Wannacryptor

Threat Actor updated 7 months ago (2024-05-04T19:31:21.518Z)

Download STIX

Preview STIX

WannaCryptor, also known as WannaCry or Wanna Decryptor, is a threat actor that has been active since at least 2009. This group, which is aligned with North Korea, has been responsible for several high-profile cyber incidents. Notable among these are the Sony Pictures Entertainment hack in 2014, cyber heists amounting to tens of millions of dollars in 2016, and the widespread WannaCry outbreak in 2017. The group has also consistently targeted South Korean public and critical infrastructure since 2011. The WannaCry outbreak in 2017 was particularly significant due to its use of the EternalBlue exploit, a vulnerability in legacy versions of Server Message Block (SMB). This exploit, which was leaked by the National Security Agency (NSA), allowed WannaCryptor to rapidly spread malware across networks. Unlike the Diskcoder.C malware, which only targets computers within the local network address space, WannaCry had a much wider impact. Despite the cybersecurity industry's attempts to mitigate threats like WannaCryptor, the group remains active and continues to evolve its tactics. In addition to their previous attacks, they have also been involved in supply-chain attacks on 3CX and X_TRADER in recent years. These incidents highlight the persistent and evolving nature of the threat posed by WannaCryptor and underline the importance of ongoing vigilance and robust cybersecurity measures.

Description last updated: 2024-05-04T17:05:05.121Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
WannaCry is a possible alias for Wannacryptor. WannaCry is a type of malware, specifically ransomware, that made headlines in 2017 as one of the most devastating cyberattacks in recent history. The WannaCry ransomware exploited vulnerabilities in Windows' Server Message Block protocol (SMBv1), specifically CVE-2017-0144, CVE-2017-0145, and CVE-2	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Eternalblue Vulnerability is associated with Wannacryptor. EternalBlue is a software vulnerability, specifically a flaw in the design or implementation of Microsoft's Server Message Block (SMB) protocol. This vulnerability, officially known as CVE-2017-0144, allows for the execution of arbitrary code on affected systems. It became publicly known after a gro	Unspecified	2

Source Document References

Information about the Wannacryptor Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	10 months ago	Examples of Past and Current Attacks \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CERT-EU	a year ago	Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
ESET	2 years ago	WinorDLL64: A backdoor from the vast Lazarus arsenal? \| WeLiveSecurity
MITRE	2 years ago	TeleBots are back: Supply‑chain attacks against Ukraine \| WeLiveSecurity