Balazs Lendvay

Wannacry has been one of the most famous ransomware families in computer history (so far), which allows us to investigate how it worked and identify indicators of compromise. The goal of the course is not to protect against Wannacry, but to provide you with a methodology to quickly assess the behaviour of a suspicious application on a computer. The tools we use in this course are free for personal use, but there are many other solutions you can use for the same purpose.


At the end of this training you will have a solid understanding of how the ransomware works and how to protect your environment, and you will also be able to use the tools to identify and analyse other malicious tools. You will not be a malware analyst; this is not the course for that. This course will give you the steps to do incident response in a quick manner and to see which areas you need to develop using other courses. Deep malware analysis is a very interesting area, but it is not necessarily part of the incident response team's work. There are companies and people specialising in malware analysis, and one can spend hours, days, weeks or months analysing a single malware sample. This course aims for quick response.


What's inside

Learning objectives

  • Investigate and understand the behavior of the Wannacry ransomware in a lab environment, using your own computer if you wish.
  • Triage and identify indicators of compromise.
  • Live analysis of the infected lab machine for Windows artifacts.
  • Static analysis of the identified executable and artifacts.
  • Sandbox analysis of the malicious activity, including network activity, processes, services and autoruns.
  • Create a summary report of the incident and identify remediation recommendations.

Syllabus

  • Disabling some features in Windows to enable Wannacry to infect.
  • Configuring shared folders for file transfer and tool installation.
  • Installing a firewall in the lab to provide DHCP etc.
  • Introduction to the training and the instructor.
  • Short introduction to the Wannacry ransomware and its impact.
  • Introduction to the scenario we will walk through in the training.
  • Please see the supporting material attached. Download this before proceeding to the next section.
  • The info.txt has most of the links and commands you might need to use during the course.
  • The zip file contains the evidence and supporting material, including the presentation. Password is: "wannacry".
  • Introduction to the section.
  • Downloading a hex editor.
  • Downloading the necessary tools to install Windows 10.
  • Installing Windows 10 in the lab environment.
  • Downloading the Windows 7 installer ISO.
  • Installing Windows 7 in the lab environment.
  • Downloading the installer ISO.
  • Installing OPNsense in the lab environment.
  • Analysis using the hex editor HxD.
  • Getting the Wannacry malware sample from multiple sources.
  • Making sure the lab environment is ready to be infected with Wannacry.
  • Infecting the Windows 10 machine with Wannacry.
  • Downloading the tools for taking a memory image.
  • Taking a memory snapshot.
  • Downloading the disk imaging tool.
  • Taking a disk image using FTK Imager.
  • Downloading the Microsoft Sysinternals Suite.
  • Quick analysis of the Windows 10 machine: network connections, processes, services, autoruns.
  • Gathering system information for the report.
  • Windows 10 analysis: file and process information #1.
  • Windows 10 analysis: file and process information #2.
  • Windows 10 analysis: file and process information #3.
  • Autoruns analysis.
  • Downloading the tools for static exe file information extraction.
  • Static exe file analysis.
  • Getting the password for the embedded payload in the Wannacry executable.
  • Downloading registry editing tools.
  • Analysing the registry using the registry explorer tools.
  • Downloading network capturing and registry snapshot tools.
  • Preparing the lab for the sandbox analysis.
  • Executing Wannacry in the lab and capturing the activity.
  • Preparing the sandbox analysis results for analysis.
  • Analysing the network traffic capture.
  • Analysing the Procmon capture.
  • Analysing registry changes.
  • Using the Redline automated forensics tool to capture the system activity.
  • Analysing the Redline capture.
  • Downloading the FakeNet networking tool.
  • Analysing the killswitch domain in the network traffic.
  • Analysing one more executable on the Windows 7 machine.
  • List of remediation actions that would prevent Wannacry from encrypting files or spreading.
  • Summary of the activities performed by Wannacry.
  • Closing thoughts and thanks for taking this training!

Traffic lights

  • Provides a methodology for quickly assessing the behavior of suspicious applications, which is crucial for effective incident response.
  • Uses tools that are free for personal use, allowing learners to gain practical experience without incurring additional costs.
  • Focuses on quick incident response rather than deep malware analysis, aligning with the immediate needs of incident response teams.
  • Requires learners to set up a lab environment with Windows 7 and Windows 10, which may require specific software and hardware.
  • Walks through disabling Windows features to enable Wannacry infection, which may be risky if not performed in a properly isolated lab environment.
  • Covers static and dynamic analysis, including network activity, processes, services, and autoruns, which are essential skills for incident responders.


Reviews summary

Wannacry incident response practice course

According to learners, this course offers a highly practical, hands-on approach to incident response using the Wannacry ransomware as a case study. Students learn to use industry-relevant tools like FTK Imager, Sysinternals, Procmon, and Redline in a step-by-step lab environment to identify indicators of compromise, analyze artifacts, and perform quick triage. The course provides a solid methodology for rapid incident response. However, some students found the lab environment setup challenging, requiring significant prior knowledge of virtualization and networking.
Focuses on quick incident response.
  • "It's definitely geared towards incident response, not malware analysis, which is what I needed."
  • "It's clear this is for quick IR, not deep dive malware reverse engineering..."
  • "As stated, this isn't malware analysis, focus is speed."

Practical steps for quick incident response.
  • "The methodology taught is actionable and relevant for quick response."
  • "Provided a solid introduction to incident response techniques using the Wannacry case study."
  • "The focus on quick triage and IOC identification is spot on for IR."

Gain experience with key IR tools.
  • "Using real tools like FTK Imager and Sysinternals gave me practical experience..."
  • "Useful demonstrations of Procmon and Redline are very practical."
  • "Analyzing the network traffic with Fakenet and understanding the killswitch was a key takeaway."

Learn IR by doing in a practical lab.
  • "The hands-on lab environment setup was challenging but incredibly rewarding."
  • "Walking through the Wannacry incident response steps using real tools like FTK Imager and Sysinternals gave me practical experience..."
  • "Learning by doing the steps gave me practical experience I couldn't get elsewhere."

Need prior IT/VM/networking knowledge.
  • "The instructions assume a bit too much prior knowledge of VMs and networking."
  • "Needed prior knowledge of virtualization and networking."
  • "Very difficult to follow if you don't have a strong background in virtualization and network configuration."

Lab environment setup can be difficult.
  • "My main challenge was getting the lab network configured correctly, which required some troubleshooting..."
  • "The lab setup was a major pain."
  • "Struggled with setting up the VMs and network."

Activities

Be better prepared before your course. Deepen your understanding during and after it. Supplement your coursework and achieve mastery of the topics covered in Cyber Security Incident Response Wannacry Ransomware with these activities:
Review Networking Fundamentals
Strengthen your understanding of networking concepts to better analyze Wannacry's network activity and communication.
  • Review the OSI model and key network protocols.
  • Practice subnetting and IP addressing exercises.
  • Research common network security vulnerabilities.
Review Windows Operating System Internals
Solidify your knowledge of Windows internals to effectively analyze system artifacts and identify malicious activity during incident response.
  • Study the structure and function of the Windows Registry.
  • Learn how to identify suspicious processes and services.
  • Understand the Windows boot process and autorun mechanisms.
Practice Static Analysis Techniques
Sharpen your static analysis skills to quickly extract valuable information from Wannacry samples and understand their functionality.
  • Use a hex editor to examine the file headers and structure.
  • Extract strings and identify potential indicators of compromise.
  • Disassemble the code and analyze the control flow.
Follow a Tutorial on Memory Forensics
Learn how to analyze memory dumps to uncover hidden processes, injected code, and other malicious artifacts related to Wannacry.
  • Download and install a memory forensics tool like Volatility.
  • Follow a tutorial to analyze a memory dump from an infected machine.
  • Identify suspicious processes, network connections, and injected code.
Review: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Expand your knowledge of malware analysis techniques to better understand the inner workings of Wannacry.
  • Read the chapters on static and dynamic analysis.
  • Practice the techniques described in the book on Wannacry samples.
  • Compare your findings with the course materials.
Write a Blog Post on Wannacry Remediation
Reinforce your understanding of Wannacry remediation techniques by creating a blog post that summarizes key steps and best practices.
  • Research common remediation actions for Wannacry.
  • Write a clear and concise blog post explaining the steps.
  • Include practical tips and recommendations for preventing future infections.
Build a Yara Rule for Wannacry Detection
Apply your knowledge of Wannacry's characteristics to create a Yara rule that can detect its presence on a system.
  • Identify unique strings and patterns in the Wannacry sample.
  • Write a Yara rule that matches these characteristics.
  • Test the rule against a variety of samples to ensure accuracy.

Career center

Learners who complete Cyber Security Incident Response Wannacry Ransomware will develop knowledge and skills that may be useful to these careers:
Incident Responder
An incident responder is responsible for managing and coordinating the response to security incidents. This often involves analyzing the scope and impact of an incident, containing the damage, and restoring systems to normal operation. This course, which delivers a methodology to quickly assess suspicious application behavior, is directly relevant to the role of an incident responder. The course helps an incident responder in quickly assessing the behavior of suspicious applications. Further, it shows how to perform live analysis of infected machines, conduct static analysis of executables, and create comprehensive incident reports. This course's focus helps build a foundation for rapidly identifying and responding to security incidents.
Security Operations Center Analyst
A security operations center analyst monitors security systems and responds to security alerts. The analyst investigates suspicious activity, analyzes security events, and escalates incidents as needed. This course, which gives guidance on how to quickly assess the behavior of suspicious applications, directly applies to the daily work of a security operations center analyst. The analyst can use the techniques taught in the course to quickly triage alerts, identify indicators of compromise, and determine the scope and impact of security incidents. This course's emphasis on quick response methodologies may be particularly valuable in a fast-paced security operations center environment.
Threat Intelligence Analyst
A threat intelligence analyst gathers and analyzes information about cyber threats to help organizations better understand and defend against attacks. This course, which examines the Wannacry ransomware, may assist a threat intelligence analyst in understanding the characteristics, behavior, and impact of ransomware. Knowing how to analyze malware samples, identify indicators of compromise, and track threat actors will strengthen the ability to provide timely and relevant threat intelligence to stakeholders. This course's incident response methodology may be particularly useful.
Security Analyst
A security analyst protects computer systems and networks from cyber threats. This role involves monitoring for security breaches, investigating incidents, and implementing security measures to safeguard data. This course, focusing on the Wannacry ransomware, will equip a security analyst with hands-on experience in analyzing malicious software behavior and identifying indicators of compromise, which are crucial skills for effectively responding to and mitigating security incidents. By learning how to triage, analyze, and create remediation recommendations, one becomes better equipped to defend against evolving cyber threats. The course's emphasis on quick response methodologies could be very valuable.
Information Assurance Analyst
An information assurance analyst ensures the confidentiality, integrity, and availability of information systems. This involves assessing security risks, developing security plans, and implementing security controls. This course, which provides a methodology to quickly assess suspicious application behavior, may assist an information assurance analyst in better identifying and mitigating security risks. Learning how to analyze malware behavior, identify indicators of compromise, and develop remediation recommendations can inform the development of more effective security plans and controls. This course's approach to incident response may also be valuable.
Cloud Security Engineer
A cloud security engineer implements and manages security controls in cloud environments. This role involves configuring cloud security services, monitoring cloud resources for security threats, and responding to security incidents in the cloud. Since this course provides training on responding to the Wannacry ransomware threat, a cloud security engineer may benefit from this course, as the methodologies for assessment of an infected machine are explored. Furthermore, remediation recommendations may be applicable in a cloud environment. The course's emphasis on quick response methodologies may be especially relevant to cloud environments.
Penetration Tester
A penetration tester, sometimes called an ethical hacker, attempts to find and exploit vulnerabilities in computer systems and networks. This course may provide a penetration tester with insights into the tactics, techniques, and procedures used by ransomware attackers. Learning how Wannacry infects systems, communicates with command and control servers, and encrypts files will allow for a more effective simulation of ransomware attacks during penetration tests. As penetration testers must stay up-to-date on the latest threats and attack methods, this course may be valuable.
Digital Forensics Analyst
A digital forensics analyst investigates computer-based crimes and security incidents. This involves collecting and analyzing digital evidence, reconstructing events, and preparing reports for legal proceedings. This course, which focuses on analyzing the Wannacry ransomware, may equip a digital forensics analyst with skills in malware analysis and incident response. Learning how to perform static and dynamic analysis of malicious executables, identify network activity, and analyze system artifacts will help in conducting thorough investigations and uncovering critical evidence.
Vulnerability Analyst
A vulnerability analyst identifies and assesses security vulnerabilities in computer systems and networks. This involves conducting vulnerability scans, performing penetration testing, and recommending remediation measures. Knowledge of how ransomware like Wannacry exploits vulnerabilities, provided by taking a course such as this, may help a vulnerability analyst to better understand the risks associated with different vulnerabilities. Further, it helps one to prioritize remediation efforts. Learning how to analyze malware behavior and identify indicators of compromise may give you insights into the types of vulnerabilities that attackers are actively exploiting.
Network Security Engineer
A network security engineer designs, implements, and manages network security infrastructure. Their tasks include configuring firewalls and intrusion detection systems, monitoring network traffic for malicious activity, and responding to security incidents. This course may assist a network security engineer with insights into how ransomware like Wannacry exploits network vulnerabilities. Learning how to analyze network traffic, identify malicious processes, and implement remediation measures will strengthen a network security engineer's ability to secure networks against evolving cyber threats.
Cybersecurity Consultant
A cybersecurity consultant advises organizations on how to improve their security posture. This includes assessing risks, recommending security solutions, and developing security policies and procedures. This course, focused on the Wannacry ransomware, may help a cybersecurity consultant understand the impact of ransomware attacks and recommend appropriate security measures. Understanding how to identify indicators of compromise, perform live analysis, and develop remediation recommendations would allow a cybersecurity consultant to provide more informed and effective advice to clients. The course's incident response methodology may be very helpful to this role.
Information Security Manager
An information security manager oversees an organization's information security program. This includes developing and implementing security policies, managing security risks, and ensuring compliance with security regulations. This course may help an information security manager better understand the technical aspects of incident response and the tools and techniques used by security analysts. Gaining hands-on experience with analyzing malware behavior and identifying indicators of compromise may strengthen the ability of an information security manager to make informed decisions about security investments and policies.
System Administrator
A system administrator is responsible for maintaining and managing computer systems and servers. This includes installing and configuring software, monitoring system performance, and ensuring system security. The skills taught in this course may allow a system administrator to better detect and respond to security incidents like ransomware infections. Knowing how to identify indicators of compromise, perform live analysis of infected machines, and implement remediation measures may better equip a system administrator to protect systems from attacks.
Compliance Officer
A compliance officer ensures that an organization complies with relevant laws, regulations, and internal policies. This includes developing and implementing compliance programs, conducting audits, and investigating compliance violations. Training that helps you to understand the technical aspects of cybersecurity and incident response may allow a compliance officer to better assess an organization's security posture and ensure compliance with security regulations. Learning about the impact of ransomware attacks and the measures needed to prevent and respond to them would inform compliance efforts.
Security Software Developer
A security software developer designs and develops security software applications. The course provides insights into the behavior of ransomware like Wannacry which can inform the development of more effective security tools. The course may deepen the understanding of how malware operates, what vulnerabilities it exploits, and how it can be detected and prevented. One must have deep knowledge of software development and computer science to succeed in this role.

Reading list

We've selected one book that we think will supplement your learning. Use it to develop background knowledge, enrich your coursework, and gain a deeper understanding of the topics covered in Cyber Security Incident Response Wannacry Ransomware.

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

Comprehensive guide to malware analysis, covering static and dynamic analysis techniques. It provides a solid foundation for understanding how malware works, which is essential for incident responders. The book's hands-on approach aligns well with the course's focus on practical skills, and it delves deeper into malware analysis than the course intends, making it valuable for further learning. It is a commonly used textbook for malware analysis courses.


© 2016 - 2025 OpenCourser