f.wnry

Threat Actor Profile Updated 3 months ago
f.wnry is a threat actor involved in the execution of malicious activities, specifically ransomware attacks. The modus operandi involves encrypting an Advanced Encryption Standard (AES) key with a randomly generated RSA key. This process is initiated by writing the file path to the file f.wnry. If the f.wnry file doesn't exist during initialization, the malware generates a random number provided the file size is less than 209,715,200 bytes. However, if the random number isn't a multiple of 100 or if the f.wnry file already exists on the system, the malware proceeds to encrypt the AES key.

The encrypted files are then stored in a list within the f.wnry file. These files are chosen at random and encrypted using an embedded RSA private key. This process allows the WCry ransomware to demonstrate decryption capabilities to its victims via the @WanaDecryptor@.exe module, which is identical to u.wnry. It's worth noting that if a victim attempts to decrypt their files without paying the ransom, the malware will decrypt the files listed in the f.wnry file.

The ransomware also uses various techniques to prevent recovery and ensure persistence. For instance, it deletes shadow copies and disables recovery options, making it harder for victims to restore their systems to a pre-infection state. Victims are then directed to pay a specified amount in Bitcoin to a given address. Failure to comply with these demands may result in the permanent loss of encrypted data.

In summary, f.wnry represents a significant cybersecurity threat due to its sophisticated encryption methods and persistent tactics.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
| u.wnry | 1 | u.wnry is a significant threat actor, known for its role in the execution of malicious actions. The primary tool used by this group is the WCry ransomware decryptor, which comes in two identical modules: u.wnry and @WanaDecryptor@.exe. This ransomware encrypts files using an embedded RSA private key |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows
Ransomware
Malware
Encrypt
Ransom
Bitcoin
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Wcry | Unspecified | 1 | WCry, also known as WannaCry or WanaCryptor, is a self-propagating ransomware that was one of the most disruptive cyber attacks in history. This malware was a product of a North Korean cyber operation aimed at financial gain. The ransomware spreads through internal networks and over the public inter |
Associated Threat Actors
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| Wana Decrypt0r | Unspecified | 1 | Wana Decrypt0r, also known as WCry, WannaCry, WanaCrypt, and Wana Decryptor, is a threat actor responsible for a widespread ransomware campaign that severely impacted systems worldwide in May 2017. This malicious entity utilizes a variety of tactics to execute its intentions, including embedding an |
Associated Vulnerabilities
| ID | Type | Votes | Profile Description |
No associations to display
Source Document References
Information about the f.wnry Threat Actor was read from the documents corpus below.
| Source | Created At | Title |
| --- | --- | --- |
| MITRE | a year ago | WCry (WannaCry) Ransomware Analysis |
| MITRE | a year ago | WannaCry Malware Profile \| Mandiant |