Chapter 40 Β· Helper 3

Real-World Examples

Classic multi-stage attack chains and the exam scenarios that test whether you can identify malware types in context.

WannaCry 2017 β€” Ransomware at Global Scale

In May 2017, a ransomware campaign called WannaCry infected over 200,000 systems across 150 countries within a matter of days. It is the most widely cited ransomware example because it demonstrated how ransomware and a worm can combine into a single devastating attack.

The worm component: WannaCry spread using a Windows vulnerability called EternalBlue β€” an exploit developed by the U.S. National Security Agency and leaked publicly. EternalBlue targeted the SMB (Server Message Block) protocol used for file sharing in Windows environments. A vulnerable system exposed to the network could be infected with no user interaction whatsoever β€” no email to click, no file to open. The worm scanned networks for vulnerable machines and automatically installed itself.

The ransomware component: Once the worm installed itself, it deployed the ransomware payload: files were encrypted with RSA-2048 public-key encryption, and a ransom demand appeared demanding payment in Bitcoin. The OS remained functional; only data files were encrypted. The demand was approximately $300 per system, increasing to $600 after a time limit.

Why it spread so fast: The EternalBlue vulnerability had been patched by Microsoft in March 2017 β€” two months before WannaCry launched. Organizations that had applied the patch were not vulnerable. Organizations that had not patched were exposed to a self-spreading, zero-user-interaction infection. In the NHS (UK National Health Service), unpatched Windows XP systems β€” operating system past end-of-life with no available patch β€” accounted for much of the damage. Hospitals cancelled appointments and diverted ambulances.

The backup lesson: Organizations with current offline backups were able to wipe and restore. Organizations without backups faced a choice: pay the ransom or lose the data permanently.

Exam takeaways: (1) WannaCry = worm + ransomware. The worm is the delivery mechanism; ransomware is the payload. (2) Self-propagating ransomware does not require any user action to spread β€” it exploits network-facing vulnerabilities. (3) A patch released two months earlier would have stopped most infections β€” unpatched systems are the vulnerability. (4) Offline backups are the only reliable recovery path when ransomware encrypts all accessible data.

The Classic Multi-Stage Attack Chain

The WannaCry attack was unusual because the worm and ransomware were combined. More commonly, sophisticated attacks use a multi-stage chain where different malware types serve different phases of the attack. Understanding this chain is critical for the exam β€” questions will describe behaviors at different stages and ask what type of malware is responsible.

Stage 1 β€” Initial Access (Trojan or drive-by): An attacker sends a phishing email with a link to a compromised website. When the victim visits the site, a drive-by download exploits a browser vulnerability and executes a small piece of code. Or the victim is convinced to install what appears to be a legitimate software update β€” a Trojan horse. The result is the same: a foothold on the victim's machine.

Stage 2 β€” Persistence and Concealment (Rootkit/Backdoor): The initial payload installs a backdoor β€” a remote access mechanism that calls home to the attacker's infrastructure β€” and a rootkit that hides both the backdoor and its network connections from the OS and security software. The attacker can now return to this machine at any time without re-exploiting a vulnerability.

Stage 3 β€” Credential Harvesting (Keylogger): A keylogger begins recording every keystroke on the system. Over days or weeks, it captures login credentials for internal systems, VPN credentials, privileged account passwords, and banking credentials. These are transmitted silently to the attacker.

Stage 4 β€” Lateral Movement: Using the stolen credentials, the attacker authenticates to other internal systems. The attacker may deploy the worm component here to auto-propagate to adjacent machines on the same network segment.

Stage 5 β€” Final Payload (Ransomware or Data Exfiltration): After mapping the environment and establishing footholds across multiple systems, the attacker deploys the final payload across all compromised machines simultaneously β€” ransomware that encrypts everything at once, or a bulk data exfiltration of the highest-value files before triggering the ransomware.

Key insight: At any stage, the visible behavior reflects only the active malware type β€” but the full chain is operating. An antivirus alert on the keylogger at Stage 3 does not mean Stage 2 (the rootkit) has been found or removed. Incident response requires treating a malware detection not as a resolved incident but as evidence of a potentially deeper compromise.

Exam Scenario 1 β€” Identifying Malware Type by Behavior

Scenario: A user reports that their computer is running slowly and they are seeing frequent pop-up advertisements even when no browser is open. An antivirus scan detects a program that was installed when the user downloaded a free video converter three weeks ago. The program has been transmitting usage data to an external server. Which malware type BEST describes this program?

Answer: This is most consistent with spyware (or potentially adware/bloatware, depending on classification). The indicators are: (1) installed bundled with a free application without the user's awareness of its true purpose β€” consistent with Trojan delivery mechanism; (2) transmitting data to an external server without consent β€” the defining characteristic of spyware; (3) generating pop-up advertisements β€” a characteristic of adware, which is closely related to spyware. On the exam, the key distinguishing factor is the unauthorized data transmission: software that secretly monitors and reports user activity is classified as spyware regardless of how it was delivered. Pop-up advertisements alone would suggest adware/bloatware; the combination of pop-ups plus data transmission points to spyware.

Exam Scenario 2 β€” Ransomware Response

Scenario: A hospital administrator receives a call that staff cannot open patient records. An IT technician investigates and finds that files in the patient records system have unfamiliar extensions and cannot be opened. A text file on the desktop reads: "Your files have been encrypted. Send 10 Bitcoin to receive the decryption key. You have 72 hours." The hospital's Windows workstations and servers are otherwise functional. What type of malware is this, what is the attacker's goal, and what is the correct immediate response?

Answer: This is ransomware. The indicators are: (1) files encrypted with changed extensions β€” data encryption is the signature behavior; (2) OS remains functional β€” deliberate design to allow the victim to act on the ransom demand; (3) explicit monetary demand in exchange for decryption key β€” extortion model.

The attacker's goal is financial extortion. They do not want to destroy the hospital's systems; they want the hospital to pay for the decryption key. Patient data is particularly high-value leverage because hospitals have strong operational and patient-safety incentives to restore access quickly.

Correct immediate response: (1) Isolate affected systems from the network immediately to prevent further encryption spread. (2) Identify the scope β€” which systems are affected, when encryption began. (3) Check backup availability β€” is there a recent, clean backup that pre-dates the encryption? If an offline backup exists from before the infection, the recovery path is to wipe and restore from the backup, not to pay the ransom. (4) Do not pay the ransom unless there is no backup and no other recovery option β€” payment does not guarantee decryption, may mark the organization as a paying target, and may violate sanctions depending on the attacker's jurisdiction. (5) Preserve forensic evidence (encrypted files, ransom note, network logs) for law enforcement and insurance purposes.

Exam Scenario 3 β€” The Drive-by Download

Scenario: A security analyst is reviewing logs and finds that a workstation was infected with malware at 10:43 AM. The user reports that at approximately that time they were browsing industry news websites. The user did not click any download links and did not open any email attachments. The antivirus alert identifies the malware as a downloader that attempted to retrieve a secondary payload. What infection vector BEST explains this incident?

Answer: This is a drive-by download. The key indicator is the combination of: (1) infection occurred while visiting a legitimate-appearing website; (2) the user did not click any links or open attachments β€” no deliberate user action; (3) infection was triggered simply by loading the page. Drive-by downloads exploit vulnerabilities in the browser, browser plugins, or JavaScript engine to execute malicious code without user interaction beyond loading the page. The "downloader" malware type identified in the alert is consistent with a drive-by delivery mechanism: stage 1 code is small and designed only to download and execute the actual payload (stage 2). The correct remediation includes: patching the browser immediately, investigating whether the secondary payload was successfully downloaded and executed, checking for persistence mechanisms (rootkit, scheduled tasks), and reviewing whether other systems visited the same compromised site.

Exam Scenario 4 β€” Logic Bomb Discovery

Scenario: A software developer was terminated from their position six weeks ago following a performance review. A routine security audit of the company's codebase discovers a code block in the payroll processing application that the developer authored. The code checks whether the developer's employee ID is still present in the HR database β€” and if the ID is not found (i.e., the developer's account has been deleted), it executes a routine that overwrites the payroll database with random data. What type of malware is this, and what should the organization do?

Answer: This is a logic bomb. The characteristics are: (1) dormant code β€” it has not executed yet; (2) trigger condition β€” the condition "developer's employee ID is absent from the HR database" defines when it fires; (3) destructive payload β€” overwriting the payroll database with random data constitutes sabotage; (4) planted by an insider β€” logic bombs are commonly created by disgruntled employees who embed them in legitimate code before departure. Response: (1) Immediately remove or disable the malicious code block from the codebase. (2) Audit all other code authored by the same developer for additional logic bombs. (3) Preserve the code as forensic evidence for legal proceedings β€” this likely constitutes a criminal computer fraud offense. (4) Verify that the trigger has not already partially fired. (5) Review access controls β€” the developer should have had no active access to the codebase after termination. The root cause may include improper offboarding (access not revoked at termination) or insufficient code review processes.