WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.
Tactic | Technique |
---|---|
Defense Evasion (TA0005) | T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification |
2022-03-17 by Tilly Travers from Sophos
2022-03-01 by Dipankar Lama from Github (0xZuk0)
2021-03-15 by Mark Loman from Sophos Labs
2020-12-09 by Josh Burgess from CrowdStrike
2020-08 by CARE from Temple University
2020-07-29 by welivesecurity from ESET Research
2020-06-09 by Costin Raiu from Kaspersky Labs
2020-03-05 by Microsoft Threat Protection Intelligence Team from Microsoft
2020-02-26 by MetaSwan from MetaSwan's Lab
2020-02-19 by Lexfo from Lexfo
2020-02-10 by Adam Kujawa from Malwarebytes
2020-02-02 by Ghidra Ninja from Youtube (Ghidra Ninja)
2019-09-18 by Peter Mackenzie from SophosLabs Uncut
2019-09-17 by Peter Mackenzie from SophosLabs
2019-07-28 by Marius Genheimer from Dissecting Malware
2019-01 by Maxat Akbanov from Journal of Telecommunications and Information Technology
2018-10-03 by Peter Kálnai from Virus Bulletin
2018-07-26 by Danny Yuxing Huang from IEEE Symposium on Security and Privacy (SP)
2017-10-27 by Adam Withnall from Independent.co.uk
2017-08-25 by Juan Andrés Guerrero-Saade from Kaspersky Labs
2017-05-25 by Flashpoint from Flashpoint
2017-05-22 by Symantec Security Response from Symantec
2017-05-19 by Matt Suiche from Comae
2017-05-19 by Adam McNeil from Malwarebytes
2017-05-16 by Sergei Shevchenko from
2017-05-14 by Matt Suiche from Comae
2017-05-13 by MalwareTech from MalwareTech
2017-05-12 by The Moscow Times from The Moscow Times
2017-05-12 by Jakub Křoustek from Avast
2017-05-12 by Holger Keller from Emsisoft
2017-05-12 by G Data from G Data
2017-05-12 by Brian Krebs from KrebsOnSecurity
2017-05-12 by Karthik Selvaraj from Microsoft
2017-05-12 by Matt Suiche from Comae
2017-05-12 by GReAT from Kaspersky Labs
2017 by rain1 from Github (rain-1)
Tool: WannaCry
Names: WannaCry, WannaCrypt, WannaCryptor, Wcry, WanaCry, WanaCrypt, WanaCrypt0r, Wana Decrypt0r
Description: WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.
Category: Malware
Type: Ransomware, Worm, Remote command
Information: https://www.us-cert.gov/ncas/alerts/TA17-132A
Information: https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html
Information: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
Information: https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e
Information: https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58
Information: https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d
Information: https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984
Information: https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/
Information: https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/
Information: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
Information: https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
Information: https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign
Information: https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/
Information: https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/
Information: http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/
Information: https://www.dropbox.com/s/hpr9fas9xbzo2uz/Whitepaper%20WannaCry%20Ransomware.pdf?dl=0
Mitre-attack: https://attack.mitre.org/software/S0366/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Use |
---|---|---|
Persistence (TA0003) | T1543.003 Create or Modify System Process: Windows Service | WannaCry creates the service "mssecsvc2.0" with the display name "Microsoft Security Center (2.0) Service". |
Privilege Escalation (TA0004) | T1543.003 Create or Modify System Process: Windows Service | WannaCry creates the service "mssecsvc2.0" with the display name "Microsoft Security Center (2.0) Service". |
Defense Evasion (TA0005) | T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification | WannaCry uses attrib +h and icacls . /grant Everyone:F /T /C /Q to make some of its files hidden and to grant all users full access control over them. |
Defense Evasion (TA0005) | T1564.001 Hide Artifacts: Hidden Files and Directories | WannaCry uses attrib +h to make some of its files hidden. |
Discovery (TA0007) | T1083 File and Directory Discovery | WannaCry searches for a variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files. |
Discovery (TA0007) | T1120 Peripheral Device Discovery | WannaCry contains a thread that attempts to scan for newly attached drives every few seconds. If one is identified, it encrypts the files on the attached device. |
Discovery (TA0007) | T1018 Remote System Discovery | WannaCry scans its local network segment for remote systems to try to exploit and copy itself to. |
Discovery (TA0007) | T1016 System Network Configuration Discovery | WannaCry attempts to determine the local network segment it is a part of. |
Lateral Movement (TA0008) | T1210 Exploitation of Remote Services | WannaCry uses an exploit in SMBv1 to spread itself to other remote systems on a network. |
Lateral Movement (TA0008) | T1570 Lateral Tool Transfer | WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit. |
Lateral Movement (TA0008) | T1563.002 Remote Service Session Hijacking: RDP Hijacking | WannaCry enumerates current Remote Desktop sessions and tries to execute the malware in each session. |
Command and Control (TA0011) | T1573.002 Encrypted Channel: Asymmetric Cryptography | WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit. |
Impact (TA0040) | T1486 Data Encrypted for Impact | WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files. |
Impact (TA0040) | T1490 Inhibit System Recovery | WannaCry uses vssadmin, wbadmin, bcdedit, and wmic to delete and disable operating system recovery features. |
Impact (TA0040) | T1489 Service Stop | WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores. |