014
EXH-014
2017
Fictional reconstruction
The Kill Switch
May 12, 2017. NHS trusts see BSOD cascades. A worm encrypting files at line speed is spreading through SMBv1 using an exploit stolen from Equation Group, until someone registers a nonsense domain.
Type: Classic
Difficulty: Intermediate
Era: 2010s
Time: 10 min
Briefing
Binary execution is disabled on this VM. You have `strings-wannacry.txt` and a CISA flash summary. No EternalBlue replay.
Your role
Malware reverse engineer extracting static strings from a captured sample.
Objective
Identify the MS17-010 / EternalBlue class vulnerability, the ransomware family name, and the accidental kill-switch mechanism from strings alone.
Terminal environment
- user: analyst
- host: forensics-04
- cwd: /malware-lab/quarantine
- steps: 3
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.