WannaCry Ransomware

15th May 2017 - 00:02 (UTC)

Neel Mehta, a researcher at Google, tweets a message about a similarity in the SSL cipher suite used by the WannaCry sample from February 2017 and by a malicious backdoor tool used in February 2015 by the APT known as Lazarus Group. This does not directly link the sample used in the WannaCry variant from May 2017.

Neel Mehta Attribution Tweet

(UPDATED) 14th June 2017 - 21:56 (UTC)

The Washington Post publishes an article saying that the NSA has an internal report which states with "moderate confidence" that North Korea was behind WannaCry; however, the article cites only an "individual familiar with the report" as evidence.

Washington Post Story

Slightly modified versions of WannaCry are discovered following this; however, these are suspected of having been altered by researchers trying to test and understand the ransomware, and by cybercriminals trying to make money off the WannaCry outbreak. No significant code change is discovered in any of the new WannaCry ransomware samples.