SYMBOLCOMMON_NAMEaka. SYNONYMS
win.wannacryptor (Back to overview)

WannaCryptor

aka: Wana Decrypt0r, WannaCry, WannaCrypt, Wcry

Actor(s): Lazarus Group

VTCollection    

WannaCry is ransomware that contains a worm component enabled by the EternalBlue exploit. It attempts to use vulnerabilities in the Windows SMBv1 server to remotely compromise systems, encrypt files, and spread to other hosts. Systems that have installed the MS17-010 patch are not vulnerable to the exploits used. The spreading was stopped about 8 hours after initial outbreak due to triggering a kill switch domain.

References
2026-04-18Github (zanez)Irvin Martínez González
WannaCry Malware Analysis - How YOU Could have Saved the World
WannaCryptor
2024-07-14Github (Hildaboo)Hildaboo
WannaCry Server Emulator
WannaCryptor
2022-08-15BrandefenseBrandefense
Lazarus APT Group (APT38)
AppleJeus AppleJeus BADCALL Bankshot BLINDINGCAN DRATzarus Dtrack KEYMARBLE Sierra(Alfa,Bravo, ...) Torisma WannaCryptor
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-01Github (0xZuk0)Dipankar Lama
Malware Analysis Report: WannaCry Ransomware
WannaCryptor
2021-03-15Sophos LabsMark Loman
DearCry ransomware attacks exploit Exchange server vulnerabilities
dearcry WannaCryptor
2020-12-09CrowdStrikeJason Rivera, Josh Burgess
From Zero to SixtyThe Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower
FastCash Hermes WannaCryptor
2020-08-01Temple UniversityCARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-06-09Kaspersky LabsCostin Raiu
Looking at Big Threats Using Code Similarity. Part 1
Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-02-26MetaSwan's LabMetaSwan
Lazarus group's Brambul worm of the former Wannacry - 1
Brambul WannaCryptor
2020-02-19LexfoLexfo
The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-10MalwarebytesAdam Kujawa, Chris Boyd, David Ruiz, Jérôme Segura, Jovi Umawing, Nathan Collier, Pieter Arntz, Thomas Reed, Wendy Zamora
2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-02-02Youtube (Ghidra Ninja)Ghidra Ninja
Reversing WannaCry Part 2 - Diving into the malware with #Ghidra
WannaCryptor
2019-09-18SophosLabs UncutPeter Mackenzie
The WannaCry hangover
WannaCryptor
2019-09-17SophosLabsPeter Mackenzie
WannaCry Aftershock
WannaCryptor
2019-07-28Dissecting MalwareMarius Genheimer
Third time's the charm? Analysing WannaCry samples
WannaCryptor
2019-01-01Journal of Telecommunications and Information TechnologyMaxat Akbanov, Michael D. Logothetis, Vassilios G. Vassilakis
WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms
WannaCryptor
2018-10-03Virus BulletinMichal Poslušný, Peter Kálnai
Lazarus Group A Mahjong Game Played with Different Sets of Tiles
Bankshot BanPolMex RAT FuwuqiDrama HOTWAX KillDisk (Lazarus) NACHOCHEESE REDSHAWL WannaCryptor
2018-07-26IEEE Symposium on Security and Privacy (SP)Alex C. Snoeren, Damon McCoy, Danny Yuxing Huang, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Kylie McRoberts, Luca Invernizzi, Maxwell Matthaios Aliapoulios, Vector Guo Li
Tracking Ransomware End-to-end
Cerber Locky WannaCryptor
2017-10-27Independent.co.ukAdam Withnall
British security minister says North Korea was behind WannaCry hack on NHS
WannaCryptor
2017-08-25Kaspersky LabsCostin Raiu, Juan Andrés Guerrero-Saade
Walking in your Enemy's Shadow: When Fourth-Party Collection becomes Attribution Hell
NetTraveler RCS WannaCryptor Dancing Salome
2017-05-25FlashpointFlashpoint
Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors
WannaCryptor
2017-05-22SymantecSymantec Security Response
WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2017-05-19ComaeMatt Suiche
WannaCry — Decrypting files with WanaKiwi + Demos
WannaCryptor
2017-05-19MalwarebytesAdam McNeil
How did the WannaCry ransomworm spread?
WannaCryptor
2017-05-16Adrian Nish, Sergei Shevchenko
Wannacryptor Ransomworm
WannaCryptor
2017-05-14ComaeMatt Suiche
WannaCry — New Variants Detected!
WannaCryptor
2017-05-13MalwareTechMalwareTech
How to Accidentally Stop a Global Cyber Attacks
WannaCryptor
2017-05-12MicrosoftAndrea Lelli, Elia Florio, Karthik Selvaraj, Tanmay Ganacharya
WannaCrypt ransomware worm targets out-of-date systems
WannaCryptor
2017-05-12The Moscow TimesThe Moscow Times
‘WCry’ Virus Reportedly Infects Russian Interior Ministry's Computer Network
WannaCryptor
2017-05-12ComaeMatt Suiche
WannaCry — The largest ransom-ware infection in History
WannaCryptor
2017-05-12EmsisoftHolger Keller
Global WannaCry ransomware outbreak uses known NSA exploits
WannaCryptor
2017-05-12Kaspersky LabsGReAT
WannaCry ransomware used in widespread attacks all over the world
WannaCryptor
2017-05-12G DataG Data
Warning: Massive "WannaCry" Ransomware campaign launched
WannaCryptor
2017-05-12KrebsOnSecurityBrian Krebs
U.K. Hospitals Hit in Widespread Ransomware Attack
WannaCryptor
2017-05-12AvastJakub Křoustek
WannaCry ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far today
WannaCryptor
2017-01-01Github (rain-1)Epivalent, rain1
WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm
WannaCryptor
Yara Rules
[TLP:WHITE] win_wannacryptor_auto (20260504 | Detects win.wannacryptor.)
rule win_wannacryptor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.wannacryptor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 8bf1 50 e8???????? 8b4c240c 8b542410 51 }
            // n = 7, score = 700
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   51                   | push                ecx

        $sequence_1 = { 7d14 8b4204 85c0 7c0d 3b4154 7d08 }
            // n = 6, score = 700
            //   7d14                 | jge                 0x16
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   85c0                 | test                eax, eax
            //   7c0d                 | jl                  0xf
            //   3b4154               | cmp                 eax, dword ptr [ecx + 0x54]
            //   7d08                 | jge                 0xa

        $sequence_2 = { 8b5500 03cf 8a0417 50 }
            // n = 4, score = 700
            //   8b5500               | mov                 edx, dword ptr [ebp]
            //   03cf                 | add                 ecx, edi
            //   8a0417               | mov                 al, byte ptr [edi + edx]
            //   50                   | push                eax

        $sequence_3 = { 7d0d 8b5168 8b7960 03d7 }
            // n = 4, score = 700
            //   7d0d                 | jge                 0xf
            //   8b5168               | mov                 edx, dword ptr [ecx + 0x68]
            //   8b7960               | mov                 edi, dword ptr [ecx + 0x60]
            //   03d7                 | add                 edx, edi

        $sequence_4 = { 83ec54 56 8bf1 57 8a4658 }
            // n = 5, score = 700
            //   83ec54               | sub                 esp, 0x54
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   57                   | push                edi
            //   8a4658               | mov                 al, byte ptr [esi + 0x58]

        $sequence_5 = { 8d78c0 0fafd7 8916 8b796c }
            // n = 4, score = 700
            //   8d78c0               | lea                 edi, [eax - 0x40]
            //   0fafd7               | imul                edx, edi
            //   8916                 | mov                 dword ptr [esi], edx
            //   8b796c               | mov                 edi, dword ptr [ecx + 0x6c]

        $sequence_6 = { 8b4620 6821010000 6a00 6a00 }
            // n = 4, score = 700
            //   8b4620               | mov                 eax, dword ptr [esi + 0x20]
            //   6821010000           | push                0x121
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_7 = { 50 51 885c243c e8???????? }
            // n = 4, score = 700
            //   50                   | push                eax
            //   51                   | push                ecx
            //   885c243c             | mov                 byte ptr [esp + 0x3c], bl
            //   e8????????           |                     

        $sequence_8 = { 8bd8 8b5500 03cf 8a4411ff 8bcd 50 57 }
            // n = 7, score = 700
            //   8bd8                 | mov                 ebx, eax
            //   8b5500               | mov                 edx, dword ptr [ebp]
            //   03cf                 | add                 ecx, edi
            //   8a4411ff             | mov                 al, byte ptr [ecx + edx - 1]
            //   8bcd                 | mov                 ecx, ebp
            //   50                   | push                eax
            //   57                   | push                edi

        $sequence_9 = { 7507 8bce e8???????? 8d54241c }
            // n = 4, score = 700
            //   7507                 | jne                 9
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8d54241c             | lea                 edx, [esp + 0x1c]

    condition:
        7 of them and filesize < 540672
}
Download all Yara Rules