Wana Decrypt0r, also known as WCry, WannaCry, WanaCrypt, and Wana Decryptor, is a threat actor responsible for a widespread ransomware campaign that severely impacted systems worldwide in May 2017. Its tooling is delivered in layers: the encrypter is embedded as a resource within an initial dropper, and packaged with it are a decryption application ("Wana Decrypt0r 2.0"), a password-protected zip file containing a copy of Tor, and several individual files holding configuration information and encryption keys. The malware communicates with victims through messages such as "Ooops, your files have been encrypted!" and "Pay now, if you want to decrypt ALL your files!", and demands payment in Bitcoin.
The ransomware encrypts files on the victim's computer and then demands a specific sum, typically in Bitcoin, in exchange for decrypting them. The ransom interface instructs the victim to send a stated amount of Bitcoin to a specified address and warns that all files will remain encrypted unless the ransom is paid. To hinder recovery, it runs commands such as "cmd.exe /c start /b vssadmin.exe Delete Shadows /All /Quiet" and "wbadmin delete catalog -quiet", among others, which delete Volume Shadow Copies and the Windows backup catalog so that the local restore points a victim might otherwise fall back on are no longer available.
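The two recovery-inhibition commands quoted above are a reliable detection opportunity: they are rarely run by ordinary users, and here they are spawned from a temp-directory executable in quick succession. The following is an added example (not code from the original page or from any of the referenced research organizations) that scans constructed process-creation events for those command lines. The event shape, the `dropper.exe` path and the timestamps are constructed sample data; the `wmic shadowcopy delete` and `bcdedit ... recoveryenabled no` rules go beyond the page and cover other well-known commands with the same purpose.

```python
import re
from typing import Dict, List, NamedTuple


class ProcessEvent(NamedTuple):
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    timestamp: str
    parent_image: str
    command_line: str


class Finding(NamedTuple):
    timestamp: str
    rule: str
    parent_image: str
    command_line: str


# Patterns are case-insensitive, tolerate extra whitespace and an optional
# ".exe" suffix, and match inside a "cmd.exe /c start /b ..." wrapper, since
# the page's own example wraps vssadmin in exactly such a cmd.exe invocation.
RECOVERY_INHIBITION_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    # Beyond the page: other commonly abused commands with the same effect.
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\s+.*recoveryenabled\s+no\b", re.I)),
]


def detect_recovery_inhibition(events: List[ProcessEvent]) -> List[Finding]:
    """Return one Finding per (event, rule) pair whose command line matches."""
    findings: List[Finding] = []
    for ev in events:
        for name, pattern in RECOVERY_INHIBITION_RULES:
            if pattern.search(ev.command_line):
                findings.append(Finding(ev.timestamp, name, ev.parent_image, ev.command_line))
    return findings


def summarize_by_parent(findings: List[Finding]) -> Dict[str, int]:
    """Count distinct rules that fired per parent process.

    Several different recovery-inhibition commands under one unusual parent
    is a much stronger signal than a single admin running vssadmin by hand.
    """
    rules_per_parent: Dict[str, set] = {}
    for f in findings:
        rules_per_parent.setdefault(f.parent_image, set()).add(f.rule)
    return {parent: len(rules) for parent, rules in rules_per_parent.items()}


# Constructed sample telemetry, not real logs. The dropper path is a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent("2017-05-12T10:01:02Z", r"C:\Windows\explorer.exe",
                 r"notepad.exe C:\Users\alice\notes.txt"),
    ProcessEvent("2017-05-12T10:03:15Z", r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
                 r"cmd.exe /c start /b vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent("2017-05-12T10:03:16Z", r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
                 r"wbadmin delete catalog -quiet"),
    ProcessEvent("2017-05-12T10:03:17Z", r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
                 r"cmd.exe /c bcdedit /set {default} recoveryenabled no"),
    # Benign enumeration by an administrator; must not fire.
    ProcessEvent("2017-05-12T11:30:00Z", r"C:\Windows\System32\cmd.exe",
                 r"vssadmin list shadows"),
]


if __name__ == "__main__":
    hits = detect_recovery_inhibition(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.timestamp} {h.rule:<26} parent={h.parent_image}")
    print("distinct rules per parent:", summarize_by_parent(hits))
```

Matching on the full command line rather than on the image name is deliberate: the page's own invocation launches vssadmin through `cmd.exe /c start /b`, so a rule keyed only on `vssadmin.exe` as the created process would miss the event if only the cmd.exe creation is logged. In production the same logic would run as an EDR or SIEM rule, with the per-parent summary driving alert severity.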
If the "Wana Decrypt0r" program fails to execute, the malware instead sets the bitmap image stored in "b.wnry" as the desktop background, which serves as a fallback channel for delivering the ransom demand to the victim. Despite the significant damage caused by the Wana Decrypt0r ransomware campaign, cybersecurity researchers from SecureWorks® Counter Threat Unit® (CTU) and other organizations continue to investigate this threat and develop countermeasures against it and similar campaigns.
Description last updated: 2024-05-04T20:07:03.271Z