WannaCry is ransomware first seen in a global attack in May 2017 that, per MITRE ATT&CK, affected more than 150 countries. It contains worm-like features that let it spread across networks using the SMBv1 exploit known as EternalBlue. Once on a machine it encrypts files and demands a Bitcoin ransom. The outbreak slowed after a researcher registered a 'kill-switch' domain found in the code. Systems that had applied the relevant Microsoft SMB security update were protected from the exploit it relied on.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1210 T1486 T1083 T1490
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_WANNACRY {
meta:
description = "Detects Wannacry (ransomware_worm)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "wannacry" ascii wide nocase
$s2 = "wannacry" ascii wide nocase
$s3 = "wanacrypt0r" ascii wide nocase
$s4 = "wcry" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Wannacry Activity
id: 9678a98e2905327e855263bb52ade7e0
status: experimental
description: Detects generic indicators of the wannacry malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*wannacry*"
- "*wannacry*"
- "*wanacrypt0r*"
- "*wcry*"
condition: selection
level: mediumCISA has published an advisory on this family: https://www.cisa.gov/news-events/alerts/2017/05/12/multiple-ransomware-infections-reported
A ransomware worm from May 2017 that encrypted files and demanded Bitcoin, and spread itself automatically across networks.
It used the wormable SMBv1 exploit EternalBlue to move between machines without user interaction, which is why it reached more than 150 countries so fast.
A Windows SMBv1 vulnerability exploit; applying the Microsoft patch released before the outbreak protected systems from it.
The malware checked for a specific unregistered domain. A researcher registered it, which caused many samples to stop encrypting and slowed the global spread.
Largely yes — the SMB vulnerability it exploited had a Microsoft patch available before the outbreak, so patched systems were not vulnerable to its spreading mechanism.
Security guidance generally discourages paying ransoms; for WannaCry specifically, paying did not reliably restore files. Restore from clean backups and consult professional incident-response resources instead.
Apply security updates promptly, disable obsolete protocols like SMBv1, segment networks, and keep tested offline backups.
MITRE ATT&CK's WannaCry entry (S0366), linked here, documents its techniques and references.
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/wannacry.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.