{
	"id": "8b8fc39e-0966-4780-88b0-9170839ea29e",
	"created_at": "2026-04-06T00:16:02.329374Z",
	"updated_at": "2026-04-10T03:26:53.297233Z",
	"deleted_at": null,
	"sha1_hash": "f95d8c988a35df120356f92780f4596bd58081a7",
	"title": "Global WannaCry ransomware outbreak uses known NSA exploits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 645267,
	"plain_text": "Global WannaCry ransomware outbreak uses known NSA exploits\r\nBy Senan Conrad\r\nPublished: 2017-05-12 · Archived: 2026-04-05 18:50:58 UTC\r\nFollowing the emergence of the Jaff ransomware attack campaign earlier this week, another, even bigger outbreak\r\nis making headlines. The culprit? A new ransomware family called WannaCry or WCry.\r\nSpotted earlier today, WCry caught the attention of the team because it is being spread via the recently exposed NSA\r\nexploits leaked by the Shadow Brokers. WCry took many businesses and public institutions by surprise, including telco giant\r\nTelefonica in Spain and the National Health Service in the United Kingdom, and has already infected tens of\r\nthousands of systems across the globe.\r\nSecurity researcher MalwareTech created a map of overall infections and a real-time map of infections to visualise\r\nthe number of WCry infections, which has surpassed the 350,000 infection mark across more than 100 countries\r\nworldwide.\r\nMeet WannaCry Ransomware\r\nThe WCry ransomware, also referred to as WNCry, WannaCry, WanaCrypt0r or Wana Decrypt0r, was originally\r\nspotted in campaigns in early February 2017, with more campaigns following in March. But it wasn’t until now\r\nthat a global attack had been registered.\r\nIt is written in C++, and no attempt has been made to hide the majority of the code. Like most\r\nransomware families, WCry renames the files it encrypts, adding the .WNCRY extension.\r\nWhen infecting a system, it presents a ransom screen asking for a payment of $300 worth of bitcoins:\r\nhttp://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/\r\nPage 1 of 7\r\nUnlike most ransomware campaigns, which usually target specific regions, WCry is targeting systems around the\r\nglobe. So it comes as no surprise that the ransomware authors provide localised ransom messages in more\r\nthan 20 languages:\r\nBulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English,\r\nFilipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian,\r\nPolish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese\r\nHow do you get infected with WCry ransomware?\r\nAt the moment, WCry is primarily spreading via the leaked NSA exploits that the Shadow Brokers group released\r\nrecently. More specifically, French researcher Kafeine was the first to suspect that WCry was being spread via the\r\nETERNALBLUE exploit.\r\nETERNALBLUE exploits a vulnerability in the Microsoft SMBv1 protocol, allowing an attacker to take control\r\nof systems which:\r\nhave the SMBv1 protocol enabled,\r\nare accessible from the internet, and\r\nhave not been patched with the MS17-010 fix released back in March 2017.\r\nIn addition, it appears that the malware authors are also taking advantage of DOUBLESPEAR, a backdoor that is\r\nusually installed via the ETERNALBLUE exploit and persists on the system. So if your system was\r\ncompromised by ETERNALBLUE previously, chances are it is still vulnerable, even if the initial\r\nSMBv1 vulnerability has since been patched.\r\nThe ransomware executable itself is best described as a dropper that carries all the ransomware\r\ncomponents in the form of a password-protected ZIP archive embedded in its file. When run, it starts unpacking these\r\ncomponents into the directory it was executed from, using the hardcoded password “WNcry@2ol7”. Closer inspection\r\nof the ZIP archive reveals the following files:\r\nb.wnry – Ransom desktop wallpaper\r\nc.wnry – Configuration file containing C2 server addresses, Bitcoin wallet etc.\r\nr.wnry – Ransom note\r\ns.wnry – ZIP archive containing the TOR client\r\nt.wnry – The encryption component of the ransomware, encrypted using a WanaCry-specific format; it can be\r\ndecrypted using the private key embedded inside the ransomware executable.\r\nu.wnry – Decrypter executable\r\nTaskdl.exe – Deletes all temporary files created during encryption (.WNCRYT)\r\nTaskse.exe – Runs a given program in all user sessions\r\nmsg* – Language files (currently 28 different languages)\r\nIn addition, the ransomware creates a couple of additional files during its execution:\r\n00000000.eky – Encryption key for the t.wnry file, which stores the actual file encryption component used\r\nby the ransomware. It is encrypted using the public key that belongs to the private key embedded inside the\r\nransomware.\r\n00000000.pky – Public key used by the ransomware to encrypt the generated AES keys that are used to\r\nencrypt the user’s files\r\n00000000.res – Command \u0026 Control Server (C2) communication results\r\nA list of all changes made by the ransomware to an infected system can be found in the “Indicators of\r\nCompromise” section below.\r\nWCry key generation and encryption\r\nWCry ransomware uses a combination of RSA and AES-128-CBC to encrypt the victim’s data. To facilitate this\r\nprocess, it uses the Windows CryptoAPI for RSA, but a custom implementation for the AES encryption.\r\nInterestingly, the encryption routine is stored in a separate component within the t.wnry file, and is itself encrypted\r\nusing the same method the ransomware uses to encrypt user files. This was likely done to make malware\r\nanalysis more difficult. The module is loaded into memory using a custom loader and executed from there,\r\nwithout ever being written to the victim’s disk unencrypted.\r\nWhen WCry arrives on a system, it first imports a hardcoded private RSA key that is used to decrypt the file\r\nencryption component stored within “t.wnry”. Once done, the ransomware generates a new private RSA key.\r\nThat RSA key is then submitted to the malware’s command and control server, and a copy of the generated public\r\nkey is stored on the system.\r\nThe ransomware then searches all available drives and network shares for files with one of the following\r\nextensions:\r\n.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif,\r\n.slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql,\r\n.accdb, .mdb, .db, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cs, .cpp, .pas, .asm, .js, .cmd,\r\n.bat, .ps1, .vbs, .vb, .pl, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .rb, .java, .jar, .class, .sh, .mp3, .wav, .swf,\r\n.fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u,\r\n.djvu, .svg, .ai, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar,\r\n.7z, .gz, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602,\r\n.hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst,\r\n.potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb,\r\n.xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc, .c, .h\r\nOnce done, the malware generates a new 128-bit AES key for every file it found. Each AES key is encrypted using the\r\npublic RSA key generated earlier, and the RSA-encrypted AES key is stored within the header of the encrypted\r\nfile, together with the file marker “WANACRY!”. The AES key is then used to encrypt the file’s content.\r\nUnfortunately, after evaluating the way WCry performs its encryption, there is no way to restore encrypted files\r\nwithout access to the private key generated by the ransomware. So it’s not likely that a free WCry ransomware\r\ndecrypter will be available for victims.\r\nHow can I protect myself from WannaCry?\r\nAs an emergency measure, make sure to have the latest security updates installed on your Windows computers and\r\nservers. Given the scale of the attack, Microsoft even took the unusual step of releasing security patches for\r\n“unsupported systems” such as Windows XP and Windows Server 2003.\r\nAs explained in our ransomware article, the best protection still remains a reliable and proven backup strategy,\r\nespecially since the encryption used by WCry ransomware is secure. The only way to get the data back is through\r\nthe help of the ransomware author or via restoring from backups. Making sure to install critical Windows updates\r\nis also a very important step in protecting a system, as WCry currently only seems to be spreading via the SMBv1 exploit,\r\nwhich has been patched for 2 months already.\r\nApart from regular backups, you will be glad to hear that the Behavior Blocker technology used by Emsisoft Anti-Malware has proven to be the next best defense, as it caught the ransomware before the file could execute and\r\nthus once again kept our users protected from this and hundreds of other ransomware families without the need\r\nfor signatures.\r\nEmsisoft Anti-Malware users are protected from WannaCry ransomware by our Behavior Blocker.\r\nWe consider ransomware one of the biggest threats of the past year and plan to do our best to continue our\r\nexcellent track record in the next year, to keep our users as protected as possible.\r\nIndicators of Compromise\r\nRegistry:\r\nHKLM\\SOFTWARE\\WanaCrypt0r\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\u003crandom\u003e: “\"\u003cransomware directory\u003e\\tasksche.exe\"”\r\nHKLM\\SOFTWARE\\WanaCrypt0r\\wd: “\u003cransomware directory\u003e”\r\nHKU\\S-1-5-21-677641349-3533616285-3951951702-1000\\Control Panel\\Desktop\\Wallpaper:\r\n“%APPDATA%\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg”\r\nHKU\\S-1-5-21-677641349-3533616285-3951951702-1000\\Control Panel\\Desktop\\Wallpaper: “\u003cransomware directory\u003e\\@WanaDecryptor@.bmp”\r\nFile system:\r\n@Please_Read_Me@.txt – Placed inside every folder that contains encrypted files\r\n@WanaDecryptor@.exe.lnk – Placed inside every folder that contains encrypted files\r\n%DESKTOP%\\@WanaDecryptor@.bmp\r\n%DESKTOP%\\@WanaDecryptor@.exe\r\n%APPDATA%\\tor\\cached-certs\r\n%APPDATA%\\tor\\cached-microdesc-consensus\r\n%APPDATA%\\tor\\cached-microdescs.new\r\n%APPDATA%\\tor\\lock\r\n%APPDATA%\\tor\\state\r\n\u003cransomware directory\u003e\\0000000.eky\r\n\u003cransomware directory\u003e\\0000000.pky\r\n\u003cransomware directory\u003e\\0000000.res\r\n\u003cransomware directory\u003e\\@WanaDecryptor@.bmp\r\n\u003cransomware directory\u003e\\@WanaDecryptor@.exe\r\n\u003cransomware directory\u003e\\b.wnry\r\n\u003cransomware directory\u003e\\c.wnry\r\n\u003cransomware directory\u003e\\f.wnry\r\n\u003cransomware directory\u003e\\msg\\m_bulgarian.wnry\r\n\u003cransomware directory\u003e\\msg\\m_chinese (simplified).wnry\r\n\u003cransomware directory\u003e\\msg\\m_chinese (traditional).wnry\r\n\u003cransomware directory\u003e\\msg\\m_croatian.wnry\r\n\u003cransomware directory\u003e\\msg\\m_czech.wnry\r\n\u003cransomware directory\u003e\\msg\\m_danish.wnry\r\n\u003cransomware directory\u003e\\msg\\m_dutch.wnry\r\n\u003cransomware directory\u003e\\msg\\m_english.wnry\r\n\u003cransomware directory\u003e\\msg\\m_filipino.wnry\r\n\u003cransomware directory\u003e\\msg\\m_finnish.wnry\r\n\u003cransomware directory\u003e\\msg\\m_french.wnry\r\n\u003cransomware directory\u003e\\msg\\m_german.wnry\r\n\u003cransomware directory\u003e\\msg\\m_greek.wnry\r\n\u003cransomware directory\u003e\\msg\\m_indonesian.wnry\r\n\u003cransomware directory\u003e\\msg\\m_italian.wnry\r\n\u003cransomware directory\u003e\\msg\\m_japanese.wnry\r\n\u003cransomware directory\u003e\\msg\\m_korean.wnry\r\n\u003cransomware directory\u003e\\msg\\m_latvian.wnry\r\n\u003cransomware directory\u003e\\msg\\m_norwegian.wnry\r\n\u003cransomware directory\u003e\\msg\\m_polish.wnry\r\n\u003cransomware directory\u003e\\msg\\m_portuguese.wnry\r\n\u003cransomware directory\u003e\\msg\\m_romanian.wnry\r\n\u003cransomware directory\u003e\\msg\\m_russian.wnry\r\n\u003cransomware directory\u003e\\msg\\m_slovak.wnry\r\n\u003cransomware directory\u003e\\msg\\m_spanish.wnry\r\n\u003cransomware directory\u003e\\msg\\m_swedish.wnry\r\n\u003cransomware directory\u003e\\msg\\m_turkish.wnry\r\n\u003cransomware directory\u003e\\msg\\m_vietnamese.wnry\r\n\u003cransomware directory\u003e\\r.wnry\r\n\u003cransomware directory\u003e\\s.wnry\r\n\u003cransomware directory\u003e\\t.wnry\r\n\u003cransomware directory\u003e\\TaskData\\Tor\\libeay32.dll\r\n\u003cransomware directory\u003e\\TaskData\\Tor\\libevent-2-0-5.dll\r\n\u003cransomware directory\u003e\\TaskData\\Tor\\libevent_core-2-0-5.dll\r\n\u003cransomware directory\u003e\\TaskData\\Tor\\libevent_extra-2-0-5.dll\r\n\u003cransomware directory\u003e\\TaskData\\Tor\\libgcc_s_sjlj-1.dll\r\n\u003cransomware directory\u003e\\TaskData\\Tor\\libssp-0.dll\r\n\u003cransomware directory\u003e\\TaskData\\Tor\\ssleay32.dll\r\n\u003cransomware directory\u003e\\TaskData\\Tor\\taskhsvc.exe\r\n\u003cransomware directory\u003e\\TaskData\\Tor\\tor.exe\r\n\u003cransomware directory\u003e\\TaskData\\Tor\\zlib1.dll\r\n\u003cransomware directory\u003e\\taskdl.exe\r\n\u003cransomware directory\u003e\\taskse.exe\r\n\u003cransomware directory\u003e\\u.wnry\r\nC:\\@WanaDecryptor@.exe\r\nSource: http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/"
	],
	"report_names": [
		"wcry-ransomware-outbreak"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434562,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f95d8c988a35df120356f92780f4596bd58081a7.pdf",
		"text": "https://archive.orkl.eu/f95d8c988a35df120356f92780f4596bd58081a7.txt",
		"img": "https://archive.orkl.eu/f95d8c988a35df120356f92780f4596bd58081a7.jpg"
	}
}