| Category | Details | References |
|---|---|---|
| Actors | ||
| First Observed | May 2017 | 1 |
| Threat Actors | North Korea | 2 |
| Environment | ||
| Platforms | Windows | 1 |
| Artifacts | ||
| Extensions | .wannacry .wcry .Wnry .wncry | 3 4 5 |
| Ransomware Notes | info.hta | 6 |
| Services It Disables | ||
| Other Observables | Various YARA rules in existence | 7 |
| Automation | ||
| Automatically Gains Access | Yes, via EternalBlue SMB exploit | 8 |
| Automatically Escalates Privileges | No. Not needed because it encrypts only local files. | |
| Requires Human Interaction | No. It encrypts and spreads automatically, but it does install the DoublePulsar backdoor, which a human could later use. | 9 10 |
| Automatic Exfiltration | No | |
| Automatic Propagation | Yes. Exploits other computers using EternalBlue. | 11 |

Please note, this page was last updated at 2023-03-14 20:21.

- https://www.csoonline.com/article/3227906/wannacry-explained-a-perfect-ransomware-storm.html
- https://www.pcrisk.com/removal-guides/15883-wannacry-ransomware
- https://fileinfo.com/extension/wcry#:~:text=A%20WCRY%20file%20is%20a,ransomware%20infection%20utilized%20by%20cybercriminals
- https://www.secureworks.com/research/wcry-ransomware-analysis
- https://www.pcrisk.com/removal-guides/15883-wannacry-ransomware
- https://www.google.com/search?q=wannacry+ransomware+yara+rules
- https://www.csoonline.com/article/3227906/wannacry-explained-a-perfect-ransomware-storm.html
- https://usa.kaspersky.com/resource-center/threats/ransomware-wannacry
- https://www.bitsight.com/blog/understanding-doublepulsar-wannacry-across-industries-is-key-to-protecting-supply-chain