The Anatomy of a Cyber Attack: Unraveling the 2017 WannaCry Ransomware

A Comprehensive Step-by-Step Guide to Understanding One of History’s Most Notorious Cyber Attacks

Photo by Nahel Abdul Hadi on Unsplash

Cyber-attacks threaten our digital security constantly. As these threats evolve in their complexity, the methods and motivations behind them become increasingly advanced.

A clear example is the infamous WannaCry ransomware attack of May 2017, which impacted over 200,000 computers across 150 countries.

This blog post unravels the anatomy of a cyber attack by dissecting the WannaCry incident, revealing a step-by-step breakdown of the attack process, and highlighting the vital lessons we can learn from it.

Reconnaissance: Identifying the Target

Every cyber attack, including the WannaCry incident, starts with a phase called reconnaissance. Attackers collect information about potential targets during this stage, seeking out vulnerabilities and weaknesses.

In the WannaCry situation, the attackers exploited a Microsoft Windows vulnerability known as EternalBlue, which the hacking group Shadow Brokers had leaked. This vulnerability allowed the attackers to focus on computers running unsupported or outdated versions of Windows.

Weaponization: Crafting the Malware

During the weaponization phase of a cyber attack, the attackers meticulously and strategically create a malicious payload or tool. This tool is not just a random piece of malicious code; it is carefully designed and constructed to exploit the specific vulnerabilities that have been identified in the target systems.

In the case of the WannaCry incident, the creators went beyond simply developing a piece of ransomware. They crafted a complex program that behaved like a worm, enabling it to self-propagate across networks. This particular design allowed the ransomware to move laterally through interconnected systems, encrypting files and demanding a ransom in Bitcoin from the affected users.

The weaponization stage of the WannaCry attack showcases the careful planning and technical expertise that went into the creation of the malware. By understanding the underlying architecture, the attack vectors, and the potential for widespread damage, the attackers were able to produce a tool that would cause havoc on a global scale.

Delivery: Sending the Malware

The delivery phase of a cyber attack involves much more than merely sending malware to a target. It requires a calculated approach, an in-depth understanding of the target’s behavior, and crafting a method that will most likely result in a successful infection.

In the case of the WannaCry attack, the delivery was not a simple, blunt-force attempt to infect computers. Rather, the attackers used email phishing campaigns. These emails were not randomly generated messages; they were carefully crafted to resemble legitimate communications, complete with convincing subject lines and content.

This strategic use of phishing allowed the attackers to reach a vast number of potential victims, making it a critical component of the attack’s success.

The WannaCry attackers’ focus on delivery underscores the importance of this phase in a successful cyber attack. By understanding their targets and employing a well-thought-out delivery method, they were able to breach defenses and set the stage for the subsequent phases of the attack.

Exploitation: Activating the Malware

The exploitation phase of WannaCry involved activating the malware, a key step where the ransomware began its destructive path. Utilizing the EternalBlue vulnerability, WannaCry spread swiftly across networks without needing human intervention.

Once inside a system, it started encrypting files, effectively locking users out of their own data. The automatic nature of this phase demonstrated the efficiency and ruthlessness of WannaCry’s design.

By seamlessly exploiting a known weakness, it was able to invade countless systems, emphasizing the importance of securing vulnerabilities and the devastating consequences of failing to do so.

Installation: Gaining Access

The installation phase of a cyber attack is not merely about embedding malware into a system; it’s about securing ongoing access and spreading the infection to other vulnerable targets. During the WannaCry attack, this phase played a crucial role in the malware’s rapid proliferation.

Once the ransomware infected a computer, it didn’t remain stagnant. Instead, it replicated itself, identifying and moving on to other vulnerable systems within the network. This ability to self-replicate allowed WannaCry to spread like wildfire, infecting entire organizations in certain instances.

The WannaCry incident serves as a sobering example of how a single infected computer can become a gateway for widespread disruption, underscoring the importance of robust network security and vigilant monitoring.

Command and Control: Managing Remotely

While the WannaCry attack itself did not prominently feature a command and control (C2) phase, this element is often a vital component of sophisticated cyber attacks.

A C2 phase allows attackers to control infected systems remotely, orchestrating them according to their desires. They may update the malware, alter its behavior, or use the infected systems for additional malicious activities.

In some cases, this phase can turn infected computers into ‘zombies’ within a larger botnet, directed by the attacker’s commands. Although not a central aspect of the WannaCry incident, the command and control concept underscores the multi-faceted nature of cyber threats and the long-term control attackers may seek over their victims’ systems.

Actions on Objectives: Realizing Goals

The final phase, actions on objectives, represents the realization of the attacker’s ultimate goal. For WannaCry, this meant the successful execution of an extortion scheme on an unprecedented scale.

Victims found their computer screens displaying a threatening demand for payment in Bitcoin, with the promise of file decryption upon payment.

This phase wasn’t merely about the immediate financial gain for the attackers, estimated at around $140,000. It also caused widespread fear, chaos, and business interruption. Some organizations had to cease operations temporarily, leading to further financial and reputational loss.

The effectiveness of WannaCry in achieving its objectives highlights the importance of understanding the ultimate goals of cyber attacks.

Aftermath and Lessons Learned

The WannaCry incident served as an alarm bell for numerous organizations and governments. Its global impact stirred immediate demands for stronger cybersecurity measures, stressing the importance of regular updates, patches, and awareness training.

Key lessons include:

  • Patch Management: Regular system updates and patches can prevent known vulnerabilities from being exploited.
  • Backup and Recovery: Regular backups can limit the effects of ransomware, enabling systems to be restored without paying a ransom.
  • User Education: Training users to recognize and avoid phishing emails can create a critical defense line against numerous cyber attacks.


Unravelling the anatomy of the WannaCry cyber attack provides an illustrative example of how a seemingly simple but well-coordinated attack can lead to global ramifications. It emphasizes the importance of a robust cybersecurity strategy, which focuses on prevention, detection, and response. By understanding the steps involved in a cyber attack, organizations can better prepare and defend themselves in an increasingly risky digital landscape.