SYMBOLCOMMON_NAMEaka. SYNONYMS
win.wannacryptor (Back to overview)

WannaCryptor

aka: Wcry, WannaCry, Wana Decrypt0r

Actor(s): Lazarus Group

There is no description at this point.

References
2021-03-15Sophos LabsMark Loman
@online{loman:20210315:dearcry:a7ac407, author = {Mark Loman}, title = {{DearCry ransomware attacks exploit Exchange server vulnerabilities}}, date = {2021-03-15}, organization = {Sophos Labs}, url = {https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/}, language = {English}, urldate = {2021-04-16} } DearCry ransomware attacks exploit Exchange server vulnerabilities
dearcry WannaCryptor
2020-12-09CrowdStrikeJosh Burgess, Jason Rivera
@techreport{burgess:20201209:from:1811e9c, author = {Josh Burgess and Jason Rivera}, title = {{From Zero to SixtyThe Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower}}, date = {2020-12-09}, institution = {CrowdStrike}, url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf}, language = {English}, urldate = {2020-12-11} } From Zero to SixtyThe Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower
FastCash Hermes WannaCryptor
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-06-09Kaspersky LabsCostin Raiu
@online{raiu:20200609:looking:3038dce, author = {Costin Raiu}, title = {{Looking at Big Threats Using Code Similarity. Part 1}}, date = {2020-06-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/big-threats-using-code-similarity-part-1/97239/}, language = {English}, urldate = {2020-08-18} } Looking at Big Threats Using Code Similarity. Part 1
Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-02-26MetaSwan's LabMetaSwan
@online{metaswan:20200226:lazarus:1cacde4, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 1}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1}, language = {English}, urldate = {2020-02-26} } Lazarus group's Brambul worm of the former Wannacry - 1
Brambul WannaCryptor
2020-02-19LexfoLexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-10MalwarebytesAdam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-02-02Youtube (Ghidra Ninja)Ghidra Ninja
@online{ninja:20200202:reversing:872f4fb, author = {Ghidra Ninja}, title = {{Reversing WannaCry Part 2 - Diving into the malware with #Ghidra}}, date = {2020-02-02}, organization = {Youtube (Ghidra Ninja)}, url = {https://www.youtube.com/watch?v=Q90uZS3taG0}, language = {English}, urldate = {2020-02-09} } Reversing WannaCry Part 2 - Diving into the malware with #Ghidra
WannaCryptor
2019-07-28Dissecting MalwareMarius Genheimer
@online{genheimer:20190728:third:ede6ba2, author = {Marius Genheimer}, title = {{Third time's the charm? Analysing WannaCry samples}}, date = {2019-07-28}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html}, language = {English}, urldate = {2020-03-27} } Third time's the charm? Analysing WannaCry samples
WannaCryptor
2019-01Journal of Telecommunications and Information TechnologyMaxat Akbanov, Vassilios G. Vassilakis, Michael D. Logothetis
@techreport{akbanov:201901:wannacry:60d302c, author = {Maxat Akbanov and Vassilios G. Vassilakis and Michael D. Logothetis}, title = {{WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms}}, date = {2019-01}, institution = {Journal of Telecommunications and Information Technology}, url = {https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf}, language = {English}, urldate = {2021-01-11} } WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms
WannaCryptor
2018-07-26IEEE Symposium on Security and Privacy (SP)Danny Yuxing Huang, Maxwell Matthaios Aliapoulios, Vector Guo Li, Luca Invernizzi, Kylie McRoberts, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy
@techreport{huang:20180726:tracking:b51d0ee, author = {Danny Yuxing Huang and Maxwell Matthaios Aliapoulios and Vector Guo Li and Luca Invernizzi and Kylie McRoberts and Elie Bursztein and Jonathan Levin and Kirill Levchenko and Alex C. Snoeren and Damon McCoy}, title = {{Tracking Ransomware End-to-end}}, date = {2018-07-26}, institution = {IEEE Symposium on Security and Privacy (SP)}, url = {https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf}, language = {English}, urldate = {2021-04-16} } Tracking Ransomware End-to-end
Cerber Locky WannaCryptor
2017-10-27Independent.co.ukAdam Withnall
@online{withnall:20171027:british:18c1e9a, author = {Adam Withnall}, title = {{British security minister says North Korea was behind WannaCry hack on NHS}}, date = {2017-10-27}, organization = {Independent.co.uk}, url = {http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html}, language = {English}, urldate = {2020-01-07} } British security minister says North Korea was behind WannaCry hack on NHS
WannaCryptor
2017-05-25FlashpointFlashpoint
@online{flashpoint:20170525:linguistic:70ffc44, author = {Flashpoint}, title = {{Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors}}, date = {2017-05-25}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/}, language = {English}, urldate = {2019-12-10} } Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors
WannaCryptor
2017-05-22SymantecSymantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2017-05-19ComaeMatt Suiche
@online{suiche:20170519:wannacry:81703ac, author = {Matt Suiche}, title = {{WannaCry — Decrypting files with WanaKiwi + Demos}}, date = {2017-05-19}, organization = {Comae}, url = {https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d}, language = {English}, urldate = {2019-10-25} } WannaCry — Decrypting files with WanaKiwi + Demos
WannaCryptor
2017-05-19MalwarebytesAdam McNeil
@online{mcneil:20170519:how:fac33a7, author = {Adam McNeil}, title = {{How did the WannaCry ransomworm spread?}}, date = {2017-05-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/}, language = {English}, urldate = {2019-12-20} } How did the WannaCry ransomworm spread?
WannaCryptor
2017-05-16Sergei Shevchenko, Adrian Nish
@online{shevchenko:20170516:wannacryptor:8bc9235, author = {Sergei Shevchenko and Adrian Nish}, title = {{Wannacryptor Ransomworm}}, date = {2017-05-16}, url = {https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html}, language = {English}, urldate = {2020-01-07} } Wannacryptor Ransomworm
WannaCryptor
2017-05-14ComaeMatt Suiche
@online{suiche:20170514:wannacry:b2c62ca, author = {Matt Suiche}, title = {{WannaCry — New Variants Detected!}}, date = {2017-05-14}, organization = {Comae}, url = {https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e}, language = {English}, urldate = {2020-01-08} } WannaCry — New Variants Detected!
WannaCryptor
2017-05-13MalwareTechMalwareTech
@online{malwaretech:20170513:how:1036ae2, author = {MalwareTech}, title = {{How to Accidentally Stop a Global Cyber Attacks}}, date = {2017-05-13}, organization = {MalwareTech}, url = {https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html}, language = {English}, urldate = {2019-11-25} } How to Accidentally Stop a Global Cyber Attacks
WannaCryptor
2017-05-12EmsisoftHolger Keller
@online{keller:20170512:global:2ee68f6, author = {Holger Keller}, title = {{Global WannaCry ransomware outbreak uses known NSA exploits}}, date = {2017-05-12}, organization = {Emsisoft}, url = {http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/}, language = {English}, urldate = {2019-12-10} } Global WannaCry ransomware outbreak uses known NSA exploits
WannaCryptor
2017-05-12The Moscow TimesThe Moscow Times
@online{times:20170512:wcry:10ff3fa, author = {The Moscow Times}, title = {{‘WCry’ Virus Reportedly Infects Russian Interior Ministry's Computer Network}}, date = {2017-05-12}, organization = {The Moscow Times}, url = {https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984}, language = {English}, urldate = {2019-12-05} } ‘WCry’ Virus Reportedly Infects Russian Interior Ministry's Computer Network
WannaCryptor
2017-05-12Kaspersky LabsGReAT
@online{great:20170512:wannacry:b24b188, author = {GReAT}, title = {{WannaCry ransomware used in widespread attacks all over the world}}, date = {2017-05-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/}, language = {English}, urldate = {2019-12-20} } WannaCry ransomware used in widespread attacks all over the world
WannaCryptor
2017-05-12G DataG Data
@online{data:20170512:warning:162cfc4, author = {G Data}, title = {{Warning: Massive "WannaCry" Ransomware campaign launched}}, date = {2017-05-12}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign}, language = {English}, urldate = {2020-01-13} } Warning: Massive "WannaCry" Ransomware campaign launched
WannaCryptor
2017-05-12ComaeMatt Suiche
@online{suiche:20170512:wannacry:f79fed5, author = {Matt Suiche}, title = {{WannaCry — The largest ransom-ware infection in History}}, date = {2017-05-12}, organization = {Comae}, url = {https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58}, language = {English}, urldate = {2020-01-06} } WannaCry — The largest ransom-ware infection in History
WannaCryptor
2017-05-12AvastJakub Křoustek
@online{koustek:20170512:wannacry:ff9bc08, author = {Jakub Křoustek}, title = {{WannaCry ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far today}}, date = {2017-05-12}, organization = {Avast}, url = {https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today}, language = {English}, urldate = {2020-01-07} } WannaCry ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far today
WannaCryptor
2017-05-12MicrosoftKarthik Selvaraj, Elia Florio, Andrea Lelli, Tanmay Ganacharya
@online{selvaraj:20170512:wannacrypt:9604786, author = {Karthik Selvaraj and Elia Florio and Andrea Lelli and Tanmay Ganacharya}, title = {{WannaCrypt ransomware worm targets out-of-date systems}}, date = {2017-05-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/}, language = {English}, urldate = {2020-03-06} } WannaCrypt ransomware worm targets out-of-date systems
WannaCryptor
2017-05-12KrebsOnSecurityBrian Krebs
@online{krebs:20170512:uk:11a7e5a, author = {Brian Krebs}, title = {{U.K. Hospitals Hit in Widespread Ransomware Attack}}, date = {2017-05-12}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/}, language = {English}, urldate = {2020-01-06} } U.K. Hospitals Hit in Widespread Ransomware Attack
WannaCryptor
2017Github (rain-1)rain1, Epivalent
@online{rain1:2017:wannacrywannadecrypt0r:53d1c73, author = {rain1 and Epivalent}, title = {{WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm}}, date = {2017}, organization = {Github (rain-1)}, url = {https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168}, language = {English}, urldate = {2019-11-29} } WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm
WannaCryptor
Yara Rules
[TLP:WHITE] win_wannacryptor_auto (20210616 | Detects win.wannacryptor.)
rule win_wannacryptor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.wannacryptor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c744244817406700 894c244c 896c2450 89542454 }
            // n = 4, score = 600
            //   c744244817406700     | mov                 dword ptr [esp + 0x48], 0x674017
            //   894c244c             | mov                 dword ptr [esp + 0x4c], ecx
            //   896c2450             | mov                 dword ptr [esp + 0x50], ebp
            //   89542454             | mov                 dword ptr [esp + 0x54], edx

        $sequence_1 = { 8b4d08 8b442420 83c404 49 3bf8 894d08 75a7 }
            // n = 7, score = 600
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   83c404               | add                 esp, 4
            //   49                   | dec                 ecx
            //   3bf8                 | cmp                 edi, eax
            //   894d08               | mov                 dword ptr [ebp + 8], ecx
            //   75a7                 | jne                 0xffffffa9

        $sequence_2 = { 83f801 7e25 39442410 7434 8b5664 8b5e6c 8b4c2414 }
            // n = 7, score = 600
            //   83f801               | cmp                 eax, 1
            //   7e25                 | jle                 0x27
            //   39442410             | cmp                 dword ptr [esp + 0x10], eax
            //   7434                 | je                  0x36
            //   8b5664               | mov                 edx, dword ptr [esi + 0x64]
            //   8b5e6c               | mov                 ebx, dword ptr [esi + 0x6c]
            //   8b4c2414             | mov                 ecx, dword ptr [esp + 0x14]

        $sequence_3 = { 8bcb 57 e8???????? eb0d }
            // n = 4, score = 600
            //   8bcb                 | mov                 ecx, ebx
            //   57                   | push                edi
            //   e8????????           |                     
            //   eb0d                 | jmp                 0xf

        $sequence_4 = { 83d8ff 85c0 741a 33c9 8b442414 8a4c3e02 }
            // n = 6, score = 600
            //   83d8ff               | sbb                 eax, -1
            //   85c0                 | test                eax, eax
            //   741a                 | je                  0x1c
            //   33c9                 | xor                 ecx, ecx
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   8a4c3e02             | mov                 cl, byte ptr [esi + edi + 2]

        $sequence_5 = { 8b5500 03cf 8a0417 50 51 }
            // n = 5, score = 600
            //   8b5500               | mov                 edx, dword ptr [ebp]
            //   03cf                 | add                 ecx, edi
            //   8a0417               | mov                 al, byte ptr [edi + edx]
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_6 = { e8???????? 83c404 8b03 c74304ffffffff }
            // n = 4, score = 600
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   c74304ffffffff       | mov                 dword ptr [ebx + 4], 0xffffffff

        $sequence_7 = { 6a01 51 8a02 8bcf 88442418 e8???????? 8b542410 }
            // n = 7, score = 600
            //   6a01                 | push                1
            //   51                   | push                ecx
            //   8a02                 | mov                 al, byte ptr [edx]
            //   8bcf                 | mov                 ecx, edi
            //   88442418             | mov                 byte ptr [esp + 0x18], al
            //   e8????????           |                     
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]

        $sequence_8 = { f3a5 8bc8 83e103 3bea f3a4 756f c644241c00 }
            // n = 7, score = 600
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bc8                 | mov                 ecx, eax
            //   83e103               | and                 ecx, 3
            //   3bea                 | cmp                 ebp, edx
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   756f                 | jne                 0x71
            //   c644241c00           | mov                 byte ptr [esp + 0x1c], 0

        $sequence_9 = { 8b442414 81e1ffff0000 6a01 51 50 8bce e8???????? }
            // n = 7, score = 600
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   81e1ffff0000         | and                 ecx, 0xffff
            //   6a01                 | push                1
            //   51                   | push                ecx
            //   50                   | push                eax
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

    condition:
        7 of them and filesize < 540672
}
Download all Yara Rules