WCry/WannaCry Ransomware: a technical analysis

A useful article by Endgame

Amanda Rousseau has published a great technical analysis of the WannaCry ransomware on the Endgame blog.

The most interesting section of the analysis is, from my point of view, the execution flow of the malware, which explains all the actions performed by the ransomware in the infection phase:

The WCry ransomware follows a flow similar to that of other ransomware as it damages a machine. The high level flow is as follows: It begins with an initial beacon, which other researchers have already reported is basically a killswitch function. If it makes it past that step, then it looks to exploit the ETERNALBLUE/MS17-010 vulnerability and propagate to other hosts. WCry then goes to work doing damage to the system, first laying the foundations for doing the damage and getting paid for recovery, and once that’s done, WCry starts encrypting files on the system.

In the analysis, Amanda walks through each of these tasks, so I suggest taking a look at the original article:



Despite its ability to propagate so quickly, the ransomware activities taken by this malware are not particularly interesting or novel. As I demonstrated in this malware, the killswitch in the execution flow provided a unique opportunity to slow down the ransomware. As security researcher MalwareTech discovered, and Talos described in detail, this malware was programmed to bail out upon a successful connection to that server, which stops the malware altogether. We should all thank MalwareTech for setting up the sinkhole, which caused this outbreak to slow sooner than it otherwise would have.

This malware is easy to modify. As mentioned above, other researchers are already finding variants in the wild.

If you’re running Windows and haven’t patched yet, now’s the time to do it.