Information

What is Wannacry Ransomware?

Wannacry, also known as WanaCrypt0r 2.0, is a ransomware software package. In May 2017, a large-scale infection started affecting Telefonica and several other large companies in Spain, as well as parts of the British National Health Service. Many other countries were attacked as well: targets in at least 74 countries were reported to have been attacked around the same time. Wannacry is believed to use the EternalBlue exploit to attack computers running Microsoft Windows operating systems.





Above you can find a picture of the information that's displayed upon infection of the ransomware.

How does Wannacry Ransomware spread itself?

Wannacry Ransomware spreads by exploiting an SMB vulnerability described in the summary of Microsoft security bulletin MS17-010. Microsoft released a patch for this critical vulnerability on March 14, 2017.

In order to protect yourself from Wannacry Ransomware, you should do the following:
• Keep all Windows systems updated!
• Make sure the patch mentioned in MS17-010 is applied!
• Consider applying firewall rules to the following ports: 139/445 and 3389!
• Ensure that you are running a Windows version that's maintained by Microsoft - Windows XP is no longer maintained, see here!
• Keep backups of valuable data stored offline!
While the points above will not prevent local/internal infection, they will prevent remote exploitation of the vulnerability.
If you have not updated your system yet, consider using Wannafix, which will grant you immunity while you apply the patch. This is quicker and will keep you safe, but should not be used as a permanent fix.
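
One way to verify the firewall recommendation above is to run a check from a machine outside the network segment you are protecting and confirm that ports 139, 445 and 3389 no longer accept connections. This is an added example, not part of the original page or of Wannafix; the function names and the host list are assumptions.

```python
import socket

# Ports named in the firewall recommendation on this page.
WATCHED_PORTS = {139: "NetBIOS session", 445: "SMB", 3389: "RDP"}


def port_state(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    open     - handshake completed, the service is reachable from here
    closed   - the host answered with a reset, nothing is listening
    filtered - timeout or other network error (dropped by a firewall,
               host unreachable, name not resolvable)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout
        return "filtered"


def audit(hosts, ports=WATCHED_PORTS, timeout=2.0):
    """Map each host to the watched ports that still accept connections."""
    return {
        host: [p for p in sorted(ports) if port_state(host, p, timeout) == "open"]
        for host in hosts
    }


def report(findings, ports=WATCHED_PORTS):
    """Render one line per host, suitable for a change record."""
    lines = []
    for host, reachable in sorted(findings.items()):
        if reachable:
            detail = ", ".join(f"{p}/tcp ({ports.get(p, '?')})" for p in reachable)
            lines.append(f"{host}: EXPOSED {detail}")
        else:
            lines.append(f"{host}: ok, no watched port reachable")
    return lines


if __name__ == "__main__":
    # Constructed host list; replace with addresses you administer.
    for line in report(audit(["127.0.0.1"], timeout=0.5)):
        print(line)
```

A clean result only describes the network path between the checking machine and the host, so a machine on the same internal segment may still reach these ports.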

How can I decrypt my files?

Currently, there is no known method of decryption - however, this page will be updated once a decrypter is published.

Is it possible to see how many systems have been infected?

A map of all the known infections can be found here:

Is there a sample binary available anywhere?

A binary used to create at least one of the infections can be found here.

Note that the above link contains malware and should not be executed unless you know what you are doing.

What file extensions does Wannacry Ransomware target?

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

What languages is the ransom message available in?

m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

Have the attackers been paid?

There are currently 3 known BTC addresses hard-coded into the ransomware that are being used to receive payments:

1. 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
2. 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
3. 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

However, do note that there's absolutely no proof available which suggests that you are able to recover your files if any payment is made.

Multiple sources have strongly advised not to make any payments at this moment in time.

What has HIBC done in regards to the global campaign?

We have released a tool called Wannafix that can be found here.

Wannafix is a tool that allows you to mitigate the threat while applying the appropriate patch to your computer. For information on the technical aspects of the tool, please see the README which can be found here.