WannaCry in Diamond Model

In this blog post, will explain how wanna cry ransomware event can be mapped with Diamond model.

WannaCry ransomware is a consequence of MS-17-010, a vulnerability in Server Message Block V 1.0 which was exploited using Eternal Blue exploit. This caused a lot of impact to users with outdated version of windows OS and those who had not patched MS-17-010.

Ransomware started to spread through a malicious email, a classic exploit delivery method. Once on network, lateral movement infected other systems which were vulnerable.

Applying Diamond model to this event,

Core Features

Adversary – Attacker with eternal blue exploit coupled with malware which encrypts data

Capability – Encrypt Data, Move laterally exploiting vulnerability,

Victim – Windows OS vulnerable to MS-17-010

Infrastructure – Mail, Malicious PDF

Socio-Political – Money, attackers exploited users to make money. Intent was behind money. Fake promises were made to decrypt data once payment was made. — Technical Meta feature – Exploits MS-17-010 using eternal blue exploit and encrypts user data. Moves laterally infecting other systems through vulnerable SMB shares.

Meta Features

Timestamp – May 2017 Phase – Exploit Result – Success ( impact on availability, user data is encrypted) Direction – Infrastructure to Victim Methodology – Phishing , Malware Resources – Vulnerable WindowsOS, Eternal blue exploit, malicious pdf

— By Fabian Darius