{
	"id": "bcdc0021-7fcd-4462-a876-817d384eb806",
	"created_at": "2026-04-06T00:11:37.401015Z",
	"updated_at": "2026-04-10T03:26:53.366438Z",
	"deleted_at": null,
	"sha1_hash": "5223c844b3882bc77a6597277929e92460c3e30a",
	"title": "WannaCrypt ransomware worm targets out-of-date systems | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 111598,
	"plain_text": "WannaCrypt ransomware worm targets out-of-date systems |\r\nMicrosoft Security Blog\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2017-05-13 · Archived: 2026-04-05 15:17:37 UTC\r\nOn May 12, 2017, we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have\r\nbeen previously fixed. While security updates are automatically applied on most computers, some users and\r\nenterprises may delay deployment of patches. Unfortunately, the ransomware, known as WannaCrypt, appears to\r\nhave affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we\r\nremind users to install MS17-010 if they have not already done so.\r\nMicrosoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us\r\nvisibility and context into this new attack as it happened, allowing Windows Defender Advanced Threat Protection\r\n(ATP) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we\r\nwere able to rapidly protect against this malware.\r\nIn this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under\r\ninvestigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our\r\ndetection response.\r\nTo test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced\r\nattacks, sign up for a free trial.\r\nAttack vector\r\nRansomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry,\r\nWanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as the primary attack vector, relying\r\non users downloading and executing a malicious payload. 
However, in this unique case, the ransomware\r\nperpetrators used publicly available exploit code for the patched SMB “EternalBlue” vulnerability, CVE-2017-0145,\r\nwhich can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability\r\nwas fixed in security bulletin MS17-010, which was released on March 14, 2017.\r\nWannaCrypt’s spreading mechanism is borrowed from well-known public SMB exploits, which armed this regular\r\nransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix\r\nhad become available.\r\nThe exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows\r\nServer 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.\r\nWe haven’t found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we\r\nbelieve are highly possible explanations for the spread of this ransomware:\r\nhttps://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/\r\nPage 1 of 7\n\nArrival through social engineering emails designed to trick users into running the malware and activating the\r\nworm-spreading functionality with the SMB exploit\r\nInfection through the SMB exploit when an unpatched computer is addressable from other infected machines\r\nDropper\r\nThe threat arrives as a dropper Trojan that has the following two components:\r\n1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers\r\n2. 
The ransomware known as WannaCrypt\r\nThe dropper tries to connect to the following domains using the API InternetOpenUrlA():\r\nwww[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\r\nwww[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\r\nwww[x].iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test\r\nIf the connection to the domains is successful, the dropper does not infect the system further with ransomware or try\r\nto exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds\r\nto drop the ransomware and creates a service on the system.\r\nIn other words, unlike in most malware infections, IT Administrators should NOT block these domains. Note\r\nthat the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the\r\nInternet, but can resolve to any accessible server which will accept connections on TCP 80.\r\nThe threat creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability in other\r\ncomputers accessible from the infected system:\r\nService Name: mssecsvc2.0\r\nService Description: (Microsoft Security Center (2.0) Service)\r\nService Parameters: “-m security”\r\nWannaCrypt ransomware\r\nThe ransomware component is a dropper that contains a password-protected .zip archive in its resource section.\r\nThe document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the\r\nransom message. 
In the samples we analyzed, the password for the .zip archive is “WNcry@2ol7”.\r\nWhen run, WannaCrypt creates the following registry keys:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\\u003crandom string\u003e = “\u003cmalware working\r\ndirectory\u003e\\tasksche.exe”\r\nHKLM\\SOFTWARE\\WanaCrypt0r\\\\wd = “\u003cmalware working directory\u003e”\r\nIt changes the wallpaper to a ransom message by modifying the following registry key:\r\nHKCU\\Control Panel\\Desktop\\Wallpaper: “\u003cmalware working directory\u003e\\@WanaDecryptor@.bmp”\r\nIt creates the following files in the malware’s working directory:\r\n00000000.eky\r\n00000000.pky\r\n00000000.res\r\n274901494632976.bat\r\n@Please_Read_Me@.txt\r\n@WanaDecryptor@.bmp\r\n@WanaDecryptor@.exe\r\nb.wnry\r\nc.wnry\r\nf.wnry\r\nm.vbs\r\nmsg\\m_bulgarian.wnry\r\nmsg\\m_chinese (simplified).wnry\r\nmsg\\m_chinese (traditional).wnry\r\nmsg\\m_croatian.wnry\r\nmsg\\m_czech.wnry\r\nmsg\\m_danish.wnry\r\nmsg\\m_dutch.wnry\r\nmsg\\m_english.wnry\r\nmsg\\m_filipino.wnry\r\nmsg\\m_finnish.wnry\r\nmsg\\m_french.wnry\r\nmsg\\m_german.wnry\r\nmsg\\m_greek.wnry\r\nmsg\\m_indonesian.wnry\r\nmsg\\m_italian.wnry\r\nmsg\\m_japanese.wnry\r\nmsg\\m_korean.wnry\r\nmsg\\m_latvian.wnry\r\nmsg\\m_norwegian.wnry\r\nmsg\\m_polish.wnry\r\nmsg\\m_portuguese.wnry\r\nmsg\\m_romanian.wnry\r\nmsg\\m_russian.wnry\r\nmsg\\m_slovak.wnry\r\nmsg\\m_spanish.wnry\r\nmsg\\m_swedish.wnry\r\nmsg\\m_turkish.wnry\r\nmsg\\m_vietnamese.wnry\r\nr.wnry\r\ns.wnry\r\n
t.wnry\r\nTaskData\\Tor\\libeay32.dll\r\nTaskData\\Tor\\libevent-2-0-5.dll\r\nTaskData\\Tor\\libevent_core-2-0-5.dll\r\nTaskData\\Tor\\libevent_extra-2-0-5.dll\r\nTaskData\\Tor\\libgcc_s_sjlj-1.dll\r\nTaskData\\Tor\\libssp-0.dll\r\nTaskData\\Tor\\ssleay32.dll\r\nTaskData\\Tor\\taskhsvc.exe\r\nTaskData\\Tor\\tor.exe\r\nTaskData\\Tor\\zlib1.dll\r\ntaskdl.exe\r\ntaskse.exe\r\nu.wnry\r\nWannaCrypt may also create the following files:\r\n%SystemRoot%\\tasksche.exe\r\n%SystemDrive%\\intel\\\u003crandom directory name\u003e\\tasksche.exe\r\n%ProgramData%\\\u003crandom directory name\u003e\\tasksche.exe\r\nIt may create a randomly named service that has the following associated ImagePath: “cmd.exe /c “\u003cmalware\r\nworking directory\u003e\\tasksche.exe””.\r\nIt then searches the whole computer for any file with any of the following file name extensions: .123, .jpeg , .rb ,\r\n.602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z ,\r\n.ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb ,\r\n.asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg ,\r\n.bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw ,\r\n.class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv ,\r\n.ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ ,\r\n.vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm ,\r\n.pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv ,\r\n.pps , .xlm , .frm , .ppsm , .xls , .gif , 
.ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 ,\r\n.xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.\r\nWannaCrypt encrypts all files it finds and renames them by appending .WNCRY to the file name. For example, if a\r\nfile is named picture.jpg, the ransomware encrypts and renames the file to picture.jpg.WNCRY.\r\nThis ransomware also creates the file @Please_Read_Me@.txt in every folder where files are encrypted. The file\r\ncontains the same ransom message shown in the replaced wallpaper image (see screenshot below).\r\nAfter completing the encryption process, the malware deletes the volume shadow copies by running the following\r\ncommand:\r\ncmd.exe /c vssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete \u0026 bcdedit /set {default}\r\nbootstatuspolicy ignoreallfailures \u0026 bcdedit /set {default} recoveryenabled no \u0026 wbadmin delete catalog -quiet\r\nIt then replaces the desktop background image with the following message:\r\nIt also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:\r\nThe text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian,\r\nCzech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean,\r\nLatvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.\r\nThe ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files,\r\nfree of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.\r\nSpreading capability\r\nThe worm functionality attempts to infect unpatched Windows machines in the local network. 
At the same time, it\r\nalso executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This\r\nactivity results in a large volume of SMB traffic from the infected host, which can be observed by SecOps personnel.\r\nThe Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that\r\nIP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated\r\nvalue for the first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces.\r\nOnce a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious\r\ninfection cycle continues as the scanning routine discovers unpatched computers.\r\nWhen it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have\r\nbeen copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and\r\nexecute the ransomware dropper payload, both for x86 and x64 systems.\r\nProtection against the WannaCrypt attack\r\nTo get the latest protection from Microsoft, upgrade to Windows 10. 
Keeping your computers up-to-date gives you\r\nthe benefits of the latest features and proactive mitigations built into the latest versions of Windows.\r\nWe recommend customers that have not yet installed the security update MS17-010 do so as soon as possible.\r\nUntil you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:\r\nDisable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 and as\r\nrecommended previously\r\nConsider adding a rule on your router or firewall to block incoming SMB traffic on port 445\r\nWindows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update.\r\nWindows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\r\nFor enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security,\r\nallowing only trusted applications to run, effectively preventing malware from running.\r\nUse Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email\r\nthreats, such as the emails carrying ransomware.\r\nMonitor networks with Windows Defender Advanced Threat Protection, which alerts security operations teams\r\nabout suspicious activities.\r\nTo test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced\r\nattacks, sign up for a free trial.\r\nResources\r\nDownload English language security updates: Windows Server 2003 SP2 x64, Windows XP SP2 x64, Windows\r\nXP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86 and Windows 8 x64\r\nDownload localized language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86,\r\nWindows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64\r\nMS17-010 
Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\r\nCustomer guidance for WannaCrypt attacks: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\r\nGeneral information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx\r\nNext-generation ransomware protection with Windows 10 Creators Update:\r\nhttps://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/\r\nIndicators of compromise\r\nSHA1 of samples analyzed:\r\n51e4307093f8ca8854359c0ac882ddca427a813c\r\ne889544aff85ffaf8b0d0da705105dee7c97fe26\r\nFiles created:\r\n%SystemRoot%\\mssecsvc.exe\r\n%SystemRoot%\\tasksche.exe\r\n%SystemRoot%\\qeriuwjhrf\r\nb.wnry\r\nc.wnry\r\nf.wnry\r\nr.wnry\r\ns.wnry\r\nt.wnry\r\nu.wnry\r\ntaskdl.exe\r\ntaskse.exe\r\n00000000.eky\r\n00000000.res\r\n00000000.pky\r\n@WanaDecryptor@.exe\r\n@Please_Read_Me@.txt\r\nm.vbs\r\n@WanaDecryptor@.exe.lnk\r\n@WanaDecryptor@.bmp\r\n274901494632976.bat\r\ntaskdl.exe\r\nTaskse.exe\r\nFiles with “.wnry” extension\r\nFiles with “.WNCRY” extension\r\nRegistry keys created:\r\nHKLM\\SOFTWARE\\WanaCrypt0r\\wd\r\nKarthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya (@tanmayg)\r\nMicrosoft Malware Protection Center (@msftmmpc)\r\nRelated blog entries:\r\nWindows 10 Creators Update provides next-gen ransomware protection\r\nAnalysis of the ETERNALBLUE and ETERNALROMANCE exploits leaked by Shadow Brokers\r\nUpdates:\r\nJune 20, 2017 – added reference to analysis of exploits leaked by Shadow Brokers\r\nTalk to us\r\nQuestions, concerns, or insights on this story? 
Join discussions at the Microsoft community and Windows\r\nDefender Security Intelligence.\r\nFollow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.\r\nSource: https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/"
	],
	"report_names": [
		"wannacrypt-ransomware-worm-targets-out-of-date-systems"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434297,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5223c844b3882bc77a6597277929e92460c3e30a.pdf",
		"text": "https://archive.orkl.eu/5223c844b3882bc77a6597277929e92460c3e30a.txt",
		"img": "https://archive.orkl.eu/5223c844b3882bc77a6597277929e92460c3e30a.jpg"
	}
}