{
	"id": "358f5a51-50cd-42fd-b515-0c6da79733c9",
	"created_at": "2026-04-06T00:20:15.107635Z",
	"updated_at": "2026-04-10T03:29:45.361504Z",
	"deleted_at": null,
	"sha1_hash": "bfafdaaee8f80a9af567a2fed682e9efcc9084f5",
	"title": "Wannacrypt0r-FACTSHEET.md",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 110865,
	"plain_text": "Wannacrypt0r-FACTSHEET.md\r\nArchived: 2026-04-05 14:13:21 UTC\r\nWannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm\r\nVirus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY\r\nVector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses EternalBlue (MS17-010) to propagate.\r\nRansom: between $300 and $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.\r\nBackdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)\r\nKill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).\r\nupdate: A minor variant of the virus has been found; it looks to have had the killswitch hexedited out. Not done by recompile, so probably not done by the original malware author. That said, it is the only change: the encryption keys are the same, the bitcoin addresses are the same. On the other hand it is corrupt, so the ransomware aspect of it doesn't work - it only propagates.\r\nSECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\r\nMicrosoft first patch for XP since 2014: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\r\nKillswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/\r\nhttps://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html\r\nExploit details: https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html\r\nVulnerable/Not Vulnerable\r\nTo be infected requires the SMB port (445) to be open, or the machine already infected with DOUBLEPULSAR (and killswitch not registered or somehow blocked, or the network accessing it through a proxy).\r\nThe MS17-010 patch fixes the vulnerability.\r\nWindows XP: Doesn't spread. If run manually, can encrypt files.\r\nWindows 7,8,2008: can spread unpatched, can encrypt files.\r\nWindows 10: Doesn't spread, even though Windows 10 does have the faulty SMB driver.\r\nhttps://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168\r\nPage 1 of 5\n\nLinux: Doesn't spread. If run manually with wine, can encrypt files.\r\nInfections\r\nNHS (uk) turning away patients, unable to perform x-rays. (list of affected hospitals)\r\nNissan (uk) http://www.chroniclelive.co.uk/news/north-east-news/cyber-attack-nhs-latest-news-13029913\r\nTelefonica (spain) (https://twitter.com/SkyNews/status/863044193727389696)\r\npower firm Iberdrola and Gas Natural (spain)\r\nFedEx (us) (https://twitter.com/jeancreed1/status/863089728253505539)\r\nUniversity of Waterloo (ontario canada)\r\nRussia interior ministry \u0026 Megafon (russia)\r\nhttps://twitter.com/dabazdyrev/status/863034199460261890/photo/1\r\nVTB (russian bank) https://twitter.com/vassgatov/status/863175506790952962\r\nRussian Railroads (RZD) https://twitter.com/vassgatov/status/863175723846176768\r\nPortugal Telecom\r\nСбербанк - Sberbank Russia (russia)\r\nShaheen Airlines (pakistan, claimed on twitter)\r\nTrain station in frankfurt (germany)\r\nNeustadt station (germany)\r\nthe entire network of German Rail seems to be affected (@farbenstau)\r\nin China secondary schools and universities had been affected (source)\r\nA Library in Oman (@99arwan1)\r\nChina Yanshui County Public Security Bureau (https://twitter.com/95cnsec/status/863292545278685184)\r\nRenault (France) (http://www.lepoint.fr/societe/renault-touche-par-la-vague-de-cyberattaques-internationales-13-05-2017-2127044_23.php) (http://www.lefigaro.fr/flash-eco/2017/05/13/97002-20170513FILWWW00031-renault-touche-par-la-vague-de-cyberattaques-internationales.php)\r\nSchools/Education (France) https://twitter.com/Damien_Bancal/status/863305670568837120\r\nUniversity of Milano-Bicocca (italy)\r\nA mall in singapore https://twitter.com/nkl0x55/status/863340271391580161\r\nATMs in china https://twitter.com/95cnsec/status/863382193615159296\r\nnorwegian soccer team ticket sales https://www.nrk.no/telemark/eliteserieklubber-rammet-av-internasjonalt-dataangrep-1.13515245\r\nSTC telecom (saudi arabia, more, more)\r\nAll ATMs in india closed\r\nUS radiology equipment https://twitter.com/Forbes/status/864850749225934852\r\nMore at https://en.wikipedia.org/wiki/WannaCry_cyber_attack#List_of_affected_organizations they seem to be cataloguing the infections faster/better.\r\nInformative Tweets\r\nSample released by ens (thank you ens!): https://twitter.com/the_ens/status/863055007842750465\r\nOnion C\u0026Cs extracted: https://twitter.com/the_ens/status/863069021398339584\r\nEternalBlue confirmed: https://twitter.com/kafeine/status/863049739583016960\r\nShell commands: https://twitter.com/laurilove/status/863065599919915010\r\nMaps/stats: https://twitter.com/laurilove/status/863066699888824322\r\nCore DLL: https://twitter.com/laurilove/status/863072240123949059\r\nHybrid-analysis: https://twitter.com/PayloadSecurity/status/863024514933956608\r\nImpact assessment: https://twitter.com/CTIN_Global/status/863095852113571840\r\nUses DoublePulsar: https://twitter.com/laurilove/status/863107992425779202\r\nYour machine is attacking others: https://twitter.com/hackerfantastic/status/863105127196106757\r\nTor hidden service C\u0026C: https://twitter.com/hackerfantastic/status/863105031167504385\r\nFedEx infected via Telefonica? https://twitter.com/jeancreed1/status/863089728253505539\r\nHOW TO AVOID INFECTION: https://twitter.com/hackerfantastic/status/863070063536091137\r\nMore of this to come: https://twitter.com/hackerfantastic/status/863069142273929217\r\nC\u0026C hosts: https://twitter.com/hackerfantastic/status/863115568181850113\r\nCrypted files will be deleted after countdown: https://twitter.com/laurilove/status/863116900829724672\r\nClaim of attrib [take with salt]: https://twitter.com/0xSpamTech/status/863058605473509378\r\nTrack the bitcoins: https://twitter.com/bl4sty/status/863143484919828481\r\nkeys in pem format: https://twitter.com/e55db081d05f58a/status/863109716456747008\r\nneel points out a similarity with another virus https://twitter.com/neelmehta/status/864164081116225536\r\nshadowbrokers talk about responsible disclosure https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition\r\nanother factsheet https://www.secureworks.com/research/wcry-ransomware-analysis\r\nCryptography details\r\nEach infection generates a new RSA-2048 keypair.\r\nThe public key is exported as a blob and saved to 00000000.pky\r\nThe private key is encrypted with the ransomware public key and saved as 00000000.eky\r\nEach file is encrypted using AES-128-CBC, with a unique AES key per file.\r\nEach AES key is generated with CryptGenRandom.\r\nThe AES key is encrypted using the infection specific RSA keypair.\r\nThe RSA public key used to encrypt the infection specific RSA private key is embedded inside the DLL and owned by the ransomware authors.\r\nhttps://haxx.in/key1.bin (the ransomware pubkey, used to encrypt the user's private key)\r\nhttps://haxx.in/key2.bin (the dll decryption privkey) the CryptImportKey() rsa key blob dumped from the DLL by blasty.\r\nhttps://pastebin.com/aaW2Rfb6 even more in depth RE information by cyg_x1!!\r\nBitcoin ransom addresses\r\n3 addresses hard coded into the malware.\r\nhttps://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94\r\nhttps://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw\r\nhttps://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn\r\nC\u0026C centers\r\ngx7ekbenv2riucmf.onion\r\n57g7spgrzlojinas.onion\r\nxxlvbrloxvriy2c5.onion\r\n76jdd2ir2embyv47.onion\r\ncwwnhwhlz52maqm7.onion\r\nLanguages\r\nAll language ransom messages available here: https://transfer.sh/y6qco/WANNACRYDECRYPTOR-Ransomware-Messages-all-langs.zip\r\nm_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese\r\nFile types\r\nThere are a number of files and folders wannacrypt will avoid, some because encrypting them is entirely pointless and others because it might destabilize the system. During scans, it will search the path for the following strings and skip over if present:\r\n\"Content.IE5\"\r\n\"Temporary Internet Files\"\r\n\" This folder protects against ransomware. Modifying it will reduce protection\"\r\n\"\\Local Settings\\Temp\"\r\n\"\\AppData\\Local\\Temp\"\r\n\"\\Program Files (x86)\"\r\n\"\\Program Files\"\r\n\"\\WINDOWS\"\r\n\"\\ProgramData\"\r\n\"\\Intel\"\r\n\"$\"\r\nThe filetypes it looks for to encrypt are:\r\n.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg,\r\n.onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm,\r\n.pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx,\r\n.gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm,\r\n.tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg,\r\n.vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb,\r\n.vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db,\r\n.mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk,\r\n.dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der\r\ncredit herulume, thanks for extracting this list from the binary.\r\nmore details came from https://pastebin.com/xZKU7Ph1 thanks to cyg_x11\r\nSome other interesting strings\r\nBAYEGANSRV\\administrator\r\nSmile465666SA\r\nwanna18@hotmail.com\r\ncredit: nulldot https://pastebin.com/0LrH05y2\r\nEncrypted file format\r\ntypedef struct _wc_file_t {\r\n char sig[WC_SIG_LEN]; // 64 bit signature WANACRY!\r\n uint32_t keylen; // length of encrypted key\r\n uint8_t key[WC_ENCKEY_LEN]; // AES key encrypted with RSA\r\n uint32_t unknown; // usually 3 or 4, unknown\r\n uint64_t datalen; // length of file before encryption, obtained from GetFileSizeEx\r\n uint8_t *data; // Ciphertext: data encrypted using AES-128 in CBC mode\r\n} wc_file_t;\r\ncredit for reversing this file format info: cyg_x11.\r\nVulnerability disclosure\r\nThe specific vulnerability that it uses to propagate is ETERNALBLUE.\r\nThis was developed by \"equation group\", an exploit developer group associated with the NSA, and leaked to the public by \"the shadow brokers\". Microsoft fixed this vulnerability March 14, 2017. They were not 0 days at the time of release.\r\nhttps://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/\r\nhttps://technet.microsoft.com/en-us/library/security/ms17-010.aspx\r\nSource: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168"
	],
	"report_names": [
		"989428fa5504f378b993ee6efbc0b168"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434815,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bfafdaaee8f80a9af567a2fed682e9efcc9084f5.pdf",
		"text": "https://archive.orkl.eu/bfafdaaee8f80a9af567a2fed682e9efcc9084f5.txt",
		"img": "https://archive.orkl.eu/bfafdaaee8f80a9af567a2fed682e9efcc9084f5.jpg"
	}
}