win.wannacryptor

WannaCryptor

aka: Wana Decrypt0r, WannaCry, WannaCrypt, Wcry

Actor(s): Lazarus Group


WannaCry is ransomware with a worm component driven by the EternalBlue exploit. It abuses vulnerabilities in the Windows SMBv1 server to compromise systems remotely, encrypt their files, and spread to further hosts. Systems with the MS17-010 patch installed are not vulnerable to the exploits used. Spreading stopped about 8 hours after the initial outbreak, when the malware's kill-switch domain was triggered.

References
2024-07-14 | Github (Hildaboo) | Hildaboo
WannaCry Server Emulator
Families: WannaCryptor

2022-08-15 | Brandefense | Brandefense
Lazarus APT Group (APT38)
Families: AppleJeus, AppleJeus, BADCALL, Bankshot, BLINDINGCAN, DRATzarus, Dtrack, KEYMARBLE, Sierra(Alfa,Bravo, ...), Torisma, WannaCryptor

2022-03-17 | Sophos | Tilly Travers
The Ransomware Threat Intelligence Center
Families: ATOMSILO, Avaddon, AvosLocker, BlackKingdom Ransomware, BlackMatter, Conti, Cring, DarkSide, dearcry, Dharma, Egregor, Entropy, Epsilon Red, Gandcrab, Karma, LockBit, LockFile, Mailto, Maze, Nefilim, RagnarLocker, Ragnarok, REvil, RobinHood, Ryuk, SamSam, Snatch, WannaCryptor, WastedLocker

2022-03-01 | Github (0xZuk0) | Dipankar Lama
Malware Analysis Report: WannaCry Ransomware
Families: WannaCryptor

2021-03-15 | Sophos Labs | Mark Loman
DearCry ransomware attacks exploit Exchange server vulnerabilities
Families: dearcry, WannaCryptor

2020-12-09 | CrowdStrike | Jason Rivera, Josh Burgess
From Zero to Sixty: The Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower
Families: FastCash, Hermes, WannaCryptor

2020-08-01 | Temple University | CARE
Critical Infrastructure Ransomware Attacks
Families: CryptoLocker, Cryptowall, DoppelPaymer, FriedEx, Mailto, Maze, REvil, Ryuk, SamSam, WannaCryptor

2020-07-29 | ESET Research | welivesecurity
THREAT REPORT Q2 2020
Families: DEFENSOR ID, HiddenAd, Bundlore, Pirrit, Agent.BTZ, Cerber, ClipBanker, CROSSWALK, Cryptowall, CTB Locker, DanaBot, Dharma, Formbook, Gandcrab, Grandoreiro, Houdini, ISFB, LockBit, Locky, Mailto, Maze, Microcin, Nemty, NjRAT, Phobos, PlugX, Pony, REvil, Socelars, STOP, Tinba, TrickBot, WannaCryptor

2020-06-09 | Kaspersky Labs | Costin Raiu
Looking at Big Threats Using Code Similarity. Part 1
Families: Penquin Turla, CCleaner Backdoor, EternalPetya, Regin, WannaCryptor, XTunnel

2020-03-05 | Microsoft | Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Families: Dharma, DoppelPaymer, Dridex, EternalPetya, Gandcrab, Hermes, LockerGoga, MegaCortex, MimiKatz, REvil, RobinHood, Ryuk, SamSam, TrickBot, WannaCryptor, PARINACOTA

2020-02-26 | MetaSwan's Lab | MetaSwan
Lazarus group's Brambul worm of the former Wannacry - 1
Families: Brambul, WannaCryptor

2020-02-19 | Lexfo | Lexfo
The Lazarus Constellation: A study on North Korean malware
Families: FastCash, AppleJeus, BADCALL, Bankshot, Brambul, Dtrack, Duuzer, DYEPACK, ELECTRICFISH, HARDRAIN, Hermes, HOPLIGHT, Joanap, KEYMARBLE, Kimsuky, MimiKatz, MyDoom, NACHOCHEESE, NavRAT, PowerRatankba, RokRAT, Sierra(Alfa,Bravo, ...), Volgmer, WannaCryptor

2020-02-10 | Malwarebytes | Adam Kujawa, Chris Boyd, David Ruiz, Jérôme Segura, Jovi Umawing, Nathan Collier, Pieter Arntz, Thomas Reed, Wendy Zamora
2020 State of Malware Report
Families: magecart, Emotet, QakBot, REvil, Ryuk, TrickBot, WannaCryptor

2020-02-02 | Youtube (Ghidra Ninja) | Ghidra Ninja
Reversing WannaCry Part 2 - Diving into the malware with #Ghidra
Families: WannaCryptor

2019-09-18 | SophosLabs Uncut | Peter Mackenzie
The WannaCry hangover
Families: WannaCryptor

2019-09-17 | SophosLabs | Peter Mackenzie
WannaCry Aftershock
Families: WannaCryptor

2019-07-28 | Dissecting Malware | Marius Genheimer
Third time's the charm? Analysing WannaCry samples
Families: WannaCryptor

2019-01-01 | Journal of Telecommunications and Information Technology | Maxat Akbanov, Michael D. Logothetis, Vassilios G. Vassilakis
WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms
Families: WannaCryptor

2018-10-03 | Virus Bulletin | Michal Poslušný, Peter Kálnai
Lazarus Group: A Mahjong Game Played with Different Sets of Tiles
Families: Bankshot, BanPolMex RAT, FuwuqiDrama, HOTWAX, KillDisk (Lazarus), NACHOCHEESE, REDSHAWL, WannaCryptor

2018-07-26 | IEEE Symposium on Security and Privacy (SP) | Alex C. Snoeren, Damon McCoy, Danny Yuxing Huang, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Kylie McRoberts, Luca Invernizzi, Maxwell Matthaios Aliapoulios, Vector Guo Li
Tracking Ransomware End-to-end
Families: Cerber, Locky, WannaCryptor

2017-10-27 | Independent.co.uk | Adam Withnall
British security minister says North Korea was behind WannaCry hack on NHS
Families: WannaCryptor

2017-08-25 | Kaspersky Labs | Costin Raiu, Juan Andrés Guerrero-Saade
Walking in your Enemy's Shadow: When Fourth-Party Collection becomes Attribution Hell
Families: NetTraveler, RCS, WannaCryptor, Dancing Salome

2017-05-25 | Flashpoint | Flashpoint
Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors
Families: WannaCryptor

2017-05-22 | Symantec | Symantec Security Response
WannaCry: Ransomware attacks show strong links to Lazarus group
Families: AlphaNC, BravoNC, Duuzer, Sierra(Alfa,Bravo, ...), WannaCryptor

2017-05-19 | Comae | Matt Suiche
WannaCry — Decrypting files with WanaKiwi + Demos
Families: WannaCryptor

2017-05-19 | Malwarebytes | Adam McNeil
How did the WannaCry ransomworm spread?
Families: WannaCryptor

2017-05-16 | Adrian Nish, Sergei Shevchenko
Wannacryptor Ransomworm
Families: WannaCryptor

2017-05-14 | Comae | Matt Suiche
WannaCry — New Variants Detected!
Families: WannaCryptor

2017-05-13 | MalwareTech | MalwareTech
How to Accidentally Stop a Global Cyber Attacks
Families: WannaCryptor

2017-05-12 | Microsoft | Andrea Lelli, Elia Florio, Karthik Selvaraj, Tanmay Ganacharya
WannaCrypt ransomware worm targets out-of-date systems
Families: WannaCryptor

2017-05-12 | The Moscow Times | The Moscow Times
‘WCry’ Virus Reportedly Infects Russian Interior Ministry's Computer Network
Families: WannaCryptor

2017-05-12 | Comae | Matt Suiche
WannaCry — The largest ransom-ware infection in History
Families: WannaCryptor

2017-05-12 | Emsisoft | Holger Keller
Global WannaCry ransomware outbreak uses known NSA exploits
Families: WannaCryptor

2017-05-12 | Kaspersky Labs | GReAT
WannaCry ransomware used in widespread attacks all over the world
Families: WannaCryptor

2017-05-12 | G Data | G Data
Warning: Massive "WannaCry" Ransomware campaign launched
Families: WannaCryptor

2017-05-12 | KrebsOnSecurity | Brian Krebs
U.K. Hospitals Hit in Widespread Ransomware Attack
Families: WannaCryptor

2017-05-12 | Avast | Jakub Křoustek
WannaCry ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far today
Families: WannaCryptor

2017-01-01 | Github (rain-1) | Epivalent, rain1
WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm
Families: WannaCryptor
Yara Rules
[TLP:WHITE] win_wannacryptor_auto (20251219 | Detects win.wannacryptor.)
rule win_wannacryptor_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.wannacryptor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 85c0 7403 8b4004 50 8b442428 }
            // n = 6, score = 700
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   50                   | push                eax
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]

        $sequence_1 = { c744243802000000 e8???????? 55 8d4c2420 b303 50 51 }
            // n = 7, score = 700
            //   c744243802000000     | mov                 dword ptr [esp + 0x38], 2
            //   e8????????           |                     
            //   55                   | push                ebp
            //   8d4c2420             | lea                 ecx, [esp + 0x20]
            //   b303                 | mov                 bl, 3
            //   50                   | push                eax
            //   51                   | push                ecx

        $sequence_2 = { 8d7e44 85c0 755f 8b17 8d4c241c 6a01 51 }
            // n = 7, score = 700
            //   8d7e44               | lea                 edi, [esi + 0x44]
            //   85c0                 | test                eax, eax
            //   755f                 | jne                 0x61
            //   8b17                 | mov                 edx, dword ptr [edi]
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   6a01                 | push                1
            //   51                   | push                ecx

        $sequence_3 = { 7d0d 8b5168 8b7960 03d7 }
            // n = 4, score = 700
            //   7d0d                 | jge                 0xf
            //   8b5168               | mov                 edx, dword ptr [ecx + 0x68]
            //   8b7960               | mov                 edi, dword ptr [ecx + 0x60]
            //   03d7                 | add                 edx, edi

        $sequence_4 = { c644243404 e8???????? 8d4c241c 885c2430 }
            // n = 4, score = 700
            //   c644243404           | mov                 byte ptr [esp + 0x34], 4
            //   e8????????           |                     
            //   8d4c241c             | lea                 ecx, [esp + 0x1c]
            //   885c2430             | mov                 byte ptr [esp + 0x30], bl

        $sequence_5 = { 8d542418 c744243005000000 8b41f8 8b4e74 2bc1 }
            // n = 5, score = 700
            //   8d542418             | lea                 edx, [esp + 0x18]
            //   c744243005000000     | mov                 dword ptr [esp + 0x30], 5
            //   8b41f8               | mov                 eax, dword ptr [ecx - 8]
            //   8b4e74               | mov                 ecx, dword ptr [esi + 0x74]
            //   2bc1                 | sub                 eax, ecx

        $sequence_6 = { 8a02 8bcf 88442418 e8???????? 8b542410 c744243000000000 }
            // n = 6, score = 700
            //   8a02                 | mov                 al, byte ptr [edx]
            //   8bcf                 | mov                 ecx, edi
            //   88442418             | mov                 byte ptr [esp + 0x18], al
            //   e8????????           |                     
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   c744243000000000     | mov                 dword ptr [esp + 0x30], 0

        $sequence_7 = { c7442430ffffffff e8???????? e9???????? 85c0 754b }
            // n = 5, score = 700
            //   c7442430ffffffff     | mov                 dword ptr [esp + 0x30], 0xffffffff
            //   e8????????           |                     
            //   e9????????           |                     
            //   85c0                 | test                eax, eax
            //   754b                 | jne                 0x4d

        $sequence_8 = { 88442418 e8???????? 8b542410 c744243000000000 52 50 8d442420 }
            // n = 7, score = 700
            //   88442418             | mov                 byte ptr [esp + 0x18], al
            //   e8????????           |                     
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   c744243000000000     | mov                 dword ptr [esp + 0x30], 0
            //   52                   | push                edx
            //   50                   | push                eax
            //   8d442420             | lea                 eax, [esp + 0x20]

        $sequence_9 = { 89442418 0f8c42ffffff 8b442438 5f 85c0 }
            // n = 5, score = 700
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   0f8c42ffffff         | jl                  0xffffff48
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]
            //   5f                   | pop                 edi
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 540672
}