Wannacryptor

Threat Actor updated 5 months ago (2024-05-04T19:31:21.518Z)

Download STIX

Preview STIX

WannaCryptor, also known as WannaCry or Wanna Decryptor, is a threat actor that has been active since at least 2009. This group, which is aligned with North Korea, has been responsible for several high-profile cyber incidents. Notable among these are the Sony Pictures Entertainment hack in 2014, cyber heists amounting to tens of millions of dollars in 2016, and the widespread WannaCry outbreak in 2017. The group has also consistently targeted South Korean public and critical infrastructure since 2011. The WannaCry outbreak in 2017 was particularly significant due to its use of the EternalBlue exploit, a vulnerability in legacy versions of Server Message Block (SMB). This exploit, which was leaked by the National Security Agency (NSA), allowed WannaCryptor to rapidly spread malware across networks. Unlike the Diskcoder.C malware, which only targets computers within the local network address space, WannaCry had a much wider impact. Despite the cybersecurity industry's attempts to mitigate threats like WannaCryptor, the group remains active and continues to evolve its tactics. In addition to their previous attacks, they have also been involved in supply-chain attacks on 3CX and X_TRADER in recent years. These incidents highlight the persistent and evolving nature of the threat posed by WannaCryptor and underline the importance of ongoing vigilance and robust cybersecurity measures.

Description last updated: 2024-05-04T17:05:05.121Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
WannaCry is a possible alias for Wannacryptor. WannaCry, a potent malware, emerged as one of the most destructive cyberattacks in recent history when it struck in May 2017. Leveraging Windows SMBv1 Remote Code Execution vulnerabilities (CVE-2017-0144, CVE-2017-0145, and CVE-2017-0143), WannaCry rapidly spread across systems worldwide, encrypting	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Eternalblue Vulnerability is associated with Wannacryptor. EternalBlue is a software vulnerability that exists due to a flaw in the design or implementation of the Windows Server Message Block (SMB). This vulnerability, officially known as CVE-2017-0144, was made public after the Shadow Brokers group leaked an exploit developed by the U.S. National Security	Unspecified	2

Source Document References

Information about the Wannacryptor Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	9 months ago	Examples of Past and Current Attacks \| #ransomware \| #cybercrime \| National Cyber Security Consulting
CERT-EU	a year ago	Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
CERT-EU	a year ago	Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
ESET	2 years ago	WinorDLL64: A backdoor from the vast Lazarus arsenal? \| WeLiveSecurity
MITRE	2 years ago	TeleBots are back: Supply‑chain attacks against Ukraine \| WeLiveSecurity