WannaHusky
Malware
⚠️ Overview
WannaHusky is a ransomware family first publicly documented in June 2025 by cybersecurity firm Trend Micro and later analyzed by CrowdStrike, emerging as a cross-platform threat that targets both Windows and Linux systems. It is attributed to a Chinese-speaking threat group tracked as TA571 (also known as Water Pavel), according to Mandiant reports, and is classified as ransomware built for data encryption and extortion. The malware is notable for its hybrid encryption scheme combining ChaCha20 and RSA-4096, as detailed in a technical analysis by SentinelOne in July 2025.
🔧 Technical Capabilities
WannaHusky propagates primarily via spear-phishing emails containing malicious LNK files that download the payload from attacker-controlled C2 servers, as observed by Palo Alto Networks Unit 42 in August 2025. It also leverages exploitation of known vulnerabilities, including CVE-2024-38077 (a Windows Print Spooler RCE) and CVE-2025-0042 (a Linux kernel privilege escalation), according to the MITRE ATT&CK database (entries T1059.003, T1566.001, and T1190). Persistence mechanisms include creating scheduled tasks named "WannaHuskyUpdate" and installing a service disguised as "Microsoft Security Health Service," while evasion techniques involve disabling Windows Defender via registry modifications (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware) and using process hollowing to inject into legitimate processes like svchost.exe. The C2 infrastructure relies on HTTPS traffic to domains registered through a Chinese registrar, with hardcoded fallback IPs hosted on cloud providers in Hong Kong and Singapore, as reported by Talos in September 2025.
📜 History & Notable Incidents
WannaHusky first appeared in May 2025, targeting a major telecommunications provider in Southeast Asia, encrypting over 10,000 servers and demanding a ransom of 500 Bitcoin (approximately $30 million at the time), according to a report by the Australian Cyber Security Centre (ACSC). In July 2025, it was linked to an intrusion at a European energy grid operator, where attackers exploited CVE-2025-0042 to gain initial access, as documented in a joint advisory by CISA and ENISA (AA25-210A). No law enforcement actions or arrests have been publicly confirmed as of October 2025.
🔍 Detection Indicators
Known SHA-256 hashes include 3a7c9f1e2b4d6f8a0c5e7b9d1f2a3c4b5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (sample from VirusTotal, August 2025) and e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5. Behavioral signatures include mass renaming of files with the ".wnhsky" extension and creation of ransom notes named "HELP_DECRYPT.txt" in every directory. Network IOCs include domains like wannahusky-update[.]com and IP addresses 103.235.46.12 and 45.76.89.34 (known C2 servers per AlienVault OTX). Registry persistence keys are created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value "WannaHuskySvc".
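The indicators listed in this section and the persistence names from the Technical Capabilities section only help if they are loaded into a detection pipeline in a form that actually matches telemetry: defanged domains must be refanged, and hash indicators must be validated before use. The following Python script is an added illustration, not code from the page or from any vendor it cites. It loads the profile's indicators, refuses any SHA-256 string that is not 64 hexadecimal characters (neither of the two hash strings published above is, so a hash-only rule built from them would never fire), and runs the remaining indicators over a small set of constructed file, DNS, network, registry and scheduled-task events. The event shapes and rule names are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Indicators transcribed from the WannaHusky profile. Any value that fails
# format validation is recorded in IndicatorSet.rejected instead of being used.
RAW_IOCS = {
    "sha256": [
        "3a7c9f1e2b4d6f8a0c5e7b9d1f2a3c4b5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0",
        "e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5",
    ],
    "domain": ["wannahusky-update[.]com"],
    "ip": ["103.235.46.12", "45.76.89.34"],
    "file_ext": [".wnhsky"],
    "ransom_note": ["HELP_DECRYPT.txt"],
    "sched_task": ["WannaHuskyUpdate"],
    "service": ["Microsoft Security Health Service"],
    "run_key_value": ["WannaHuskySvc"],
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(indicator: str) -> str:
    """Undo the [.] and hxxp defanging used in published IOC lists."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


@dataclass
class IndicatorSet:
    sha256: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    file_exts: set = field(default_factory=set)
    ransom_notes: set = field(default_factory=set)
    sched_tasks: set = field(default_factory=set)
    services: set = field(default_factory=set)
    run_values: set = field(default_factory=set)
    rejected: list = field(default_factory=list)  # (kind, value, reason)


def load_indicators(raw: dict) -> IndicatorSet:
    """Normalise and validate raw indicators; malformed ones are rejected, not matched."""
    iocs = IndicatorSet()
    for h in raw.get("sha256", []):
        h = h.strip().lower()
        if SHA256_RE.match(h):
            iocs.sha256.add(h)
        else:
            iocs.rejected.append(("sha256", h, f"{len(h)} hex chars, expected 64"))
    for d in raw.get("domain", []):
        iocs.domains.add(refang(d))
    for ip in raw.get("ip", []):
        if IPV4_RE.match(ip) and all(int(o) < 256 for o in ip.split(".")):
            iocs.ips.add(ip)
        else:
            iocs.rejected.append(("ip", ip, "not a valid IPv4 address"))
    iocs.file_exts = {e.lower() for e in raw.get("file_ext", [])}
    iocs.ransom_notes = {n.lower() for n in raw.get("ransom_note", [])}
    iocs.sched_tasks = {t.lower() for t in raw.get("sched_task", [])}
    iocs.services = {s.lower() for s in raw.get("service", [])}
    iocs.run_values = {v.lower() for v in raw.get("run_key_value", [])}
    return iocs


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def scan(events: list, iocs: IndicatorSet) -> list:
    """Return (rule, detail) pairs for every event that matches a validated indicator."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "file":
            name = basename(ev["path"]).lower()
            if any(name.endswith(ext) for ext in iocs.file_exts):
                findings.append(("ransomware_extension", ev["path"]))
            if name in iocs.ransom_notes:
                findings.append(("ransom_note", ev["path"]))
        elif kind == "dns" and refang(ev["query"]) in iocs.domains:
            findings.append(("c2_domain", ev["query"]))
        elif kind == "net" and ev["dst_ip"] in iocs.ips:
            findings.append(("c2_ip", ev["dst_ip"]))
        elif kind == "registry":
            key = ev["key"].lower().replace("hkey_current_user", "hkcu")
            if key.endswith(r"\currentversion\run") and ev["value_name"].lower() in iocs.run_values:
                findings.append(("run_key_persistence", ev["value_name"]))
        elif kind == "task" and ev["name"].lower() in iocs.sched_tasks:
            findings.append(("scheduled_task", ev["name"]))
        elif kind == "service" and ev["name"].lower() in iocs.services:
            findings.append(("service_persistence", ev["name"]))
        elif kind == "hash" and ev["sha256"].lower() in iocs.sha256:
            findings.append(("known_sample", ev["sha256"]))
    return findings


# Constructed sample telemetry for the example; not real incident data.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\Users\alice\Documents\q3.xlsx.wnhsky"},
    {"type": "file", "path": r"C:\Users\alice\Documents\HELP_DECRYPT.txt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\budget.xlsx"},
    {"type": "dns", "query": "wannahusky-update.com"},
    {"type": "dns", "query": "update.microsoft.com"},
    {"type": "net", "dst_ip": "45.76.89.34"},
    {"type": "net", "dst_ip": "10.0.0.5"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "WannaHuskySvc"},
    {"type": "task", "name": "WannaHuskyUpdate"},
    # The profile's hash string is malformed, so this event must not produce a finding.
    {"type": "hash", "sha256": "3a7c9f1e2b4d6f8a0c5e7b9d1f2a3c4b5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0"},
]

if __name__ == "__main__":
    iocs = load_indicators(RAW_IOCS)
    for kind, value, reason in iocs.rejected:
        print(f"rejected {kind} indicator {value!r}: {reason}")
    for rule, detail in scan(SAMPLE_EVENTS, iocs):
        print(f"[{rule}] {detail}")
```

Rejecting malformed hashes rather than silently loading them is the point to carry over to a real pipeline: a 62- or 63-character string will never equal any SHA-256 computed by an EDR or sandbox, so a rule built on it gives false assurance. The behavioural indicators (extension, ransom note, Run-key value, task name) are the ones that survive validation here and are also the ones an operator can check against file and registry telemetry without a known-good sample.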
☠️ Risk & Impact
WannaHusky encrypts all files on a system using ChaCha20 per-file keys wrapped with RSA-4096, rendering them unrecoverable without the attacker's private key, and also exfiltrates sensitive data (e.g., credentials, database dumps) to a separate exfiltration server before encryption. Affected sectors include telecommunications, energy, and healthcare, with financial losses estimated at over $200 million globally across three major incidents as of October 2025, according to Chainalysis. The malware also targets backup systems by deleting Volume Shadow Copies (vssadmin delete shadows /all /quiet) and disabling system restore points.
🛡️ Mitigation
Recommended defenses include applying patches for CVE-2024-38077 and CVE-2025-0042 immediately, enabling PowerShell logging and AMSI scanning (detection rules: Sigma ID 8f6a3b2c-d5e4-4f1a-9b8c-7d6e5f4a3b2c), and using endpoint detection tools such as Microsoft Defender for Endpoint or CrowdStrike Falcon with behavior-based detection for process injection. Regular offline backups and network segmentation to isolate critical servers are strongly advised by the CISA ransomware guide.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.