WannaCry

Malware updated 19 hours ago (2024-11-20T18:14:18.519Z)
Download STIX
Preview STIX
WannaCry is a type of malware, specifically ransomware, that made headlines in 2017 as one of the most devastating cyberattacks in recent history. The WannaCry ransomware exploited vulnerabilities in Windows' Server Message Block protocol (SMBv1), specifically CVE-2017-0144, CVE-2017-0145, and CVE-2017-0143, to infect systems and encrypt data, demanding a ransom for its release. It spread rapidly across networks, affecting numerous sectors worldwide, with significant detections even years later; for instance, there were 2,678 WannaCry ransomware detections across African government sectors in Q1 2021. A unique feature of the WannaCry ransomware was its kill switch domain, an Internet connectivity check included by the author. This may suggest that the script was developed by a researcher or someone with an interest in threat intelligence. Despite the massive disruption caused by WannaCry, decryption tools have been developed to unlock the ransomware's encryption without paying the ransom. One such tool is 'wanakiwi', available on GitHub, which can help victims recover their files. The impact of WannaCry underscores the importance of robust cybersecurity measures, particularly in the context of increasing ransomware attacks. These attacks often exploit misconfigurations and overly permissive storage buckets in cloud environments. Therefore, assessing the overall cloud environment is key to protecting data against such threats. Furthermore, it highlights the need for regular software updates to patch vulnerabilities, as was demonstrated by the use of the EternalBlue exploit in the WannaCry attack.
Description last updated: 2024-11-15T16:08:45.980Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Wana Decrypt0r is a possible alias for WannaCry. Wana Decrypt0r, also known as WCry, WannaCry, WanaCrypt, and Wana Decryptor, is a threat actor responsible for a widespread ransomware campaign that severely impacted systems worldwide in May 2017. This malicious entity utilizes a variety of tactics to execute its intentions, including embedding an
2
Wannacryptor is a possible alias for WannaCry. WannaCryptor, also known as WannaCry or Wanna Decryptor, is a threat actor that has been active since at least 2009. This group, which is aligned with North Korea, has been responsible for several high-profile cyber incidents. Notable among these are the Sony Pictures Entertainment hack in 2014, cyb
2
Wcry is a possible alias for WannaCry. WCry, also known as WannaCry or WanaCryptor, is a self-propagating ransomware that was one of the most disruptive cyber attacks in history. This malware was a product of a North Korean cyber operation aimed at financial gain. The ransomware spreads through internal networks and over the public inter
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Windows
Vulnerability
Exploit
Worm
Exploits
exploited
Antivirus
Ransom
Wiper
Botnet
Dropper
Microsoft
Payload
Bitcoin
Apt
Encrypt
exploitation
Encryption
Extortion
Nhs
RCE (Remote ...
Proxy
African
Remote Code ...
Cybercrime
State Sponso...
Trojan
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The NotPetya Malware is associated with WannaCry. NotPetya, a destructive malware posing as ransomware, was unleashed in 2017, causing widespread global damage while primarily targeting Ukraine's infrastructure. The cyberattack, commonly attributed to Russia, was so devastating that it led many to consider it an act of cyberwar, despite no officialUnspecified
8
The Ryuk Malware is associated with WannaCry. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware invesUnspecified
4
The Stuxnet Malware is associated with WannaCry. Stuxnet, discovered in 2010, is one of the most infamous malware attacks in history. It was a military-grade cyberweapon co-developed by the United States and Israel, specifically targeting Iran's nuclear enrichment facility at Natanz. The Stuxnet worm infiltrated Windows systems, programming logic Unspecified
3
The petya Malware is associated with WannaCry. Petya is a type of malware, specifically ransomware, that infected Windows-based systems primarily through phishing emails. It was notorious for its ability to disrupt operations and hold data hostage for ransom. Petya, along with other types of ransomware like WannaCry, NotPetya, TeslaCrypt, and DaUnspecified
3
The Lockbit Malware is associated with WannaCry. LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit Unspecified
2
The LockerGoga Malware is associated with WannaCry. LockerGoga is a type of malware, specifically ransomware, that infiltrates computer systems and holds data hostage until a ransom is paid. This malicious software was notably deployed in an attack against Norsk Hydro in March 2019. The malware was distributed by the threat group FIN6, which traditioUnspecified
2
The Yashma Ransomware Malware is associated with WannaCry. Yashma ransomware is a malicious software that was first observed in May 2022 as a rebranded version of the Chaos ransomware builder V5, which leaked in April 2022. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold daUnspecified
2
The Phobos Malware is associated with WannaCry. Phobos is a form of malware, specifically ransomware, that has been active since May 2019. The operation utilizes a ransomware-as-a-service (RaaS) model and is responsible for numerous cyber attacks worldwide. Threat actors behind Phobos gained initial access to vulnerable networks through phishing Unspecified
2
The Conficker Malware is associated with WannaCry. Conficker, also known as Kido, Downadup, and Downup, is a malicious software (malware) that emerged in November 2008. This worm rapidly spread across computer networks, exfiltrating sensitive information such as login credentials and personal data. It exploited the MS08-067 vulnerability to initiallUnspecified
2
The TRITON Malware is associated with WannaCry. Triton is a type of malware, specifically designed to exploit and damage computer systems. It was first used in a cyberattack on a Middle East petrochemical facility in 2017, attributed to the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM). The malware targets saUnspecified
2
The Mirai Malware is associated with WannaCry. Mirai, a malware that targets Internet of Things (IoT) devices, was responsible for over 7 million botnet detections in early 2022. This malicious software infiltrates systems often without the user's knowledge and can steal personal information, disrupt operations, or hold data hostage for ransom. Unspecified
2
The REvil Malware is associated with WannaCry. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. ThUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lazarus Group Threat Actor is associated with WannaCry. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North KUnspecified
4
The Shadow Brokers Threat Actor is associated with WannaCry. The Shadow Brokers, a threat actor group, has been involved in several high-profile cybersecurity incidents. They first came into the limelight in August 2016 when they leaked tools believed to be from the Equation Group, an Advanced Persistent Threat (APT) group associated with the U.S. National SeUnspecified
2
The Labyrinth Chollima Threat Actor is associated with WannaCry. Labyrinth Chollima, a threat actor linked to North Korea, has been active since 2009 and is known for conducting operations aimed at collecting political, military, and economic intelligence on North Korea’s foreign adversaries, as well as currency generation campaigns. This group, also known by varUnspecified
2
The HIDDEN COBRA Threat Actor is associated with WannaCry. Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is a North Korean government-linked threat actor known for its malicious cyber activities. The group has primarily conducted cyberespionage but has also been involved in ransomware activity. The U.S. Government refers to this team's sUnspecified
2
The threatActor Wanacryptor is associated with WannaCry. Unspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Eternalblue Vulnerability is associated with WannaCry. EternalBlue is a software vulnerability, specifically a flaw in the design or implementation of Microsoft's Server Message Block (SMB) protocol. This vulnerability, officially known as CVE-2017-0144, allows for the execution of arbitrary code on affected systems. It became publicly known after a groExploited
8
The Ms17-010 Vulnerability is associated with WannaCry. MS17-010, also known as "EternalBlue," "EternalSynergy," or "Eternal Romance," is a significant vulnerability in Microsoft's Server Message Block 1.0 (SMBv1) protocol that allows for remote code execution. It was first addressed by Microsoft through the release of security bulletin MS17-010 on MarchUnspecified
4
The vulnerability CVE-2017-0144 is associated with WannaCry. Unspecified
3
Source Document References
Information about the WannaCry Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
5 hours ago
DARKReading
6 days ago
DARKReading
a month ago
Flashpoint
a month ago
BankInfoSecurity
2 months ago
Unit42
2 months ago
DARKReading
3 months ago
DARKReading
3 months ago
Securityaffairs
3 months ago
Securityaffairs
4 months ago
CERT-EU
9 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
InfoSecurity-magazine
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
InfoSecurity-magazine
5 months ago
Securityaffairs
5 months ago