
In May 2017, a devastating ransomware attack spread rapidly across the globe, locking critical systems and demanding Bitcoin payments. This challenge explores the inner workings of one of the most infamous cyber threats in history. Analyze how the ransomware exploited system vulnerabilities, encrypted data, and propagated through networks. Use your investigation skills to uncover key technical and impact-related details of the attack.

Question1.
What vulnerability did WannaCry exploit?
Question2.
What encryption algorithm did WannaCry use?
Question3.
What patch did Microsoft release to fix the vulnerability?
Question4.
What was the kill switch domain for WannaCry?
Question5.
What is a best practice to prevent ransomware attacks?
Question6.
To which group was the WannaCry attack attributed?
Question7.
How much ransom was demanded per infected system?
Question8.
What was the file extension of encrypted files?
Question9.
What was the name of the main WannaCry ransomware executable that displayed the ransom note and handled file encryption?
Question10.
What was the SMB port exploited by WannaCry?
Question11.
On what date did the WannaCry attack begin?
Question12.
When was the kill switch discovered?
Question13.
What was the name of the researcher who discovered the kill switch?
Question14.
What was the CVE identifier for the EternalBlue vulnerability?
Question15.
What Windows component did WannaCry exploit to propagate?
Question16.
What was the key lesson learned from the WannaCry attack?
BlackCat, also known as ALPHV, emerged as a prolific ransomware-as-a-service (RaaS) group in late 2021. Written in Rust, the malware could be built for several platforms; intrusions often began with stolen credentials, with RDP abused for lateral movement. Affiliates used tools such as Mimikatz to dump credentials from LSASS memory and escalated privileges through token impersonation. They targeted both Windows and ESXi servers and disabled the Volume Shadow Copy Service (VSS) to prevent recovery.
The malware used AES-CTR encryption and custom packing to evade detection. Persistence was maintained through WMI event subscriptions, and some affiliates automated their attack steps with the Empire PowerShell framework. Attackers staged data (ATT&CK T1074, Data Staged) before uploading it to Mega, then ran a dual-extortion campaign by threatening to leak it. Encrypted files were marked with the .ALPHV extension, and antivirus processes such as MsMpEng were terminated. Remote control of infected machines was maintained through C2 over HTTPS.
Attribution was difficult because of the affiliate model, and most ransoms were paid in Monero. A global takedown was delayed by jurisdictional limitations, which allowed the group to remain active across sectors.
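Several behaviours in the paragraph above (shadow-copy deletion, WMI event-subscription persistence, termination of MsMpEng, LSASS credential dumping) are exactly what a detection engineer would alert on before the encryptor runs. The following Python is an added example and not BlackCat's code nor any vendor product's: it runs a handful of command-line rules over constructed process-creation events in an assumed pipe-delimited format (timestamp|host|user|image|command_line) and flags hosts that show more than one technique in the log, since a lone shadow-copy deletion can be an administrator but recovery inhibition plus defence evasion or persistence on one host is the ransomware pattern. The ATT&CK IDs other than T1074 are supplied by the example, not by the page.

```python
"""Command-line detections for the ransomware precursor behaviours described
above.  Added example, not BlackCat code and not from any vendor product; the
log format and every log line below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log format (assumption): timestamp|host|user|image|command_line
# Constructed sample events: the first four lines show one host going through
# recovery inhibition, Defender termination and WMI persistence in a
# two-minute window; the fifth is credential dumping on another host; the
# last line is benign activity that must not alert.
SAMPLE_LOG = r"""
2024-03-05T02:14:07Z|FS01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-03-05T02:14:09Z|FS01|CORP\svc_backup|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2024-03-05T02:14:31Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|cmd /c taskkill /f /im MsMpEng.exe
2024-03-05T02:15:02Z|FS01|CORP\svc_backup|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -c "Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{Name='Updater';CommandLineTemplate='C:\ProgramData\u.exe'}"
2024-03-05T02:16:44Z|WS22|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\mk.exe|mk.exe privilege::debug sekurlsa::logonpasswords exit
2024-03-05T09:00:12Z|WS07|CORP\admin|C:\Windows\System32\cmd.exe|cmd /c dir C:\Users
"""

# Each rule: (regex over the command line, MITRE ATT&CK technique, summary).
RULES = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
     "T1490", "shadow copies deleted with vssadmin"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
     "T1490", "shadow copies deleted with wmic"),
    (re.compile(r"\bsc(\.exe)?\s+(config|stop)\s+vss\b", re.I),
     "T1490", "VSS service stopped or disabled"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
     "T1490", "Windows recovery disabled via bcdedit"),
    (re.compile(r"__EventFilter|CommandLineEventConsumer|ActiveScriptEventConsumer|__FilterToConsumerBinding", re.I),
     "T1546.003", "permanent WMI event subscription created"),
    (re.compile(r"taskkill(\.exe)?\b.*\bMsMpEng(\.exe)?\b", re.I),
     "T1562.001", "Defender engine process (MsMpEng) terminated"),
    (re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+WinDefend\b", re.I),
     "T1562.001", "Defender service stopped"),
    (re.compile(r"sekurlsa::|procdump.*\blsass\b|comsvcs\.dll.*MiniDump", re.I),
     "T1003.001", "LSASS credential dumping"),
]


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    technique: str
    summary: str
    command_line: str


def parse_event(line):
    """Split one log line into its five fields.  The command line is the last
    field and may itself contain '|', so split at most four times.  Returns
    None for malformed or empty lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("timestamp", "host", "user", "image", "command_line"), parts))


def detect(log_text):
    """Run every rule over every event; alerts come back in log order."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        if event is None:
            continue
        for pattern, technique, summary in RULES:
            if pattern.search(event["command_line"]):
                alerts.append(Alert(event["timestamp"], event["host"], event["user"],
                                    technique, summary, event["command_line"]))
    return alerts


def flagged_hosts(alerts, min_techniques=2):
    """Hosts showing at least `min_techniques` distinct techniques, sorted.
    One shadow-copy deletion may be an administrator; recovery inhibition
    combined with defence evasion or persistence is the ransomware chain."""
    techniques = defaultdict(set)
    for a in alerts:
        techniques[a.host].add(a.technique)
    return sorted(h for h, t in techniques.items() if len(t) >= min_techniques)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.technique} {a.summary}: {a.command_line}")
    print("hosts with a precursor chain:", flagged_hosts(found))
```

Run against the constructed sample, the script raises five alerts (two T1490, one T1562.001, one T1546.003 on FS01 and one T1003.001 on WS22) and flags only FS01, which is the host where the three distinct precursor techniques landed within two minutes. In a real pipeline the regexes would be tuned against the environment's own administrative baseline before the host-level correlation is trusted.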
Question1.
What initial access technique did the threat actors use in most BlackCat intrusions?
Question2.
Which well-known remote desktop protocol was commonly abused for lateral movement?
Question3.
Which programming language was the BlackCat ransomware strain written in?
Question4.
What was the encryption mode used by BlackCat to make decryption more difficult?
Question5.
Which cloud storage service was often used for data exfiltration in BlackCat attacks?
Question6.
Which MITRE ATT&CK technique ID best maps to data staging before exfiltration?
Question7.
Which Windows service was disabled by the malware to prevent recovery?
Question8.
What protocol did BlackCat actors use to remotely control infected machines?
Question9.
Which dual extortion technique did BlackCat leverage post-encryption?
Question10.
What type of obfuscation made detection by EDR solutions harder?
Question11.
Besides Windows, which hypervisor platform was also targeted by BlackCat actors in enterprise environments?
Question12.
Which tool was used to extract credentials from LSASS memory?
Question13.
Which privilege escalation method was most common in BlackCat’s Windows attacks?
Question14.
Which PowerShell framework did some affiliates use to automate attack steps?
Question15.
Which antivirus process was frequently terminated using scripts?
Question16.
Why was attribution of BlackCat difficult despite global infections?
Question17.
Which file extension did BlackCat often append to encrypted files?
Question18.
Which fileless persistence method helped BlackCat maintain long-term access?
Question19.
What was the common ransom payment method used by BlackCat?
Question20.
Which legal gap allowed BlackCat operations to avoid early takedown?