WannaCry

Malware updated 22 days ago (2024-09-26T02:01:08.200Z)
WannaCry, a potent piece of malware, emerged as one of the most destructive cyberattacks in recent history when it struck in May 2017. Leveraging Windows SMBv1 remote code execution vulnerabilities (CVE-2017-0144, CVE-2017-0145 and CVE-2017-0143), WannaCry rapidly spread across systems worldwide, encrypting data and demanding a ransom for its release. The attack was particularly notorious for its widespread impact; even African government sectors were still reporting 2,678 WannaCry ransomware detections in Q1 2021. The malware's potency stemmed from its use of EternalBlue, an exploit that allowed it to propagate swiftly and widely. This exploit was also used by other types of ransomware such as Petya, NotPetya, TeslaCrypt, DarkSide, REvil, Alcatraz Locker, Apocalypse, BadBlock, Bart, BTCWare, EncrypTile and Globe. WannaCry, however, stood out because of its vast reach and the significant disruption it caused, making it the largest ransomware attack at the time in 2017.

In response to this threat, various decryption tools were developed to help victims recover their encrypted files without paying the ransom. One such tool is 'wanakiwi', available on GitHub, which can decrypt files affected by the WannaCry ransomware. These tools, together with regular software updates and patches, have played a crucial role in mitigating similar attacks since the WannaCry incident in 2017.
Description last updated: 2024-09-26T01:15:37.206Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following are possible overlapping names and profiles that may also be worth looking at.
Alias | Description | Votes
Wana Decrypt0r | Wana Decrypt0r, also known as WCry, WannaCry, WanaCrypt, and Wana Decryptor, is a threat actor responsible for a widespread ransomware campaign that severely impacted systems worldwide in May 2017. This malicious entity utilizes a variety of tactics to execute its intentions, including embedding an ... | 2
Wannacryptor | WannaCryptor, also known as WannaCry or Wanna Decryptor, is a threat actor that has been active since at least 2009. This group, which is aligned with North Korea, has been responsible for several high-profile cyber incidents. Notable among these are the Sony Pictures Entertainment hack in 2014, cyb ... | 2
Wcry | WCry, also known as WannaCry or WanaCryptor, is a self-propagating ransomware that was one of the most disruptive cyber attacks in history. This malware was a product of a North Korean cyber operation aimed at financial gain. The ransomware spreads through internal networks and over the public inter ... | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Windows
Vulnerability
Exploit
Worm
Exploits
exploited
Antivirus
Ransom
Wiper
Botnet
Dropper
Microsoft
Payload
Bitcoin
Apt
Encrypt
Encryption
Nhs
Extortion
Proxy
RCE (Remote ...
Remote Code ...
Trojan
exploitation
Associated Malware
Alias | Description | Association Type | Votes
NotPetya | NotPetya is a malicious software (malware) that caused extensive damage worldwide in 2017. It was initially perceived as ransomware, similar to other notorious variants such as WannaCry, Petya, TeslaCrypt, DarkSide, and REvil. However, unlike typical ransomware, NotPetya was primarily destructive ra ... | Unspecified | 8
Ryuk | Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves ... | Unspecified | 4
Stuxnet | Stuxnet, discovered in 2010, is one of the most notorious malware attacks in history, primarily targeting Windows systems, programming logic controllers (PLCs), and supervisory controls and data acquisition (SCADA) systems. The military-grade cyberweapon was co-developed by the United States and Isr ... | Unspecified | 3
Petya | Petya is a type of malware, specifically ransomware, that infected Windows-based systems primarily through phishing emails. It was notorious for its ability to disrupt operations and hold data hostage for ransom. Petya, along with other types of ransomware like WannaCry, NotPetya, TeslaCrypt, and Da ... | Unspecified | 3
LockBit | LockBit is a notorious malware that operates on a ransomware-as-a-service model, which has been responsible for significant cyber attacks across the globe. One of its most high-profile targets was Boeing, from whom the LockBit gang claimed to have stolen data. This incident not only disrupted operat ... | Unspecified | 2
Yashma Ransomware | Yashma ransomware is a malicious software that was first observed in May 2022 as a rebranded version of the Chaos ransomware builder V5, which leaked in April 2022. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold da ... | Unspecified | 2
Phobos | Phobos is a type of malware, specifically ransomware, that has been causing significant cybersecurity concerns. Ransomware is a malicious software that infects systems, often without the user's knowledge, via suspicious downloads, emails, or websites. Once inside, it can disrupt operations and hold ... | Unspecified | 2
Conficker | Conficker, also known as Kido, Downadup, and Downup, is a malicious software (malware) that emerged in November 2008. This worm rapidly spread across computer networks, exfiltrating sensitive information such as login credentials and personal data. It exploited the MS08-067 vulnerability to initiall ... | Unspecified | 2
LockerGoga | LockerGoga is a type of malware, specifically ransomware, that infiltrates computer systems and holds data hostage until a ransom is paid. This malicious software was notably deployed in an attack against Norsk Hydro in March 2019. The malware was distributed by the threat group FIN6, which traditio ... | Unspecified | 2
TRITON | Triton is a type of malware, specifically designed to exploit and damage computer systems. It was first used in a cyberattack on a Middle East petrochemical facility in 2017, attributed to the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM). The malware targets sa ... | Unspecified | 2
REvil | REvil is a notorious malware, specifically a type of ransomware, that gained prominence in the cybercrime world as part of the Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, establishing relationships between first-stage malwares and subsequent ransomware attac ... | Unspecified | 2
Mirai | Mirai is a type of malware that specifically targets Internet of Things (IoT) devices to create a botnet, which can then be used for various malicious activities. The Mirai botnet had a significant impact in early 2022, accounting for over 7 million botnet detections globally. However, there was a 9 ... | Unspecified | 2
Associated Threat Actors
Alias | Description | Association Type | Votes
Lazarus Group | The Lazarus Group, a notorious threat actor attributed to North Korea, has been implicated in a series of high-profile cyberattacks and illicit activities. The group is known for its sophisticated operations, including Operation DreamJob, which targeted Spain with a high level of confidence. Over th ... | Unspecified | 4
Shadow Brokers | The Shadow Brokers, a threat actor group, has been involved in several high-profile cybersecurity incidents. They first came into the limelight in August 2016 when they leaked tools believed to be from the Equation Group, an Advanced Persistent Threat (APT) group associated with the U.S. National Se ... | Unspecified | 2
HIDDEN COBRA | Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is a North Korean government-linked threat actor known for its malicious cyber activities. The group has primarily conducted cyberespionage but has also been involved in ransomware activity. The U.S. Government refers to this team's s ... | Unspecified | 2
Labyrinth Chollima | Labyrinth Chollima, a threat actor linked to North Korea, has been active since 2009 and is known for conducting operations aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, as well as currency generation campaigns. This group, also known by var ... | Unspecified | 2
Wanacryptor | | Unspecified | 2
Associated Vulnerabilities
Alias | Description | Association Type | Votes
EternalBlue | EternalBlue is a software vulnerability that exists due to a flaw in the design or implementation of the Windows Server Message Block (SMB). This vulnerability, officially known as CVE-2017-0144, was made public after the Shadow Brokers group leaked an exploit developed by the U.S. National Security ... | Exploited | 8
MS17-010 | MS17-010, also known as EternalBlue, EternalSynergy, or EternalRomance, is a significant remote code execution vulnerability in Microsoft's Server Message Block 1.0 (SMBv1) protocol. This flaw in software design and implementation was exploited by various malware strains, most notably the WannaCry r ... | Unspecified | 4
CVE-2017-0144 | | Unspecified | 3
Source Document References
Information about the WannaCry malware was read from the document corpus listed below. This display is limited to 20 results.
Source | Created
BankInfoSecurity | 22 days ago
Unit42 | a month ago
DARKReading | 2 months ago
DARKReading | 2 months ago
Securityaffairs | 2 months ago
Securityaffairs | 2 months ago
CERT-EU | 8 months ago
Securityaffairs | 3 months ago
Securityaffairs | 3 months ago
Securityaffairs | 3 months ago
Securityaffairs | 3 months ago
InfoSecurity-magazine | 3 months ago
Securityaffairs | 4 months ago
Securityaffairs | 4 months ago
InfoSecurity-magazine | 4 months ago
Securityaffairs | 4 months ago
Quick Heal Technologies Ltd. | 4 months ago
RIA - Information System Authority | 4 months ago
InfoSecurity-magazine | 5 months ago
Securityaffairs | 5 months ago