WannaCry

Malware updated 22 days ago (2024-11-29T13:54:11.628Z)
Download STIX
Preview STIX
WannaCry is a notorious malware that gained global attention in 2017 when it was responsible for the biggest ransomware attack to date. The malware, designed to exploit and damage computer systems, infects systems through suspicious downloads, emails, or websites. Once inside a system, WannaCry can disrupt operations and hold data hostage for ransom. The malware exploits vulnerabilities in Windows' SMBv1 Remote Code Execution, specifically CVE-2017-0144, CVE-2017-0145, and CVE-2017-0143. This led to widespread disruptions in businesses worldwide, making it one of the most devastating cyberattacks in recent history. The author of WannaCry included an Internet connectivity check to a killswitch domain, which suggests the script may have been developed by a researcher or someone with interest in threat intelligence. In response to the attack, decryption tools were developed to unlock systems affected by WannaCry and other ransomware such as Petya, NotPetya, TeslaCrypt, DarkSide, REvil, Alcatraz Locker, Apocalypse, BadBlock, Bart, BTCWare, EncrypTile, and Globe. One such tool is the WannaCry ransomware decryption tool available on GitHub, which has proven effective in decrypting files held hostage by the malware. The impact of WannaCry has been felt globally, with notable instances including 2,678 detections across African government sectors in Q1 2021. This has led to increased interest in Africa for more control over their technology supply chains, highlighting the importance of supply-chain security following malicious events like the WannaCry and NotPetya worms. Similar events such as the compromise of SolarWinds and the CrowdStrike outage have further underscored the need for robust cybersecurity measures to protect against such threats.
Description last updated: 2024-11-25T13:45:04.033Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Wana Decrypt0r is a possible alias for WannaCry. Wana Decrypt0r, also known as WCry, WannaCry, WanaCrypt, and Wana Decryptor, is a threat actor responsible for a widespread ransomware campaign that severely impacted systems worldwide in May 2017. This malicious entity utilizes a variety of tactics to execute its intentions, including embedding an
2
Wannacryptor is a possible alias for WannaCry. WannaCryptor, also known as WannaCry or Wanna Decryptor, is a threat actor that has been active since at least 2009. This group, which is aligned with North Korea, has been responsible for several high-profile cyber incidents. Notable among these are the Sony Pictures Entertainment hack in 2014, cyb
2
Wcry is a possible alias for WannaCry. WCry, also known as WannaCry or WanaCryptor, is a self-propagating ransomware that was one of the most disruptive cyber attacks in history. This malware was a product of a North Korean cyber operation aimed at financial gain. The ransomware spreads through internal networks and over the public inter
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Windows
Vulnerability
Exploit
Worm
Exploits
exploited
Antivirus
Ransom
Wiper
Botnet
Dropper
Microsoft
Payload
Bitcoin
Apt
Encrypt
exploitation
Encryption
Extortion
Nhs
RCE (Remote ...
Proxy
African
Remote Code ...
Cybercrime
State Sponso...
Trojan
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The NotPetya Malware is associated with WannaCry. NotPetya is a destructive malware that posed as ransomware, causing significant global damage in 2017. Despite its appearance as ransomware, NotPetya was not designed to extort money but rather to destroy data and disrupt operations, particularly targeting Ukraine's infrastructure. NotPetya was attrUnspecified
8
The Ryuk Malware is associated with WannaCry. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware invesUnspecified
4
The Stuxnet Malware is associated with WannaCry. Stuxnet, discovered in 2010, is one of the most infamous malware attacks in history. It was a military-grade cyberweapon co-developed by the United States and Israel, specifically targeting Iran's nuclear enrichment facility at Natanz. The Stuxnet worm infiltrated Windows systems, programming logic Unspecified
3
The petya Malware is associated with WannaCry. Petya is a type of malware, specifically ransomware, that infected Windows-based systems primarily through phishing emails. It was notorious for its ability to disrupt operations and hold data hostage for ransom. Petya, along with other types of ransomware like WannaCry, NotPetya, TeslaCrypt, and DaUnspecified
3
The Lockbit Malware is associated with WannaCry. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers orUnspecified
2
The LockerGoga Malware is associated with WannaCry. LockerGoga is a type of malware, specifically ransomware, that infiltrates computer systems and holds data hostage until a ransom is paid. This malicious software was notably deployed in an attack against Norsk Hydro in March 2019. The malware was distributed by the threat group FIN6, which traditioUnspecified
2
The Yashma Ransomware Malware is associated with WannaCry. Yashma ransomware is a malicious software that was first observed in May 2022 as a rebranded version of the Chaos ransomware builder V5, which leaked in April 2022. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold daUnspecified
2
The Phobos Malware is associated with WannaCry. Phobos is a form of malware, specifically ransomware, that has been active since May 2019. The operation utilizes a ransomware-as-a-service (RaaS) model and is responsible for numerous cyber attacks worldwide. Threat actors behind Phobos gained initial access to vulnerable networks through phishing Unspecified
2
The Conficker Malware is associated with WannaCry. Conficker, also known as Kido, Downadup, and Downup, is a malicious software (malware) that emerged in November 2008. This worm rapidly spread across computer networks, exfiltrating sensitive information such as login credentials and personal data. It exploited the MS08-067 vulnerability to initiallUnspecified
2
The TRITON Malware is associated with WannaCry. Triton is a type of malware, specifically designed to exploit and damage computer systems. It was first used in a cyberattack on a Middle East petrochemical facility in 2017, attributed to the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM). The malware targets saUnspecified
2
The Mirai Malware is associated with WannaCry. Mirai is a type of malware that primarily targets Internet of Things (IoT) devices, converting them into a botnet, which is then used to launch Distributed Denial of Service (DDoS) attacks. In early 2022, Mirai botnets accounted for over seven million detections worldwide, though there was a 9% quarUnspecified
2
The REvil Malware is associated with WannaCry. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. ThUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Lazarus Group Threat Actor is associated with WannaCry. The Lazarus Group, a notorious threat actor attributed to North Korea, is renowned for its malicious activities aimed at furthering the country's objectives. This group has been implicated in several high-profile cyber-attacks, including an attack in Spain known as Operation DreamJob. The exploitatiUnspecified
4
The Shadow Brokers Threat Actor is associated with WannaCry. The Shadow Brokers, a threat actor group, has been involved in several high-profile cybersecurity incidents. They first came into the limelight in August 2016 when they leaked tools believed to be from the Equation Group, an Advanced Persistent Threat (APT) group associated with the U.S. National SeUnspecified
2
The Labyrinth Chollima Threat Actor is associated with WannaCry. Labyrinth Chollima, a threat actor linked to North Korea, has been active since 2009 and is known for conducting operations aimed at collecting political, military, and economic intelligence on North Korea’s foreign adversaries, as well as currency generation campaigns. This group, also known by varUnspecified
2
The HIDDEN COBRA Threat Actor is associated with WannaCry. Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is a North Korean government-linked threat actor known for its malicious cyber activities. The group has primarily conducted cyberespionage but has also been involved in ransomware activity. The U.S. Government refers to this team's sUnspecified
2
The threatActor Wanacryptor is associated with WannaCry. Unspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Eternalblue Vulnerability is associated with WannaCry. EternalBlue is a software vulnerability, specifically a flaw in the design or implementation of Microsoft's Server Message Block (SMB) protocol. This vulnerability, officially known as CVE-2017-0144, allows for the execution of arbitrary code on affected systems. It became publicly known after a groExploited
8
The Ms17-010 Vulnerability is associated with WannaCry. MS17-010, also known as "EternalBlue," "EternalSynergy," or "Eternal Romance," is a significant vulnerability in Microsoft's Server Message Block 1.0 (SMBv1) protocol that allows for remote code execution. It was first addressed by Microsoft through the release of security bulletin MS17-010 on MarchUnspecified
4
The vulnerability CVE-2017-0144 is associated with WannaCry. Unspecified
3
Source Document References
Information about the WannaCry Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
a month ago
DARKReading
a month ago
DARKReading
2 months ago
Flashpoint
2 months ago
BankInfoSecurity
3 months ago
Unit42
3 months ago
DARKReading
4 months ago
DARKReading
4 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago
CERT-EU
10 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
InfoSecurity-magazine
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
InfoSecurity-magazine
6 months ago
Securityaffairs
6 months ago