Skip to content
Ransomware group Windows

WannaCry

WannaCry is a ransomware cryptoworm that emerged in May 2017 and caused one of the most disruptive global cyber incidents recorded on Microsoft Windows systems.

Profile source: Mallory opens in a new tab

WannaCry

Family profile

WannaCry is a ransomware cryptoworm that emerged in May 2017 and caused one of the most disruptive global cyber incidents recorded on Microsoft Windows systems. It combines file-encrypting ransomware behavior with worm-like self-propagation, allowing it to spread rapidly across vulnerable networks without requiring user interaction on each host. The malware is widely associated with exploitation of the SMB vulnerability addressed by Microsoft in MS17-010, using the EternalBlue exploit to compromise unpatched and unsupported Windows systems at scale.

Once executed, WannaCry encrypts victim data and presents a ransom demand in Bitcoin. In addition to local file encryption, it can scan for newly attached drives and encrypt files on those devices as they appear. It also exhibits defense-evasion and persistence behavior, including hiding some files and creating a Windows service masquerading as a legitimate Microsoft security component. Its worming capability enabled propagation across organizations and countries, contributing to widespread operational disruption in sectors including healthcare, government, and business. The 2017 outbreak notably affected the UK National Health Service and many other large organizations worldwide.

WannaCry has been attributed by multiple governments and security researchers to North Korea, with reporting and technical analysis commonly linking it to the Lazarus Group. Earlier variants were reportedly used in more targeted enterprise attacks before the large-scale outbreak, and the later mass propagation was enabled by the public leak of offensive cyber tooling that included EternalBlue. The campaign is frequently cited as a landmark example of how leaked nation-state exploitation capabilities can be repurposed for financially motivated ransomware operations.

WannaCry is best characterized as both ransomware and a worm, but its most specific classification here is ransomware because its core payload encrypts victim files and extorts payment. Its historical significance stems from the combination of automated network propagation, large-scale impact, and reliance on patchable Windows vulnerabilities, making it a canonical case study in ransomware outbreaks, wormable exploitation, and the security consequences of delayed patching.

Capabilities

  • Defense Evasion
  • Exfiltration
  • Persistence
  • Reconnaissance
  • Scanning

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

5 named in public reporting
Shadow Brokers

Five years ago, the WannaCry ransomware cryptoworm targeted computers running Microsoft Windows, encrypting data at organizations around the world.

Lazarus

The WannaCry ransomware attacks have received extensive coverage since a widespread attack on May 12 caused the systems of many large organizations around the world, including the NHS in the UK, to come to a juddering halt.

TheShadowBrokers

WannaCry paralysed computers running mostly older versions of Microsoft Windows by encrypting users' computer files and displaying a message demanding anywhere from $US300 to $US600 to release them; failure to pay would leave the data mangled and likely beyond repair.

Sandworm

The exploit chains in play included EternalBlue, DoublePulsar, and WannaCry, all tools that have been publicly known and patchable for years.

APT38

The WannaCry attack was a massive ransomware cyberattack... This ransomware leverages an NSA exploit known as EternalBlue... Wincry was the base of the encryption, but two additional exploits, EternalBlue and DoublePulsar, were used by the malware to make it a cryptoworm.

Exploited software

Vulnerabilities linked to WannaCry

4 CVEs

MITRE ATT&CK

WannaCry in ATT&CK

66 distinct techniques

Techniques

66 techniques
T1486 Data Encrypted for Impact T1190 Exploit Public-Facing Application T1120 Peripheral Device Discovery T1570 Lateral Tool Transfer T1041 Exfiltration Over C2 Channel T1068 Exploitation for Privilege Escalation T1203 Exploitation for Client Execution T1499 Endpoint Denial of Service T1584.001 Domains T1036 Masquerading T1543.003 Windows Service T1083 File and Directory Discovery T1564.001 Hidden Files and Directories T1016 System Network Configuration Discovery T1071 Application Layer Protocol T1210 Exploitation of Remote Services T1046 Network Service Discovery T1021 Remote Services T1497 Virtualization/Sandbox Evasion T1490 Inhibit System Recovery T1489 Service Stop T1105 Ingress Tool Transfer T1112 Modify Registry T1547.001 Registry Run Keys / Startup Folder T1090.003 Multi-hop Proxy T1566 Phishing T1566.001 Spearphishing Attachment T1090.002 External Proxy T1059 Command and Scripting Interpreter T1498 Network Denial of Service T1021.002 SMB/Windows Admin Shares T1135 Network Share Discovery T1047 Windows Management Instrumentation T1657 Financial Theft T1568.002 Domain Generation Algorithms T1071.001 Web Protocols T1566.002 Spearphishing Link T1059.003 Windows Command Shell T1564 Hide Artifacts T1080 Taint Shared Content T1070.004 File Deletion T1059.005 Visual Basic T1222 File and Directory Permissions Modification T1204.002 Malicious File T1189 Drive-by Compromise T1003.001 LSASS Memory T1003 OS Credential Dumping T1562 Impair Defenses T1055 Process Injection T1018 Remote System Discovery T1133 External Remote Services T1078 Valid Accounts T1195 Supply Chain Compromise T1543 Create or Modify System Process T1119 Automated Collection T1027.013 Encrypted/Encoded File T1027.003 Steganography T1560 Archive Collected Data T1480.002 Mutual Exclusion T1027.007 Dynamic API Resolution T1140 Deobfuscate/Decode Files or Information T1569.002 Service Execution T1222.001 Windows File and Directory Permissions Modification T1573.002 Asymmetric Cryptography T1563.002 RDP Hijacking T1595 Active Scanning

Reporting

Research mentioning WannaCry

Jul 13
Cyber Security News

AI-Powered 'Intelligent Worm' Could Regenerate Exploits and Adapt to Defenses in Real Time

This is why fast patching remains one of the most effective controls against outbreaks such as Code Red, Slammer, Conficker, and WannaCry.

Jul 9
The Record Media

NSA revives 'Tailored Access Operations' name for elite hacking unit | The Record from Recorded Future News

The U.S. believed that Russia and North Korea capitalized on pilfered tools to unleash devastating global cyberattacks — most famously in 2017 when the WannaCry ransomware used an exploit called EternalBlue.

Jun 30
Enterprisetimes

SonicWall: NHS hospitals hit by 10x cyber attack surge -

Past attacks have taken their toll. WannaCry cost £92 million.

Jun 26
Help Net Security

A privacy-first take on local malware analysis - Help Net Security

Families with larger sample counts, including Adware.Neoreklami, GCleaner, WannaCry, Socks5Systemz, and CobaltStrike, reach high recall.

Jun 16
Infosec Writeups

The Intelligent Shield. OpenCTI. Beyond Ingestion Subtitle: Deploying… | by Andrey Pautov | May, 2026 | InfoSec Write-ups

The profile shows: Attributed to: North Korea Motivations: Financial gain, Espionage Targets: Finance, Cryptocurrency, Defense Malware used: WannaCry, Hermes, BLINDINGCAN (all auto-linked by MITRE connector)

Jun 15
Techtarget

Cyber insurance forces companies to rethink risk management | TechTarget

If you go back about a decade , there were some fairly high-profile incidents -- cases like NotPetya and WannaCry -- where various companies from different parts of the world were impacted by these propagating events.

Jun 11
Cyber Security News

Claude Mythos Turning N-Days Into N-Hours With Rapid Working Exploit Creation

For example, the WannaCry ransomware attack occurred nearly two months after the MS17-010 patch, while other exploits typically took weeks.

Jun 10
Grahamcluley

Smashing Security podcast #471: This AI worm just rewrote its own rules • Graham Cluley

More recently, the WannaCry worm, of course, that was really high profile back in 2017, I think it was, spread to hundreds of thousands of computers in just a matter of days and exploited a zero-day vulnerability in Microsoft Windows.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.