f.wnry is a threat actor involved in the execution of malicious activities, specifically ransomware attacks. The modus operandi involves encrypting an Advanced Encryption Standard (AES) key with a randomly generated RSA key. This process is initiated by writing the file path to the file f.wnry. If the f.wnry file doesn't exist during initialization, the malware generates a random number provided the file size is less than 209,715,200 bytes. However, if the random number isn't a multiple of 100 or if the f.wnry file already exists on the system, the malware proceeds to encrypt the AES key.
The encrypted files are then stored in a list within the f.wnry file. These files are chosen at random and encrypted using an embedded RSA private key. This process allows the WCry ransomware to demonstrate decryption capabilities to its victims via the @[email protected] module, which is identical to u.wnry. It's worth noting that if a victim attempts to decrypt their files without paying the ransom, the malware will decrypt the files listed in the f.wnry file.
The ransomware also uses various techniques to prevent recovery and ensure persistence. For instance, it deletes shadow copies and disables recovery options, making it harder for victims to restore their systems to a pre-infection state. Victims are then directed to pay a specified amount in Bitcoin to a given address. Failure to comply with these demands may result in the permanent loss of encrypted data. In summary, f.wnry represents a significant cybersecurity threat due to its sophisticated encryption methods and persistent tactics.
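The two behaviours described above, creation of a file named f.wnry and the deletion of shadow copies or disabling of recovery options, can be correlated per host in endpoint telemetry. The following is an added example, not code from the original analysis: the event schema, host names and paths are constructed, and the command patterns (vssadmin, wmic, bcdedit, wbadmin) are assumed typical recovery-inhibition commands, since the page does not list the exact commands used.

```python
import re
from collections import defaultdict

# Command-line patterns for inhibiting recovery (real Windows utilities; assumed, not from the page).
RECOVERY_PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}
# The list file named on this page, matched on the basename only.
MARKER_FILE = re.compile(r"(^|[\\/])f\.wnry$", re.I)

# Constructed sample events (assumed schema: host, kind, value).
SAMPLE_EVENTS = [
    {"host": "ws-01", "kind": "file_create", "value": r"C:\ProgramData\example\f.wnry"},
    {"host": "ws-01", "kind": "process", "value": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "ws-01", "kind": "process", "value": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws-02", "kind": "process", "value": "vssadmin list shadows"},  # benign query
    {"host": "ws-03", "kind": "file_create", "value": r"D:\share\F.WNRY"},
    {"host": "ws-04", "kind": "file_create", "value": r"C:\temp\pdf.wnry"},  # different basename
]

def classify(event):
    """Return the set of finding labels raised by a single event."""
    labels = set()
    if event["kind"] == "file_create" and MARKER_FILE.search(event["value"]):
        labels.add("f.wnry_created")
    elif event["kind"] == "process":
        labels.update(n for n, rx in RECOVERY_PATTERNS.items() if rx.search(event["value"]))
    return labels

def triage(events):
    """Group findings per host; high severity when the marker file and recovery inhibition co-occur."""
    findings = defaultdict(set)
    for ev in events:
        labels = classify(ev)
        if labels:
            findings[ev["host"]] |= labels
    report = {}
    for host, labels in findings.items():
        both = "f.wnry_created" in labels and len(labels) > 1
        report[host] = {"findings": sorted(labels), "severity": "high" if both else "medium"}
    return report

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result)
```

Matching on the basename avoids false hits on names that merely end in the same characters, and requiring both signals for high severity keeps a lone backup-maintenance command from paging anyone.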