Wannacry

Category: ransomware_worm · Aliases: wanacrypt, wanacry, wannacrypt, wcry, wncry · Sample count (EMBER 2018): 4,876 · Enrichment: hand-curated · Updated: 2026-05-27

Overview

WannaCry is the cryptoworm responsible for the May 2017 global ransomware outbreak that infected over 200,000 systems across 150 countries, including the UK National Health Service, FedEx, Telefonica, and many manufacturing organizations. It propagates using the EternalBlue SMB exploit leaked from the NSA, encrypting files and demanding Bitcoin ransom. Investigators have attributed WannaCry to the North Korean Lazarus Group. Protection requires the MS17-010 patch, disabling SMBv1, and network segmentation to limit lateral movement.

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1210 T1486 T1083 T1490

Authoritative Advisory

CISA has published an advisory on this family: https://www.cisa.gov/news-events/alerts/2017/05/12/multiple-ransomware-infections-reported

Frequently Asked Questions

What is Wannacry?

WannaCry is the cryptoworm responsible for the May 2017 global ransomware outbreak that infected over 200,000 systems across 150 countries, including the UK National Health Service, FedEx, Telefonica, and many manufacturing organizations. It propagates using the EternalBlue SMB exploit leaked from the NSA, encrypting files and demanding Bitcoin ransom. Investigators have attributed WannaCry to the North Korean Lazarus Group. Protection requires the MS17-010 patch, disabling SMBv1, and network segmentation to limit lateral movement.

How does Wannacry spread?

WannaCry spread in May 2017 using the EternalBlue SMB exploit (MS17-010) and the DoublePulsar backdoor, both leaked from the NSA by the Shadow Brokers.

What are the signs of a Wannacry infection?

Files renamed with .wncry, .wcry, .wnry, or .wncryt extensions, ransom screen demanding $300-$600 in Bitcoin, and AV detections for WannaCry, WanaCrypt, or WCry are signatures.

What should I do if I think I have Wannacry on my system?

If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.

Need help with an active incident? If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/wannacry.json

About this catalog

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families extracted from the EMBER 2018 benchmark. The catalog is also published on Hugging Face and Kaggle.