Some Quick Malware Breakdowns!

Note: The information provided in these malware breakdowns is based on publicly available threat intelligence, observed behaviors, and independent research. Data is presented as an aggregate overview for educational and awareness purposes only.

Emotet

Malware Name

Emotet

APT Group

TA542 (Mummy Spider)

Target Sector

Finance, Government, Healthcare

Delivery Method

Phishing Emails → Malicious Macros

MITRE TTPs

T1566.001, T1059.005, T1218.011, T1105

Impact

Credential theft, lateral movement, ransomware delivery

First Observed

2014

Status

Disrupted 2021, reemerged 2022

Read More

🧠 Overview

Emotet is a modular banking trojan turned malware delivery platform that originated in 2014. Once focused on credential theft, it evolved into one of the most prolific
initial access threats, responsible for distributing TrickBot, QakBot, and Ryuk ransomware. Its polymorphic nature and adaptability made it a persistent global threat.

Aliases: Geodo, Heodo
First Observed: 2014
Active Years: 2014–2021 (takedown), resurfaced briefly 2021–2023

📜 History & Notable Campaigns

• 2014: Discovered as a banking trojan targeting financial data in Europe.
• 2016–2018: Transitioned to modular delivery system, gaining spambot and propagation capabilities.
• 2019–2020: At its peak, distributed malicious spam at global scale; hijacked legitimate email threads.
• Jan 2021: Infrastructure dismantled in a global law enforcement operation.
• Nov 2021–2023: Attempted comeback using TrickBot infrastructure; mostly thwarted due to stronger detection and response mechanisms.

🔗 Attack Chain Breakdown

• Initial Access: Phishing emails with malicious attachments or embedded links (T1566.001).
• Execution: Malicious VBA macros in Word/Excel files executed PowerShell or dropped DLLs (T1059.001, T1204.002).
• Persistence: Used registry keys and scheduled tasks to maintain access (T1547.001).
• Command & Control (C2): Custom encrypted protocol over HTTP/S; domains often generated via DGA (T1071.001, T1008).
• Lateral Movement & Delivery: Occasionally used stolen credentials or SMB for propagation; downloaded additional malware like TrickBot and Ryuk (T1105).

⚙️ Technical Highlights

• Modular architecture with dynamic plugin loading (spambot, email harvesting, credential theft).
• Polymorphic binary: payload changed frequently to evade signature-based detection.
• Reply-chain phishing: hijacked real email threads to boost legitimacy of phishing emails.
• DGA implementation allowed rapid domain rotation for resilient C2 communication.
• Self-spreading worm behavior on some networks using stolen credentials.

🎯 MITRE ATT&CK Techniques

• T1566.001 – Phishing: Spearphishing Attachment
• T1204.002 – User Execution: Malicious File
• T1059.001 – Command and Scripting Interpreter: PowerShell
• T1547.001 – Persistence via Registry Run Keys / Startup Folder
• T1071.001 – Application Layer Protocol: Web Protocols
• T1008 – Fallback Channels (DGA)
• T1105 – Ingress Tool Transfer

💡 Trivia & Interesting Facts

• Emotet hijacked real email conversations, quoting past messages to appear more legitimate.
• Payload file names sometimes included pop culture jokes like “invoice_fortnite_2020.xls”.
• At its peak, Emotet infrastructure spanned hundreds of servers across multiple regions.

EternalBlue

Malware Name

EternalBlue

APT Group

Shadow Brokers / NSA Leak

Target Sector

All (via SMB vulnerability)

Delivery Method

MS17-010 exploit for SMBv1

MITRE TTPs

T1210, T1220

Impact

Used in WannaCry, NotPetya outbreaks

First Observed

2017 (via NSA dump)

Status

Still seen on unpatched systems

Read More

🧠 Overview

EternalBlue is a Windows exploit developed by the NSA and leaked by the Shadow Brokers hacking group in 2017. It exploits a vulnerability in Microsoft’s SMBv1
protocol (MS17-010) to enable remote code execution. Although patched prior to the leak, many systems remained vulnerable for months and years after, making EternalBlue
a powerful tool for widespread attacks like WannaCry and NotPetya.

Aliases: MS17-010 Exploit
First Observed: April 2017 (leaked)
Targeted Platform: Windows (XP through Server 2016)

📜 History & Notable Campaigns

• April 2017: EternalBlue leaked as part of the “Lost in Translation” Shadow Brokers dump.
• May 2017: Used by WannaCry ransomware to cause a global outbreak, infecting 200,000+ systems.
• June 2017: Weaponized again in the NotPetya pseudo-ransomware attack, heavily affecting Ukraine and multinational corporations.
• 2018–2020: Continued abuse in cryptocurrency mining campaigns and lateral movement by various threat actors.

🔗 Attack Chain Breakdown

• Initial Access: Scanned the network or internet for systems with SMBv1 enabled and unpatched (T1046, T1595).
• Execution: Crafted malicious SMB packets to trigger buffer overflow and execute code (T1203).
• Persistence: Often established by deploying additional payloads such as backdoors or worms (T1055.001).
• Lateral Movement: Allowed rapid worm-like propagation across internal networks using SMB (T1021.002).
• Payload Delivery: Typically delivered ransomware (WannaCry, NotPetya) or cryptominers post-exploit (T1486, T1496).

⚙️ Technical Highlights

• Exploits a vulnerability in SMBv1 involving improper input validation (CVE-2017-0144).
• Works even without authentication—no credentials needed to gain control of vulnerable machines.
• Wormable by design—used to self-propagate payloads without user interaction.
• Often paired with DoublePulsar implant for in-memory DLL injection after exploitation.
• Still seen in legacy environments where SMBv1 is active or patching is incomplete.

🎯 MITRE ATT&CK Techniques

• T1203 – Exploitation for Client Execution
• T1021.002 – SMB/Windows Admin Shares
• T1055.001 – Process Injection: DLL Injection
• T1046 – Network Service Discovery
• T1486 – Data Encrypted for Impact
• T1595 – Active Scanning
• T1496 – Resource Hijacking (cryptomining campaigns)

💡 Trivia & Interesting Facts

• The EternalBlue exploit was reportedly stockpiled by the NSA for years before it was leaked.
• Its use in WannaCry helped spark a global debate on “government hoarding” of zero-day exploits.
• Despite being patched by Microsoft in March 2017 (before the leak), millions of machines remained vulnerable for years.
• EternalBlue has been called one of the most devastating exploits ever released into the wild.

Log4Shell

Malware Name

Log4Shell

APT Group

Multiple actors worldwide

Target Sector

All industries

Delivery Method

Vulnerable Log4j library exploit

MITRE TTPs

T1190, T1210

Impact

Remote Code Execution (RCE), backdoor access

First Observed

December 2021

Status

Still being exploited

Read More

🧠 Overview

Log4Shell (CVE-2021-44228) is a critical zero-day vulnerability discovered in the Apache Log4j 2 logging library. It allows remote code execution by injecting a specially
crafted JNDI lookup string into log messages. Due to Log4j's widespread use in enterprise applications, the vulnerability had global implications and was dubbed one of the
most severe software vulnerabilities of the decade.

Aliases: Log4j Vulnerability, CVE-2021-44228
First Public Disclosure: December 9, 2021
Affected Components: Apache Log4j 2.x (versions 2.0 to 2.14.1)

📜 History & Notable Campaigns

• Dec 2021: Disclosed by Alibaba Cloud to Apache; public exploitation began within hours of public release.
• Early 2022: Widely weaponized by ransomware groups, crypto miners, botnets (Mirai variants), and APTs.
• 2022–2023: Continued use in post-compromise activity by groups such as APT35, DEV-0401, and criminal syndicates.
• Ongoing: Exploitation attempts still occur in unpatched systems and legacy apps using outdated Log4j libraries.

🔗 Attack Chain Breakdown

• Initial Access: Attacker sends a log message containing a JNDI reference to an external malicious server (T1190).
• Execution: Log4j performs the lookup and fetches/executed code via LDAP or HTTP (T1203).
• Persistence: Often followed by dropped webshells or malware to establish a foothold (T1505.003, T1055).
• Command & Control: Shell access or remote payload execution via secondary backdoors (T1071.001).
• Impact: Ranged from cryptojacking and data theft to complete system compromise and lateral movement (T1486, T1210).

⚙️ Technical Highlights

• Vulnerability hinges on the JNDI feature allowing dynamic code loading via LDAP, RMI, or other services.
• Simple user-controlled strings (e.g., User-Agent, login fields) could trigger RCE — requiring no authentication.
• Mass scanning began hours after disclosure; some POCs were just one-line curl commands.
• Some attackers used DNS exfil tricks to confirm vulnerable targets before deploying payloads.
• Remediation required patching and disabling risky lookup functionality (e.g., log4j2.formatMsgNoLookups=true).

🎯 MITRE ATT&CK Techniques

• T1190 – Exploit Public-Facing Application
• T1203 – Exploitation for Client Execution
• T1055 – Process Injection
• T1505.003 – Server Software Component: Web Shell
• T1071.001 – Application Layer Protocol: Web Protocols
• T1486 – Data Encrypted for Impact
• T1210 – Exploitation of Remote Services

💡 Trivia & Interesting Facts

• The vulnerability was trivial to exploit — even Minecraft servers were reportedly compromised via chat messages.
• Google dubbed it the “most severe” issue in the last decade based on global risk and simplicity.
• Researchers developed creative detection methods including DNS canary domains and fake LDAP traps.
• Mitigation confusion led to a flurry of patch releases — versions 2.15, 2.16, and 2.17 were rapidly pushed.

Qakbot

Malware Name

Qakbot

APT Group

Unattributed

Target Sector

Finance, Legal, Healthcare

Delivery Method

Phishing emails with malicious attachments

MITRE TTPs

T1059.001, T1071.001, T1566.001

Impact

Credential theft, ransomware staging

First Observed

2007

Status

Disrupted August 2023

Read More

🧠 Overview

QakBot is a modular banking trojan that evolved into a versatile malware delivery platform. First detected in 2007, it was initially used to steal banking credentials but
grew into a full-service botnet capable of delivering ransomware, performing credential harvesting, and enabling lateral movement. Known for its adaptive phishing tactics,
QakBot was often deployed via Emotet and TrickBot infrastructure.

Aliases: QBot, Pinkslipbot
First Observed: 2007
Primary Functions: Credential theft, C2 communication, malware delivery

📜 History & Notable Campaigns

• 2007: First discovered as a banking credential stealer targeting Windows systems.
• 2016–2020: Increased modularity; began being delivered by other malware like Emotet.
• 2021: Major campaigns used hijacked email threads to trick recipients into downloading malicious attachments.
• 2023: Disrupted in an FBI-led operation (“Duck Hunt”), which hijacked QakBot’s infrastructure and pushed an uninstaller to infected machines.

🔗 Attack Chain Breakdown

• Initial Access: Phishing emails with HTML/ZIP attachments leading to malicious MSI or DLL payloads (T1566.001, T1204.002).
• Execution: DLLs executed via LOLBins (e.g., rundll32.exe) or MSI installers (T1218.011).
• Persistence: Registry run keys or scheduled tasks installed to maintain foothold (T1547.001).
• Command & Control: Encrypted traffic over HTTPS or custom protocols with rotating IP infrastructure (T1071.001).
• Post-Exploitation: Retrieved modules for credential dumping, lateral movement, or ransomware loader delivery (T1059.001, T1105).

⚙️ Technical Highlights

• Capable of harvesting browser session cookies and credentials from web forms.
• Modular architecture allowed attackers to tailor functionality dynamically.
• Used stolen email threads for reply-chain phishing, boosting trust in its delivery method.
• Implemented various sandbox and VM evasion techniques (e.g., sleep, mutex checks).
• Common precursor to ransomware deployments like Conti, ProLock, and Egregor.

🎯 MITRE ATT&CK Techniques

• T1566.001 – Phishing: Spearphishing Attachment
• T1204.002 – User Execution: Malicious File
• T1218.011 – Signed Binary Proxy Execution: Rundll32
• T1547.001 – Registry Run Keys / Startup Folder
• T1071.001 – Application Layer Protocol: Web Protocols
• T1059.001 – PowerShell
• T1105 – Ingress Tool Transfer

💡 Trivia & Interesting Facts

• Its name “QakBot” may come from obfuscated code using variable names like “qk” or “qb.”
• Despite its long lifespan, QakBot consistently adapted to remain effective against modern defenses.
• In 2023, the FBI replaced its payloads with a “QakBot uninstaller,” removing it from 700,000+ systems.
• Its infrastructure was highly dynamic, rotating C2 addresses and payload servers frequently to avoid takedown.

Sandworm

Malware Name

Sandworm

APT Group

GRU (Russia)

Target Sector

Energy, Infrastructure, Government

Delivery Method

Spearphishing, software supply chain

MITRE TTPs

T1203, T1195, T1485

Impact

Blackouts in Ukraine, widespread wiper malware

First Observed

2014+

Status

Ongoing (multiple campaigns)

Read More

🧠 Overview

Sandworm is the name of both an advanced persistent threat (APT) group and the malware/toolset associated with them. Widely attributed to Russia’s GRU military intelligence
unit (Unit 74455), Sandworm is responsible for some of the most disruptive cyberattacks in history, including the 2015 and 2016 Ukrainian power grid attacks and the global NotPetya
outbreak in 2017. The group employs a wide range of malware, from custom backdoors to destructive wipers and ransomware-like payloads.

Aliases: Voodoo Bear, BlackEnergy Group, TeleBots, Iron Viking
Russia
At least 2009

📜 History & Notable Campaigns

• 2014: Targeted NATO, EU, and U.S. energy companies using BlackEnergy malware.
• 2015: Caused a blackout in Ukraine using BlackEnergy3 and KillDisk — first confirmed malware-induced power outage.
• 2016: Used Industroyer to hit Ukraine’s power grid again — more advanced, protocol-aware malware.
• 2017: Launched NotPetya — a pseudo-ransomware attack that caused over $10 billion in damages globally.
• 2022–2023: Active during Russia’s invasion of Ukraine, using wipers (e.g., CaddyWiper, HermeticWiper) and targeting critical infrastructure.

🔗 Attack Chain Breakdown

• Initial Access: Phishing emails, credential harvesting, and supply chain compromises (T1566.001, T1195.002).
• Execution: Dropped payloads included BlackEnergy, KillDisk, and other modular tools (T1203).
• Persistence: Leveraged scheduled tasks, registry keys, and signed drivers (T1053.005, T1547.001).
• Command & Control: Custom protocols and dynamic C2 infrastructure using obfuscated traffic (T1071.001, T1001).
• Impact: Sabotage, power grid disruption, data wiping, pseudo-ransomware — high-consequence attacks (T1486, T1490).

⚙️ Technical Highlights

• Uses a diverse toolset: BlackEnergy, Industroyer, NotPetya, GreyEnergy, and various wipers.
• NotPetya appeared to be ransomware but had no recovery mechanism — pure destruction.
• Industroyer targeted ICS/SCADA protocols directly (IEC 101/104, OPC, etc.) — rare for malware.
• Known for long dwell time and stealth — often living in networks for months before triggering destruction.
• Adapted tooling with each campaign, reusing and modifying older malware into new variants.

🎯 MITRE ATT&CK Techniques

• T1566.001 – Phishing: Spearphishing Attachment
• T1195.002 – Supply Chain Compromise
• T1547.001 – Registry Run Keys / Startup Folder
• T1053.005 – Scheduled Task/Job: Scheduled Task
• T1071.001 – Application Layer Protocol: Web Protocols
• T1486 – Data Encrypted for Impact
• T1490 – Inhibit System Recovery
• T1001 – Data Obfuscation (for C2 and payload delivery)

💡 Trivia & Interesting Facts

• Sandworm’s NotPetya attack originally spread via a compromised Ukrainian tax software update (MeDoc).
• The 2015 Ukraine blackout involved switching off circuit breakers remotely and then launching KillDisk to delay recovery efforts.
• Many of Sandworm’s tools were signed with stolen certificates to avoid detection.
• Named after the giant creatures in Frank Herbert’s “Dune” — a nod to its buried and explosive potential.

Stuxnet

Malware Name

Stuxnet

APT Group

Likely Unit 8200 / US-IS

Target Sector

Industrial Control Systems (ICS)

Delivery Method

USB spread, multiple 0-days

MITRE TTPs

T1055, T1203, T1027

Impact

Sabotage of Iranian nuclear centrifuges

First Observed

2009

Status

Historic, foundational malware

Read More

🧠 Overview

Stuxnet is one of the most sophisticated pieces of malware ever discovered. Designed as a cyber-weapon, it specifically targeted industrial control systems (ICS), particularly
Siemens PLCs, with the goal of sabotaging Iran’s nuclear enrichment program. Widely attributed to a joint operation between the U.S. and Israel, Stuxnet marked a turning point in
cyberwarfare — showing how code could cause physical destruction in the real world.

Aliases: W32.Stuxnet, Olympic Games
First Observed: 2010 (discovered), believed to be active since 2007
Primary Target: Siemens Step7 systems on Windows machines connected to centrifuges

📜 History & Notable Campaigns

• 2007–2009: Believed to have been deployed via USB and targeted select systems in Iran’s Natanz facility.
• June 2010: Discovered by Belarusian antivirus firm VirusBlokAda after anomalies appeared on Iranian computers.
• 2010–2012: Security researchers dissect the code and uncover its ICS-targeting precision — first of its kind.
• Post-2012: Stuxnet’s code and tactics inspire future ICS attacks (e.g., Industroyer, Triton).

🔗 Attack Chain Breakdown

• Initial Access: Delivered via infected USB drives or shared network drives (T1091, T1200).
• Execution: Used zero-day exploits and signed drivers to escalate privileges and remain stealthy (T1068, T1218.011).
• Discovery: Searched for specific Siemens Step7 configurations connected to centrifuge control systems (T1046, T1018).
• Impact: Sent malicious commands to PLCs, subtly altering rotor speeds to cause physical degradation without triggering alarms (T0832, T0886).
• Cover Tracks: Replayed legitimate data to prevent operators from noticing the sabotage (T1070.001).

⚙️ Technical Highlights

• Exploited four zero-day vulnerabilities — an unprecedented number at the time.
• Used legitimate stolen digital certificates (from Realtek and JMicron) to appear trusted.
• Targeted only very specific ICS environments — an early example of precision cyberweapons.
• Had redundant propagation mechanisms: USB, SMB, WinCC, and RPC.
• Included rootkit capabilities to hide on both Windows systems and Siemens PLCs.

🎯 MITRE ATT&CK Techniques

• T1200 – Hardware Additions (USB infection)
• T1068 – Exploitation for Privilege Escalation
• T1218.011 – Signed Binary Proxy Execution: Rundll32
• T1091 – Replication Through Removable Media
• T1046 – Network Service Discovery
• T1018 – Remote System Discovery
• T1070.001 – Indicator Removal on Host: Clear Windows Event Logs

💡 Trivia & Interesting Facts

• Stuxnet is believed to have destroyed around 1,000 uranium centrifuges — without firing a single bullet.
• The name “Stuxnet” was derived from fragments found in the code — not the name used by its creators.
• Its discovery was accidental — the malware had unintentionally spread beyond its target and was eventually found in the wild.
• Stuxnet is widely credited with ushering in the era of cyber-physical warfare and inspired decades of ICS-targeted malware research.

TrickBot

Malware Name

TrickBot

APT Group

Wizard Spider

Target Sector

Financial, Education, Healthcare

Delivery Method

Malspam, Emotet delivery

MITRE TTPs

T1059.003, T1071.001, T1203

Impact

Credential harvesting, lateral movement, ransomware delivery

First Observed

2016

Status

Disrupted 2022

Read More

🧠 Overview

TrickBot is a modular banking trojan that evolved into a multi-functional malware platform capable of credential theft, lateral movement, and malware delivery. Originally
developed as a successor to Dyre, TrickBot became a key player in the cybercrime ecosystem, often working in tandem with Emotet and Ryuk. It was operated as a
malware-as-a-service (MaaS) and widely used by both criminal syndicates and ransomware operators.

Aliases: TrickLoader, Totbrick
First Observed: 2016
Initial Purpose: Banking credential theft and account takeover

📜 History & Notable Campaigns

• 2016: Emerged following the takedown of the Dyre banking trojan.
• 2017–2019: Frequently dropped by Emotet; expanded its feature set with modules for propagation, credential theft, and reconnaissance.
• 2020: Used to gain footholds for Ryuk ransomware deployments; became a major tool in targeted ransomware campaigns.
• Oct 2020: Microsoft and global partners attempted takedown of its infrastructure — disrupted but not fully disabled.
• 2022: TrickBot's operators (Wizard Spider) gradually shifted focus to the more advanced BazarLoader framework.

🔗 Attack Chain Breakdown

• Initial Access: Delivered via phishing emails or dropped by Emotet/QakBot (T1566.001, T1204.002).
• Execution: Malicious DLLs executed via rundll32.exe or PowerShell (T1218.011, T1059.001).
• Persistence: Created scheduled tasks and modified registry keys to remain active (T1053.005, T1547.001).
• Command & Control: Used web protocols with fallback IPs and hardcoded domains (T1071.001, T1008).
• Post-Exploitation: Downloaded modules for credential harvesting, Active Directory enumeration, and lateral movement (T1087, T1018, T1021.002).

⚙️ Technical Highlights

• Highly modular — included plugins for VNC, browser injection, credential theft, and more.
• Frequently used to map enterprise networks before launching ransomware (e.g., Ryuk, Conti).
• Included anti-analysis techniques and could detect virtualization or sandbox environments.
• Used “web injects” to modify banking portals and steal credentials in real-time.
• Had its own proprietary communication protocol with encryption and proxy support.

🎯 MITRE ATT&CK Techniques

• T1566.001 – Phishing: Spearphishing Attachment
• T1204.002 – User Execution: Malicious File
• T1218.011 – Signed Binary Proxy Execution: Rundll32
• T1053.005 – Scheduled Task
• T1547.001 – Registry Run Keys / Startup Folder
• T1071.001 – Application Layer Protocol: Web Protocols
• T1021.002 – SMB/Windows Admin Shares
• T1087 – Account Discovery
• T1018 – Remote System Discovery

💡 Trivia & Interesting Facts

• TrickBot originally used fake Office update lures with macro-laced documents to infect users.
• Its modular framework meant it could evolve quickly — over 20 different modules were seen in the wild.
• The name “Wizard Spider” refers to the criminal group behind TrickBot, also linked to Conti ransomware operations.
• Despite takedowns, TrickBot continued to operate in fragmented forms until its operators shifted to BazarLoader and newer tools.

WannaCry

Malware Name

WannaCry

APT Group

Lazarus Group (North Korea)

Target Sector

Healthcare, Finance, Government

Delivery Method

SMB Exploit via EternalBlue (MS17-010)

MITRE TTPs

T1210, T1486, T1059

Impact

Global ransomware outbreak affecting 200k+ systems

First Observed

May 2017

Status

Patchable but still seen in wild

Read More

🧠 Overview

WannaCry is a ransomware worm that caused a global cyber incident in May 2017. It exploited the EternalBlue vulnerability in Microsoft’s SMBv1 protocol to spread rapidly
across networks without human interaction. The ransomware encrypted files and demanded payment in Bitcoin, displaying a red warning screen to victims. Although a kill switch
temporarily halted its spread, WannaCry infected over 200,000 machines in more than 150 countries — including hospitals, transportation systems, and businesses.

Aliases: WCry, WannaCrypt, Wanna Decryptor
First Observed: May 12, 2017
Primary Impact: Mass disruption and file encryption across critical infrastructure and businesses

📜 History & Notable Campaigns

• May 2017: Global outbreak begins, with massive impact on the UK’s NHS, Telefónica, FedEx, and others.
• Day 1: MalwareTech researcher discovers and registers a hidden domain — the kill switch — halting further spread.
• Post-2017: Variants without the kill switch appeared but failed to reach the same scale.
• Attribution: U.S., UK, and others attributed the attack to North Korean APT group Lazarus.

🔗 Attack Chain Breakdown

• Initial Access: Exploited SMBv1 vulnerability (EternalBlue, CVE-2017-0144) on exposed or internal systems (T1210, T1203).
• Execution: Payload executed upon exploitation, encrypting files and displaying the ransom note (T1486).
• Lateral Movement: Spread automatically to vulnerable systems via SMB — no user interaction required (T1021.002).
• Impact: Encrypted files, disabled recovery functions, and caused mass outages (T1489, T1490).
• Persistence: Limited; primarily focused on rapid infection and impact rather than long-term access.

⚙️ Technical Highlights

• Used EternalBlue and DoublePulsar exploit chain to infect unpatched Windows systems.
• Encrypted files with .WNCRY extension; displayed a ransom note demanding $300–$600 in Bitcoin.
• Kill switch domain acted as a safeguard — if reachable, the malware would halt execution.
• Included functionality to delete shadow copies and disable recovery options using vssadmin and wbadmin.
• Caused estimated damages of over $4 billion globally despite generating relatively low ransom revenue.

🎯 MITRE ATT&CK Techniques

• T1203 – Exploitation for Client Execution
• T1210 – Exploitation of Remote Services
• T1021.002 – SMB/Windows Admin Shares
• T1486 – Data Encrypted for Impact
• T1489 – Service Stop
• T1490 – Inhibit System Recovery

💡 Trivia & Interesting Facts

• The red ransom screen featured a countdown timer and multilingual instructions for Bitcoin payment.
• WannaCry's spread was slowed dramatically after a researcher registered its hardcoded kill switch domain.
• Ironically, it spread primarily through organizations that had not applied a Microsoft patch released two months earlier.
• Despite its success as a worm, the payment system was poorly designed, and few victims actually received decryption keys.