Wana Decrypt0r

Threat Actor updated 23 days ago (2024-11-29T14:21:55.287Z)
Download STIX
Preview STIX
Wana Decrypt0r, also known as WCry, WannaCry, WanaCrypt, and Wana Decryptor, is a threat actor responsible for a widespread ransomware campaign that severely impacted systems worldwide in May 2017. This malicious entity utilizes a variety of tactics to execute its intentions, including embedding an encrypter as a resource within an initial dropper, which contains a decryption application ("Wana Decrypt0r 2.0"), a password-protected zip file containing a copy of Tor, and several individual files with configuration information and encryption keys. The malware communicates with victims through various messages, such as "Ooops, your files have been encrypted!" or "Pay now, if you want to decrypt ALL your files!", and demands payment in Bitcoin. The ransomware operates by encrypting files on the victim's computer and then demanding a specific amount of money, typically in Bitcoin, to decrypt and release the encrypted files. The ransom demand interface prompts the victim to send a certain worth of Bitcoin to a specified address, threatening that all files will remain encrypted unless the ransom is paid. It uses commands like "cmd.exe /c start /b vssadmin.exe Delete Shadows /All /Quiet" and "wbadmin delete catalog -quiet", among others, to manipulate system settings and hinder recovery efforts. In cases where the "Wana Decrypt0r" program fails to execute, the malware displays a bitmap image contained in "b.wnry" on the desktop. The image serves as another method of communicating the ransom demand to the victim. Despite the significant damage caused by the Wana Decrypt0r ransomware campaign, cybersecurity researchers from SecureWorks® Counter Threat Unit® (CTU) and other organizations are continually investigating and developing measures to counter this and similar threats.
Description last updated: 2024-05-04T20:07:03.271Z
What's your take? (Question 1 of 1)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
WannaCry is a possible alias for Wana Decrypt0r. WannaCry is a notorious malware that gained global attention in 2017 when it was responsible for the biggest ransomware attack to date. The malware, designed to exploit and damage computer systems, infects systems through suspicious downloads, emails, or websites. Once inside a system, WannaCry can
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Wana Decrypt0r Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more