WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.[1][2][3][4]

ID: S0366
Associated Software: WanaCry, WanaCrypt, WanaCrypt0r, WCry

Contributors: Jan Miller, CrowdStrike

Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1024 | Custom Cryptographic Protocol | WannaCry uses a custom cryptographic protocol over the Tor circuit.[5]
Enterprise | T1486 | Data Encrypted for Impact | WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.[1][4][5]
Enterprise | T1210 | Exploitation of Remote Services | WannaCry uses an exploit in SMBv1 to spread itself to other remote systems on a network.[1][4][2]
Enterprise | T1083 | File and Directory Discovery | WannaCry searches for a variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.[1][4]
Enterprise | T1222 | File Permissions Modification | WannaCry uses attrib +h and icacls . /grant Everyone:F /T /C /Q to make some of its files hidden and grant all users full access controls.[1]
Enterprise | T1158 | Hidden Files and Directories | WannaCry uses attrib +h to make some of its files hidden.[1]
Enterprise | T1490 | Inhibit System Recovery | WannaCry uses vssadmin, wbadmin, bcdedit, and wmic to delete and disable operating system recovery features.[1][4][5]
Enterprise | T1188 | Multi-hop Proxy | WannaCry uses Tor for command and control traffic.[5]
Enterprise | T1079 | Multilayer Encryption | WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.[5]
Enterprise | T1050 | New Service | WannaCry creates the service "mssecsvc2.0" with the display name "Microsoft Security Center (2.0) Service."[1][4]
Enterprise | T1120 | Peripheral Device Discovery | WannaCry contains a thread that attempts to scan for newly attached drives every few seconds. If one is identified, it encrypts the files on the attached device.[4]
Enterprise | T1076 | Remote Desktop Protocol | WannaCry enumerates current remote desktop sessions and tries to execute the malware in each session.[1]
Enterprise | T1105 | Remote File Copy | WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit.[1]
Enterprise | T1018 | Remote System Discovery | WannaCry scans its local network segment for remote systems to try to exploit and copy itself to.[5]
Enterprise | T1489 | Service Stop | WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores.[4][5]
Enterprise | T1016 | System Network Configuration Discovery | WannaCry attempts to determine the local network segment it is a part of.[5]
Enterprise | T1047 | Windows Management Instrumentation | WannaCry uses wmic to delete shadow copies.[1][4][5]
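The T1490, T1047, T1222 and T1158 entries above all come down to a handful of built-in Windows utilities invoked with recognisable arguments, which makes them the most practical part of this profile to detect from process-creation telemetry. The following is an added detection example, not code from MITRE ATT&CK or from the cited reports. It assumes events arrive as dicts with the keys host, pid, ppid, image and command_line (the fields a Sysmon Event ID 1 or Windows Security 4688 record carries); the sample events are constructed for the example, modelled on the utilities and arguments the table lists, and are not captured from a real infection.

```python
"""Command-line detection for WannaCry-style recovery inhibition and
permission tampering (ATT&CK T1490, T1047, T1222, T1158).

Added example; not MITRE's or the cited reports' code. Event shape
(host/pid/ppid/image/command_line dicts) is an assumption.
"""
import re
from dataclasses import dataclass

# Indicators derived from the utilities listed on the page. Case-insensitive
# and whitespace-tolerant because the malware launches them via cmd.exe.
# Each entry is (technique label, compiled pattern).
INDICATORS = [
    ("T1490", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490/T1047", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("T1490", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("T1490", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("T1222", re.compile(r"icacls(\.exe)?\s+.*?/grant(:r)?\s+Everyone:F\b", re.I)),
    ("T1158", re.compile(r"attrib(\.exe)?\s+\+h\b", re.I)),
]

# Constructed sample telemetry (not real captures). ws01 and ws03 are benign
# administrative activity; ws02 mirrors the chained recovery-inhibition
# command and the attrib/icacls calls described in the table above.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 1201, "ppid": 800, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows"},
    {"host": "ws02", "pid": 3311, "ppid": 3300, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": ("cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
                      "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                      "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet")},
    {"host": "ws02", "pid": 3312, "ppid": 3311, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"host": "ws02", "pid": 3313, "ppid": 3311, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    {"host": "ws02", "pid": 3320, "ppid": 3300, "image": r"C:\Windows\System32\attrib.exe",
     "command_line": "attrib +h ."},
    {"host": "ws02", "pid": 3321, "ppid": 3300, "image": r"C:\Windows\System32\icacls.exe",
     "command_line": "icacls . /grant Everyone:F /T /C /Q"},
    {"host": "ws03", "pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\icacls.exe",
     "command_line": r"icacls D:\share /grant CORP\alice:(OI)(CI)M /T"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    pid: int
    technique: str
    matched: str


def scan_event(event):
    """Return one Finding per indicator that matches this event's command line.
    The chained cmd.exe invocation matches several indicators at once; each of
    its child processes matches again, which is expected and harmless."""
    findings = []
    for technique, pattern in INDICATORS:
        m = pattern.search(event["command_line"])
        if m:
            findings.append(Finding(event["host"], event["pid"], technique, m.group(0)))
    return findings


def scan_events(events):
    """Scan a batch of process-creation events."""
    out = []
    for event in events:
        out.extend(scan_event(event))
    return out


def hosts_to_triage(findings, min_distinct=2):
    """Hosts where at least min_distinct distinct technique labels fired.
    A lone vssadmin call has benign explanations (backup agents, admins);
    recovery inhibition combined with loosening ACLs on the working
    directory is the ransomware pattern and warrants immediate triage."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, techs in by_host.items() if len(techs) >= min_distinct)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host} pid={f.pid} {f.technique}: {f.matched}")
    print("triage:", hosts_to_triage(found))
```

Two caveats for deployment: the patterns key on command lines, so a copy of the utility under another name or the same effect done through WMI from PowerShell (the Win32_ShadowCopy class) will not fire; correlate on the image path or OriginalFileName as well. Pair this with the service-installation record (System log Event ID 7045) for the "mssecsvc2.0" service listed under T1050, which on a WannaCry host precedes the shadow-copy deletion.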


Groups that use this software:

Lazarus Group