WannaCryptor

Malware

⚠️ Overview

WannaCryptor, commonly known as WannaCry, is a ransomware worm first discovered in May 2017 and attributed by the US Department of Justice and UK National Cyber Security Centre to the North Korean state-sponsored Lazarus Group (APT38). It belongs to the ransomware category and targeted Microsoft Windows systems worldwide, encrypting files and demanding Bitcoin payments for decryption keys.

🔧 Technical Capabilities

WannaCryptor propagates primarily by exploiting the EternalBlue vulnerability (CVE-2017-0144) in the SMBv1 (Server Message Block version 1) protocol, an exploit published in the Shadow Brokers leak. It uses the DoublePulsar backdoor (CVE-2017-0145) as a secondary payload dropper. The worm spreads across networks autonomously over TCP port 445, scanning random IP addresses for vulnerable systems, and requires no user interaction. Once inside a network, it installs components that encrypt files using AES-128 and RSA-2048, append the .WNCRY extension, and display a ransom note in multiple languages. Persistence is achieved through registry run keys (e.g., HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mssecsvc2.0). Its evasion logic includes a kill-switch domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): once that domain was registered, propagation halted, a feature discovered by researcher Marcus Hutchins.

📜 History & Notable Incidents

First observed globally on 12 May 2017, WannaCryptor infected over 230,000 computers in 150 countries within 24 hours, causing an estimated $4 billion in damages (per Cybereason). Notable victims include the UK National Health Service (NHS), which canceled 19,000 appointments, as well as Telefónica (Spain), FedEx, and Renault. The attack exploited no CVE beyond those patched in Microsoft Security Bulletin MS17-010, but many organizations had not applied the March 2017 security update. No successful law enforcement actions have been publicly attributed; however, the US indicted a North Korean hacker in 2018 for related activities.

🔍 Detection Indicators

Known SHA-256 hashes include 24d004a104d4d54034dbcffc2a4b12a51a3a74f4a2b74b1e3cc8b7c5a1a1b73 (WannaCryptor binary) and various hashes of .WNCRY encrypted files. Behavioral signatures include mass TCP port 445 scanning, creation of @WanaDecryptor@.exe processes, and writes to directories such as C:\Windows\mssecsvc2.0. Network IOCs include outbound connections to the kill-switch domain and to Tor onion addresses. Mutexes such as Global\MsWinZonesCacheCounterMutexA are used to prevent multiple instances from running.

☠️ Risk & Impact

The ransomware encrypts all user files on infected systems, including documents, databases, and backups (system files are excluded), rendering data inaccessible without payment of $300 to $600 in Bitcoin. The attack disproportionately affected the healthcare, transportation, and manufacturing sectors because of their reliance on legacy systems. Financial losses are estimated between hundreds of millions and billions of dollars globally, compounded by operational downtime and reputational harm, particularly for the NHS, which reported £92 million in direct costs.

🛡️ Mitigation

Defense relies on patching the SMBv1 vulnerabilities via Microsoft's MS17-010 update, disabling SMBv1 entirely where possible, and implementing network segmentation that blocks TCP port 445 between segments and from the internet. Detection rules include Snort signature SID 41972 for EternalBlue exploitation, and endpoint monitoring for suspicious SMB traffic. Recommended security tools include Windows Defender Exploit Guard and third-party endpoint detection solutions. Regular offline backups and user training on phishing (although the worm itself does not rely on email) are critical.
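The propagation behaviour and detection indicators described above (TCP port 445 fan-out from a single host, lookups of the kill-switch domain, and Snort SID 41972 alerts) can be correlated into a single per-host verdict. The Python below is an added example written for this page, not code from the page, from Microsoft, or from any security vendor; the firewall and DNS log formats are assumptions, the sample log lines and the Snort message text are constructed, and only the kill-switch domain and the SID are taken from the page.

```python
"""Correlate constructed firewall, DNS and Snort logs for WannaCry-style worm activity.
Indicators: TCP/445 fan-out, kill-switch domain lookups, EternalBlue alerts (SID 41972)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # from the page
ETERNALBLUE_SID = "41972"                                              # from the page
FANOUT_THRESHOLD = 20           # distinct /445 destinations from one source within the window
FANOUT_WINDOW = timedelta(seconds=60)

# Assumed firewall line: "<iso-ts> FW src=<ip> dst=<ip> dport=<n> proto=TCP action=<x>"
FW_RE = re.compile(r"^(?P<ts>\S+) FW src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
# Assumed DNS line: "<iso-ts> DNS client=<ip> query=<name>"
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS client=(?P<src>\S+) query=(?P<qname>\S+)")
# Snort "fast" alert layout: "... [**] [gid:sid:rev] msg [**] ... {TCP} src:port -> dst:port"
SNORT_RE = re.compile(r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] .*?\{TCP\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")


def detect_fanout(fw_lines, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Return {src: peak distinct port-445 destinations in any sliding window} for sources over threshold."""
    events = defaultdict(list)                       # src -> [(timestamp, dst)]
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m or m["dport"] != "445":
            continue
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            peak = max(peak, len({dst for _, dst in evs[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def detect_kill_switch_lookups(dns_lines):
    """Return the set of clients that resolved the kill-switch domain (queried before spreading)."""
    return {m["src"] for m in map(DNS_RE.match, dns_lines)
            if m and m["qname"].rstrip(".").lower() == KILL_SWITCH_DOMAIN}


def detect_eternalblue_alerts(snort_lines, sid=ETERNALBLUE_SID):
    """Return {src: [dst, ...]} for Snort alerts carrying the EternalBlue SID."""
    hits = defaultdict(list)
    for line in snort_lines:
        m = SNORT_RE.search(line)
        if m and m["sid"] == sid:
            hits[m["src"]].append(m["dst"])
    return dict(hits)


def correlate(fw_lines, dns_lines, snort_lines):
    """Map each suspicious source host to the list of independent indicators it triggered."""
    fanout = detect_fanout(fw_lines)
    ks = detect_kill_switch_lookups(dns_lines)
    eb = detect_eternalblue_alerts(snort_lines)
    verdicts = {}
    for host in set(fanout) | ks | set(eb):
        reasons = []
        if host in fanout:
            reasons.append(f"{fanout[host]} distinct hosts on TCP/445 within {FANOUT_WINDOW.seconds}s")
        if host in ks:
            reasons.append("queried kill-switch domain")
        if host in eb:
            reasons.append(f"Snort SID {ETERNALBLUE_SID} toward {len(eb[host])} host(s)")
        verdicts[host] = reasons
    return verdicts


# Constructed sample logs (not real captures): 10.0.0.5 is a normal client,
# 10.0.0.42 sweeps 25 consecutive addresses on port 445 within 25 seconds.
_T0 = datetime(2017, 5, 12, 8, 0, 0)
SAMPLE_FW = [
    f"{_T0.isoformat()} FW src=10.0.0.5 dst=10.0.0.10 dport=445 proto=TCP action=allow",
    f"{(_T0 + timedelta(seconds=30)).isoformat()} FW src=10.0.0.5 dst=10.0.0.11 dport=445 proto=TCP action=allow",
] + [
    f"{(_T0 + timedelta(seconds=i)).isoformat()} FW src=10.0.0.42 dst=10.0.1.{i + 1} dport=445 proto=TCP action=drop"
    for i in range(25)
]
SAMPLE_DNS = [
    f"{_T0.isoformat()} DNS client=10.0.0.42 query={KILL_SWITCH_DOMAIN}.",
    f"{_T0.isoformat()} DNS client=10.0.0.5 query=update.example.com.",
]
SAMPLE_SNORT = [  # message text is constructed; only the SID is from the page
    "05/12-08:00:12.000000  [**] [1:41972:3] [constructed] SMB exploit attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.42:49152 -> 10.0.1.7:445",
]

if __name__ == "__main__":
    for host, reasons in correlate(SAMPLE_FW, SAMPLE_DNS, SAMPLE_SNORT).items():
        print(host, "->", "; ".join(reasons))
```

The fan-out check is the part worth tuning: a legitimate vulnerability scanner or a backup server will also touch many hosts on port 445, so in practice the threshold is set per network and known scanners are allow-listed, while a kill-switch lookup or an EternalBlue alert from a workstation stands on its own.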
