Guide | How To How WannaCry works (on an unpatched Windows system) and trying to avoid it.

The associated guide may contain user-generated or external content.

Winter Soldier

Level 25
Thread author
Top Poster
Feb 13, 2017
Here some basical steps about WCRY behavior and some tips.

1) You get the malware via social engineering attack, phishing mails, etc.

2) The malware installs itself on the PC taking advantage of the well-known EternalBlue flaw and puts mssecsvc.exe in the C:\windows directory.

3) It installs itself as a service, by proceeding to execute two activities in parallel, using different executables.

4) The first task is to encrypt certain types of files: · GitHub.

5) The second one will propagate the malware on any LAN by exploiting the vulnerability in the SMB protocol with the TCP ports 445 and 139.This second component also scans the network looking for new targets to infect via SMB port 445.

6) It runs in Ring 0, then it can potentially cause more damage compared just to the encryption activity.
When we refer to the level of privileges with which an application is executed, we use the term “Ring”. With “Ring 0” are identified the processes running in kernel-mode and with “Ring 3” the “user mode” applications (such as the browser).
When the CPU operates in kernel mode, it has access to all registers and the entire memory system.
In contrast, when the CPU operates in user mode, it is allowed to access only those memory areas that are usable in “user mode”.

The code that runs in kernel mode may have non-discriminatory access to all areas of the system, to be able to run programs.

7) It drops DoublePulsar backdoor.

Trying to defend yourself.

- Performing reliable backup to easily restore your systems and your data in case of encryption, is the essential step!

- Check for security Windows update released with security bulletin MS17-010, March 14, 2017

Microsoft Security Bulletin MS17-010 - Critical

- Needless to say, use good antivirus/security apps, there are so many posts here on MT.

- The ransomware initial vector spreads via phishing, therefore, do not open links/attachments from suspicious emails and scan them on VirusTotal.

- The ransomware attacks also network share and cloud backups, then update the copy of the backups and keep sensitive data isolated and offline.

Stay Safe :)
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.