WanaCrypt0r 2.0 (WannaCry)

WanaCrypt0r 2.0 or WannaCry is a ransomware that spreads globally on May 2017, causing a lot of damage to several companies.


WanaCrypt0r 2.0 ransomware may spread via torrent websites, fake updates or other fake setups and executables uploaded on shady hots. The virus’s primary method of spreading may be via convincingly created e-mails. Such e-mails aim to get victims to click on a malicious e-mail attachment and hence become infected with the .WNCRY file virus.

The attachments may usually be .js, .exe or other type of executable files, but in some situations they are also related with malicious macros. These malicious macros may be activated once the user enables the content on a document.

The first infections of Wana Decrypt0r 2.0 have been in Germany, Russia, Taiwan, Turkey, Kazakhstan, Indonesia, Vietnam, Japan, Spain, Ukraine and the Philippines. But the countries number may rise very rapidly soon, since this pattern shows global distribution campaign.


The main activity of the Wana Decrypt0r 2.0 ransomware virus after infection is to drop an embedded file into the folder where the infection file is located. The file is a password protected .zip, named wcry.zip. It has the following contents:


The Wana Decrypt0r 2.0 ransomware’s infection file will then extract those zipped files into a folder and begin to connect to the download web page of the TOR web browser. From there, the .Wana Decrypt0r 2.0 virus may connect to multiple command and control servers:


Then, Wana Decrypt0r 2.0 prepares for encrypting vital victim files. To do this, it runs an administrative command in Windows in order to obtain Administrator functions:
icacls . /grant Everyone:F /T /C /Q

Then, the Wana Decrypt0r 2.0 virus shuts down the following Windows System processes from the Task Manager:


The payload may consist of multiple different types of files. Some of those files may modify the Windows Registry Editor and target the following sub-keys:

HKCU\Control Panel\Desktop\Wallpaper

In those keys, custom value strings with data in them may be input so that it is possible for the ransomware to run on system startup and begin encrypting files on boot.

In addition to the activity of WanaCrypt0r .WNCRY infection may be to delete the shadow volume copies and eradicate all chances of reverting your files via backup on the infected computer. This is done by executing the following administrative Windows commands:

vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set boostatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

In addition to this activity, WannaCry .WNCRY virus also drops a program, named @WanaDecryptor@.exe that has an actual timer with advanced instructions on how to pay the ransom. This program is called “Wana Decrypt0r 2.0” and it’s message looks like the following:

After the timer on this program runs out the cost of the ransom payoff may double, according to the scareware messages and the previous version, also using this software.

Another action the program makes is that it also changes the wallpaper on the victim’s computer with the following message:

Ooops, your important files are encrypted.
If you see this text, but don’t see the ”Wana Decrypt0r” window,
then your antivirus removed the decrypt software or you deleted it from your computer.
If you need your files you have to run the decrypt software.
Please find an application file named “@WanaDecryptor@.exe” in any folder or restore from the antivirus quarantine.
Run and follow the instructions!

Encryption Process

Two encryption algorithms may be used for this specific ransomware infection. One of those is known as AES (Advanced Encryption Standard) and may be used in 128-bit of strength. It is one of the strongest ciphers and cannot be decrypted unless the criminals make a mistake in the encryption code. It may generate a symmetric key, called FEK key after encryption. This key may be the only method to decrypt the files because with it the process can be reversed.

In addition to this, another cipher known as Rivers-Shamir-Adleman or RSA is also used in combination with the AES cipher in order to generate unique public and private keys for each of the files. This makes the decryption of each file separate and very difficult and unique process.

For the encryption process, the .WNCRY virus targets files that are widely used. These files are usually the following:

.ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .class, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mkv, .flv, .wma, .mid, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .hwp, .snt, .onetoc2, .dwg, .pdf, .wks, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .msg, .ost, .pst, .potm, .potx .eml, .der, .pfx, .key, .crt, .csr, .pem, .odt, .ott, .sxw, .stw, .uot, .max, .ods, .ots, .sxc, .stc, .dif, .slk, .asp, .java, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc, .jar,

After the encryption is done, the .WNCRY virus may send the decryption key to the cyber-criminals so that they can create a custom decrypter for the victim which will be sent back to him once the ransom is paid. Paying the ransom, however is highly inadvisable.

Here's a video about WannaCry Ransomware :


Next Post »