Example – 01 WannaCry Ransomware with Diamond Model

WannaCry in Diamond Model

In this blog post, will explain how wanna cry ransomware event can be mapped with Diamond model.

Check this blog post for an overview of Diamond model.

WannaCry ransomware is a consequence of MS-17-010, a vulnerability in Server Message Block V 1.0 which was exploited using Eternal Blue exploit. This caused a lot of impact to users with outdated version of windows OS and those who had not patched MS-17-010.

Ransomware started to spread through a malicious email, a classic exploit delivery method. Once on network, lateral movement infected other systems which were vulnerable.

Applying Diamond model to this event,

Core Features

Adversary – Attacker with eternal blue exploit coupled with malware which encrypts data

Capability – Encrypt Data, Move laterally exploiting vulnerability,

Victim – Windows OS vulnerable to MS-17-010

Infrastructure – Mail, Malicious PDF

Socio-Political – Money, attackers exploited users to make money. Intent was behind money. Fake promises were made to decrypt data once payment was made. — Technical Meta feature – Exploits MS-17-010 using eternal blue exploit and encrypts user data. Moves laterally infecting other systems through vulnerable SMB shares.

Meta Features

Timestamp – May 2017 Phase – Exploit Result – Success ( impact on availability, user data is encrypted) Direction – Infrastructure to Victim Methodology – Phishing , Malware Resources – Vulnerable WindowsOS, Eternal blue exploit, malicious pdf

Part 1 of this blog explains Diamond model for intrusion analysis.


  1. WannaCry ransomware

#Threatintel #DiamondModel

— By Fabian Darius