u.wnry is not a threat actor but one of the components that the WCry (WannaCry) ransomware unpacks into its working directory. It is the decryptor program, and @WanaDecryptor@.exe is a byte-for-byte copy of it under a different name, which is why the two modules are identical. WannaCry does not encrypt files with an embedded RSA private key: each file is encrypted with a per-file AES key, that key is wrapped with a per-victim RSA public key, and the matching per-victim private key is itself encrypted with the attacker's embedded RSA public key, so only the attacker can release the victim's key after payment. f.wnry is a short list of randomly selected encrypted files that the decryptor will restore for free, as a demonstration that decryption works. Once the components are dropped into the working directory, the malware hides everything in it (attrib +h .) and grants Everyone full control of the directory and everything below it (icacls . /grant Everyone:F /T /C /Q).
The EXE module @WanaDecryptor@.exe is a renamed copy of u.wnry; it is launched by the encryption component, a DLL that the loader decrypts from the unpacked resources and runs in memory. Once that DLL has control it walks the file system encrypting user files, skipping system and temporary directories such as Local Settings\Temp, Program Files and WINDOWS so the machine stays bootable enough to display the ransom note. It creates a shortcut to the decryptor (via a small VBScript), kills processes that hold database and mail files open so those files can be encrypted too, and demands payment in bitcoin, holding the victim's files until the ransom is paid.
Finally, the encryption component copies u.wnry to @WanaDecryptor@.exe and runs it. This executable opens a GUI with the ransom note, tells the victim that the files have been encrypted and demands payment. The other dropped resources support this: r.wnry (the text ransom note), s.wnry (a zip containing the Tor client used to reach the payment sites), t.wnry (the encrypted encryption DLL), b.wnry (the desktop background ransom image) and c.wnry (configuration, including the bitcoin wallet and Tor onion addresses). It is this set of components, not a separate "u.wnry" actor, that makes WannaCry a substantial risk: the working directory is hidden and opened up, user files are encrypted under a key only the attacker can recover, and the decryptor GUI is the victim's only interface to the operation.
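The behaviours described above (the .wnry component drop, attrib +h on the working directory, the recursive icacls grant to Everyone, the taskkill of file-locking processes and the launch of @WanaDecryptor@.exe) are all visible in ordinary endpoint telemetry. The following detector is an added example written for this page, not code from any vendor or from the malware itself. The event format (dicts with a type, image, command line or path), the working-directory name and all event contents are constructed sample data; the component-count threshold of three is an assumption chosen to avoid firing on a single stray file.

```python
import re
from collections import defaultdict

# Command lines the page describes: hide the working directory and grant
# Everyone full control of it recursively. Case-insensitive, tolerant of
# extra switches such as /C /Q.
ATTRIB_HIDE = re.compile(r"\battrib(\.exe)?\s+\+h\b", re.I)
ICACLS_EVERYONE_FULL = re.compile(
    r"\bicacls(\.exe)?\s+\S+\s+/grant\s+Everyone:F\b(?=.*\s/T\b)", re.I)
# "kill processes" shows up as taskkill /f /im <image>; capture the image.
TASKKILL = re.compile(r"\btaskkill(\.exe)?\b.*\s/im\s+(\S+)", re.I)
# The renamed copy of u.wnry that opens the ransom GUI.
DECRYPTOR_IMAGE = re.compile(r"@wanadecryptor@\.exe$", re.I)

# Components dropped into the working directory.
COMPONENTS = {"u.wnry", "f.wnry", "r.wnry", "s.wnry", "t.wnry", "b.wnry", "c.wnry"}
COMPONENT_THRESHOLD = 3  # assumption: three or more in one directory is suspicious


def analyse(events):
    """Return (rule, detail) tuples for a list of endpoint events.

    Each event is a dict with 'type' of 'process' (keys 'image', 'cmd')
    or 'file' (key 'path'). Process rules fire per event; the component
    drop rule aggregates file creations per directory and fires once.
    """
    findings = []
    dropped = defaultdict(set)
    for ev in events:
        if ev["type"] == "process":
            cmd = ev.get("cmd", "")
            if ATTRIB_HIDE.search(cmd):
                findings.append(("attrib_hide_workdir", cmd))
            if ICACLS_EVERYONE_FULL.search(cmd):
                findings.append(("icacls_everyone_full_recursive", cmd))
            m = TASKKILL.search(cmd)
            if m:
                findings.append(("taskkill_unlock_files", m.group(2)))
            if DECRYPTOR_IMAGE.search(ev.get("image", "")):
                findings.append(("wanadecryptor_launched", ev["image"]))
        elif ev["type"] == "file":
            directory, _, name = ev["path"].rpartition("\\")
            if name.lower() in COMPONENTS:
                dropped[directory].add(name.lower())
    for directory, names in dropped.items():
        if len(names) >= COMPONENT_THRESHOLD:
            findings.append(("wnry_component_drop", f"{directory} ({len(names)} files)"))
    return findings


# Constructed sample telemetry, not a real capture. The working directory
# name "abcdefgh" and the benign icacls call are made up for the example.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\ProgramData\abcdefgh\u.wnry"},
    {"type": "file", "path": r"C:\ProgramData\abcdefgh\f.wnry"},
    {"type": "file", "path": r"C:\ProgramData\abcdefgh\r.wnry"},
    {"type": "file", "path": r"C:\ProgramData\abcdefgh\s.wnry"},
    {"type": "file", "path": r"C:\ProgramData\abcdefgh\t.wnry"},
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe",
     "cmd": "attrib +h ."},
    {"type": "process", "image": r"C:\Windows\System32\icacls.exe",
     "cmd": "icacls . /grant Everyone:F /T /C /Q"},
    {"type": "process", "image": r"C:\Windows\System32\taskkill.exe",
     "cmd": "taskkill.exe /f /im mysqld.exe"},
    {"type": "process", "image": r"C:\ProgramData\abcdefgh\@WanaDecryptor@.exe",
     "cmd": "@WanaDecryptor@.exe"},
    # benign administration: a scoped grant, not Everyone:F, should not fire
    {"type": "process", "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r"icacls C:\share /grant Users:RX"},
    {"type": "file", "path": r"C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The process rules are deliberately narrow: a recursive grant of Everyone:F on "." is almost never legitimate administration, whereas icacls in general is, so the regex anchors on the principal and the /T switch rather than on the tool name. The component-drop rule is what catches the stage before any command line runs, which is the point at which blocking still saves files.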