WanaCrypt0r 2.0 is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on March 1, 2014, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: WannaCry: NSA Exploit Edition, WannaCry NSA EE.
Quick Facts
Ransomware Family
WanaCrypt0r 2.0
First Seen
March 1, 2014
Known Aliases
WannaCry: NSA Exploit EditionWannaCry NSA EE
How WanaCrypt0r 2.0 Ransomware Works
Targeted Files
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa -> Tested OK
https://app.any.run/tasks/3bc7a483-5b6e-49f6-99a7-079cb4a88a63/
File Encryption Patterns
WanaCrypt0r 2.0 modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..wncry..wannacry..WNCRYT..WCRY..WCYR
Ransom Note and Payment Demands
After encrypting files, WanaCrypt0r 2.0 displays ransom notes demanding payment for file recovery:
file@Please_Read_Me@.txt
Ransom message:
notes/@Please_Read_Me@.txt
Note locations:
EveryFolder
file!Please Read Me!.txt
Ransom message:
notes/!Please Read Me!.txt
screenshot
Ransom message:
notes/@WanaDecryptor@.bmp.2923339963.bmp
Note locations:
Desktop
message
Ransom message:
notes/note.txt
Note locations:
Login
Technical Indicators
Associated Executable Files
The following executable files are associated with WanaCrypt0r 2.0 ransomware:
cliconfg.exe
taskdl.exe
taskdl.bin
4a468603fdcb7a2e_taskdl.exe
taskdl.exe.Bin
file.None.0x81fbc920.dat
lhdfrgui.exe
wannacry
task6_1.bin
wannacry_4.exe
Challenge_2.bin
Anydesk.exe
test.exe
CB007530Sample.bin
WC.exe
Hello
file.exe
mssecsvc.exe
ut.dat
wannacry.exe
WannaCry.exe
wannacry.bin
Muestra1.exe
Ege 2.inscription___
Muestra1.html
pr3.exe
strikeHcpvZV.exe
wannacry_killswitch.exe
challenge66.virussample
Wannacry.bin
wcry.bin
Wannacry.A.exe
Wannacry.O.exe
24d0.vir.DNvir
Llac.exe
MicrosoftEdgeUpdate.exe
WANNACRY
wcryv1.exe
wc.exe
pr2.exe
cwskpegso
malware01.exe
okay.bin
sample.exe
wanacry.bin
24d004a104d4d540_mssecsvc.exe
ColetaniaPlayboy.exe
content_96594.exe
wannacry__ransomware (37)
WannaCry_mssecsvc.exe
wcry1.exe
mssecsvckkk.exe
wannacry2.bin
WannaWanna.docx
valorant.exe
wannaCry.exe
SuperKeyPass.exe
diskpart.exe
malb6_
WannaCry.EXE
wannaCry.bin
tasksche.exe
pearcheats-lite.exe
WannaCry.safe
wncry.exe
muestra1.bin
SampleA.exe
WannaCry Final Builder.EXE
Wanacry Plus Builder.exe
Ransomware.WannaCrypt0r.v2.exe
WannaCrypt0r.exe
WannaCrypt0r.sk
Schoolwork.exe
wcry.exe
Endermanch@WannaCrypt0r.exe
wanncry.exe
qeriuwjhrf
EvilGaming.exe
unknown.exe
Kaitlins Pictures.exe
malware_no_executar
$R8215LL.exe
x.EXE
WannaCry.bin
lasergun.EXE
WannaCry.EXE.bin
svchost.exe
lsasvs.exe
wodglslsh
MWPHR5F2.exe
PN86CH9A.exe
0P38EVIS.exe
taskhcst.exe
wannacry__ransomware
taskhcst.jpg
uzdsvc.dll
rdmgr.dll
BPIQSVC.DLL
dmtimgmt.dll
bgpupsvc.dll
dlwinmgr.dll
houdmgr.dll
vti-rescan
dmadminsvcs.dllz
Recovery and Decryption Tools
Good news! Decryption tools are available for WanaCrypt0r 2.0 ransomware:
0
1
Elastio Can Help You
Don't let WanaCrypt0r 2.0 ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
This WanaCrypt0r 2.0 ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like WanaCrypt0r 2.0.