First posted on 13 May 2017.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/WannaCrypt.

Explanation :


When run, it tries to communicate with the following URL:

  • on port 80

It can create the following file and service:

  • %SystemRoot%\tasksche.exe
  • mssecsvc2.0


Encrypts files

This threat searches for and encrypts files with the following filename extensions:

The ransomware may create the following files:
  • r.wnry
  • s.wnry
  • t.wnry
  • taskdl.exe
  • taskse.exe
  • 00000000.eky
  • 00000000.res
  • 00000000.pky
  • @WanaDecryptor@.exe
  • @Please_Read_Me@.txt
  • m.vbs
  • @WanaDecryptor@.exe.lnk

It appends .WNCRY to the filename of encrypted files. For example:
  • file.docx is renamed to file.docx.WNCRY
  • file.pdf is renamed to file.pdf.WNCRY

SHA1s used in this analysis:
  • 51e4307093f8ca8854359c0ac882ddca427a813c
  • 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
  • bd44d0ab543bf814d93b719c24e90d8dd7111234
  • 87420a2791d18dad3f18be436045280a4cc16fc4
  • e889544aff85ffaf8b0d0da705105dee7c97fe26

Analysis by: Andrea Lelli

Solution :

Adrien Guinet of Quarkslab in Paris released a potential fix on GitHub, which relies on recovering traces of the private key from the infected computer's memory to decrypt the files. There is a caveat: the potential fix may fail if the malware, or other processes, have overwritten the decryption key traces, or if the user rebooted the computer after the infection.

Last update 13 May 2017


