

AutoWannacryV2 is an encryption ransomware Trojan first observed on August 3rd, 2018. It is named after WannaCry, a high-profile ransomware threat that received considerable attention in the news. The name appears to be only for show, however, since there does not seem to be any connection between the two threats beyond the shared name.

Payload

Transmission

AutoWannacryV2 is commonly delivered to the victim's computer through malicious spam email attachments. These attachments use embedded macro scripts to download and install AutoWannacryV2 onto the victim's computer.

Infection

Once installed, AutoWannacryV2 uses a strong encryption algorithm to encrypt the victim's files, targeting user-generated files, which may include a wide variety of media files, images, documents, databases, and numerous others. Threats like AutoWannacryV2 target files with the extensions listed below:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, 
.boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, 
.qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, 
.djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, 
.pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, 
.key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, 
.7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, 
.dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, 
.lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, 
.kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

AutoWannacryV2 will mark the files it compromises by adding the file extension '.wannacryv2' to the file's name. AutoWannacryV2 delivers various messages to the victims to alert them of the attack and to demand a ransom payment. In the event of an AutoWannacryV2 attack, computer users will see some notifications such as:

Message "Success":
'All your files encrypted! By wannacryV2
Spent time on encryption: 318 seconds'

Message "Enter key to decrypt!":
'WARNING! DONT TRY TO BRUTE!'
[TEXT BOX]
[OK|BUTTON] [Cancel|BUTTON]

Message "Ohh no":
'Invalid key!'
[OK|BUTTON]

Message "Key valid":
'Ok, you get valid key!'
[OK|BUTTON]
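
For incident scoping, the '.wannacryv2' marker described above can be searched for directly to see which folders and original file types were hit and over what time span. The following Python script is an added example, not part of the original page; it assumes the marker is appended to the full original file name, and the names triage and build_sample and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

MARKER = ".wannacryv2"  # extension the page says is added to encrypted files


def triage(root):
    """Summarise files under root that carry the marker extension.

    Assumption: the marker is appended to the full original name
    (report.docx -> report.docx.wannacryv2), so stripping it recovers
    the original extension.
    """
    by_dir, by_ext, mtimes, paths = Counter(), Counter(), [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(MARKER):
                continue
            original = name[: -len(MARKER)]
            by_ext[os.path.splitext(original)[1].lower() or "(none)"] += 1
            by_dir[os.path.relpath(dirpath, root)] += 1
            path = os.path.join(dirpath, name)
            paths.append(path)
            try:
                mtimes.append(os.stat(path).st_mtime)
            except OSError:
                pass  # unreadable entry: counted, but no timestamp
    window = None
    if mtimes:  # first and last modification time, a rough encryption window
        window = tuple(datetime.fromtimestamp(t, timezone.utc)
                       for t in (min(mtimes), max(mtimes)))
    return {"total": len(paths), "by_dir": dict(by_dir),
            "by_ext": dict(by_ext), "window_utc": window, "paths": sorted(paths)}


def build_sample(root):
    """Create a small constructed tree (not real victim data) for a dry run."""
    for rel in ("docs/report.docx.wannacryv2", "docs/budget.xlsx.wannacryv2",
                "docs/notes.txt", "pics/photo.JPG.WANNACRYV2"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

The per-directory and per-extension counts show which shares and file types need restoring from backup, and the modification-time window gives a starting point for correlating with mail and endpoint logs.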