WannaCry

WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.[1][2][3][4]

ID: S0366
Associated Software: WanaCry, WanaCrypt, WanaCrypt0r, WCry
Type: MALWARE
Platforms: Windows
Contributors: Jan Miller, CrowdStrike
Version: 1.0

Associated Software Descriptions

Name Description
WanaCry [5]
WanaCrypt [5]
WanaCrypt0r [1]
WCry [1][5]

Techniques Used

Domain ID Name Use
Enterprise T1024 Custom Cryptographic Protocol

WannaCry uses a custom cryptographic protocol over the Tor circuit.[5]

Enterprise T1486 Data Encrypted for Impact

WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.[1][4][5]

Enterprise T1210 Exploitation of Remote Services

WannaCry uses an exploit in SMBv1 to spread itself to other remote systems on a network.[1][4][2]

Enterprise T1083 File and Directory Discovery

WannaCry searches for a variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.[1][4]

Enterprise T1222 File and Directory Permissions Modification

WannaCry uses attrib +h and icacls . /grant Everyone:F /T /C /Q to make some of its files hidden and grant all users full access controls.[1]

Enterprise T1158 Hidden Files and Directories

WannaCry uses attrib +h to make some of its files hidden.[1]

Enterprise T1490 Inhibit System Recovery

WannaCry uses vssadmin, wbadmin, bcdedit, and wmic to delete and disable operating system recovery features.[1][4][5]

Enterprise T1188 Multi-hop Proxy

WannaCry uses Tor for command and control traffic.[5]

Enterprise T1079 Multilayer Encryption

WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.[5]

Enterprise T1050 New Service

WannaCry creates the service "mssecsvc2.0" with the display name "Microsoft Security Center (2.0) Service."[1][4]

Enterprise T1120 Peripheral Device Discovery

WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device.[4]

Enterprise T1076 Remote Desktop Protocol

WannaCry enumerates current remote desktop sessions and tries to execute the malware on each session.[1]

Enterprise T1105 Remote File Copy

WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit.[1]

Enterprise T1018 Remote System Discovery

WannaCry scans its local network segment for remote systems to try to exploit and copy itself to.[5]

Enterprise T1489 Service Stop

WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores.[4][5]

Enterprise T1016 System Network Configuration Discovery

WannaCry will attempt to determine the local network segment it is a part of.[5]
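The scanning behaviour described under T1018 and T1016 (and the SMBv1 spread under T1210) has a simple network-side signature: one host attempting TCP/445 to many distinct neighbours in a short window. The following is an added example, not code from the ATT&CK entry or from any WannaCry sample: a sliding-window fan-out detector over connection records, with the record layout, field order and every sample flow constructed for this example.

```python
"""
Added example (not part of the ATT&CK page): flag a source that reaches
many distinct hosts on TCP/445 inside a short window, and report what
share of its targets sit in its own /24, which is the local-segment
scanning pattern this page attributes to WannaCry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress


def _t(seconds):
    """Constructed timestamps: offsets from an arbitrary base time."""
    return datetime(2017, 5, 12, 10, 0, 0) + timedelta(seconds=seconds)


# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
# 10.0.5.23 walks its own /24 on TCP/445 one host per second (the worm
# pattern).  10.0.5.77 is a normal workstation that repeatedly talks to
# a single file server and also opens one HTTPS connection.
SAMPLE_FLOWS = (
    [(_t(i), "10.0.5.23", f"10.0.5.{i + 1}", 445) for i in range(40)]
    + [(_t(i * 3), "10.0.5.77", "10.0.5.10", 445) for i in range(30)]
    + [(_t(5), "10.0.5.77", "93.184.216.34", 443)]
)


def smb_fanout(flows, window=timedelta(seconds=60), threshold=10, port=445):
    """Return {src: (peak_distinct_dsts, fraction_in_own_/24)} for every
    source that reached at least `threshold` distinct hosts on `port`
    within any sliding window of length `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> events currently inside window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events older than the window, keeping distinct-dst count exact.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            segment = ipaddress.ip_network(f"{src}/24", strict=False)
            dsts = {d for _, d in events}
            local = sum(ipaddress.ip_address(d) in segment for d in dsts)
            alerts[src] = (peak, local / len(dsts))
    return alerts


if __name__ == "__main__":
    for src, (peak, local_share) in smb_fanout(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct SMB targets in 60s, "
              f"{local_share:.0%} inside its own /24")
```

The threshold and window are tuning knobs: a file server or a vulnerability scanner will legitimately fan out on 445, so in practice the detector is paired with an allowlist of known scanners, and a high fraction of targets inside the source's own segment is what distinguishes worm-style sweeping from ordinary client traffic.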

Enterprise T1047 Windows Management Instrumentation

WannaCry utilizes wmic to delete shadow copies.[1][4][5]
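Several of the host-side behaviours on this page (attrib +h under T1158, icacls . /grant Everyone:F under T1222, vssadmin/wbadmin/bcdedit under T1490, wmic shadowcopy deletion under T1047, and the mssecsvc2.0 service under T1050) are visible in process-creation and service-install telemetry. The block below is an added example, not code from the ATT&CK entry or from any WannaCry sample: a matcher that maps such records to the technique IDs above. The event dictionaries, their field names and all sample records are constructed for this example (they imitate the CommandLine of a Sysmon event 1 and the ServiceName of a System event 7045); the command-line patterns use only the documented subcommands of the Windows utilities the page names.

```python
"""
Added example (not part of the ATT&CK page): map constructed
process-creation and service-install records to the technique IDs this
page lists for WannaCry.  Event layout and sample data are invented for
the example; the regexes target the utilities the page names.
"""
import re

# (technique ID, description, pattern applied to the command line)
CMDLINE_RULES = [
    ("T1222", "icacls grants Everyone full control, recursively",
     re.compile(r"\bicacls\b.*?/grant\s+Everyone:F\b", re.I)),
    ("T1158", "attrib sets the hidden attribute",
     re.compile(r"\battrib\b.*?\+h\b", re.I)),
    ("T1490", "vssadmin deletes volume shadow copies",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "wbadmin deletes the backup catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("T1490", "bcdedit disables recovery or ignores boot failures",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*?"
                r"\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b",
                re.I)),
    ("T1047", "wmic deletes shadow copies",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]

# Service name this page attributes to WannaCry (T1050).
KNOWN_SERVICE_NAMES = {"mssecsvc2.0"}


def match_event(event):
    """Return [(technique_id, description), ...] for one event dict."""
    hits = []
    if event["type"] == "process":
        for tid, desc, pattern in CMDLINE_RULES:
            if pattern.search(event["cmdline"]):
                hits.append((tid, desc))
    elif event["type"] == "service":
        if event["name"].lower() in KNOWN_SERVICE_NAMES:
            hits.append(("T1050", f"service {event['name']!r} installed"))
    return hits


def scan(events):
    """Return [(event_index, technique_id, description), ...] over a batch."""
    return [(i, tid, desc)
            for i, ev in enumerate(events)
            for tid, desc in match_event(ev)]


def techniques_seen(events):
    return {tid for _, tid, _ in scan(events)}


# Constructed sample telemetry.  Records 0-3 imitate the activity the page
# describes; records 4 and 5 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": "attrib +h ."},
    {"type": "process", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": "icacls . /grant Everyone:F /T /C /Q"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": ("cmd.exe /c vssadmin delete shadows /all /quiet & "
                 "wmic shadowcopy delete & "
                 "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                 "bcdedit /set {default} recoveryenabled no & "
                 "wbadmin delete catalog -quiet")},
    {"type": "service", "name": "mssecsvc2.0",
     "display": "Microsoft Security Center (2.0) Service"},
    {"type": "process", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls "C:\Shares\Finance" /grant CORP\jsmith:(OI)(CI)R /T'},
    {"type": "service", "name": "BackupAgentSvc",
     "display": "Backup Agent Service"},
]

if __name__ == "__main__":
    for i, tid, desc in scan(SAMPLE_EVENTS):
        print(f"event {i}: {tid} {desc}")
```

The single cmd.exe record fires four rules at once because the recovery-wiping utilities are typically chained in one command line, so the rules are kept per-utility rather than trying to match the whole chain; wmic shadowcopy delete is reported as T1047 here but also fits T1490, and a real pipeline would emit both.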

Groups That Use This Software

ID Name References
G0032 Lazarus Group [6] [1] [4] [5]

References