Wannacry

Category: ransomware_worm · Aliases: WannaCry, WanaCrypt0r, WCry · Sample count (EMBER 2018): 4,876 · Enrichment: curated_sourced · Updated: 2026-06-09

Overview

WannaCry is ransomware first seen in a global attack in May 2017 that, per MITRE ATT&CK, affected more than 150 countries. It contains worm-like features that let it spread across networks using the SMBv1 exploit known as EternalBlue. Once on a machine it encrypts files and demands a Bitcoin ransom. The outbreak slowed after a researcher registered a 'kill-switch' domain found in the code. Systems that had applied the relevant Microsoft SMB security update were protected from the exploit it relied on.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1210 T1486 T1083 T1490

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_WANNACRY {
    meta:
        description = "Detects Wannacry (ransomware_worm)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "wannacry" ascii wide nocase
        $s2 = "wannacry" ascii wide nocase
        $s3 = "wanacrypt0r" ascii wide nocase
        $s4 = "wcry" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Wannacry Activity
id: 9678a98e2905327e855263bb52ade7e0
status: experimental
description: Detects generic indicators of the wannacry malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*wannacry*"
            - "*wannacry*"
            - "*wanacrypt0r*"
            - "*wcry*"
    condition: selection
level: medium

References & External Analysis

Authoritative Advisory

CISA has published an advisory on this family: https://www.cisa.gov/news-events/alerts/2017/05/12/multiple-ransomware-infections-reported

Frequently Asked Questions

What is WannaCry?

A ransomware worm from May 2017 that encrypted files and demanded Bitcoin, and spread itself automatically across networks.

How did WannaCry spread so quickly?

It used the wormable SMBv1 exploit EternalBlue to move between machines without user interaction, which is why it reached more than 150 countries so fast.

What is EternalBlue?

A Windows SMBv1 vulnerability exploit; applying the Microsoft patch released before the outbreak protected systems from it.

What was the WannaCry kill-switch?

The malware checked for a specific unregistered domain. A researcher registered it, which caused many samples to stop encrypting and slowed the global spread.

Could WannaCry have been prevented?

Largely yes — the SMB vulnerability it exploited had a Microsoft patch available before the outbreak, so patched systems were not vulnerable to its spreading mechanism.

Is paying the WannaCry ransom recommended?

Security guidance generally discourages paying ransoms; for WannaCry specifically, paying did not reliably restore files. Restore from clean backups and consult professional incident-response resources instead.

How do I protect against ransomware worms like WannaCry?

Apply security updates promptly, disable obsolete protocols like SMBv1, segment networks, and keep tested offline backups.

Where can I read the authoritative details?

MITRE ATT&CK's WannaCry entry (S0366), linked here, documents its techniques and references.

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/wannacry.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.