WannaCry

WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.[1][2][3][4]

ID: S0366
Associated Software: WanaCry, WanaCrypt, WanaCrypt0r, WCry
Type: MALWARE
Platforms: Windows
Contributors: Jan Miller, CrowdStrike
Version: 1.1
Created: 25 March 2019
Last Modified: 08 March 2023

Associated Software Descriptions

Name Description
WanaCry [5]
WanaCrypt [5]
WanaCrypt0r [1]
WCry [1][5]

Techniques Used

Domain ID Name Use
Enterprise T1543 .003 Create or Modify System Process: Windows Service

WannaCry creates the service "mssecsvc2.0" with the display name "Microsoft Security Center (2.0) Service."[1][4]

Enterprise T1486 Data Encrypted for Impact

WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.[1][4][5]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.[5]

Enterprise T1210 Exploitation of Remote Services

WannaCry uses an exploit in SMBv1 to spread itself to other remote systems on a network.[1][4][2]

Enterprise T1083 File and Directory Discovery

WannaCry searches by file extension for a variety of user files, including Office, PDF, image, audio, video, source code, archive/compression, and key and certificate files, before encrypting them with AES and protecting the AES keys with RSA.[1][4]

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

WannaCry uses attrib +h and icacls . /grant Everyone:F /T /C /Q to hide some of its files and to grant the Everyone group full control of its working directory and everything beneath it (/T recurses, /C continues past errors, /Q suppresses output).[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

WannaCry uses attrib +h to make some of its files hidden.[1]

Enterprise T1490 Inhibit System Recovery

WannaCry uses vssadmin, wbadmin, bcdedit, and wmic to delete and disable operating system recovery features.[1][4][5]

Enterprise T1570 Lateral Tool Transfer

WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit.[1]

Enterprise T1120 Peripheral Device Discovery

WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device.[4]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

WannaCry uses Tor for command and control traffic.[5]

Enterprise T1563 .002 Remote Service Session Hijacking: RDP Hijacking

WannaCry enumerates current remote desktop sessions and tries to execute the malware on each session.[1]

Enterprise T1018 Remote System Discovery

WannaCry scans its local network segment for remote systems to try to exploit and copy itself to.[5]

Enterprise T1489 Service Stop

WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores.[4][5]

Enterprise T1016 System Network Configuration Discovery

WannaCry will attempt to determine the local network segment it is a part of.[5]
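The two entries above (T1016 and T1018) describe a worm working out which segment its host sits on and then sweeping that segment for SMB targets. The following is an added example, not code from the ATT&CK page or from the malware: it derives the local IPv4 segment from an interface address and netmask with the standard library, then probes the segment concurrently for hosts that complete a TCP handshake on port 445. Run against your own network, it gives the same inventory of exposed SMB hosts that an EternalBlue-style spread would find. The interface address, netmask and the stub probe used in the test are constructed values.

```python
"""Added example (not part of the ATT&CK page): derive the local network segment and
enumerate hosts on it that accept TCP/445, the reachability condition a worm using an
SMBv1 exploit needs. Addresses below are constructed for illustration."""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable


def local_segment(ip: str, netmask: str) -> list[str]:
    """Every host address on the interface's subnet, excluding the network and
    broadcast addresses and the interface's own address."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    return [str(h) for h in net.hosts() if str(h) != ip]


def tcp_open(host: str, port: int = 445, timeout: float = 0.5) -> bool:
    """Real probe: a completed TCP handshake to 445 is enough to show SMB exposure;
    no SMB dialect negotiation is attempted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_segment(hosts: Iterable[str],
                 probe: Callable[[str], bool] = tcp_open,
                 workers: int = 64) -> list[str]:
    """Probe hosts concurrently; returns the reachable ones in address order.
    `probe` is injectable so the sweep can be exercised without a network."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, hosts))
    return [h for h, up in zip(hosts, results) if up]


if __name__ == "__main__":
    # Constructed interface details; replace with the real ones before a live sweep.
    for host in scan_segment(local_segment("192.168.1.77", "255.255.255.0")):
        print(f"{host}: TCP/445 open")
```

A host listed by this sweep is reachable on SMB from the scanning machine; whether it still speaks SMBv1 and lacks the MS17-010 patch is a separate check, but every such host is one the worm's scanner would also have reached.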

Enterprise T1047 Windows Management Instrumentation

WannaCry utilizes wmic to delete shadow copies.[1][4][5]
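Several of the entries above are host-visible command lines and a service installation: the vssadmin, wbadmin, bcdedit and wmic commands under T1490 and T1047, the icacls and attrib +h commands under T1222.001 and T1564.001, and the "mssecsvc2.0" service under T1543.003. The block below is an added example, not code from the ATT&CK page or from any cited report: a small detection pass over constructed process-creation and service-install events (simplified stand-ins for Sysmon Event ID 1 and System Event ID 7045 records). The sample command lines are built from the tools and switches the page names and include benign look-alikes that must not fire; the event shapes, record IDs and image paths are constructed.

```python
"""Added example (not part of the ATT&CK page): detections for the WannaCry host
behaviours the page lists, run over constructed sample events."""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    """Simplified stand-in for a Sysmon EID 1 ("process_create") or System EID 7045
    ("service_install") record; field names follow the Windows event fields."""
    record_id: int
    kind: str
    fields: dict = field(default_factory=dict)


@dataclass
class Hit:
    record_id: int
    technique: str
    evidence: list
    severity: str


# T1490 / T1047: one pattern per recovery-inhibition command the page attributes to
# WannaCry. Several of them in a single command line is a strong signal.
RECOVERY_INHIBIT = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin delete shadows"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadowcopy delete"),
    (r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", "bcdedit recoveryenabled no"),
    (r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
     "bcdedit bootstatuspolicy ignoreallfailures"),
    (r"wbadmin(\.exe)?\s+delete\s+catalog", "wbadmin delete catalog"),
]
# T1222.001: icacls granting Everyone full control, recursively (/T).
EVERYONE_FULL_CONTROL = r"icacls(\.exe)?\s+.*?/grant\s+everyone:f\b.*?/t\b"
# T1564.001: attrib +h anywhere in the argument list.
ATTRIB_HIDE = r"attrib(\.exe)?\s+(\S+\s+)*\+h\b"
# T1543.003: the service name and display name the page gives.
SERVICE_NAME = "mssecsvc2.0"
SERVICE_DISPLAY = "microsoft security center (2.0) service"


def detect(events):
    """Return one Hit per (event, technique) match; events that match nothing are dropped."""
    hits = []
    for ev in events:
        if ev.kind == "process_create":
            cmd = ev.fields.get("CommandLine", "")
            found = [label for pat, label in RECOVERY_INHIBIT if re.search(pat, cmd, re.I)]
            if found:
                hits.append(Hit(ev.record_id, "T1490", found, "high" if len(found) > 1 else "medium"))
            if re.search(EVERYONE_FULL_CONTROL, cmd, re.I):
                hits.append(Hit(ev.record_id, "T1222.001", ["icacls /grant Everyone:F /T"], "medium"))
            if re.search(ATTRIB_HIDE, cmd, re.I):
                hits.append(Hit(ev.record_id, "T1564.001", ["attrib +h"], "low"))
        elif ev.kind == "service_install":
            name = ev.fields.get("ServiceName", "")
            display = ev.fields.get("DisplayName", "")
            if name.lower() == SERVICE_NAME or SERVICE_DISPLAY in display.lower():
                hits.append(Hit(ev.record_id, "T1543.003", [name, ev.fields.get("ImagePath", "")], "high"))
    return hits


# Constructed sample events (not captured from an infection). The malicious command
# lines are assembled from the tools and switches the page lists.
SAMPLE_EVENTS = [
    Event(1001, "process_create", {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
                       "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                       "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"}),
    Event(1002, "process_create", {"Image": r"C:\Windows\System32\icacls.exe",
                                   "CommandLine": "icacls . /grant Everyone:F /T /C /Q"}),
    Event(1003, "process_create", {"Image": r"C:\Windows\System32\attrib.exe",
                                   "CommandLine": "attrib +h ."}),
    Event(1004, "service_install", {"ServiceName": "mssecsvc2.0",
                                    "DisplayName": "Microsoft Security Center (2.0) Service",
                                    "ImagePath": r"C:\Windows\mssecsvc.exe"}),
    # Benign look-alikes that must not fire.
    Event(1005, "process_create", {"Image": r"C:\Windows\System32\vssadmin.exe",
                                   "CommandLine": "vssadmin list shadows"}),
    Event(1006, "process_create", {"Image": r"C:\Windows\System32\icacls.exe",
                                   "CommandLine": r"icacls C:\Shares\Public /grant Users:(RX)"}),
    Event(1007, "service_install", {"ServiceName": "wuauserv", "DisplayName": "Windows Update",
                                    "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"}),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The recovery-inhibition rule reports which of the five commands appeared and raises severity when more than one sits in a single command line, which is how a chained "cmd.exe /c ... & ... & ..." invocation looks in telemetry; a lone "vssadmin delete shadows" is still worth an alert but is also what some backup tooling runs, so it is scored lower. The service rule matches on either the name or the display name so that a renamed service with the page's display string is still caught.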

ICS T0866 Exploitation of Remote Services

WannaCry initially infected IT networks but, by means of an exploit for the SMBv1 vulnerability addressed by MS17-010, spread into industrial networks.[6]

ICS T0867 Lateral Tool Transfer

WannaCry can move laterally through industrial networks by means of the SMB service.[6]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [7][1][4][5]

References