ASSIGNMENT 1
The WannaCry Case Study
CSI3350 Enterprise Security and Governance
Name:
Nathan Octavian Luminto
Student ID: 10628668
Lecturer:
John Han LEE
Table of Contents
Executive Summary
Chronology of National Health Service
    Events
    The Aftermath
How it happened
    Cyber Kill Chain
    The Attacker
Root Cause of the incident
    Unpatched System
    The Vulnerabilities
    The Response by NHS
    Threat Actor
How to prevent
    Technical
    Political
    Social
    Importance of Cyber Security
Conclusion
Reference List
Executive Summary
Modern society depends heavily on interactive devices. Laptops, PCs and mobile phones connect people to the internet, a worldwide network that lets users communicate with people in remote areas and in other countries, hold meetings online, trade goods, and upload and download files. This technology has become essential for companies to grow and operate.
Because of that reliance there will always be cyber attacks by criminals who want to disrupt business operations, and most of them also want to profit from it. One of the most profitable methods is ransomware: malicious software that encrypts or locks important files so that the owner can no longer access them unless a ransom is paid. The attacker usually sets a deadline after which the price rises or the files are claimed to be unrecoverable. The time limit is a deliberate psychological tactic that denies victims the chance to judge the situation calmly. Some victims who pay do get their data back, but there are many cases where a victim paid and never recovered anything, so the standard advice is not to pay: there is no guarantee, and the worst case is losing both the files and the money paid out of desperation.
One of the most widespread ransomware incidents on record is WannaCry. Starting on 12 May 2017, WannaCry infected around 300,000 devices in 150 countries, including Spain, South Korea, the United Kingdom, Japan and Russia, halting business operations and demanding a ransom from each victim.
WannaCry only runs on the Microsoft Windows operating system, but Windows is the adopted standard platform for running a business, so the infected devices worldwide were all Windows machines. This paper uses the NHS outbreak as its evidence base and then covers a scenario in which an imaginary organization specializing in mining, with an office in Perth, has been infected by WannaCry; the cyber security consultant explains the root cause of the incident and provides recommendations to prevent further ransomware attacks.
Chronology of National Health Service
Events
Friday 12 May 2017 was the day of the WannaCry outbreak in the NHS. It began as a routine day of managing and treating patients in the hospitals. Staff would use an electronic device to store
The Aftermath
In the end the affected data was recovered and no patients were reported harmed, but there is
How it happened
To explain how this incident happened, I will walk through the attack using the Lockheed Martin Cyber Kill Chain. This framework describes how an attacker plans and executes an attack phase by phase, so the attack is laid out below in those phases.
Cyber Kill Chain:
1. Reconnaissance:
An attacker normally scans the target first to understand the environment, using tools such as Nmap or Nessus for scanning and Metasploit for exploitation. The attacker learns IP addresses, open ports and the infrastructure so that the attack can be planned before it is launched. In the WannaCry case this step was automated: the worm itself scanned the local network and random internet addresses for hosts with TCP port 445 open, so no human reconnaissance of a particular victim was needed.
2. Weaponization:
EternalBlue exploits a vulnerability in the SMBv1 implementation of Microsoft Windows (fixed by Microsoft in the MS17-010 patch of March 2017) to run code on a remote host, and DoublePulsar is a kernel-mode backdoor that gives the attacker persistent control of the compromised machine. WannaCry combined a ransomware payload with these two components into a self-propagating worm that specifically targeted unpatched Windows 7 and Windows Server systems.
3. Delivery:
In the Perth office scenario used in this paper, the attacker delivers the malicious code as a link in an email. The attacker impersonates a top executive of the company or an employee at the mining site requesting help from the Perth office, using the corporate email format and corporate language to make the request sound authentic, and tries to persuade the victim to click the link; once it is clicked, the malware runs on the victim's device and begins to spread. It should be noted that in the real outbreak no phishing lure was ever confirmed: WannaCry reached its victims by scanning for exposed SMB services on TCP port 445 and exploiting them directly (Brenner, 2017). An email is therefore only one possible entry point, and an internet-facing, unpatched SMB service is the more likely one.
4. Exploitation:
Once WannaCry reached a machine connected to N3 (the NHS national network), EternalBlue exploited the SMBv1 service on every reachable unpatched system, opening a path for the ransomware to each vulnerable connected host.
5. Installation:
After EternalBlue has exploited the SMB service and opened the path, it is DoublePulsar's turn to act: the backdoor is installed in the kernel of the compromised system. This is the point at which the attacker gains remote code execution on the host.
6. Command and Control:
With remote code execution on a compromised system, the attacker can push further malware to other vulnerable devices. WannaCry needed no interactive operator for this: its worm module ran automatically, although it first checked whether a hard-coded domain resolved (the so-called kill switch) and only continued if it did not. On each newly infected device the ransomware was launched, encrypting files and demanding that the victim pay the ransom.
7. Action on Objectives:
The objective of every ransomware campaign is for the victim to pay the ransom. Having installed the ransomware, the attacker only has to pressure the victim into paying (WannaCry demanded US$300 in Bitcoin, doubling after three days) to achieve the goal.
The Attacker
WannaCry has been attributed to the Lazarus Group, which the US and UK governments publicly linked to the North Korean government in December 2017. The attack used EternalBlue, an exploit for a vulnerability in the Windows Server Message Block (SMB) protocol implementation. The exploit was developed by the NSA years earlier and kept from the public and from Microsoft so that it could be used for intelligence purposes. In April 2017 it was leaked publicly by a group calling itself the Shadow Brokers, a month after Microsoft had released the MS17-010 patch. The Lazarus Group then weaponized the leaked exploit into the self-spreading ransomware variant known as WannaCry.
Root Cause of the incident
There were several causes.
Unpatched System
The investigation found that around 90% of the devices used in the NHS ran Windows 7 and about 5% still ran Windows XP (National Audit Office, 2017). The first problem was running old software. Windows XP had been out of support since 2014, so it had received no MS17-010 patch before the outbreak (Microsoft only issued an emergency patch for XP after the outbreak had begun); several MRI scanners ran on Windows XP and were open targets. In practice, though, most of the infected machines were unpatched Windows 7 systems.
In 2014 the Department had planned to replace Windows XP, with external support to help trusts migrate until 2015. That 5% of devices were still running XP three years later shows how hard it is to retire an old operating system without sustained guidance and help. The other question is why some Windows 7 devices were infected and others were not, and the answer is negligence in patching. Microsoft had released the MS17-010 patch in March 2017, two months before the outbreak; Windows 7 devices that had it were not infected, while those that did not were. Endpoint security software such as antivirus was also not being updated regularly. Patching and updating software is a routine task that anyone can perform, and had staff done it regularly the WannaCry outbreak would have been far smaller.
The Vulnerabilities
SMB is the protocol Windows uses to share files and devices such as printers over a network. The NHS devices still had SMB version 1 enabled; SMBv1 is the legacy dialect that EternalBlue exploits, and leaving it enabled made vulnerable systems easy for the worm to find, which is why Windows XP and unpatched Windows 7 were its primary targets.
WannaCry could reach the NHS because SMB listens on TCP port 445 and that port was reachable on hosts whose SMB service had not been patched. The open port by itself is not the problem: SMB has to be reachable for file sharing to work at all. The problem is an unpatched service listening on that port, which let the attacker run code on the host remotely. NHS Digital had in fact circulated an alert about the EternalBlue and DoublePulsar exploits on 25 April 2017, more than two weeks before the outbreak (NHS Digital, 2017).
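To make the point about port 445 concrete, here is an added example, written for this paper and not taken from any of the cited sources, of the detection logic an IDS or SIEM rule would implement for this behaviour: it reads a constructed firewall log and flags any host that reaches many distinct machines on TCP 445 within a minute, which is the signature of the worm's scanning rather than of normal file-sharing traffic. The log format, the sample lines and the thresholds are assumptions.

```python
"""Detect worm-like SMB scanning in connection logs.

Added example for this paper, not from any of the cited sources. It assumes a
constructed firewall/flow log with one connection attempt per line:
    <timestamp> <src_ip> <dst_ip> <dst_port> <action>
Denied attempts count too: a worm sweeping a subnet is mostly refused.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 10.0.1.20 is a normal client talking to two file
# servers; 10.0.1.55 sweeps the subnet on 445 the way WannaCry's worm did.
SAMPLE_LOG = """\
2017-05-12T08:30:01 10.0.1.20 10.0.1.5 445 allow
2017-05-12T08:30:02 10.0.1.20 10.0.1.5 445 allow
2017-05-12T08:31:10 10.0.1.20 10.0.1.9 445 allow
2017-05-12T08:40:00 10.0.1.55 10.0.1.1 445 allow
2017-05-12T08:40:00 10.0.1.55 10.0.1.2 445 deny
2017-05-12T08:40:01 10.0.1.55 10.0.1.3 445 deny
2017-05-12T08:40:01 10.0.1.55 10.0.1.4 445 allow
2017-05-12T08:40:02 10.0.1.55 10.0.1.5 445 allow
2017-05-12T08:40:02 10.0.1.55 10.0.1.6 445 deny
2017-05-12T08:40:03 10.0.1.55 10.0.1.7 445 deny
2017-05-12T08:40:03 10.0.1.55 10.0.1.8 445 deny
2017-05-12T08:40:04 10.0.1.55 10.0.1.9 445 allow
2017-05-12T08:40:04 10.0.1.55 10.0.1.10 445 deny
2017-05-12T08:40:05 10.0.1.55 10.0.1.11 445 deny
2017-05-12T08:40:05 10.0.1.55 10.0.1.12 445 deny
2017-05-12T08:41:00 10.0.1.55 198.51.100.7 445 deny
2017-05-12T09:15:00 10.0.1.20 10.0.1.5 445 allow
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines instead of crashing on them
        ts, src, dst, port, _action = parts
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_smb_sweeps(text, threshold=8, window=timedelta(seconds=60), port=445):
    """Return {src: distinct_dst_count} for every source that contacted at
    least `threshold` distinct hosts on `port` inside one sliding window.
    The count reported is the largest seen in any window for that source."""
    by_src = defaultdict(list)
    for ts, src, dst, p in parse_log(text):
        if p == port:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        seen = defaultdict(int)  # dst -> attempts inside the current window
        for ts, dst in events:
            seen[dst] += 1
            # advance the window start until every event fits in `window`
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
                start += 1
            if len(seen) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(seen))
    return alerts


if __name__ == "__main__":
    for host, count in find_smb_sweeps(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} distinct hosts on tcp/445 within 60s")
```

The threshold is deliberately low because a legitimate workstation talks to a handful of file servers, not a dozen neighbours in five seconds; the rule should be tuned per segment, and hosts that are expected to scan (vulnerability scanners, backup servers) allow-listed.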
Another point to note is how SMB carries file metadata. When a client requests a file, SMBv1 can send the file's extended attributes in a structure called the File Extended Attribute (FEA) list, in other words a description of the data being requested.
EternalBlue chains three bugs in the SMBv1 server, starting from FEA handling, to take over a host on N3:
1. Math error
When the server converts a client-supplied FEA list into its internal format, it calculates how much memory to allocate for the converted list. The size of the list is held in a wider field than the one the conversion routine updates, so with a specially crafted list the server miscalculates the size of the converted data and allocates a buffer that is too small. The conversion then keeps writing past the end of that buffer into the adjacent memory. This is the buffer overflow that EternalBlue uses to write attacker-controlled data.
2. Trigger of buffer overflow
The overflow has to be triggered in a way that gets an oversized FEA list past the server's checks. EternalBlue does this by splitting the list across a sequence of SMB transaction requests and mixing two transaction types, so that the server accepts and processes a list larger than a single request could carry. The overwritten memory is then used to gain kernel-mode code execution, at which point DoublePulsar is installed. DoublePulsar is a kernel backdoor that bypasses authentication and gives the attacker persistent remote access to the compromised system; once installed it can run further code on the attacker's behalf, including launching the ransomware to begin encrypting files.
3. Heap spray
Heap spraying does not overload the device or lock the victim out. Before triggering the overflow, the exploit opens many SMB connections and sends data on each so that the kernel allocates a large number of buffers of known size and layout. This arranges memory so that the undersized buffer from the math error lands next to a buffer the attacker controls, making the overwrite hit a predictable location. Only after memory has been groomed in this way is the overflow triggered and the backdoor installed, after which the host is used to infect more devices.
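The three bugs above are hard to picture without code, so the following is an added, simplified model written for this paper; it is not the Windows SMB server code and does not reproduce the exact bug. It shows the class of error behind the math error: the size of the converted attribute list is computed in a narrower integer than the copy loop uses, so a crafted list makes the server allocate a buffer smaller than what it then writes into it. The record layout, the 16-bit width (modelled with a mask, since Python integers do not wrap), the 1 MiB cap and the sample list are assumptions; the safe version shows the check that prevents the overflow.

```python
"""Model of the size-miscalculation bug class behind EternalBlue's overflow.

Added example for this paper; a simplified model for illustration, not the
Windows SMB server code. Each extended attribute (name, value) is converted
to a fixed-header record padded to a 4-byte boundary. The vulnerable sizing
routine keeps its running total in a 16-bit quantity (assumed; modelled
with `& 0xFFFF`) while the copy loop uses the real per-entry sizes.
"""
HEADER = 8            # assumed size of the converted record header
MAX_FEA_LIST = 1 << 20  # assumed hard cap on a converted list (1 MiB)


def nt_entry_size(name: bytes, value: bytes) -> int:
    """Bytes one converted entry occupies: header, name + terminator, value,
    rounded up to a multiple of 4."""
    raw = HEADER + len(name) + 1 + len(value)
    return (raw + 3) & ~3


def list_size_vulnerable(entries) -> int:
    """Size the server would allocate when the total is tracked in a
    16-bit field: a long list silently wraps to a small number."""
    total = 0
    for name, value in entries:
        total = (total + nt_entry_size(name, value)) & 0xFFFF
    return total


def list_size_safe(entries) -> int:
    """Same calculation with full-width arithmetic and explicit limits.
    Returns -1 instead of a wrapped value when the list is not acceptable."""
    total = 0
    for name, value in entries:
        if len(name) > 255:
            return -1  # the on-wire name length is a one-byte field
        total += nt_entry_size(name, value)
        if total > MAX_FEA_LIST:
            return -1
    return total


def convert(entries, size_fn):
    """Simulate allocation followed by the copy loop.

    Returns (allocated, bytes_written, overflowed). The copy is simulated,
    so an overflow is reported rather than actually corrupting memory."""
    allocated = size_fn(entries)
    if allocated < 0:
        return (allocated, 0, False)  # rejected before any allocation
    buf = bytearray(allocated)
    written = 0
    for name, value in entries:
        n = nt_entry_size(name, value)
        if written + n > len(buf):
            # real code would write past the end of buf here
            return (allocated, written, True)
        buf[written:written + n] = b"\0" * n
        written += n
    return (allocated, written, False)


def crafted_list(count=40, value_len=2000):
    """Constructed list whose converted size exceeds 65535 bytes."""
    return [(b"ea", b"A" * value_len) for _ in range(count)]


if __name__ == "__main__":
    crafted = crafted_list()
    print("vulnerable:", convert(crafted, list_size_vulnerable))
    print("safe:      ", convert(crafted, list_size_safe))
```

The fix is not only wider arithmetic: the safe version also enforces a maximum size and validates the one-byte name length, because a server that accepts unbounded input from an unauthenticated client is still one integer away from the same bug.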
The Response by NHS
The Department of Health had produced guidance for handling cyber incidents in 2016, but it was never used to train staff, because the Department did not yet regard cyber attacks as a risk to patients. As a result, many staff who had never practised the guidance did not know how to act when WannaCry spread across the NHS network.
Some hospitals were unaffected, and there are clear reasons why. Staff in the unaffected trusts responded quickly: they turned devices off and disconnected them from the network as soon as the attack was noticed, and some had evidently studied the guidance on preparing for cyber attacks. The other reason was patching: an operating system with the MS17-010 patch applied could not be infected by EternalBlue. These measures stopped the ransomware from spreading to further devices, and 136 trusts avoided infection.
Threat Actor
Overall, responsibility lies not only with the Lazarus Group, which built and released the malware, but also with the negligence of staff and the poor management of a dire situation. The CEOs and leaders of the affected organizations were also responsible for not providing adequate funding and training for security.
How to prevent
This section gives recommendations and solutions that increase the chance of defending users' devices from ransomware attacks. They are divided into three parts: Technical, Political and Social.
Technical:
Update operating systems regularly
Any system becomes vulnerable if it is not maintained. Patching and updating software lets users operate their devices safely and smoothly and removes the vulnerabilities that exploits such as EternalBlue depend on. Unsupported versions (Windows XP, Windows Server 2003) should be retired or isolated, because they receive no routine patches.
Apply IDS and firewall
An IDS alerts on suspicious activity, such as one host connecting to many others on TCP port 445, so that staff are notified when something is wrong in the network. A firewall should block SMB (TCP 445 and 139) at the perimeter and between internal segments, and can block traffic to and from known-malicious addresses.
Back up data regularly
Tested backups kept offline or otherwise isolated from the network mean encrypted files can be restored without paying, saving time and money when an incident occurs.
Apply VLANs
On a flat network the spread of ransomware between unpatched devices was inevitable. Segmenting the network with VLANs, with SMB blocked between segments, makes it much harder for a worm to spread.
Use two-step authentication
A password alone is no longer an adequate control. Attackers improve their skills every day, and even a strong password can eventually be obtained. Adding a second factor, such as a hardware token or a biometric (face or fingerprint), makes it much harder for an attacker to gain access. This does not stop an unauthenticated exploit such as EternalBlue, but it limits what an attacker can do with stolen credentials.
Hardening
Disable SMBv1 wherever it is not needed, and use allow lists or block lists for web access to avoid the risk of reaching unsafe websites.
Use endpoint security
Sophos, Avast and Kaspersky are well-known companies with reputable endpoint protection software that protects many users' devices. Up-to-date anti-malware increases a user's defence against known malware.
Apply MS17-010 to Windows
MS17-010 is the Microsoft security patch that fixes the SMBv1 vulnerability exploited by EternalBlue. It must be applied to every Windows system, because EternalBlue-based malware is still scanning for unpatched hosts.
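As an added example for this paper (not from any cited source), the first, seventh and last recommendations above can be turned into a simple audit: given an inventory export, rank every host by the three conditions EternalBlue needs together, an unpatched or unsupported Windows build, SMBv1 enabled, and TCP 445 reachable from an untrusted network. The CSV columns, the inventory rows and the list of unsupported versions are assumptions.

```python
"""Prioritise hosts for MS17-010 remediation from an inventory export.

Added example for this paper, not from any cited source. It assumes a
constructed CSV inventory with the columns
    hostname,os,ms17_010_applied,smb1_enabled,port445_reachable_from_untrusted
and ranks each host by how exposed it is to EternalBlue-style worms.
"""
import csv
import io

# Assumed: Windows versions that no longer receive routine security updates.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

# Constructed inventory for the imaginary Perth office.
INVENTORY_CSV = """\
hostname,os,ms17_010_applied,smb1_enabled,port445_reachable_from_untrusted
mri-scanner-01,Windows XP,no,yes,no
fileserver-01,Windows Server 2008 R2,no,yes,yes
ws-perth-017,Windows 7,no,yes,no
ws-perth-018,Windows 7,yes,yes,no
ws-perth-019,Windows 7,yes,no,no
jumphost-01,Windows Server 2012 R2,no,no,yes
"""


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def assess_host(row):
    """Return (severity, reasons) for one inventory row.

    Severity: 3 critical (exploitable and reachable from outside),
    2 high (exploitable from inside the network), 1 medium (one of the
    preconditions present), 0 nothing to fix."""
    unsupported = row["os"] in UNSUPPORTED_OS
    patched = _truthy(row["ms17_010_applied"])
    smb1 = _truthy(row["smb1_enabled"])
    exposed = _truthy(row["port445_reachable_from_untrusted"])

    # EternalBlue needs an unpatched (or unpatchable) host with SMBv1 on.
    exploitable = (unsupported or not patched) and smb1
    if exploitable and exposed:
        severity = 3
    elif exploitable:
        severity = 2
    elif (not patched) or smb1 or exposed:
        severity = 1
    else:
        severity = 0

    reasons = []
    if unsupported:
        reasons.append("unsupported OS")
    if not patched:
        reasons.append("MS17-010 missing")
    if smb1:
        reasons.append("SMBv1 enabled")
    if exposed:
        reasons.append("445 reachable from untrusted network")
    return severity, reasons


def audit(csv_text):
    """Return [(hostname, severity, reasons)] sorted worst first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    results = [(r["hostname"], *assess_host(r)) for r in rows]
    results.sort(key=lambda t: (-t[1], t[0]))
    return results


if __name__ == "__main__":
    for host, severity, reasons in audit(INVENTORY_CSV):
        print(f"{severity} {host}: {', '.join(reasons) or 'ok'}")
```

Note that a host missing the patch but with SMBv1 disabled is rated medium rather than high: EternalBlue needs the SMBv1 dialect, so disabling it is a genuine mitigation while the patch is rolled out, not a substitute for it.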
Political
Governments should provide training for staff in preparation for cyber attacks.
Compliance regulations for IT should be implemented to push organizations to a standard level of system protection against cyber attacks.
Organizations need robust cyber security measures to protect against cyber threats.
Governments should increase cooperation with IT organizations to better handle and understand technology.
Governments could invest in cyber security education so that society has better security systems in the long run.
Social
Citizens can share the event on social media to raise awareness for everyone.
Ask the IT community for a better understanding of IT concepts and their implications.
Persuade people to take cyber attacks seriously and to equip their devices with endpoint security software.
Importance of Cyber Security
Everyone needs an electronic device to access the internet, whether to work remotely, communicate with other people, conduct business or gain knowledge, but these devices are in constant danger from criminals. Criminals want our data because it has a value that can earn them money. This is why cyber security plays an important role in protecting our enhanced lifestyle.
The rise of AI technology gives society more features that enhance the human experience, but at the same time it increases the attack surface. As long as technology keeps developing, cyber security will be needed to protect it.
Conclusion
This cyber attack has taught everyone, not only IT workers but also people with little understanding of security, to take the matter seriously. The attack succeeded because of the negligent failure to update software regularly; the ransomware itself was not sophisticated software that could bypass up-to-date endpoint security, and its power came from an unpatched vulnerability. The important lesson is to take care of your devices: patch them and understand them well. If something about IT is confusing, a web search or a question to the IT community will be rewarded with the ability to use the internet smoothly and safely. The worldwide WannaCry event can also be used by students and anyone still lacking a grasp of security to understand network security fundamentals better, and hopefully to teach others how to prevent and manage malware so that the number of malware incidents decreases.
Reference List
BBC News. (2017, May 15). Ransomware cyber-attack: Who has been hardest hit? [Link]
National Health Service England. (2018). Lessons learned review of the WannaCry ransomware cyber attack. [Link]
Hern, A. (2017, October 27). NHS could have avoided WannaCry hack with 'basic IT security', says report. The Guardian. [Link]
BBC News. (2017, October 24). NHS hospitals hit by major cyber-attack. [Link]
Acronis. (2020, February 7). The NHS cyber attack. [Link]
National Audit Office. (2017). Investigation: WannaCry cyber attack and the NHS. [Link]
Fruhlinger, J. (2022, August 25). WannaCry explained: A perfect ransomware storm. CSO. [Link]
SentinelOne. (2019, May 27). EternalBlue exploit: What it is and how it works. [Link]
Dark Roast Security. (2018, January 16). Eternal Blue & DoublePulsar exploit. Medium. [Link]
Koczwara, M. (2019, January 26). Eternal blue DoublePulsar exploit. Medium. [Link]
Brenner, B. (2017, May 17). WannaCry: the ransomware worm that didn't arrive on a phishing hook. Naked Security (Sophos). [Link]
Tunggal, A. T. (2022, August 22). What is an SMB port? A detailed description of ports 445 + 139. UpGuard. [Link]
Root, E. (2022, August 23). The chronicle of WannaCry. Kaspersky Daily. [Link]
NHS Digital. (2017, April 25). SMB EternalBlue and DoublePulsar exploit. [Link]
Garland, I. (2022, April 27). WannaCry ransomware: what it is and how to protect yourself. Comparitech. [Link]
Ellis, J. (2017). WannaCry ransomware and the lessons healthcare IT professionals to learn. [Link]