Wana Decrypt0r

Threat Actor updated 4 months ago (2024-05-04T20:18:49.714Z)
Wana Decrypt0r, also known as WCry, WannaCry, WanaCrypt, and Wana Decryptor, is a threat actor responsible for a widespread ransomware campaign that severely impacted systems worldwide in May 2017. It uses a variety of tactics, including embedding an encrypter as a resource within an initial dropper. The dropper contains a decryption application ("Wana Decrypt0r 2.0"), a password-protected zip file containing a copy of Tor, and several individual files with configuration information and encryption keys. The malware communicates with victims through messages such as "Ooops, your files have been encrypted!" and "Pay now, if you want to decrypt ALL your files!", and demands payment in Bitcoin: it encrypts files on the victim's computer and then demands a specific amount of money, typically in Bitcoin, to decrypt and release them. The ransom demand interface prompts the victim to send a certain worth of Bitcoin to a specified address, threatening that all files will remain encrypted unless the ransom is paid. It runs commands such as "cmd.exe /c start /b vssadmin.exe Delete Shadows /All /Quiet" and "wbadmin delete catalog -quiet", among others, to manipulate system settings and hinder recovery efforts. Where the "Wana Decrypt0r" program fails to execute, the malware displays the bitmap image contained in "b.wnry" on the desktop as another way of communicating the ransom demand to the victim. Despite the significant damage caused by the Wana Decrypt0r ransomware campaign, cybersecurity researchers from SecureWorks® Counter Threat Unit® (CTU) and other organizations continue to investigate and develop measures to counter this and similar threats.
Description last updated: 2024-05-04T20:07:03.271Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
WannaCry | 2 | WannaCry is a type of malware, specifically ransomware, that emerged as one of the most significant cybersecurity threats in 2017. It exploited Windows' SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), allowing it to spread across networks and encrypt files,
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Source Document References
Information about the Wana Decrypt0r Threat Actor was read from the documents corpus below.
Source | Created | Title
GovCERT CH | 2 years ago | WannaCry? It is not worth it!
MITRE | 2 years ago | WCry (WannaCry) Ransomware Analysis
MITRE | 2 years ago | WannaCry Malware Profile | Mandiant
MITRE | 2 years ago | A Technical Analysis of WannaCry Ransomware | LogRhythm