The (makes me) Wannacry Investigation

On May 12, 2017 a virulent new strain of ransomware known as Wannacry hit hundreds of thousands of computers affecting all types of organisations across the globe. While it is well understand how Wannacry spread using EternalBlue, there was little information on how the attack initially began.

It is often the case that tracking the activity of an attacker back in time can be invaluable for learning more about how the attacker operates, and potentially identifying any mistakes made. This proved true with WannaCry 1.0.

This talk aims to present a walk-through of Symantec’s investigation into Wannacry and how we were able to identify links to previously identified malware families and tools used in attacks against Sony Pictures Entertainment in November, 2014 to ultimately identify who was behind the attack.


Alan is a senior threat intelligence analyst on the attack investigations team in Symantec. Alan is responsible for leading and documenting investigations into high profile attacks affecting Symantec customers and acting as a liaison between LE and Symantec.

Print Friendly, PDF & Email