Malware Families Case Studies

Understanding historical malware gives us insight into attacker techniques, evolution of threats, and lessons for defense. These case studies cover some of the most impactful malware in history.

MAY 2017

WannaCry

RANSOMWARE / WORM

SEVERITY

WannaCry was a devastating ransomware attack that spread globally in May 2017, exploiting the EternalBlue vulnerability (CVE-2017-0144) in Windows SMB protocol. It infected over 230,000 computers across 150 countries in just one day, causing an estimated $4-8 billion in damages.

230K+

SYSTEMS INFECTED

150

COUNTRIES

$4-8B

EST. DAMAGES

$300

RANSOM (BTC)

TECHNIQUES USED

EternalBlue Exploit File Encryption Registry Persistence Kill Switch Domain SMB Propagation

KILL CHAIN

Initial Access

SMB exploit (port 445)

Execution

Payload deployment

Persistence

Service installation

Lateral Move

Scan & spread

Impact

Encrypt & ransom

INDICATORS OF COMPROMISE

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com KILL SWITCH

mssecsvc.exe, tasksche.exe FILENAME

.WNCRY, .WNCRYT file extensions FILE EXT

TCP/445 scanning activity NETWORK

LESSONS LEARNED

✓ Patch critical vulnerabilities immediately - MS17-010 was released 2 months before the attack

✓ Network segmentation limits worm propagation

✓ Kill switches can stop malware - researcher @MalwareTechBlog discovered WannaCry's

✓ Air-gapped backups are critical for ransomware recovery

2014-2021

EMOTET

BANKING TROJAN / LOADER

SEVERITY

EMOTET evolved from a simple banking trojan to "the world's most dangerous malware" - a sophisticated botnet that served as a delivery platform for other malware. It pioneered thread hijacking in phishing and was finally disrupted by law enforcement in January 2021.

1.6M+

INFECTED MACHINES

7 Years

ACTIVE PERIOD

$2.5B+

EST. DAMAGES

BOTNETS (EPOCHS)

TECHNIQUES USED

Malicious Documents Heavy Obfuscation Thread Hijacking Scheduled Tasks Modular Payloads

Evolution: EMOTET transformed from a banking trojan (2014) → botnet (2017) → malware-as-a-service platform delivering TrickBot, Ryuk, and Qakbot.

INDICATORS OF COMPROMISE

Reply-chain phishing emails with .doc attachments DELIVERY

PowerShell download cradles EXECUTION

%LOCALAPPDATA%\[random]\[random].exe FILE PATH

Port 8080, 443 C2 traffic NETWORK

LESSONS LEARNED

✓ Disable Office macros by default - primary infection vector

✓ User awareness training for phishing recognition

✓ Email authentication (DMARC, DKIM, SPF) helps prevent spoofing

✓ International law enforcement cooperation can disrupt major botnets

2010

Stuxnet

CYBER WEAPON / WORM

SOPHISTICATION

Stuxnet was the first known cyber weapon designed to cause physical damage. It targeted Iranian nuclear enrichment facilities, specifically Siemens PLCs controlling uranium centrifuges. It destroyed approximately 1,000 centrifuges by causing them to spin at incorrect speeds while reporting normal operations.

ZERO-DAYS USED

~1,000

CENTRIFUGES DESTROYED

500KB

PAYLOAD SIZE

ORGANIZATIONS HIT

TECHNIQUES USED

4 Zero-Day Exploits Signed with Stolen Certs Air-Gap Jumping PLC Manipulation Process Hiding

Attribution: Widely believed to be a joint US-Israeli operation (codenamed "Olympic Games"). This was the first publicly known instance of a nation-state using malware to cause physical destruction.

LESSONS LEARNED

✓ Air-gapped networks are not immune - USB vectors can bridge gaps

✓ ICS/SCADA systems require specialized security approaches

✓ Nation-state actors have significant resources and patience

✓ Supply chain attacks can reach high-security targets

2009

Slowloris

DoS TOOL

SIMPLICITY

Slowloris is an elegant denial-of-service tool that exhausts web server connections by opening many connections and keeping them alive with partial HTTP requests. Unlike volumetric DDoS, it requires minimal bandwidth - a single machine can take down a vulnerable server.

~150

LINES OF CODE

Low

BANDWIDTH NEEDED

Apache

PRIMARY TARGET

2009

RELEASED

HOW IT WORKS

Partial HTTP Requests Connection Exhaustion Low & Slow Keep-Alive Abuse

ATTACK MECHANISM

Connect

Open HTTP connection

Partial Request

Send incomplete headers

Keep Alive

Send bytes periodically

Exhaust

Fill connection pool

Deny Service

Block new users

DETECTION INDICATORS

Many connections from single IP in TIME_WAIT NETWORK

Incomplete HTTP requests in logs LOG

Connection count near max limit SERVER

DEFENSES

✓ Use web servers with async I/O (Nginx, IIS) - not vulnerable

✓ Configure aggressive connection timeouts

✓ Rate limit connections per IP

✓ Use reverse proxy or load balancer in front of Apache

JUNE 2017

NotPetya

WIPER / PSEUDO-RANSOMWARE

SEVERITY

NotPetya was disguised as ransomware but was actually a destructive wiper. It spread via a compromised Ukrainian accounting software (M.E.Doc) and caused over $10 billion in damages worldwide. The "ransom" mechanism was non-functional - data destruction was the goal.

$10B+

TOTAL DAMAGES

$300M

MAERSK LOSS

65+

COUNTRIES HIT

Ukraine

PRIMARY TARGET

TECHNIQUES USED

Supply Chain Attack SMB Exploits Mimikatz (Credential Theft) MBR Overwrite False Flag (Ransomware)

Supply Chain Vector: NotPetya's initial infection came through a legitimate software update from M.E.Doc, a Ukrainian accounting application. This demonstrated how supply chain compromises can bypass traditional security.

LESSONS LEARNED

✓ Supply chain security is critical - vet software vendors

✓ Not all "ransomware" can be recovered from - some is pure destruction

✓ Geographic targeting can have global collateral damage

✓ Credential hygiene prevents lateral movement

Comparison Matrix

Malware	Type	Primary Vector	Goal	Attribution
WannaCry	Ransomware/Worm	SMB Exploit	Financial	North Korea (Lazarus)
EMOTET	Loader/Botnet	Phishing	MaaS Platform	Criminal (TA542)
Stuxnet	Cyber Weapon	USB/Supply Chain	Sabotage	US/Israel
Slowloris	DoS Tool	Direct Attack	Service Disruption	RSnake (researcher)
NotPetya	Wiper	Supply Chain	Destruction	Russia (Sandworm)

Module Complete!

You've studied historical malware families and their techniques. Continue to the next module to learn how to safely analyze malware in a sandbox environment.

Next: Sandbox Setup →

← Previous: Static Analysis Next Module →