S0366: WannaCry
Analyst context for executives and security teams
WannaCry matters because it combines ransomware impact with worm-like network spread on Windows systems, using the SMBv1 EternalBlue exploit according to ATT&CK. For leaders, the practical lesson is not only “ransomware encrypts files,” but that an exposed or poorly segmented legacy service can turn one infection into a broad availability incident across business operations.
Executive priority
Prioritize this as a resilience and vulnerability-management validation case: confirm whether Windows environments still expose legacy SMBv1 paths, whether patch and segmentation controls would limit lateral spread, and whether recovery capabilities can survive ransomware behavior such as encrypted data, service disruption, and inhibited system recovery. It is also useful audit evidence for ransomware readiness, incident response planning, and cyber-physical risk discussions where Windows systems support operational environments.
Technical view
SOC, detection engineering, and IR teams should validate coverage around the ATT&CK-linked behaviors rather than relying on a single WannaCry signature. The supplied relationships connect WannaCry to discovery, WMI execution, exploitation of remote services, lateral tool transfer, Windows service creation, hidden files, permission changes, RDP hijacking, encrypted data for impact, service stop, and inhibit system recovery. Detection should focus on Windows host and network evidence for SMB-based lateral movement, suspicious service creation, recovery-control tampering, rapid file encryption activity, and unusual discovery activity. ATT&CK does not provide official detection text for this software object, so local telemetry validation is required.
Likely telemetry
- Windows endpoint process, service, file, and registry events
- SMB and internal network connection telemetry, especially host-to-host lateral traffic
- Windows Management Instrumentation activity logs where collected
- File creation, rename, permission, hidden attribute, and encryption-pattern telemetry
- Service stop or service configuration change events
Detection direction
- Validate whether detections cover the behavior chain: discovery, remote service exploitation, lateral transfer, service creation, recovery inhibition, and file encryption impact.
- Tune for internal SMB propagation patterns and unusual host-to-host connection fan-out; account for administrative file sharing and software deployment tools as likely false-positive sources.
- Correlate service creation or modification with unexpected binaries, hidden files, permission changes, and recovery-control tampering.
- Review whether WMI and RDP telemetry are actually collected and retained; these are common blind spots in Windows lateral-movement investigations.
- Use the Lazarus Group relationship as ATT&CK context only; do not treat it as attribution for a local incident without independent evidence.
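As an added illustration of the detection direction above (example code, not part of the ATT&CK object or Glexia's analysis), the Python below runs two of the listed checks over constructed telemetry: per-host SMB fan-out with an allowlist for a software-deployment host, and correlation of a service created from an unexpected binary path with recovery-control tampering on the same host. The log format, host names, paths, addresses and thresholds are assumptions; only the service name "mssecsvc2.0" comes from the technique table below.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events ("<ISO time> <host> <event> key=value ..."); host names,
# paths and addresses are hypothetical; "mssecsvc2.0" is the service name in the table.
SAMPLE_LOG = [
    r"2017-05-12T10:00:01 ws-17 svc_create name=mssecsvc2.0 image=C:\Users\bob\AppData\Local\Temp\update.exe",
    r"2017-05-12T10:00:09 ws-17 recovery_tamper action=shadow_copy_delete",
    r"2017-05-12T10:00:10 ws-17 netconn dst=10.0.0.11 dport=445",
    r"2017-05-12T10:00:11 ws-17 netconn dst=10.0.0.12 dport=445",
    r"2017-05-12T10:00:12 ws-17 netconn dst=10.0.0.13 dport=445",
    r"2017-05-12T10:00:13 ws-17 netconn dst=10.0.0.14 dport=445",
    r"2017-05-12T10:00:30 sccm01 netconn dst=10.0.0.21 dport=445",
    r"2017-05-12T10:00:31 sccm01 netconn dst=10.0.0.22 dport=445",
    r"2017-05-12T10:00:32 sccm01 netconn dst=10.0.0.23 dport=445",
    r"2017-05-12T10:00:33 sccm01 netconn dst=10.0.0.24 dport=445",
    r"2017-05-12T10:05:00 ws-02 svc_create name=Spooler image=C:\Windows\System32\spoolsv.exe",
]
# Assumed tuning: "sccm01" is a deployment host where SMB fan-out is expected (false-positive source).
DEPLOYMENT_HOSTS, FANOUT_THRESHOLD, WINDOW = {"sccm01"}, 4, timedelta(seconds=60)
TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")

def parse(line):
    ts, host, event, *kv = line.split()
    return datetime.fromisoformat(ts), host, event, dict(p.split("=", 1) for p in kv)

def smb_fanout_alerts(lines):
    """Non-allowlisted hosts reaching >= FANOUT_THRESHOLD distinct TCP/445 peers within WINDOW."""
    peers = defaultdict(list)
    for ts, host, event, f in map(parse, lines):
        if event == "netconn" and f.get("dport") == "445" and host not in DEPLOYMENT_HOSTS:
            peers[host].append((ts, f["dst"]))
    alerts = set()
    for host, conns in peers.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):   # sliding window anchored at each connection
            if len({d for t, d in conns[i:] if t - t0 <= WINDOW}) >= FANOUT_THRESHOLD:
                alerts.add(host)
                break
    return alerts

def chain_alerts(lines):
    """Hosts where a service from an untrusted image path is followed by recovery tampering."""
    svc_seen, alerts = {}, set()
    for ts, host, event, f in sorted(map(parse, lines), key=lambda e: e[0]):
        if event == "svc_create" and not f["image"].lower().startswith(TRUSTED_IMAGE_PREFIXES):
            svc_seen[host] = ts
        elif event == "recovery_tamper" and host in svc_seen and ts - svc_seen[host] <= WINDOW:
            alerts.add(host)
    return alerts
```

Both functions return the set of hosts to investigate; in the sample only ws-17 trips either check, while the allowlisted deployment host and the trusted spooler service do not.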
Mitigation priorities
- Confirm Windows asset inventory, patch posture, and exposure of SMBv1/EternalBlue-relevant services.
- Reduce lateral movement paths with segmentation and restrictions on unnecessary file-sharing and remote administration services.
- Harden and monitor Windows service creation, WMI use, RDP access, and administrative shares.
- Protect recovery capabilities: maintain tested backups and monitor for actions that inhibit system recovery.
- Exercise incident response playbooks for fast containment of worm-like ransomware spread, including network isolation and business recovery decisions.
Analyst notes and limits
ATT&CK identifies WannaCry as Windows ransomware first seen in a global May 2017 attack affecting more than 150 countries, with worm-like spreading using SMBv1 EternalBlue. ATT&CK relationships also map it to multiple enterprise and ICS-relevant techniques, including exploitation of remote services, lateral tool transfer, data encryption for impact, service stop, and inhibit system recovery. The object is related to Lazarus Group in ATT&CK, but that relationship should be handled as intelligence context, not automatic incident attribution.
The supplied ATT&CK object has no official detection section and no explicit tactic list on the malware object itself. Telemetry and control guidance here is inferred from the official description and supplied ATT&CK relationships, so defenders must confirm applicability against their Windows estate, network architecture, logging coverage, and recovery design.
WannaCry
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1210 | Exploitation of Remote Services | WannaCry uses an exploit in SMBv1 to spread itself to other remote systems on a network. (Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: US-CERT WannaCry 2017) |
| Enterprise | T1489 | Service Stop | WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores. (Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis) |
| Enterprise | T1083 | File and Directory Discovery | WannaCry searches for a variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files. (Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017) |
| Enterprise | T1120 | Peripheral Device Discovery | WannaCry contains a thread that will attempt to scan for newly attached drives every few seconds. If one is identified, it will encrypt the files on the attached device. (Citation: FireEye WannaCry 2017) |
| Enterprise | T1486 | Data Encrypted for Impact | WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files. (Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis) |
| Enterprise | T1047 | Windows Management Instrumentation | WannaCry utilizes |
| Enterprise | T1563.002 | RDP Hijacking Sub-technique | WannaCry enumerates current remote desktop sessions and tries to execute the malware on each session. (Citation: LogRhythm WannaCry) |
| Enterprise | T1490 | Inhibit System Recovery | WannaCry uses |
| Enterprise | T1018 | Remote System Discovery | WannaCry scans its local network segment for remote systems to try to exploit and copy itself to. (Citation: SecureWorks WannaCry Analysis) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | |
| Enterprise | T1016 | System Network Configuration Discovery | WannaCry will attempt to determine the local network segment it is a part of. (Citation: SecureWorks WannaCry Analysis) |
| Enterprise | T1222.001 | Windows Permissions Sub-technique | WannaCry uses |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | |
| Enterprise | T1543.003 | Windows Service Sub-technique | WannaCry creates the service "mssecsvc2.0" with the display name "Microsoft Security Center (2.0) Service." (Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017) |
| Enterprise | T1570 | Lateral Tool Transfer | WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit. (Citation: LogRhythm WannaCry) |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 341f1fe9cc7d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] LogRhythm WannaCry: Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved December 8, 2024.
- [2] US-CERT WannaCry 2017: US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019.
- [3] Washington Post WannaCry 2017: Dwoskin, E. and Adam, K. (2017, May 14). More than 150 countries affected by massive cyberattack, Europol says. Retrieved March 25, 2019.
- [4] FireEye WannaCry 2017: Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
- [5] SecureWorks WannaCry Analysis: Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
- [6] WCry (Citation: LogRhythm WannaCry)(Citation: SecureWorks WannaCry Analysis)
- [7] WanaCry (Citation: SecureWorks WannaCry Analysis)
- [8] WanaCrypt (Citation: SecureWorks WannaCry Analysis)
- [9] WanaCrypt0r (Citation: LogRhythm WannaCry)
- [10] mitre-attack S0366
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.