AhnLab Security Center

Outbreak of Wanna Cry/ WannaCryptor Ransomware

05-15-2017

Since first appearing in Spain, the U.K. and Russia on May 12, the WannaCryptor ransomware (also known as Wanna Cry and Wcrypt) has been rapidly proliferating across the world. This article presents the symptoms and attack methods of WannaCryptor.


1. Overview
WannaCryptor was first discovered in February 2017. The latest version of this ransomware, which ran rampant on May 12, is a strain that uses an exploit toolkit called “Eternal Blue” that takes advantage of a Server Message Block (SMB) vulnerability (MS17-010). Microsoft released the security update addressing this vulnerability in March 2017. The large number of systems around the world that remain unpatched, however, has enabled WannaCryptor to spread at an alarming rate.


2. Infection Vector
Unlike most ransomware, which infects systems via email attachments or drive-by downloads from compromised websites, WannaCryptor infects Windows systems via MS17-010 (Microsoft Windows SMBv2 remote code execution vulnerability). Systems that have not been patched with the Windows security update released in March 2017 are thus exposed to infection without the user actually doing anything.


Microsoft Windows SMB vulnerabilities related to WannaCryptor and affected systems are as follows:

■ Vulnerabilities
- Windows SMB remote code execution vulnerability (CVE-2017-0143)
- Windows SMB remote code execution vulnerability (CVE-2017-0144)
- Windows SMB remote code execution vulnerability (CVE-2017-0145)
- Windows SMB remote code execution vulnerability (CVE-2017-0146)
- Windows SMB remote code execution vulnerability (CVE-2017-0147)
- Windows SMB remote code execution vulnerability (CVE-2017-0148)

 

■ Affected Operating Systems
- Windows 10 (Not targeted by WannaCryptor despite presence of the corresponding vulnerability)
- Windows 7/ 8.1/ RT 8.1
- Windows Server 2016/ 2012 R2 / 2008 R2 SP1 SP2


3. Symptoms
WannaCryptor scans the D class values (that is, the last octet) of its local IP addresses (xxx.xxx.xxx.1~255), repeatedly transmitting SMB protocol packets to each address. It examines the returned data to identify vulnerable SMB packet headers, and then sends those hosts additional data that includes executable code. The shellcode activates if the patch fixing the vulnerability has not been applied to the target system’s OS.

 


Figure 1. WannaCryptor shellcode (partial)
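
The scan described above, with SMB packets sent to every last-octet value of the local subnet, leaves a recognizable pattern in network flow logs. The detector below is an added example and is not part of the original AhnLab article; the log format, TCP port 445, the 60-second window and the threshold of 20 hosts are assumptions, and the flow records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

SMB_PORT = 445                   # SMB over TCP; the port is not stated on the page
WINDOW = timedelta(seconds=60)   # assumed look-back window
THRESHOLD = 20                   # assumed: distinct hosts of one /24 inside WINDOW

def parse(line):
    """Parse one constructed flow record: 'ISO-time src dst dport'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, ipaddress.ip_address(dst), int(dport)

def find_smb_sweeps(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {(src, /24): peak distinct last octets probed on TCP 445 in one window}."""
    per_key = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse(line)
        if dport != SMB_PORT or dst.version != 4:
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        per_key[(src, str(net))].append((ts, int(dst) & 0xFF))
    alerts = {}
    for key, events in per_key.items():
        events.sort()
        start, best = 0, 0
        in_window = defaultdict(int)      # last octet -> hits inside the window
        for ts, octet in events:
            in_window[octet] += 1
            while ts - events[start][0] > window:   # drop events older than window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[key] = best
    return alerts

def sample_flows():
    """Constructed data: one host sweeping .1-.255, one ordinary file-share client."""
    t0 = datetime(2017, 5, 12, 9, 0, 0)
    sweep = [f"{(t0 + timedelta(milliseconds=200 * i)).isoformat()} 10.0.5.23 10.0.5.{i} 445"
             for i in range(1, 256)]
    normal = [f"{(t0 + timedelta(seconds=30 * i)).isoformat()} 10.0.5.40 10.0.5.10 445"
              for i in range(10)]
    return sweep + normal

if __name__ == "__main__":
    for (src, net), peak in find_smb_sweeps(sample_flows()).items():
        print(f"{src} probed {peak} hosts in {net} on TCP {SMB_PORT}")
```

A client that repeatedly talks to one file server stays at a count of 1 and is not flagged; only a source that touches many distinct addresses of the same /24 within the window is reported.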


When a system is infected by WannaCryptor, the ransomware encrypts files with the extensions listed below, and appends the extension .WNCRY (or .WNCRYT, depending on the variant) to the file name:

 

After the target files have been encrypted, the desktop screen is altered and a message appears demanding a ransom of the bitcoin equivalent of $300, as shown in Figure 3. The ransom note has been composed in 28 different languages.

 

 

Figure 2. Desktop wallpaper taken over by WannaCryptor

 
 

Figure 3. WannaCryptor ransom note


When WannaCryptor runs, it attempts to connect to http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, and it shuts itself down if the connection is successfully made. This domain, which is known as the kill switch of WannaCryptor, was not registered when the ransomware was distributed, and an English security researcher preemptively purchased the domain to prevent the further spread of the ransomware.


If WannaCryptor cannot access the domain due to the lack of an internet connection or other circumstances, files related to WannaCryptor are created and encryption of the files on the PC commences. The names of the created folders and files may differ depending on the WannaCryptor variant.


In addition, ransom note files in various languages are created in the /msg folder. 


 

 

Figure 4. Ransom notes in various languages
 

Also, files for Tor, the software program which provides anonymity online, are created in the /TaskData folder, presumably to make the ransomware more difficult to track.

 

 

Figure 5. Tor files created


4. AhnLab's Response

Aliases identified by V3, AhnLab’s anti-malware product, are as follows:

- Trojan/Win32.WannaCryptor.C1951322
- Trojan/Win32.WannaCryptor.C1951351
- Trojan/Win32.WannaCryptor.R200571
- Trojan/Win32.WannaCryptor.R200572
- Trojan/Win32.WannaCryptor.R200579
- Trojan/Win32.WannaCryptor.R200580

 

5. Security Recommendation

AhnLab has recently updated V3 with the latest signatures, and will continue to provide analysis on additional variants that appear. Therefore, the latest versions of V3 engines should be applied and maintained. With new variants of WannaCryptor sprouting constantly, the latest Windows security updates should also be applied with vigilance.

- Check the relevant OS and patches in the MS Security Bulletin