WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.[1][2][3][4]

ID: S0366
Associated Software: WanaCry, WanaCrypt, WanaCrypt0r, WCry
Platforms: Windows
Contributors: Jan Miller, CrowdStrike
Version: 1.0

Associated Software Descriptions

| Name | Description |
|---|---|
| WanaCry | [5] |
| WanaCrypt | [5] |
| WanaCrypt0r | [1] |
| WCry | [1][5] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1024 | Custom Cryptographic Protocol | WannaCry uses a custom cryptographic protocol over the Tor circuit. [5] |
| Enterprise | T1486 | Data Encrypted for Impact | WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files. [1] [4] [5] |
| Enterprise | T1210 | Exploitation of Remote Services | WannaCry uses an exploit in SMBv1 to spread itself to other remote systems on a network. [1] [4] [2] |
| Enterprise | T1083 | File and Directory Discovery | WannaCry searches for a variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files. [1] [4] |
| Enterprise | T1222 | File Permissions Modification | WannaCry uses `attrib +h` and `icacls . /grant Everyone:F /T /C /Q` to make some of its files hidden and grant all users full access controls. [1] |
| Enterprise | T1158 | Hidden Files and Directories | WannaCry uses `attrib +h` to make some of its files hidden. [1] |
| Enterprise | T1490 | Inhibit System Recovery | WannaCry uses vssadmin, wbadmin, bcdedit, and wmic to delete and disable operating system recovery features. [1] [4] [5] |
| Enterprise | T1188 | Multi-hop Proxy | WannaCry uses Tor for command and control traffic. [5] |
| Enterprise | T1079 | Multilayer Encryption | WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit. [5] |
| Enterprise | T1050 | New Service | WannaCry creates the service "mssecsvc2.0" with the display name "Microsoft Security Center (2.0) Service." [1] [4] |
| Enterprise | T1120 | Peripheral Device Discovery | WannaCry contains a thread that will attempt to scan for newly attached drives every few seconds. If one is identified, it will encrypt the files on the attached device. [4] |
| Enterprise | T1076 | Remote Desktop Protocol | WannaCry enumerates current remote desktop sessions and tries to execute the malware on each session. [1] |
| Enterprise | T1105 | Remote File Copy | WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit. [1] |
| Enterprise | T1018 | Remote System Discovery | WannaCry scans its local network segment for remote systems to try to exploit and copy itself to. [5] |
| Enterprise | T1489 | Service Stop | WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores. [4] [5] |
| Enterprise | T1016 | System Network Configuration Discovery | WannaCry will attempt to determine the local network segment it is a part of. [5] |
| Enterprise | T1047 | Windows Management Instrumentation | WannaCry utilizes wmic to delete shadow copies. [1] [4] [5] |
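Added here as a defender-side example (not part of the ATT&CK entry): a small Python triage pass over constructed process-creation events that maps the host commands listed in the table (`attrib +h`, `icacls /grant Everyone:F`, the vssadmin/wbadmin/bcdedit/wmic recovery-tool usage, and the "mssecsvc2.0" service name) to their technique IDs and escalates hosts where several of them occur together. The exact recovery-tool command lines in the sample data are assumed common forms, not quoted from the entry.

```python
import re

# Constructed sample process-creation events (not real telemetry). The fields
# mirror what a Sysmon Event ID 1 record carries; command-line forms for the
# recovery tools are assumed common usage, not quoted from the ATT&CK entry.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "attrib +h ."},
    {"host": "ws01", "cmdline": "icacls . /grant Everyone:F /T /C /Q"},
    {"host": "ws01", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": "wmic shadowcopy delete"},
    {"host": "ws01", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws01", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "ws02", "cmdline": "vssadmin list shadows"},  # benign admin use
    {"host": "ws02", "cmdline": "sc create mssecsvc2.0 binPath= C:\\tmp\\x.exe"},
]

# One rule per behaviour the entry lists: (technique ID, regex on the command line).
RULES = [
    ("T1222", re.compile(r"\bicacls\b.*/grant\s+Everyone:F", re.I)),
    ("T1158", re.compile(r"\battrib\b.*\+h\b", re.I)),
    ("T1490", re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", re.compile(r"\bwmic\b.*\bshadowcopy\s+delete\b", re.I)),
    ("T1490", re.compile(r"\bwbadmin\b.*\bdelete\s+catalog\b", re.I)),
    ("T1490", re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1050", re.compile(r"mssecsvc2\.0", re.I)),
]


def match_event(event):
    """Return the technique IDs whose rule matches this event's command line."""
    return [tid for tid, rx in RULES if rx.search(event["cmdline"])]


def techniques_by_host(events):
    """Collect the distinct technique IDs observed on each host."""
    seen = {}
    for ev in events:
        for tid in match_event(ev):
            seen.setdefault(ev["host"], set()).add(tid)
    return {host: sorted(tids) for host, tids in seen.items()}


def hosts_to_escalate(events, threshold=3):
    """Hosts showing at least `threshold` distinct techniques from the entry:
    hidden files, permission changes and recovery inhibition seen together are
    a stronger signal than any single command, which admins also run."""
    return sorted(h for h, t in techniques_by_host(events).items()
                  if len(t) >= threshold)
```

`vssadmin list shadows` on ws02 deliberately does not match, so only ws01 crosses the escalation threshold.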

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | [6] [1] [4] [5] |