Reviewed threat activity

WannaCry Global Ransomware Outbreak

WannaCry showed how ransomware could combine worm-like propagation with destructive business impact, quickly affecting organizations across sectors and geographies.

CISA | Confidence: medium

How The Activity Unfolds In ATT&CK

WannaCry is the classic outbreak pattern: remote propagation, payload transfer, encryption, and recovery pressure. It is less subtle than espionage activity, but the ATT&CK flow is useful because it shows why impact can arrive quickly after exploitation.

  1. T1210 Exploitation of Remote Services. The activity spreads by exploiting vulnerable, exposed remote services.
  2. T1105 Ingress Tool Transfer. Components move into newly affected systems as the outbreak propagates.
  3. T1486 Data Encrypted for Impact. Files are encrypted to create operational disruption.
  4. T1490 Inhibit System Recovery. Ransomware pressure depends on limiting simple recovery paths.

Defender Readout

This entry stays in the top set because it is still a reference case for patch exposure, lateral propagation, ransomware blast radius, and recovery planning.

Evidence And Mapping Rationale

T1210 Exploitation of Remote Services
WannaCry ransomware

CISA's alert centers on the outbreak; exploitation of remote services is the behavior used to explain its worm-like spread.

T1105 Ingress Tool Transfer
Indicators Associated With WannaCry

Malware components and payload movement fit ATT&CK ingress transfer during propagation.

T1486 Data Encrypted for Impact
ransomware

The core user-facing effect was encryption of victim data for impact.

T1490 Inhibit System Recovery
ransomware

Recovery inhibition is a common ransomware impact behavior documented in analysis of the outbreak.