Skip to content

S0366 WannaCry

WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.4531

Item Value
ID S0366
Associated Names WanaCry, WanaCrypt, WanaCrypt0r, WCry
Type MALWARE
Version 1.1
Created 25 March 2019
Last Modified 08 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
WanaCry 2
WanaCrypt 2
WanaCrypt0r 4
WCry 42

Techniques Used

Domain ID Name Use
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service WannaCry creates the service “mssecsvc2.0” with the display name “Microsoft Security Center (2.0) Service.”41
enterprise T1486 Data Encrypted for Impact WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.412
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.2
enterprise T1210 Exploitation of Remote Services WannaCry uses an exploit in SMBv1 to spread itself to other remote systems on a network.415
enterprise T1083 File and Directory Discovery WannaCry searches for variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.41
enterprise T1222 File and Directory Permissions Modification -
enterprise T1222.001 Windows File and Directory Permissions Modification WannaCry uses attrib +h and icacls . /grant Everyone:F /T /C /Q to make some of its files hidden and grant all users full access controls.4
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories WannaCry uses attrib +h to make some of its files hidden.4
enterprise T1490 Inhibit System Recovery WannaCry uses vssadmin, wbadmin, bcdedit, and wmic to delete and disable operating system recovery features.412
enterprise T1570 Lateral Tool Transfer WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit.4
enterprise T1120 Peripheral Device Discovery WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device.1
enterprise T1090 Proxy -
enterprise T1090.003 Multi-hop Proxy WannaCry uses Tor for command and control traffic.2
enterprise T1563 Remote Service Session Hijacking -
enterprise T1563.002 RDP Hijacking WannaCry enumerates current remote desktop sessions and tries to execute the malware on each session.4
enterprise T1018 Remote System Discovery WannaCry scans its local network segment for remote systems to try to exploit and copy itself to.2
enterprise T1489 Service Stop WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores.12
enterprise T1016 System Network Configuration Discovery WannaCry will attempt to determine the local network segment it is a part of.2
enterprise T1047 Windows Management Instrumentation WannaCry utilizes wmic to delete shadow copies.412
ics T0866 Exploitation of Remote Services WannaCry initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. 6
ics T0867 Lateral Tool Transfer WannaCry can move laterally through industrial networks by means of the SMB service. 6

Groups That Use This Software

ID Name References
G0032 Lazarus Group 7412

References