{
	"id": "1c586250-4503-44c8-9bfe-528cceb3e48c",
	"created_at": "2026-04-06T00:16:50.117095Z",
	"updated_at": "2026-04-10T03:26:53.25967Z",
	"deleted_at": null,
	"sha1_hash": "e3e74a0d11c6e876f479535687e836219f9d521b",
	"title": "WannaCry ransomware used in widespread attacks all over the world",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3006088,
	"plain_text": "WannaCry ransomware used in widespread attacks all over the world\r\nBy GReAT\r\nPublished: 2017-05-12 · Archived: 2026-04-05 16:26:05 UTC\r\nEarlier today, our products detected and successfully blocked a large number of ransomware attacks around the world. In these attacks, data is encrypted with the extension “.WCRY” added to the filenames.\r\nOur analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) was made available on the internet through the Shadowbrokers dump on April 14th, 2017 and was patched by Microsoft on March 14.\r\nUnfortunately, it appears that many organizations have not yet installed the patch.\r\nSource: https://support.kaspersky.com/shadowbrokers\r\nA few hours ago, Spain’s Computer Emergency Response Team, CCN-CERT, posted an alert on their site about a massive ransomware attack affecting several Spanish organizations. The alert recommends the installation of updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack.\r\nThe National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions. We have confirmed additional infections in several other countries, including Russia, Ukraine, and India.\r\nhttps://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/\r\nPage 1 of 13\n\nIt’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the absence of this vulnerability does not prevent the ransomware component itself from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak.\r\nCCN-CERT alert (in Spanish)\r\nAnalysis of the attack\r\nCurrently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia. It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher.\r\nGeographical target distribution according to our telemetry for the first few hours of the attack\r\nThe malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet are approximately $300 USD. It suggests that the group is increasing the ransom demands.\r\nThe tool was designed to address users in multiple countries, with translated messages in different languages.\r\nLanguage list that the malware supports\r\nNote that the “payment will be raised” after a specific countdown, along with another display raising urgency to pay up, threatening that the user will completely lose their files after the set timeout. Not all ransomware provides this timer countdown.\r\nTo make sure that the user doesn’t miss the warning, the tool changes the user’s wallpaper with instructions on how to find the decryptor tool dropped by the malware.\r\nAn image used to replace the user’s wallpaper\r\nMalware samples contain no reference to any specific culture or codepage other than universal English and Latin codepage CP1252. The files contain version info stolen from random Microsoft Windows 7 system tools:\r\nProperties of malware files used by WannaCry\r\nFor convenient bitcoin payments, the malware directs to a page with a QR code at btcfrog, which links to their main bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. Image metadata does not provide any additional info:\r\nOne of the Bitcoin wallets used by the attackers: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94\r\nOne of the attacker wallets received 0.88 BTC during the last hours\r\nOther Bitcoin wallets included in the attackers’ “readme.txt” from the samples are:\r\n115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn – 0.32 BTC\r\n12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw – 0.16 BTC\r\n1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY\r\nFor command and control, the malware extracts and uses the Tor service executable with all necessary dependencies to access the Tor network:\r\nA list of dropped files related to the Tor service\r\nIn terms of targeted files, the ransomware encrypts files with the following extensions:\r\n.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots,\r\n.sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc,\r\n.sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo,\r\n.cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar,\r\n.class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2,\r\n.flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp,\r\n.jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg,\r\n.vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123,\r\n.rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps,\r\n.pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx,\r\n.dotm, .dot, .docm, .docb, .docx, .doc\r\nThe file extensions that the malware is targeting contain certain clusters of formats including:\r\n1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).\r\n2. Less common and nation-specific office formats (.sxw, .odt, .hwp).\r\n3. Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).\r\n4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).\r\n5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).\r\n6. Developers’ source code and project files (.php, .java, .cpp, .pas, .asm).\r\n7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).\r\n8. Graphic designers’, artists’ and photographers’ files (.vsd, .odg, .raw, .nef, .svg, .psd).\r\n9. Virtual machine files (.vmx, .vmdk, .vdi).\r\nThe WannaCry dropper drops multiple “user manuals” in different languages:\r\nBulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese\r\nThe example of a “user manual” in English:\r\nWhat Happened to My Computer?\r\nYour important files are encrypted.\r\nMany of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.\r\nCan I Recover My Files?\r\nSure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.\r\nYou can decrypt some of your files for free. Try now by clicking .\r\nBut if you want to decrypt all your files, you need to pay.\r\nYou only have 3 days to submit the payment. After that the price will be doubled.\r\nAlso, if you don’t pay in 7 days, you won’t be able to recover your files forever.\r\nWe will have free events for users who are so poor that they couldn’t pay in 6 months.\r\nHow Do I Pay?\r\nPayment is accepted in Bitcoin only. For more information, click .\r\nPlease check the current price of Bitcoin and buy some bitcoins. For more information, click .\r\nAnd send the correct amount to the address specified in this window.\r\nAfter your payment, click . Best time to check: 9:00am – 11:00am GMT from Monday to Friday.\r\nOnce the payment is checked, you can start decrypting your files immediately.\r\nContact\r\nIf you need our assistance, send a message by clicking .\r\nWe strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!\r\nIt also drops batch and VBS script files, and a “readme” (contents are provided in the appendix).\r\nJust in case the user closed the bright red dialog box, or doesn’t understand it, the attackers drop a text file to disk with further instructions. An example of their “readme”, dropped to disk as “@Please_Read_Me@.txt” in many directories on the victim host, follows. Note that the English here is written well, with the exception of “How can I trust?”. To date, only two transactions appear to have been made to this 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn bitcoin address, for almost $300:\r\nQ: What's wrong with my files?\r\nA: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.\r\nIf you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!\r\nLet’s start decrypting!\r\nQ: What do I do?\r\nA: First, you need to pay service fees for the decryption.\r\nPlease send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn\r\nNext, please find an application file named “@WanaDecryptor@.exe”. It is the decrypt software.\r\nRun and follow the instructions! (You may need to disable your antivirus for a while.)\r\nQ: How can I trust?\r\nA: Don’t worry about decryption.\r\nWe will decrypt your files surely because nobody will trust us if we cheat users.\r\n* If you need our assistance, send a message by clicking on the decryptor window.\r\nOnce started, it immediately spawns several processes to change file permissions and communicate with Tor hidden C2 servers:\r\nattrib +h .\r\nicacls . /grant Everyone:F /T /C /Q\r\nC:\\Users\\xxx\\AppData\\Local\\Temp\\taskdl.exe\r\n@WanaDecryptor@.exe fi\r\n300921484251324.bat\r\nC:\\Users\\xxx\\AppData\\Local\\Temp\\taskdl.exe\r\nC:\\Users\\xxx\\AppData\\Local\\Temp\\taskdl.exe\r\nThe malware checks the mutexes “Global\\MsWinZonesCacheCounterMutexA” and “Global\\MsWinZonesCacheCounterMutexA0” (Update: Thanks Didier Stevens for the correction on the extra mutex name!) to determine if a system is already infected. It also runs the command:\r\ncmd.exe /c vssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete \u0026 bcdedit /set {default} bootstatuspolicy ignoreallfailures \u0026 bcdedit /set {default} recoveryenabled no \u0026 wbadmin delete catalog -quiet\r\nThis results in a UAC popup that the user may notice.\r\nUAC popup to disable Volume Shadow Service (System Restore)\r\nThe malware uses Tor hidden services for command and control. The list of .onion domains inside is as follows:\r\ngx7ekbenv2riucmf.onion\r\n57g7spgrzlojinas.onion\r\nXxlvbrloxvriy2c5.onion\r\n76jdd2ir2embyv47.onion\r\ncwwnhwhlz52maqm7.onion\r\nsqjolphimrr7jqw6.onion\r\nMitigation and detection information\r\nQuite essential in stopping these attacks is the Kaspersky System Watcher component. The System Watcher component has the ability to roll back the changes done by ransomware in the event that a malicious sample managed to bypass other defenses. This is extremely useful in case a ransomware sample slips past defenses and attempts to encrypt the data on the disk.\r\nSystem Watcher blocking the WannaCry attacks\r\nMitigation recommendations:\r\n1. Make sure that all hosts are running endpoint security solutions and have them enabled.\r\n2. Install the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack.\r\n3. Ensure that Kaspersky Lab products have the System Watcher component enabled.\r\n4. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure MS17-010 patches are installed.\r\nSamples observed in attacks so far:\r\n4fef5e34143e646dbf9907c4374276f5\r\n5bef35496fcbdbe841c82f4d1ab8b7c2\r\n775a0631fb8229b2aa3d7621427085ad\r\n7bf2b57f2a205768755c07f238fb32cc\r\n7f7ccaa16fb15eb1c7399d422f8363e8\r\n8495400f199ac77853c53b5a3f278f3e\r\n84c82835a5d21bbcf75a61706d8ab549\r\n86721e64ffbd69aa6944b9672bcabb6d\r\n8dd63adb68ef053e044a5a2f46e0d2cd\r\nb0ad5902366f860f85b892867e5b1e87\r\nd6114ba5f10ad67a4131ab72531f02da\r\ndb349b97c37d22f5ea1d1841e3c89eb4\r\ne372d07207b4da75b3434584cd9f3450\r\nf529f4556a5126bba499c26d67892240\r\nKaspersky Lab detection names:\r\nTrojan-Ransom.Win32.Gen.djd\r\nTrojan-Ransom.Win32.Scatter.tr\r\nTrojan-Ransom.Win32.Wanna.b\r\nTrojan-Ransom.Win32.Wanna.c\r\nTrojan-Ransom.Win32.Wanna.d\r\nTrojan-Ransom.Win32.Wanna.f\r\nTrojan-Ransom.Win32.Zapchast.i\r\nPDM:Trojan.Win32.Generic\r\nKaspersky Lab experts are currently working on the possibility of creating a decryption tool to help victims. We will provide an update when a tool is available.\r\nAppendix\r\nBatch file\r\n@echo off\r\necho SET ow = WScript.CreateObject(\"WScript.Shell\")\u003e m.vbs\r\necho SET om = ow.CreateShortcut(\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\@WanaDecryptor@.exe.lnk\")\u003e\u003e m.vbs\r\necho om.TargetPath = \"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\@WanaDecryptor@.exe\"\u003e\u003e m.vbs\r\necho om.Save\u003e\u003e m.vbs\r\ncscript.exe //nologo m.vbs\r\ndel m.vbs\r\ndel /a %0\r\nm.vbs\r\nSET ow = WScript.CreateObject(\"WScript.Shell\")\r\nSET om = ow.CreateShortcut(\"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\@WanaDecryptor@.exe.lnk\")\r\nom.TargetPath = \"C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\@WanaDecryptor@.exe\"\r\nom.Save\r\nSource: https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/"
	],
	"report_names": [
		"wannacry-ransomware-used-in-widespread-attacks-all-over-the-world"
	],
	"threat_actors": [
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434610,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3e74a0d11c6e876f479535687e836219f9d521b.pdf",
		"text": "https://archive.orkl.eu/e3e74a0d11c6e876f479535687e836219f9d521b.txt",
		"img": "https://archive.orkl.eu/e3e74a0d11c6e876f479535687e836219f9d521b.jpg"
	}
}