WCRY or WannaCry Ransomware Technical Analysis

May 24, 2017 | Views: 5184


As you are all aware, ransomware attacks have been increasing rapidly over the past years. Looking at the biggest hits so far, you will come across these well-known names:
1. CryptXXX
2. Dogspectus
3. CryptoLocker
4. Petya
5. Cerber
6. Locky
Now we have WCry/WannaCry and Uiwix.

Executive Summary
Organizations across the world have been affected by the ransomware-based malware known as “WCry/WannaCry”, a major ransomware attack of a kind named “CryptoWorm”.
It can scan for and spread through vulnerabilities (SMB on TCP port 445), disperse as a worm, compromise vulnerable hosts and encrypt the files stored on them. The worst part is that it also deletes shadow copies (if any exist on the victim’s host) by using vssadmin.exe, WMIC.exe & cmd.exe, which makes recovery difficult.

Note: WCry/WannaCry is based on the NSA exploits leaked by the Shadow Brokers, specifically those related to SMB services for Windows.


For initial exploitation of the SMB vulnerability, it primarily uses “ETERNALBLUE”. On successful exploitation of the victim’s machine, the “DOUBLEPULSAR” backdoor is implanted and then used to install the malware. If the “DOUBLEPULSAR” backdoor is already present, it can be used to install the ransomware payload, which is what makes WCry or WannaCry a “CryptoWorm”.
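
The shadow-copy deletion noted in the summary above is a practical detection point. The following Python detection logic is an added example, not code from the original article: it flags process-creation records in which vssadmin or WMIC is asked to delete shadow copies, either directly or through a cmd.exe wrapper. The record layout, the sample events and the command-line patterns are constructed assumptions, not taken from WannaCry samples.

```python
import re

# Constructed process-creation records (image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic  SHADOWCOPY delete"),
    ("C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c "vssadmin delete shadows /all /quiet & wmic shadowcopy delete"'),
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin list shadows"),  # benign
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir C:\\Users"),    # benign
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic os get caption"),  # benign
]

# One rule per tool the article names. Rules match the command line, not the
# image name, so a cmd.exe wrapper is caught as well as a direct launch.
RULES = {
    "vssadmin": re.compile(r'\bvssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.I),
    "wmic": re.compile(r'\bwmic(?:\.exe)?"?\s+(?:/\S+\s+)*shadowcopy\s+.*\bdelete\b', re.I),
}


def classify(command_line):
    """Return the sorted names of the rules that fire for one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(command_line))


def scan(events):
    """Return (image basename, launched via cmd.exe?, rules hit) per matching record."""
    alerts = []
    for image, command_line in events:
        hits = classify(command_line)
        if hits:
            exe = image.rsplit("\\", 1)[-1].lower()
            alerts.append((exe, exe == "cmd.exe", hits))
    return alerts


if __name__ == "__main__":
    for exe, via_cmd, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT shadow-copy deletion via {exe} (cmd wrapper={via_cmd}): {', '.join(hits)}")
```

Listing shadow copies or running unrelated WMIC queries does not match, so the rules stay quiet during normal backup administration.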

Let’s start dissecting the machinery of this ransomware, i.e. its execution & encryption flow.

Encryption Based Analysis
WCry / WannaCry used two encryption algorithms for ransomware infection. Below are the details:
 –   AES (Advanced Encryption Standard)
 –   RSA (Ron Rivest, Adi Shamir and Leonard Adleman)

AES is considered to be a well-built cipher, and files encrypted with it cannot be decrypted unless the author makes a mistake in the encryption code. RSA is used in combination with AES for unique public & private key generation specifically for each file.

Steps for encryption by WCRY / WannaCry are:

I. Each file is encrypted by a random AES-128 key.

II. The key is further encrypted by an RSA-2048 public key and stored in 0000000.py file.

III. The private RSA key of the above public RSA key is further encrypted by the RSA Master public key.

IV. The private RSA key of the RSA Master public key is known only by the “Ransomware Authors”.

[Figure: graphical presentation of the encryption steps]

[Figure: targeted files]



Execution Based Analysis
It begins with an initial beacon or killswitch (a high-level view, as reported by other researchers too). Execution begins when a user downloads attachments (.js, .exe). In some circumstances, these are also related to malicious macros, which can be activated when the user enables the content of a document.

Steps for execution by WCRY / WannaCry are:
I. Exploit ETERNALBLUE & spread to other hosts.
II. The damaging process starts with laying the foundation for.
III. Starts encrypting files with the above-mentioned combination of RSA and AES.

[Figure: graphical presentation of the execution steps]


For the latest attacks and proof of concept, please subscribe and follow me at:
https://www.fishyseclab.com – https://s3curityedge.wordpress.com – https://www.cybrary.it/members/sconnect/
https://www.facebook.com/alitabishofficial – https://www.facebook.com/FishySecLab/ – https://www.facebook.com/s3curityedge/