Mallory
Malware · Ransomware · Used by 5 actors · Exploits 3 CVEs

WannaCry

Also known as: WanaCry, WanaCrypt, WanaCrypt0r, wannacrypt, WCry

WannaCry is a self-replicating Windows ransomware worm, also referred to as WanaCry, WanaCrypt, WanaCrypt0r, WanaCrypt0r 2.0, WCry, and Wanna Decryptor. It encrypts files, appends the .WCRY extension in reported samples, drops a decryptor and multilingual ransom notes, changes the victim's wallpaper, and demands payment in Bitcoin, commonly reported as $300, with the price doubling after three days and files described as unrecoverable after seven days; some analyzed samples displayed $600. It spread rapidly in May 2017, infecting hundreds of thousands of systems across more than 150 countries, with reporting citing more than 45,000 attacks in the first hours and more than 230,000 computers infected overall.

The malware used the EternalBlue exploit against Microsoft Windows SMB vulnerabilities disclosed via the Shadow Brokers leak and patched by Microsoft in MS17-010 in March 2017. It was wormable and propagated laterally from host to host within networks without requiring user interaction on vulnerable systems. Reporting also notes possible initial infection via phishing email attachments in some environments, after which the malware attempted to spread further across the local network. A hard-coded domain acted as a kill switch for parts of the outbreak, and registration of that domain by MalwareTech significantly slowed new infections.

WannaCry targeted Windows systems, including older and unpatched versions, and had major impact on organizations worldwide. Reported victims included the UK National Health Service, Telefónica, FedEx, and organizations across Russia, Ukraine, Taiwan, Spain, Portugal, India, Germany, Turkey, and elsewhere. The NHS was especially affected, with hospitals and GP surgeries experiencing cancelled operations, diverted ambulances, inaccessible patient records, disrupted phone and email systems, and reversion to paper processes. Public reporting attributes WannaCry to North Korean hackers and links it to the Lazarus Group in sanctions-related references.

Behaviorally, WannaCry used Tor for command-and-control traffic and routed a custom cryptographic protocol over Tor circuits. It targeted a broad range of file types, including office documents, archives, databases, source code, media, certificates, email stores, graphics, and virtual machine files. It also scanned for newly attached drives every few seconds and encrypted files on attached devices when found. To inhibit recovery, it used vssadmin, wbadmin, bcdedit, and wmic to delete Volume Shadow Copies and backup catalogs and to disable operating system recovery features. Reported mutexes include Global\MsWinZonesCacheCounterMutexA and Global\MsWinZonesCacheCounterMutexA0. Reported Bitcoin wallets include 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, and 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY. Reported Tor hidden service domains include gx7ekbenv2riucmf.onion, 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion, 76jdd2ir2embyv47.onion, cwwnhwhlz52maqm7.onion, and sqjolphimrr7jqw6.onion.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

3 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2017-0144: EternalBlue SMBv1 Remote Code Execution in Microsoft Windows (exploited in the wild)

Among the exposed tools was EternalBlue, a collection of Windows zero-day vulnerabilities that enabled attackers to infiltrate systems, move laterally across networks, and spread malware automatically. The leaked EternalBlue exploit later became the foundation for some of the most destructive cyberattacks ever recorded. North Korean hackers used it in the WannaCry ransomware outbreak, while Russian operators incorporated it into the NotPetya malware campaign.

via cysecurity news (cysecurity.news)
CVE-2019-0708: BlueKeep

BlueKeep (CVE-2019-0708) exists within the Remote Desktop Protocol (RDP) used by the Microsoft Windows OSs listed above. An attacker can exploit this vulnerability to perform remote code execution on an unprotected system.

via CISA advisories (cisa.gov)
CVE-2017-0143: Windows SMBv1 Remote Code Execution Vulnerability (exploited in the wild)

a ransomware campaign with a bite, named WannaCry, autonomously infected vulnerable systems leveraging an exploit leaked on the internet.

This port is important because the SMB service that listens on it is what the initial exploit targets (MS17-010, CVE-2017-0143).

via web archive (web.archive.org)
THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Lazarus

The agency established sanctions for paying ransoms to specific threat groups identified by OFAC and designated sanctions against actors linked to Cryptolocker, SamSam, WannaCry (linked to the Lazarus Group) and Dridex (linked to Evil Corp.).

via cybersecurity dive (cybersecuritydive.com)
TheShadowBrokers

WannaCry paralysed computers running mostly older versions of Microsoft Windows by encrypting users' computer files and displaying a message demanding anywhere from $US300 to $US600 to release them; failure to pay would leave the data mangled and likely beyond repair.

via ABC Australia (abc.net.au)
Shadow Brokers

The malware, known as Wanna, Wannacry, or Wcry, has infected at least 75,000 computers... The Spanish CERT has called it a “massive ransomware attack” that is encrypting all the files of entire networks and spreading laterally through organizations.

via Ars Technica (arstechnica.com)
Sandworm

The exploit chains in play included EternalBlue, DoublePulsar, and WannaCry, all tools that have been publicly known and patchable for years.

via cyber security news (cybersecuritynews.com)
APT38

The WannaCry attack was a massive ransomware cyberattack... This ransomware leverages an NSA exploit known as EternalBlue... Wincry was the base of the encryption, but two additional exploits, EternalBlue and DoublePulsar, were used by the malware to make it a cryptoworm.

via Wikipedia cyber incidents (en.wikipedia.org)
MITRE ATT&CK

Techniques & procedures

26 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1190 Exploit Public-Facing Application (evidence: 1)

The prototype worm does not exploit zero-day vulnerabilities. It only targets publicly disclosed but unpatched bugs, misconfigurations, and recurring weakness classes.

T1566 Phishing (evidence: 1)

One NHS worker, who asked to remain anonymous, said the attack began at about 12.30pm and appeared to have been the result of phishing. “The computers were affected after someone opened an email attachment.”

T1566.001 Spearphishing Attachment (evidence: 1)

“The computers were affected after someone opened an email attachment. We get a lot of spam and it looks like something was sent to all the trusts in the country.”

Execution

3 techniques
T1047 Windows Management Instrumentation (evidence: 1)

Public reporting repeatedly describes threat actors and malware using WMI/WMIC/wmiexec for remote execution, lateral movement, discovery, persistence, and administrative actions; e.g., 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.'

T1059 Command and Scripting Interpreter (evidence: 1)

When a computer is infected, the ransomware typically contacts a central server for the information it needs to activate, and then begins encrypting files on the infected computer with that information.

T1203 Exploitation for Client Execution (evidence: 1)

The unprecedented attacks, using software called WanaCrypt0r 2.0 or WannaCry, exploits a vulnerability in Windows. Microsoft released a patch – a software update that fixes the problem – for the flaw in March, but computers that had not installed the security update were vulnerable.

Persistence

3 techniques
T1112 Modify Registry (evidence: 1)

The malware’s current working directory is saved to the “wd” registry value under the \SOFTWARE\WanaCrypt0r key... If WCry is running with elevated privileges, the key is created in the HKLM registry hive; otherwise, it is created in the HKCU hive.

T1543.003 Windows Service (evidence: 1)

Service Creation: The malware creates a service with a randomly generated name using Windows APIs (e.g., CreateServiceA). This enables it to restart automatically after a system reboot.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

WCry creates a registry Run key value (see Figure 5) to ensure the ransomware GUI is displayed when victims log in or restart the computer.

Stealth

2 techniques
T1497 Virtualization/Sandbox Evasion (evidence: 1)

Upon starting, the worm attempts an HTTP connection to www . iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea . com. If the connection is successful, then the worm stops running and exits. The threat actors may have added this HTTP connection test to prevent automated sandboxes from running and analyzing the malware.

T1564.001 Hidden Files and Directories (evidence: 1)

Hiding Artifacts: By using the attrib +h command, WannaCry hides its operational files, making detection difficult for traditional security software.

Discovery

4 techniques
T1046 Network Service Discovery (evidence: 4)

Scanning for Targets: Once executed, WannaCry scans local networks for vulnerable devices, attempting to exploit them without user interaction.

T1120 Peripheral Device Discovery (evidence: 1)

Public reporting repeatedly describes malware and threat actors identifying, monitoring, or enumerating connected peripheral devices such as USB mass storage, Bluetooth devices, printers, smart card readers, cameras, Apple devices, VGA/display devices, and removable drives.

T1135 Network Share Discovery (evidence: 1)

There are a few other computers on the same network... this folder happened to be shared, discoverable, writable

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Upon starting, the worm attempts an HTTP connection to www . iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea . com. If the connection is successful, then the worm stops running and exits. The threat actors may have added this HTTP connection test to prevent automated sandboxes from running and analyzing the malware.

Lateral Movement

4 techniques
T1021 Remote Services (evidence: 1)

Connections made on port 445 (SMB).

T1021.002 SMB/Windows Admin Shares (evidence: 1)

...a folder publicly shared on the local network (read+write)... another user on my network that is compromised and this folder happened to be shared, discoverable, writable

T1210 Exploitation of Remote Services (evidence: 9)

Among the exposed tools was EternalBlue, a collection of Windows zero-day vulnerabilities that enabled attackers to infiltrate systems, move laterally across networks, and spread malware automatically.

T1570 Lateral Tool Transfer (evidence: 2)

Less than four hours later, the ransomware had infected NHS computers, albeit originally only in Lancashire, and spread laterally throughout the NHS’s internal network.

Command and Control

4 techniques
T1071 Application Layer Protocol (evidence: 3)

Attempts to reach external IPs for command and control.

T1090.002 External Proxy (evidence: 1)

WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit. Tor encapsulates traffic in multiple layers of encryption, using TLS by default.

T1090.003 Multi-hop Proxy (evidence: 2)

WCry installs the Tor network anonymity software on the infected system... Tor establishes a SOCKS5 proxy server on the loopback interface (127.0.0.1) that listens on TCP port 9050. WCry connects to this proxy and attempts to contact the configured C2 hidden services.

T1105 Ingress Tool Transfer (evidence: 1)

The SMB worm delivers itself to the compromised system as a DLL file payload. After the DLL is executed with a single exported function named PlayGame, it writes a copy of the original SMB worm to C:\Windows\mssecsvc.exe and then executes this file. The SMB worm then drops a secondary payload from its resources section to C:\Windows\tasksche.exe and executes this file.

Impact

4 techniques
T1486 Data Encrypted for Impact (evidence: 8)

North Korean hackers used it in the WannaCry ransomware outbreak...

T1489 Service Stop (evidence: 1)

WCry terminates several services so that their data stores can be encrypted: taskkill.exe /f /im mysqld.exe ... sqlwriter.exe ... sqlserver.exe ... MSExchange* ... Microsoft.Exchange.*

T1490 Inhibit System Recovery (evidence: 3)

WCry executes the following single command... to complicate system and data recovery... vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
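The behaviours summarized at the top of this page (recovery inhibition with vssadmin, wmic, bcdedit and wbadmin; the kill-switch domain lookup) and the T1489 and T1490 command lines quoted above are the kind of host telemetry a defender can match directly. The script below is an added example, not part of the Mallory page or of any vendor rule set: it runs three detections over a handful of constructed key=value log lines (process_create events with an image and cmdline, and dns_query events with a query). The log format, host names and timestamps are assumptions made for the example; the command patterns and the kill-switch domain come from the page.

```python
import re
from dataclasses import dataclass

# Kill-switch domain quoted on the page (defanged there with spaces around the dots),
# joined here so it can be compared against DNS telemetry.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Sub-commands of the recovery-inhibition chain quoted on the page (T1490).
# Each is matched separately so a partial chain is still reported.
RECOVERY_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_recovery_disabled": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bcdedit_ignore_failures": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
}

# Services WCry terminates before encryption (T1489), from the taskkill quote on the page.
SERVICE_KILL_RE = re.compile(
    r"taskkill(?:\.exe)?\s+/f\s+/im\s+"
    r"(mysqld\.exe|sqlwriter\.exe|sqlserver\.exe|MSExchange\S*|Microsoft\.Exchange\.\S*)", re.I)

# key=value or key="quoted value" pairs; the log format itself is an assumption of this example.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class Finding:
    technique: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Turn one constructed log line into a dict of its key=value fields."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def check_process(ev: dict) -> list:
    """T1490 and T1489 checks on a process_create event's command line."""
    findings = []
    cmd = ev.get("cmdline", "")
    host = ev.get("host", "?")
    hits = [name for name, rx in RECOVERY_PATTERNS.items() if rx.search(cmd)]
    if hits:
        findings.append(Finding("T1490", host, "recovery inhibition: " + ", ".join(hits)))
    m = SERVICE_KILL_RE.search(cmd)
    if m:
        findings.append(Finding("T1489", host, f"service stop: {m.group(1)}"))
    return findings


def check_dns(ev: dict) -> list:
    """A lookup of the kill-switch domain means the worm ran on that host,
    whether or not the connection then succeeded and stopped it (T1497 on this page)."""
    query = ev.get("query", "").rstrip(".").lower()
    if query == KILL_SWITCH_DOMAIN:
        return [Finding("T1497", ev.get("host", "?"), "kill-switch domain lookup")]
    return []


def scan(lines) -> list:
    """Run every check over an iterable of log lines and collect the findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") == "process_create":
            findings.extend(check_process(ev))
        elif ev.get("type") == "dns_query":
            findings.extend(check_dns(ev))
    return findings


# Constructed sample telemetry: three events from an infected host and two benign ones.
SAMPLE_LOG = [
    r'ts=2017-05-12T10:41:02Z host=ws01 type=dns_query query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    r'ts=2017-05-12T10:41:09Z host=ws01 type=process_create image=C:\Windows\System32\cmd.exe '
    r'cmdline="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & '
    r'bcdedit /set {default} bootstatuspolicy ignoreallfailures & '
    r'bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"',
    r'ts=2017-05-12T10:41:11Z host=ws01 type=process_create image=C:\Windows\System32\taskkill.exe '
    r'cmdline="taskkill.exe /f /im mysqld.exe"',
    r'ts=2017-05-12T10:52:40Z host=ws02 type=process_create image=C:\Windows\System32\vssadmin.exe '
    r'cmdline="vssadmin list shadows"',
    r'ts=2017-05-12T10:53:01Z host=ws02 type=dns_query query=update.example.com',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host}\t{f.technique}\t{f.detail}")
```

Matching each sub-command separately, rather than the whole chain as one string, is deliberate: the quoted chain is what this family ran, but an operator who splits it across several processes would still trip the individual rules, and a lone "vssadmin list shadows" from an administrator does not. The kill-switch check is an execution indicator for triage, not a block: the domain is sinkholed precisely so that the lookup succeeds and the worm exits.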

T1498 Network Denial of Service (evidence: 1)

Patient records, appointment schedules, internal phone lines and emails were rendered inaccessible and connections between computers and medical equipment were brought down.

INDICATORS OF COMPROMISE

IOCs tracked for this family

30 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
24 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
3 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
3 tracked

Other indicator types observed in public reporting.

Type, value, latest sighting (values are not shown on this page):
domain, value not shown, 24 days ago
uri, value not shown, 24 days ago
domain, value not shown, 5 months ago
domain, value not shown, 5 months ago
domain, value not shown, 5 months ago
domain, value not shown, 5 months ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (30)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (5)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (3)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (26)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.