Figure: Infection distribution throughout different regions.

WannaCry, originally named WanaCrypt and also known as Wana Crypt0r and Wana Decrypt0r, is a ransomware worm for Microsoft Windows that uses two NSA-leaked tools. It has wreaked havoc in airports, banks, universities, hospitals and many other facilities, spreading to some 150 countries worldwide, mainly Russia, Ukraine, the US, and India. The encrypted files cannot be decrypted without the key, as it uses RSA-2048; thus the only ways to retrieve files are from a backup or by paying the Bitcoin equivalent of $300 USD. The required payment increases to the Bitcoin equivalent of $600 USD 72 hours after the initial infection of the PC. 7 days after infection, the malware starts deleting the computer's files.

In late June, an email scam called WannaSpam emerged. Hundreds of computer users reported receiving an email from someone (or several people) claiming to be the developers of WannaCry. The email threatened to destroy the victims' data unless they sent 0.1 BTC to the Bitcoin address of the scammers.



This program can be delivered the same way a trojan is: it is loaded through hyperlinks in emails, Dropbox links, or advertisements. When run, the ransomware quickly encrypts the files on the computer, using the same encryption method instant messaging uses, leaving out only those files used by the system. It can also attack network drives.

From version 2.0 onward, instead of using spam emails, spoofed links or advertisements as a means of transfer, the ransomware behaves like a worm: with the help of remote malicious code, it actively attacks every vulnerable computer on the infected computer's network.

It scans other computers for TCP and UDP ports 139 and 445 (SMB); if a port is found listening and the host is vulnerable to this attack, it downloads itself onto the host and starts executing there.
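The worm-style spread described above leaves a recognisable trace on the network: one internal host opening SMB connections to many different neighbours in a short time. The following detection routine is an added example (not code from the original page) that flags that pattern in a connection log. The log lines are constructed here, in a hypothetical "timestamp src dst dport proto" format; real firewall or NetFlow exports would need their own parser.

```python
from collections import defaultdict
from datetime import datetime

SMB_PORTS = {139, 445}

# Constructed sample connection log (not from the page), one record per line:
# "<ISO timestamp> <src> <dst> <dport> <proto>".
# 10.0.0.7 is an ordinary workstation talking to a single file server and a web
# site; 10.0.0.5 sweeps twenty neighbours on port 445 inside half a minute,
# which is the worm behaviour the text describes.
def _constructed_log():
    lines = []
    for i in range(20):
        lines.append(f"2017-05-12T10:00:{i:02d} 10.0.0.5 10.0.0.{21 + i} 445 TCP")
    for i in range(15):
        lines.append(f"2017-05-12T10:00:{i:02d} 10.0.0.7 10.0.0.2 445 TCP")
        lines.append(f"2017-05-12T10:00:{i:02d} 10.0.0.7 198.51.100.10 443 TCP")
    return lines

SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Split one constructed log record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def find_smb_sweeps(lines, threshold=10, window_seconds=60):
    """Return {src: most distinct SMB targets seen inside any window} for every
    source that reached `threshold` or more distinct hosts on 139/445 within
    `window_seconds`. Repeated connections to the same server do not count,
    so normal file-share traffic is not flagged."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _ = parse_line(line)
        if dport in SMB_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each window starts at evs[i]
        best = 0
        for i, (t0, _) in enumerate(evs):
            targets = {dst for t, dst in evs[i:]
                       if (t - t0).total_seconds() <= window_seconds}
            best = max(best, len(targets))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(find_smb_sweeps(SAMPLE_LOG))
```

The threshold and window are tunable; the design choice that matters is counting distinct destination hosts rather than raw connection volume, which is what separates a sweep from a busy but legitimate file-server client.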


Figure: Exploit used by WannaCry.

This ransomware uses the EternalBlue exploit kit leaked by The Shadow Brokers, which Microsoft patched on March 14. However, many companies and organizations had not installed this patch. Due to the damage the ransomware caused, Microsoft also released a patch for Windows XP, Windows Server 2003, and Windows 8, all of which were no longer supported at the time.

Many antivirus vendors and computer security companies have also created programs to "immunize" against the NSA hacking tools.

On May 14, Darien Huss, a British network engineer, found that the ransomware looks up an unregistered domain made of nonsense letters and numbers. If the website is found, the ransomware stops spreading. Darien shared the "kill switch" with a man known online as MalwareTech, and they bought the domain to stop the ransomware. This significantly slowed the spread of WannaCry. Eventually, the developer updated the ransomware to remove this "kill switch".

Figure: Properties of malware files used by WannaCry.

Decryption tool released

Adrien Guinet, a French security researcher from Quarkslab, found that the ransomware did not remove the prime numbers from memory after encrypting the files, meaning that these numbers can be used to regenerate the public/private key pair.

Before generating a pair of RSA encryption keys, the system needs to choose two prime numbers. After the keys have been generated, these numbers should be kept secret (or discarded) to prevent other users, such as hackers, from using them to regenerate the private key.

WanaKiwi tries to find the prime numbers left behind by the ransomware and regenerates the private key, so that the user may not need to pay the ransom to decrypt their files. However, there are some limits; if they are not met, the decryption tool may not be able to decrypt the files:

  1. The infected machine must never have been rebooted.
  2. Since the memory holding these prime numbers is no longer allocated, it could be erased or overwritten by other processes, so the decryption tool should be started as early as possible in order to find the numbers.

However, in most cases the system has already been rebooted, and the decryptor can no longer help.
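To make the recovery idea concrete, here is an added example (my own illustration, not WanaKiwi's code or the ransomware's) of what "the primes are still in memory" buys a defender. It builds a deliberately tiny RSA key from two 32-bit primes in place of the real 2048-bit key, constructs a fake process memory dump with those primes left behind, then recovers the private exponent using nothing but the public modulus and the dump. The second scenario, a dump in which the primes have been overwritten, shows the failure mode described in the limits above. All values (the primes, the seed, the "secret" being protected) are constructed for the demo.

```python
import random
from math import gcd

E = 65537          # standard RSA public exponent
PRIME_BYTES = 4    # width of each demo prime; a real RSA-2048 prime is 128 bytes


def is_prime(n):
    """Trial division; adequate for the 32-bit demo primes, not for real keys."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def make_demo_key():
    """Tiny stand-in for the ransomware's RSA key (hypothetical, constructed primes)."""
    p = next_prime(2**31 + 11)
    q = next_prime(2**31 + 5000)
    while gcd(E, (p - 1) * (q - 1)) != 1:   # e must be invertible modulo phi(n)
        q = next_prime(q + 1)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return p, q, n, d


def build_dump(p, q, primes_present=True, seed=7):
    """Constructed fake process memory: random filler with p and q left behind
    as little-endian integers, the way freed key-generation scratch data can
    survive in a still-running process."""
    rng = random.Random(seed)
    filler = lambda k: bytes(rng.getrandbits(8) for _ in range(k))
    if not primes_present:   # pages reused after a reboot or by another process
        return filler(512)
    return (filler(200) + p.to_bytes(PRIME_BYTES, "little")
            + filler(100) + q.to_bytes(PRIME_BYTES, "little") + filler(200))


def find_factor_in_memory(n, dump, width=PRIME_BYTES):
    """Slide a window over the dump; any window value that divides n must be p or q."""
    for off in range(len(dump) - width + 1):
        cand = int.from_bytes(dump[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def recover_private_exponent(n, dump):
    """Rebuild d from the public modulus plus one prime found in memory."""
    p = find_factor_in_memory(n, dump)
    if p is None:
        return None
    q = n // p
    return pow(E, -1, (p - 1) * (q - 1))


def demo(primes_present=True):
    """Encrypt a stand-in for a per-file key with the public key, then try to
    decrypt it using only n and the memory dump. Returns the plaintext or None."""
    p, q, n, d = make_demo_key()
    secret = 0x1234567890AB              # stands in for the key material RSA protects
    ciphertext = pow(secret, E, n)
    d_rec = recover_private_exponent(n, build_dump(p, q, primes_present))
    if d_rec is None:
        return None
    assert d_rec == d                    # the regenerated key is the original one
    return pow(ciphertext, d_rec, n)


if __name__ == "__main__":
    print(hex(demo(True)), demo(False))
```

The scan relies on a property that makes false positives impossible: n has exactly two non-trivial divisors, so any window that divides n is one of the primes. With real 1024-bit primes the window is 128 bytes and the divisibility test is a big-integer modulus, but the logic is the same; what cannot be fixed by code is the second case, where the pages have been reused and no such window exists.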

Videos

  • What is WanaCrypt0r 2.0 -WannaCry Ransomware-?
  • WannaCry Virus- Just The Beginning! What's Next?
  • WannaCrypt Map
  • WannaCry Ransomware in Action - NSA Exploit based (video by The PC Security Channel)
  • Killing WannaCry Ransomware - Explained in depth

Other Languages

Figure: The ransom note in Chinese.

WannaCry provides translations for these languages:
  • Bulgarian
  • Chinese (Simplified)
  • Chinese (Traditional)
  • Croatian
  • Czech
  • Danish
  • Dutch
  • English
  • Filipino
  • Finnish
  • French
  • German
  • Greek
  • Indonesian
  • Italian
  • Japanese
  • Korean
  • Latvian
  • Norwegian
  • Polish
  • Portuguese
  • Romanian
  • Russian
  • Slovak
  • Spanish
  • Swedish
  • Turkish
  • Vietnamese

Affected Organizations (according to Wikipedia)

  • São Paulo Court of Justice (Brazil)
  • Aristotle University of Thessaloniki (Greece)
  • Vivo (Telefônica Brasil) (Brazil)
  • Lakeridge Health (Canada)
  • PetroChina (China)
  • Public Security Bureaus (China)
  • Sun Yat-sen University (China)
  • Instituto Nacional de Salud (Colombia)
  • Renault (France)
  • Deutsche Bahn (Germany)
  • Telenor Hungary (Hungary)
  • Andhra Pradesh Police (India)
  • Dharmais Hospital (Indonesia)
  • Harapan Kita Hospital (Indonesia)
  • University of Milano-Bicocca (Italy)
  • Q-Park (Netherlands)
  • Portugal Telecom (Portugal)
  • Automobile Dacia (Romania)
  • Ministry of Foreign Affairs (Romania)
  • MegaFon (Russia)
  • Ministry of Internal Affairs (Russia)
  • Russian Railways (Russia)
  • Banco Bilbao Vizcaya Argentaria (Spain)
  • Telefónica (Spain)
  • Sandvik (Sweden)
  • Garena Blade and Soul (Thailand)
  • National Health Service (United Kingdom)
  • Nissan UK (United Kingdom)
  • FedEx (United States)
  • STC (Saudi Arabia)
  • Boeing (United States)
  • Cambrian College (Canada)
  • Chinese public security bureau (China)
  • CJ CGV (South Korea)
  • Dalian Maritime University (China)
  • Faculty Hospital (Slovakia)
  • Guilin University Of Aerospace Technology (China)
  • Guilin University Of Electronic Technology (China)
  • Hezhou University (China)
  • Hitachi (Japan)
  • Honda (Japan)
  • LATAM Airlines Group (Chile)
  • NHS Scotland (Scotland)
  • O2 (Germany)
  • Petrobrás (Brazil)
  • Pulse FM (Australia)
  • Sberbank (Russia)
  • Shandong University (China)
  • Government of Gujarat (India)
  • Government of Kerala (India)
  • Government of Maharashtra (India)
  • Government of West Bengal (India)
  • Suzhou Vehicle Administration (China)
  • Telkom (South Africa)
  • Timrå Municipality (Sweden)
  • TSMC (Taiwan)
  • Universitas Jember (Indonesia)
  • University of Montreal (Canada)

Figure: Timeline of key events relating to the WannaCry ransomware, made by Symantec.


Including the very first version, there are 5 known versions:

  • Version 1.0 - April 25, 2017
  • Version 2.0 - May 13, 2017
  • Version 2.1 - May 14, 2017
  • Version 2.2 - May 15, 2017
  • Version 3.0 - June 12, 2017


