Ransomware Research
WanaCrypt0r 2.0 Ransomware
WanaCrypt0r 2.0 is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on March 1, 2014, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: WannaCry: NSA Exploit Edition, WannaCry NSA EE.
Quick Facts
- Ransomware Family
- WanaCrypt0r 2.0
- First Seen
- March 1, 2014
- Known Aliases
- WannaCry: NSA Exploit EditionWannaCry NSA EE
How WanaCrypt0r 2.0 Ransomware Works
Targeted Files
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa -> Tested OK https://app.any.run/tasks/3bc7a483-5b6e-49f6-99a7-079cb4a88a63/
File Encryption Patterns
WanaCrypt0r 2.0 modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..wncry..wannacry..WNCRYT..WCRY..WCYRRansom Note and Payment Demands
After encrypting files, WanaCrypt0r 2.0 displays ransom notes demanding payment for file recovery:
@Please_Read_Me@.txtRansom message:
notes/@Please_Read_Me@.txt
Note locations:
EveryFolder!Please Read Me!.txtRansom message:
notes/!Please Read Me!.txt
Ransom message:
notes/@WanaDecryptor@.bmp.2923339963.bmp
Note locations:
DesktopRansom message:
notes/note.txt
Note locations:
LoginTechnical Indicators
Associated Executable Files
The following executable files are associated with WanaCrypt0r 2.0 ransomware:
cliconfg.exetaskdl.exetaskdl.bin4a468603fdcb7a2e_taskdl.exetaskdl.exe.Binfile.None.0x81fbc920.datlhdfrgui.exewannacrytask6_1.binwannacry_4.exeChallenge_2.binAnydesk.exetest.exeCB007530Sample.binWC.exeHellofile.exemssecsvc.exeut.datwannacry.exeWannaCry.exewannacry.binMuestra1.exeEge 2.inscription___Muestra1.htmlpr3.exestrikeHcpvZV.exewannacry_killswitch.exechallenge66.virussampleWannacry.binwcry.binWannacry.A.exeWannacry.O.exe24d0.vir.DNvirLlac.exeMicrosoftEdgeUpdate.exeWANNACRYwcryv1.exewc.exepr2.execwskpegsomalware01.exeokay.binsample.exewanacry.bin24d004a104d4d540_mssecsvc.exeColetaniaPlayboy.execontent_96594.exewannacry__ransomware (37)WannaCry_mssecsvc.exewcry1.exemssecsvckkk.exewannacry2.binWannaWanna.docxvalorant.exewannaCry.exeSuperKeyPass.exediskpart.exemalb6_WannaCry.EXEwannaCry.bintasksche.exepearcheats-lite.exeWannaCry.safewncry.exemuestra1.binSampleA.exeWannaCry Final Builder.EXEWanacry Plus Builder.exeRansomware.WannaCrypt0r.v2.exeWannaCrypt0r.exeWannaCrypt0r.skSchoolwork.exewcry.exeEndermanch@WannaCrypt0r.exewanncry.exeqeriuwjhrfEvilGaming.exeunknown.exeKaitlins Pictures.exemalware_no_executar$R8215LL.exex.EXEWannaCry.binlasergun.EXEWannaCry.EXE.binsvchost.exelsasvs.exewodglslshMWPHR5F2.exePN86CH9A.exe0P38EVIS.exetaskhcst.exewannacry__ransomwaretaskhcst.jpguzdsvc.dllrdmgr.dllBPIQSVC.DLLdmtimgmt.dllbgpupsvc.dlldlwinmgr.dllhoudmgr.dllvti-rescandmadminsvcs.dllz
Recovery and Decryption Tools
Good news! Decryption tools are available for WanaCrypt0r 2.0 ransomware:
0
1
Elastio Can Help You
Don't let WanaCrypt0r 2.0 ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
About This Analysis
This WanaCrypt0r 2.0 ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like WanaCrypt0r 2.0.
Last updated: July 30, 2025