S0366 WannaCry

WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.[4][5][3][1]

| Item | Value |
|---|---|
| ID | S0366 |
| Associated Names | WanaCry, WanaCrypt, WanaCrypt0r, WCry |
| Type | MALWARE |
| Version | 1.1 |
| Created | 25 March 2019 |
| Last Modified | 08 March 2023 |

Associated Software Descriptions

| Name | Description |
|---|---|
| WanaCry | [2] |
| WanaCrypt | [2] |
| WanaCrypt0r | [4] |
| WCry | [4][2] |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | WannaCry creates the service `mssecsvc2.0` with the display name "Microsoft Security Center (2.0) Service."[4][1] |
| enterprise | T1486 | Data Encrypted for Impact | WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.[4][1][2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.[2] |
| enterprise | T1210 | Exploitation of Remote Services | WannaCry uses an exploit in SMBv1 to spread itself to other remote systems on a network.[4][1][5] |
| enterprise | T1083 | File and Directory Discovery | WannaCry searches for a variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.[4][1] |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.001 | Windows File and Directory Permissions Modification | WannaCry uses `attrib +h` and `icacls . /grant Everyone:F /T /C /Q` to make some of its files hidden and grant all users full access controls.[4] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | WannaCry uses `attrib +h` to make some of its files hidden.[4] |
| enterprise | T1490 | Inhibit System Recovery | WannaCry uses `vssadmin`, `wbadmin`, `bcdedit`, and `wmic` to delete and disable operating system recovery features.[4][1][2] |
| enterprise | T1570 | Lateral Tool Transfer | WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit.[4] |
| enterprise | T1120 | Peripheral Device Discovery | WannaCry contains a thread that will attempt to scan for newly attached drives every few seconds. If one is identified, it will encrypt the files on the attached device.[1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | WannaCry uses Tor for command and control traffic.[2] |
| enterprise | T1563 | Remote Service Session Hijacking | - |
| enterprise | T1563.002 | RDP Hijacking | WannaCry enumerates current remote desktop sessions and tries to execute the malware in each session.[4] |
| enterprise | T1018 | Remote System Discovery | WannaCry scans its local network segment for remote systems to try to exploit and copy itself to.[2] |
| enterprise | T1489 | Service Stop | WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores.[1][2] |
| enterprise | T1016 | System Network Configuration Discovery | WannaCry will attempt to determine the local network segment it is a part of.[2] |
| enterprise | T1047 | Windows Management Instrumentation | WannaCry utilizes `wmic` to delete shadow copies.[4][1][2] |
| ics | T0866 | Exploitation of Remote Services | WannaCry initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks.[6] |
| ics | T0867 | Lateral Tool Transfer | WannaCry can move laterally through industrial networks by means of the SMB service.[6] |
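The behaviours in the table above that leave the clearest host telemetry are the recovery-inhibition commands (T1490, T1047), the permission and attribute changes (T1222.001, T1564.001) and the `mssecsvc2.0` service (T1543.003). The following is an added detection example, not code from the ATT&CK page or from MITRE: it parses constructed process-creation events (the `host=... image="..." cmd="..."` layout is an assumption, not a real log format), applies one regex rule per technique, and rolls the hits up per host. The strongest signal is several distinct T1490 commands on one host in quick succession, which is the sequence the entry describes.

```python
"""Added example (not from the ATT&CK page): match process-creation events
against the WannaCry behaviours listed under T1490, T1222.001, T1564.001 and
T1543.003, then summarise hits per host. Log lines and field layout are
constructed for this example; the regexes are assumptions to be tuned to
real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    technique: str
    reason: str
    command_line: str


# One rule per behaviour: (ATT&CK technique id, reason shown to the analyst,
# pattern applied to the command line). Patterns are assumptions about how the
# tools named on the page appear in a command line, not MITRE-supplied logic.
RULES = [
    ("T1490", "vssadmin deleting shadow copies",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1490", "wmic deleting shadow copies",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490", "wbadmin deleting the backup catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("T1490", "bcdedit disabling Windows recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I)),
    ("T1222.001", "icacls granting Everyone full control recursively",
     re.compile(r"\bicacls(\.exe)?\b.*/grant\s+Everyone:F\b", re.I)),
    ("T1564.001", "attrib setting the hidden attribute",
     re.compile(r"\battrib(\.exe)?\b.*\+h\b", re.I)),
    ("T1543.003", "service name used by WannaCry",
     re.compile(r"\bmssecsvc2\.0\b", re.I)),
]

# Constructed sample events (not real telemetry). WS01 shows the full
# sequence; WS02 shows benign use of the same tools that must not fire.
SAMPLE_LOG = r'''
2017-05-12T10:01:02Z host=WS01 pid=412 image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin delete shadows /all /quiet"
2017-05-12T10:01:03Z host=WS01 pid=418 image="C:\Windows\System32\wbem\WMIC.exe" cmd="wmic shadowcopy delete"
2017-05-12T10:01:04Z host=WS01 pid=420 image="C:\Windows\System32\bcdedit.exe" cmd="bcdedit /set {default} recoveryenabled no"
2017-05-12T10:01:05Z host=WS01 pid=425 image="C:\Windows\System32\wbadmin.exe" cmd="wbadmin delete catalog -quiet"
2017-05-12T10:01:06Z host=WS01 pid=430 image="C:\Windows\System32\icacls.exe" cmd="icacls . /grant Everyone:F /T /C /Q"
2017-05-12T10:01:07Z host=WS01 pid=433 image="C:\Windows\System32\attrib.exe" cmd="attrib +h ."
2017-05-12T10:01:08Z host=WS01 pid=440 image="C:\Windows\System32\sc.exe" cmd="sc create mssecsvc2.0 binPath= C:\example\svc.exe"
2017-05-12T10:05:00Z host=WS02 pid=900 image="C:\Windows\System32\vssadmin.exe" cmd="vssadmin list shadows"
2017-05-12T10:06:00Z host=WS02 pid=905 image="C:\Windows\explorer.exe" cmd="explorer.exe"
'''

LOG_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) '
                    r'image="(?P<image>[^"]*)" cmd="(?P<cmd>[^"]*)"$')


def parse_line(line):
    """Return the event fields as a dict, or None when the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Apply every rule to every parsable event; one Finding per (event, rule) hit."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for technique, reason, pattern in RULES:
            if pattern.search(ev["cmd"]):
                findings.append(Finding(ev["host"], technique, reason, ev["cmd"]))
    return findings


def summarize(findings):
    """Per host: the distinct techniques observed and the number of T1490 hits."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f.host, {"techniques": set(), "t1490_hits": 0})
        entry["techniques"].add(f.technique)
        if f.technique == "T1490":
            entry["t1490_hits"] += 1
    return {h: {"techniques": sorted(v["techniques"]), "t1490_hits": v["t1490_hits"]}
            for h, v in summary.items()}


def hosts_with_recovery_inhibition(findings, min_t1490_hits=2):
    """Hosts on which at least min_t1490_hits different T1490 commands fired.
    A single shadow-copy command has benign admin uses; several together do not."""
    return sorted(h for h, v in summarize(findings).items()
                  if v["t1490_hits"] >= min_t1490_hits)


if __name__ == "__main__":
    findings = scan(SAMPLE_LOG.strip().splitlines())
    for f in findings:
        print(f"{f.host} {f.technique:10} {f.reason}: {f.command_line}")
    print("hosts to triage:", hosts_with_recovery_inhibition(findings))
```

The `vssadmin list shadows` event on WS02 is deliberately left unmatched: the rules key on the destructive verbs (`delete`, `recoveryenabled no`) rather than on the tool names alone, which keeps routine backup administration out of the alert queue while still catching the page's sequence of four distinct T1490 commands on WS01.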
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0032 | Lazarus Group | [7][4][1][2] |
References

1. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
2. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.
3. Dwoskin, E. and Adam, K. (2017, May 14). More than 150 countries affected by massive cyberattack, Europol says. Retrieved March 25, 2019.
4. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
5. US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019.
6. Slowik, J. (2019, April 10). Implications of IT Ransomware for ICS Environments. Retrieved October 27, 2019.
7. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.