Ransomware Research

WanaCrypt0r 2.0 Ransomware

WanaCrypt0r 2.0 is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on March 1, 2014, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: WannaCry: NSA Exploit Edition, WannaCry NSA EE.

Quick Facts

Ransomware Family
WanaCrypt0r 2.0
First Seen
March 1, 2014
Known Aliases
WannaCry: NSA Exploit EditionWannaCry NSA EE

How WanaCrypt0r 2.0 Ransomware Works

Targeted Files

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa -> Tested OK https://app.any.run/tasks/3bc7a483-5b6e-49f6-99a7-079cb4a88a63/

File Encryption Patterns

WanaCrypt0r 2.0 modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

..wncry..wannacry..WNCRYT..WCRY..WCYR

Ransom Note and Payment Demands

After encrypting files, WanaCrypt0r 2.0 displays ransom notes demanding payment for file recovery:

file@Please_Read_Me@.txt

Ransom message:

notes/@Please_Read_Me@.txt

Note locations:

EveryFolder
file!Please Read Me!.txt

Ransom message:

notes/!Please Read Me!.txt
screenshot

Ransom message:

notes/@WanaDecryptor@.bmp.2923339963.bmp

Note locations:

Desktop
message

Ransom message:

notes/note.txt

Note locations:

Login

Technical Indicators

Associated Executable Files

The following executable files are associated with WanaCrypt0r 2.0 ransomware:

  • cliconfg.exe
  • taskdl.exe
  • taskdl.bin
  • 4a468603fdcb7a2e_taskdl.exe
  • taskdl.exe.Bin
  • file.None.0x81fbc920.dat
  • lhdfrgui.exe
  • wannacry
  • task6_1.bin
  • wannacry_4.exe
  • Challenge_2.bin
  • Anydesk.exe
  • test.exe
  • CB007530Sample.bin
  • WC.exe
  • Hello
  • file.exe
  • mssecsvc.exe
  • ut.dat
  • wannacry.exe
  • WannaCry.exe
  • wannacry.bin
  • Muestra1.exe
  • Ege 2.inscription___
  • Muestra1.html
  • pr3.exe
  • strikeHcpvZV.exe
  • wannacry_killswitch.exe
  • challenge66.virussample
  • Wannacry.bin
  • wcry.bin
  • Wannacry.A.exe
  • Wannacry.O.exe
  • 24d0.vir.DNvir
  • Llac.exe
  • MicrosoftEdgeUpdate.exe
  • WANNACRY
  • wcryv1.exe
  • wc.exe
  • pr2.exe
  • cwskpegso
  • malware01.exe
  • okay.bin
  • sample.exe
  • wanacry.bin
  • 24d004a104d4d540_mssecsvc.exe
  • ColetaniaPlayboy.exe
  • content_96594.exe
  • wannacry__ransomware (37)
  • WannaCry_mssecsvc.exe
  • wcry1.exe
  • mssecsvckkk.exe
  • wannacry2.bin
  • WannaWanna.docx
  • valorant.exe
  • wannaCry.exe
  • SuperKeyPass.exe
  • diskpart.exe
  • malb6_
  • WannaCry.EXE
  • wannaCry.bin
  • tasksche.exe
  • pearcheats-lite.exe
  • WannaCry.safe
  • wncry.exe
  • muestra1.bin
  • SampleA.exe
  • WannaCry Final Builder.EXE
  • Wanacry Plus Builder.exe
  • Ransomware.WannaCrypt0r.v2.exe
  • WannaCrypt0r.exe
  • WannaCrypt0r.sk
  • Schoolwork.exe
  • wcry.exe
  • Endermanch@WannaCrypt0r.exe
  • wanncry.exe
  • qeriuwjhrf
  • EvilGaming.exe
  • unknown.exe
  • Kaitlins Pictures.exe
  • malware_no_executar
  • $R8215LL.exe
  • x.EXE
  • WannaCry.bin
  • lasergun.EXE
  • WannaCry.EXE.bin
  • svchost.exe
  • lsasvs.exe
  • wodglslsh
  • MWPHR5F2.exe
  • PN86CH9A.exe
  • 0P38EVIS.exe
  • taskhcst.exe
  • wannacry__ransomware
  • taskhcst.jpg
  • uzdsvc.dll
  • rdmgr.dll
  • BPIQSVC.DLL
  • dmtimgmt.dll
  • bgpupsvc.dll
  • dlwinmgr.dll
  • houdmgr.dll
  • vti-rescan
  • dmadminsvcs.dllz

Recovery and Decryption Tools

Good news! Decryption tools are available for WanaCrypt0r 2.0 ransomware:

0

1

Elastio Can Help You

Don't let WanaCrypt0r 2.0 ransomware take over your data

Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.

About This Analysis

This WanaCrypt0r 2.0 ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like WanaCrypt0r 2.0.

Last updated: July 30, 2025