{
  "family": "wannacry",
  "sample_count": 4876,
  "category": "ransomware_worm",
  "description": "WannaCry is the cryptoworm responsible for the May 2017 global ransomware outbreak that infected over 200,000 systems across 150 countries, including the UK National Health Service, FedEx, Telefonica, and many manufacturing organizations. It propagates using the EternalBlue SMB exploit leaked from the NSA, encrypting files and demanding Bitcoin ransom. Investigators have attributed WannaCry to the North Korean Lazarus Group. Protection requires the MS17-010 patch, disabling SMBv1, and network segmentation to limit lateral movement.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [
    "wanacrypt",
    "wanacry",
    "wannacrypt",
    "wcry",
    "wncry"
  ],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is WannaCry?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "WannaCry is the cryptoworm responsible for the May 2017 global ransomware outbreak that infected over 200,000 systems across 150 countries, including the UK National Health Service, FedEx, Telefonica, and many manufacturing organizations. It propagates using the EternalBlue SMB exploit leaked from the NSA, encrypting files and demanding Bitcoin ransom. Investigators have attributed WannaCry to the North Korean Lazarus Group. Protection requires the MS17-010 patch, disabling SMBv1, and network segmentation to limit lateral movement."
      }
    },
    {
      "@type": "Question",
      "name": "How does WannaCry spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "WannaCry spread in May 2017 using the EternalBlue SMB exploit (MS17-010) and the DoublePulsar backdoor, both leaked from the NSA by the Shadow Brokers."
      }
    },
    {
      "@type": "Question",
      "name": "What are the signs of a WannaCry infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Common signs of infection are files renamed with a .wncry, .wcry, .wnry, or .wncryt extension, a ransom screen demanding $300-$600 in Bitcoin, and antivirus detections named WannaCry, WanaCrypt, or WCry."
      }
    },
    {
      "@type": "Question",
      "name": "What should I do if I think I have WannaCry on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1210",
    "T1486",
    "T1083",
    "T1490"
  ],
  "cisa_advisory": "https://www.cisa.gov/news-events/alerts/2017/05/12/multiple-ransomware-infections-reported",
  "last_updated": "2026-05-27"
}