1. Symantec/
  2. Security Response/
  3. Ransom.Wannacry

Ransom.Wannacry

Risk Level 2: Low

Discovered:
May 12, 2017
Updated:
May 24, 2017 1:46:26 PM
Type:
Trojan, Worm
Infection Length:
Varies
Systems Affected:
Windows
Ransom.Wannacry is a worm that spreads by exploiting vulnerabilities in the Windows operating system. Once installed, it encrypts files and demands a payment to decrypt them.

Ransom.Wannacry is a worm that delivers a ransomware payload. It has two primary components. A worm module used for self-propagation and a ransom module used for handling the ransom extortion activities.


Initial infection
At this time, the initial infection vector is unknown. There have been discussions of the threat being initially spread through email but this has not been confirmed.

Given the nature of the infection routine, it is possible that only a small number of targets may have been initially seeded with the worm and then the worm propagation routine continued to expand out the pool of compromised computers.

WannaCry is a threat composed of two main parts, a worm module and a ransomware module. The ransomware module is spread by a companion worm module. The worm module uses the Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0144) and the Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0145) to spread.


Ransom demand amount
  • US$300-$600 paid in bitcoin

Timeline of the WannaCry ransomware attack



Recognizing infections
Computers compromised by Ransom.Wannacry may display a black Windows desktop background image with instructions in red text.



In addition, the ransomware module displays a window with instructions to the user informing them of what has happened and how to pay the ransom.



Users may find that they are unable to open data files, and files may be seen with the following extension at the end of their file names:
  • .WCRY

    Users may also find the following files in a number of folders where files have been encrypted:
    • Please_Read_Me@.txt
    • @WanaDecryptor@.exe.lnk
    • !WannaDecryptor!.exe.lnk
    • !Please Read Me!.txt

      The text file contains a message informing the user of the ransom demand.




      Protection

      Antivirus

      SONAR behavior detection technology

      Advanced machine learning

      Network-based protection

      Mitigation
      Apply patches for the following issues:

      For more information, please see the following resources

      Antivirus Protection Dates

      • Initial Rapid Release version May 12, 2017 revision 006
      • Latest Rapid Release version October 25, 2017 revision 002
      • Initial Daily Certified version May 12, 2017 revision 009
      • Latest Daily Certified version October 25, 2017 revision 006
      • Initial Weekly Certified release date May 17, 2017
      Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
      Writeup By: Symantec Security Response

      Search Threats

      Search by name
      Example: W32.Beagle.AG@mm
      STAR Antimalware Protection Technologies
      2016 Internet Security Threat Report, Volume 21
      • Twitter
      • Facebook
      • LinkedIn
      • Google+
      • YouTube