u.wnry

Threat Actor Profile Updated 2 months ago
u.wnry is a significant threat actor, known for its role in executing malicious actions. The primary tool used by this group is the WCry ransomware decryptor, which comes in two identical modules: u.wnry and @[email protected]. This ransomware encrypts files using an embedded RSA private key, as demonstrated through f.wnry, a list of randomly selected files encrypted as part of the attack. Once these files are dropped into the working directory, the malware attempts to hide all files and to grant full access to every file in the current directory and in any directory below it. The ransomware operates by running the EXE module @[email protected], which is launched by a DLL copy of the previously unzipped file u.wnry. After gaining control, it modifies system attributes to reduce protection, targeting directories such as Local Settings\Temp, Program Files, and WINDOWS, among others. It then creates shortcuts, kills processes, and demands a ransom in bitcoin, effectively holding the victim's files hostage until payment is made. Finally, u.wnry creates a copy of the previously unzipped file, saving and running it as @[email protected]. This executable opens a GUI with a ransom note, informing victims of the encryption and demanding payment. Other resources, such as text ransom notes, zip files containing Tor files, encrypted encryption tools, and ransom images, are used throughout the process to carry out the attack and obscure the threat actor's activities. The u.wnry threat actor represents a substantial cybersecurity risk due to its sophisticated use of ransomware tactics.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (Votes): Profile Description
Wcry (1): WCry, also known as WannaCry or WanaCryptor, is a self-propagating ransomware that was one of the most disruptive cyber attacks in history. This malware was a product of a North Korean cyber operation aimed at financial gain. The ransomware spreads through internal networks and over the public inter
f.wnry (1): f.wnry is a threat actor involved in the execution of malicious activities, specifically ransomware attacks. The modus operandi involves encrypting an Advanced Encryption Standard (AES) key with a randomly generated RSA key. This process is initiated by writing the file path to the file f.wnry. If t
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransom
Ransomware
Dropper
Loader
Windows
Malware
Encryption
Exploit
Bitcoin
Worm
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the u.wnry Threat Actor was read from the documents in the corpus below. This display is limited to 20 results.
Source (Created At): Title
MITRE (a year ago): A Technical Analysis of WannaCry Ransomware | LogRhythm
MITRE (a year ago): WCry (WannaCry) Ransomware Analysis
MITRE (a year ago): WannaCry Malware Profile | Mandiant
BAE Systems (a year ago): WanaCrypt0r Ransomworm