WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.
Associated Software: WanaCry, WanaCrypt, WanaCrypt0r, WCry
Contributors: Jan Miller, CrowdStrike
Associated Software Descriptions
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1024 | Custom Cryptographic Protocol | WannaCry uses a custom cryptographic protocol over the Tor circuit. |
| Enterprise | T1486 | Data Encrypted for Impact | WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files. |
| Enterprise | T1210 | Exploitation of Remote Services | WannaCry uses an exploit in SMBv1 to spread itself to other remote systems on a network. |
| Enterprise | T1083 | File and Directory Discovery | WannaCry searches for a variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files. |
| Enterprise | T1222 | File Permissions Modification | |
| Enterprise | T1158 | Hidden Files and Directories | |
| Enterprise | T1490 | Inhibit System Recovery | |
| Enterprise | T1188 | Multi-hop Proxy | WannaCry uses Tor for command and control traffic. |
| Enterprise | T1079 | Multilayer Encryption | WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit. |
| Enterprise | T1050 | New Service | WannaCry creates the service "mssecsvc2.0" with the display name "Microsoft Security Center (2.0) Service." |
| Enterprise | T1120 | Peripheral Device Discovery | WannaCry contains a thread that will attempt to scan for newly attached drives every few seconds. If one is identified, it will encrypt the files on the attached device. |
| Enterprise | T1076 | Remote Desktop Protocol | WannaCry enumerates current remote desktop sessions and tries to execute the malware in each session. |
| Enterprise | T1105 | Remote File Copy | WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit. |
| Enterprise | T1018 | Remote System Discovery | WannaCry scans its local network segment for remote systems to try to exploit and copy itself to. |
| Enterprise | T1489 | Service Stop | WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores. |
| Enterprise | T1016 | System Network Configuration Discovery | WannaCry will attempt to determine the local network segment it is a part of. |
| Enterprise | T1047 | Windows Management Instrumentation | |
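The T1050 row gives two host-based indicators a defender can match on: the service name "mssecsvc2.0" and its display name. The following is an added example, not code from the page or from MITRE, showing how a detection over Windows System log "service installed" records (Event ID 7045, source Service Control Manager) would flag them. The key=value export format and the sample records are constructed for the example; a real pipeline would read the fields from EVTX or a SIEM instead.

```python
"""Flag WannaCry's persistence service in Event ID 7045 records.

Added example (not MITRE's code). Assumes a simplified key=value export of
Windows System log events; the sample lines below are constructed.
"""
import re
from dataclasses import dataclass

# Indicators taken from the page: the service WannaCry creates (T1050).
WANNACRY_SERVICE_NAME = "mssecsvc2.0"
WANNACRY_DISPLAY_NAME = "Microsoft Security Center (2.0) Service"


@dataclass
class ServiceInstallEvent:
    host: str
    service_name: str
    display_name: str
    image_path: str


# Constructed sample records; one line per event. WS04 is not a 7045 event
# and must be ignored even though its service name matches.
SAMPLE_EVENTS = """\
host=WS01 event_id=7045 service_name=mssecsvc2.0 display_name="Microsoft Security Center (2.0) Service" image_path="C:\\Windows\\mssecsvc.exe"
host=WS02 event_id=7045 service_name=Spooler display_name="Print Spooler" image_path="C:\\Windows\\System32\\spoolsv.exe"
host=WS03 event_id=7045 service_name=backupagent display_name="Microsoft Security Center (2.0) Service" image_path="C:\\Users\\Public\\svc.exe"
host=WS04 event_id=7036 service_name=mssecsvc2.0 display_name="x" image_path=y
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one exported line; return None unless it is a 7045 record."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    if fields.get("event_id") != "7045":
        return None
    return ServiceInstallEvent(
        host=fields["host"],
        service_name=fields["service_name"],
        display_name=fields["display_name"],
        image_path=fields["image_path"],
    )


def classify(event):
    """Return the list of reasons the event matches the page's indicators."""
    reasons = []
    # Service names are case-insensitive in Windows, so normalise before comparing.
    if event.service_name.lower() == WANNACRY_SERVICE_NAME:
        reasons.append("service name matches WannaCry indicator")
    # A legitimate-looking display name on an unrelated service is still suspicious.
    if event.display_name == WANNACRY_DISPLAY_NAME:
        reasons.append("display name matches WannaCry indicator")
    return reasons


def scan(log_text):
    """Return (host, service_name, reasons) for every matching 7045 record."""
    hits = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        reasons = classify(event)
        if reasons:
            hits.append((event.host, event.service_name, reasons))
    return hits


if __name__ == "__main__":
    for host, name, reasons in scan(SAMPLE_EVENTS):
        print(f"{host}: service '{name}' flagged: {'; '.join(reasons)}")
```

Matching the display name separately from the service name is deliberate: the display name is what an administrator sees in the Services console, so a copy of it attached to a differently named service (WS03 above) is worth surfacing even though the service-name indicator does not fire.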
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | |