Wannacry, also known as WanaCrypt0r 2.0, is a ransomware software package. In May 2017, a large-scale infection started affecting Telefonica and several other large companies in Spain, as well as parts of the British National Health Service. Many other countries were attacked by WanaCrypt0r 2.0, with targets in at least 74 countries reported to have been hit around the same time. Wannacry is believed to use the EternalBlue exploit to attack computers running Microsoft Windows operating systems.
The picture above shows the information that is displayed upon infection by the ransomware.
Wannacry Ransomware spreads itself by exploiting the SMB vulnerability described in the MS17-010 security bulletin. Microsoft released a patch for this critical vulnerability on March 14, 2017.
In order to protect yourself from Wannacry Ransomware, you should do the following:
• Keep all Windows systems updated!
• Make sure the patch mentioned in MS17-010 is applied!
• Consider applying firewall rules to the following ports: 139/445 and 3389!
• Ensure that you are running a Windows version that's maintained by Microsoft - Windows XP is no longer maintained, see here!
• Keep backups of valuable data stored offline!
While the points above will not prevent local/internal infection, they will prevent remote exploitation of the vulnerability from outside your network.
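As an added example (not part of the original page or of the Wannafix tool), the following PowerShell script applies the firewall recommendation above on a single Windows host: it creates inbound block rules for TCP 139, 445 and 3389 and then reports, per port, whether the rule is active and whether anything is still listening. It requires an elevated session on Windows 8 / Server 2012 or later (where the NetSecurity module is available); the rule name prefix and the "block on all profiles" choice are assumptions, so adjust them for domain-joined machines that need SMB from internal file servers.

```powershell
# Added example: block the SMB/NetBIOS and RDP ports the advisory lists and verify the result.
# Assumption: run as Administrator; the rule name below is a constructed label, not from the page.

$Ports    = @(139, 445, 3389)
$RuleName = 'Block-MS17-010-Exposure'

function Add-WannacryBlockRules {
    param([int[]]$Port = $Ports, [string]$Name = $RuleName)
    foreach ($p in $Port) {
        $display = "$Name-TCP-$p"
        # Idempotent: do not create a second copy if the rule already exists
        if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) {
            Write-Output "Rule '$display' already present"
            continue
        }
        New-NetFirewallRule -DisplayName $display `
            -Direction Inbound -Action Block -Protocol TCP -LocalPort $p `
            -Profile Any -Enabled True | Out-Null
        Write-Output "Created inbound block for TCP/$p"
    }
}

function Test-WannacryBlockRules {
    param([int[]]$Port = $Ports, [string]$Name = $RuleName)
    foreach ($p in $Port) {
        $rule      = Get-NetFirewallRule -DisplayName "$Name-TCP-$p" -ErrorAction SilentlyContinue
        $listening = Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port      = $p
            # Blocked means an enabled inbound Block rule for this port exists
            Blocked   = [bool]($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block')
            # A listener behind a block rule is fine; a listener without one is exposure
            Listening = [bool]$listening
        }
    }
}

Add-WannacryBlockRules
Test-WannacryBlockRules | Format-Table -AutoSize
```

The rules only cover the host they are created on; to protect a network segment, the same ports should also be filtered at the perimeter firewall, and the table output is a quick way to confirm on each machine that port 445 is no longer reachable before the MS17-010 patch lands.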
If you have not updated your system yet, consider using Wannafix which will grant you immunity while you apply the patch. This is quicker and will keep you safe, but should not be used as a permanent fix.
Currently, there is no known method of decryption - however, this page will be updated once a decrypter is published.
A map of all the known infections can be found here:
A binary used to create at least one of the infections can be found here.
Note that the above link contains malware and should not be executed unless you know what you are doing.
The ransomware targets files with the following extensions:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
The ransom note is shipped in the following languages (named as the language resources embedded in the ransomware):
m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese
There are currently 3 known BTC addresses hard-coded into the ransomware that are being used to receive payments:
1. 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
However, do note that there is absolutely no proof that you will be able to recover your files if a payment is made.
Multiple sources have strongly advised not to make any payments at this moment in time.
We have released a tool called Wannafix that can be found here.
Wannafix is a tool that allows you to mitigate the threat while you apply the appropriate patch to your computer. For information on the technical aspects of the tool, please see the README, which can be found here.