{
	"id": "c7b7e2d0-74a2-4e13-92a6-1a2a1cfc712b",
	"created_at": "2026-04-06T03:36:42.602508Z",
	"updated_at": "2026-04-10T03:21:18.159461Z",
	"deleted_at": null,
	"sha1_hash": "51799bfb905141574cc8f095ed531d51b7e422a2",
	"title": "Indicators Associated With WannaCry Ransomware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 117735,
	"plain_text": "Indicators Associated With WannaCry Ransomware | CISA\r\nPublished: 2018-06-07 · Archived: 2026-04-06 02:11:02 UTC\r\nSystems Affected\r\nMicrosoft Windows operating systems\r\nOverview\r\nThis Alert has been updated to reflect the U.S. Government's public attribution of the \"WannaCry\" ransomware\r\nvariant to the North Korean government. Additional information on the attribution may be found in a press\r\nbriefing from the White House. For more information related to WannaCry activity, go to https://www.us-cert.gov/hiddencobra.\r\nAccording to numerous open-source reports, a widespread ransomware campaign is affecting various\r\norganizations with reports of tens of thousands of infections in over 150 countries, including the United States,\r\nUnited Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different\r\nlanguages.\r\nThe latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered\r\nthe morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours,\r\nwith initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested\r\nransom of .1781 bitcoins, roughly $300 U.S.\r\nThis Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity\r\nand Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight\r\nknown cyber threats. DHS and the FBI continue to pursue related information of threats to federal, state, and local\r\ngovernment systems and as such, further releases of technical information may be forthcoming.\r\nInitial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise\r\nservers through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for\r\nthe MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP,\r\nWindows 8, and Windows Server 2003 operating systems on May 13, 2017. \r\nAccording to open sources, one possible infection vector may be through phishing.\r\nTechnical Details\r\nIndicators of Compromise (IOC)\r\nSee TA17-132A_WannaCry.xlsx and TA17-132A_WannaCry_stix.xml for IOCs developed immediately after\r\nWannaCry ransomware appeared. These links contain identical content in two different formats.\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-132A\r\nPage 1 of 8\n\nSee TA17-132A_stix.xml for IOCs developed after further analysis of the WannaCry malware.\r\nAnalysis\r\nThree files were submitted to US-CERT for analysis. All files are confirmed as components of a ransomware\r\ncampaign identified as \"WannaCry\", a.k.a \"WannaCrypt\" or \".wnCry\". The first file is a dropper, which contains\r\nand runs the ransomware, propagating via the MS17-010/EternalBlue SMBv1.0 exploit. The remaining two files\r\nare ransomware components containing encrypted plug-ins responsible for encrypting the victim users files. For a\r\nlist of IOCs found during analysis, see the STIX file.\r\nDisplayed below are YARA signatures that can be used to detect the ransomware:\r\nYara Signatures\r\nrule Wanna_Cry_Ransomware_Generic {\r\n meta:\r\n description = \"Detects WannaCry Ransomware on Disk and in Virtual Page\"\r\n author = \"US-CERT Code Analysis Team\"\r\n reference = \"not set\"\r\n date = \"2017/05/12\"\r\n hash0 = \"4DA1F312A214C07143ABEEAFB695D904\"\r\n strings:\r\n $s0 = {410044004D0049004E0024}\r\n $s1 = \"WannaDecryptor\"\r\n $s2 = \"WANNACRY\"\r\n $s3 = \"Microsoft Enhanced RSA and AES Cryptographic\"\r\n $s4 = \"PKS\"\r\n $s5 = \"StartTask\"\r\n $s6 = \"wcry@123\"\r\n $s7 = {2F6600002F72}\r\n $s8 = \"unzip 0.15 Copyrigh\"\r\n $s9 = \"Global\\\\WINDOWS_TASKOSHT_MUTEX\"         \r\nhttps://www.us-cert.gov/ncas/alerts/TA17-132A\r\nPage 2 of 8\n\n$s10 = \"Global\\\\WINDOWS_TASKCST_MUTEX\"    \r\n$s11 =\r\n{7461736B736368652E657865000000005461736B5374617274000000742E776E7279000069636163}\r\n $s12 =\r\n{6C73202E202F6772616E742045766572796F6E653A46202F54202F43202F5100617474726962202B68}\r\n$s13 = \"WNcry@2ol7\"\r\n $s14 = \"wcry@123\"\r\n $s15 = \"Global\\\\MsWinZonesCacheCounterMutexA\"\r\n condition:\r\n $s0 and $s1 and $s2 and $s3 or $s4 and $s5 and $s6 and $s7 or $s8 and $s9 and $s10 or\r\n$s11 and $s12 or $s13 or $s14 or $s15\r\n}\r\n/*The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.*/\r\nrule MS17_010_WanaCry_worm {\r\n meta:\r\n description = \"Worm exploiting MS17-010 and dropping WannaCry Ransomware\"\r\n author = \"Felipe Molina (@felmoltor)\"\r\n reference = \"https://www.exploit-db.com/exploits/41987/\"\r\ndate = \"2017/05/12\"\r\n strings:\r\n $ms17010_str1=\"PC NETWORK PROGRAM 1.0\"\r\n $ms17010_str2=\"LANMAN1.0\"\r\n $ms17010_str3=\"Windows for Workgroups 3.1a\"\r\n $ms17010_str4=\"__TREEID__PLACEHOLDER__\"\r\n $ms17010_str5=\"__USERID__PLACEHOLDER__\"\r\n $wannacry_payload_substr1 = \"h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j\"\r\n $wannacry_payload_substr2 = \"h54WfF9cGigWFEx92bzmOd0UOaZlM\"\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-132A\r\nPage 3 of 8\n\n$wannacry_payload_substr3 = \"tpGFEoLOU6+5I78Toh/nHs/RAP\"\r\ncondition:\r\n all of them\r\n}\r\nDropper\r\nThis artifact (5bef35496fcbdbe841c82f4d1ab8b7c2) is a malicious PE32 executable that has been identified as a\r\nWannaCry ransomware dropper. Upon execution, the dropper attempts to connect to the following hard-coded\r\nURI:\r\nhttp[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.\r\nDisplayed below is a sample request observed:\r\n--Begin request—\r\nGET / HTTP/1.1\r\nHost: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\r\nCache-Control: no-cache\r\n--End request--\r\nIf a connection is established, the dropper will terminate execution. If the connection fails, the dropper will infect\r\nthe system with ransomware.\r\nWhen executed, the malware is designed to run as a service with the parameters “-m security”. During runtime,\r\nthe malware determines the\r\nnumber of arguments passed during execution. If the arguments passed are less than two, the dropper proceeds to\r\ninstall itself as the\r\nfollowing service:\r\n--Begin service--\r\nServiceName = \"mssecsvc2.0\"\r\nDisplayName = \"Microsoft Security Center (2.0) Service\"\r\nStartType = SERVICE_AUTO_START\r\nBinaryPathName = \"%current directory%5bef35496fcbdbe841c82f4d1ab8b7c2.exe -m security\"\r\n--End service--\r\nOnce the malware starts as a service named mssecsvc2.0, the dropper attempts to create and scan a list of IP\r\nranges on the local network\r\nand attempts to connect using UDP ports 137, 138 and TCP ports 139, 445. If a connection to port 445 is\r\nsuccessful, it creates an additional\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-132A\r\nPage 4 of 8\n\nthread to propagate by exploiting the SMBv1 vulnerability documented by Microsoft Security bulliten MS17-010.\r\nThe malware then extracts \u0026\r\ninstalls a PE32 binary from it's resource section named \"R\". This binary has been identified as the ransomware\r\ncomponent of WannaCrypt.\r\nThe dropper installs this binary into \"C:\\WINDOWS\\tasksche.exe.\" The dropper executes tasksche.exe with the\r\nfollowing command:\r\n--Begin command--\r\n\"C:\\WINDOWS\\tasksche.exe /i\"\r\n--End command—\r\nNote:\r\n=====\r\nWhen this sample was initially discovered, the domain \"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\" was\r\nnot registered, allowing the\r\nmalware to run and propagate freely. However within a few days, researchers learned that by registering the\r\ndomain and allowing the\r\nmalware to connect, it's ability to spread was greatly reduced. At this time, all traffic to\r\n\"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\" is\r\nre-directed to a monitored, non-malicious server, causing the malware to terminate if it is allowed to connect. For\r\nthis reason, we recommend\r\nthat administrators and network security personnel not block traffic to this domain.\r\nImpact\r\nRansomware not only targets home users; businesses can also become infected with ransomware, leading to\r\nnegative consequences, including\r\ntemporary or permanent loss of sensitive or proprietary information,\r\ndisruption to regular operations,\r\nfinancial losses incurred to restore systems and files, and\r\npotential harm to an organization’s reputation.\r\nPaying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious\r\nactors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does\r\nnot mean the malware infection itself has been removed.\r\nSolution\r\nRecommended Steps for Prevention\r\nApply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.\r\nEnable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-132A\r\nPage 5 of 8\n\nReporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email\r\nspoofing.\r\nScan all incoming and outgoing emails to detect threats and filter executable files from reaching the end\r\nusers.\r\nEnsure anti-virus and anti-malware solutions are set to automatically conduct regular scans.\r\nManage the use of privileged accounts. Implement the principle of least privilege. No users should be\r\nassigned administrative access unless absolutely needed. Those with a need for administrator accounts\r\nshould only use them when necessary.\r\nConfigure access controls including file, directory, and network share permissions with least privilege in\r\nmind. If a user only needs to read specific files, they should not have write access to those files, directories,\r\nor shares.\r\nDisable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer\r\nsoftware to open Microsoft Office files transmitted via email instead of full Office suite applications.\r\nDevelop, institute, and practice employee education programs for identifying scams, malicious links, and\r\nattempted social engineering.\r\nRun regular penetration tests against the network, no less than once a year. Ideally, run these as often as\r\npossible and practical.\r\nTest your backups to ensure they work correctly upon use.\r\nRecommendations for Network Protection \r\nApply the patch (MS17-010). If the patch cannot be applied, consider:\r\nDisabling SMBv1 and\r\nblocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on\r\nUDP ports 137-138 and TCP port 139, for all boundary devices.\r\nNote: disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The\r\nbenefits of mitigation should be weighed against potential disruptions to users.\r\nReview US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended\r\nMitigations and consider implementing the following best practices:\r\n1. Segregate networks and functions.\r\n2. Limit unnecessary lateral communications.\r\n3. Harden network devices.\r\n4. Secure access to infrastructure devices.\r\n5. Perform out-of-band network management.\r\n6. Validate integrity of hardware and software.\r\nRecommended Steps for Remediation\r\nContact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to\r\nreport an intrusion and request assistance. Maintain and provide relevant logs.\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-132A\r\nPage 6 of 8\n\nImplement your security incident response and business continuity plan. Ideally, organizations should\r\nensure they have appropriate backups so their response is simply to restore the data from a known clean\r\nbackup. \r\nDefending Against Ransomware Generally\r\nPrecautionary measures to mitigate ransomware threats include:\r\nEnsure anti-virus software is up-to-date.\r\nImplement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a\r\nseparate and secure location. Backup copies of sensitive data should not be readily accessible from local\r\nnetworks.\r\nScrutinize links contained in emails, and do not open attachments included in unsolicited emails.\r\nOnly download software—especially free software—from sites you know and trust.\r\nEnable automated patches for your operating system and Web browser.\r\nReport Notice\r\nDHS and FBI encourages recipients who identify the use of tool(s) or techniques discussed in this document to\r\nreport information to DHS or law enforcement immediately. We encourage you to contact CISA Central\r\n(SayCISA@cisa.dhs.gov or 1-844-Say-CISA), or the FBI through a local field office or the FBI’s Cyber\r\nDivision (CyWatch@ic.fbi.gov or 855-292-3937) to report an intrusion and to request incident response\r\nresources or technical assistance.\r\nReferences\r\nMalwarebytes LABS: WanaCrypt0r ransomware hits it big just before the weekend\r\nMalwarebytes LABS: The worm that spreads WanaCrypt0r\r\nMicrosoft: Microsoft Security Bulletin MS17-010\r\nForbes: An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak\r\nReuters: Factbox: Don't click - What is the 'ransomware' WannaCry worm?\r\nGitHubGist: WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm\r\nMicrosoft: Microsoft Update Catalog: Patches for Windows XP, Windows 8, and Windows Server 2003,\r\n(KB4012598)\r\nCisco: Player 3 Has Entered the Game: Say Hello to 'WannaCry'\r\nWashington Post: More than 150 countries affected by massive cyberattack, Europol says\r\nRevisions\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-132A\r\nPage 7 of 8\n\nMay 12, 2017: Initial post|May 14, 2017: Corrected Syntax in the second Yara Rule|May 14, 2017: Added\r\nMicrosoft link to patches for Windows XP, Windows 8, and Windows Server 2003|May 14, 2017: Corrected\r\nSyntax in the first Yara Rule|May 16, 2017: Provided further analysis and new IOCs in STIX format|May 18,\r\n2017: Provided initial IOCs in a STIX format|June 7, 2018: Added attribution of the WannaCry malware variant to\r\nthe North Korean government and link to White House press briefing\r\nSource: https://www.us-cert.gov/ncas/alerts/TA17-132A\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-132A\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/TA17-132A"
	],
	"report_names": [
		"TA17-132A"
	],
	"threat_actors": [],
	"ts_created_at": 1775446602,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51799bfb905141574cc8f095ed531d51b7e422a2.pdf",
		"text": "https://archive.orkl.eu/51799bfb905141574cc8f095ed531d51b7e422a2.txt",
		"img": "https://archive.orkl.eu/51799bfb905141574cc8f095ed531d51b7e422a2.jpg"
	}
}