Symantec-linked reporting traces Lazarus activity from early DDoS operations against U.S. and South Korean government, financial, and media sites through destructive attacks, espionage, bank fraud, watering holes, and WannaCry. The excerpt highlights repe…
2017 (97 reports)
WannaCry/WannaDecrypt0r is described as a ransomware worm for unpatched Windows systems vulnerable to MS17-010, using EternalBlue for SMB propagation through exposed port 445 or hosts already infected with DOUBLEPULSAR. The factsheet notes that the malwar…
FireEye describes WannaCry, also called WCry or WanaCryptor, as a self-propagating ransomware family that spread internally and across the internet by exploiting the MS17-010 SMB vulnerability with EternalBlue. The malware combined a ransomware component …
Symantec assessed that the tools and infrastructure used in WannaCry showed strong links to Lazarus, while cautioning that the technical evidence did not establish a specific nation-state motivation. Before the May 12 global outbreak, earlier WannaCry var…
Comae described WanaKiwi, a WannaCry recovery tool by Benjamin Delpy that builds on Adrien Guinet's Wannakey method for recovering RSA prime numbers from memory. The technique targets infected Windows systems that have not been rebooted and depends on the…
Malwarebytes assessed that WannaCry spread as a self-propagating ransomworm rather than through a malicious email campaign. The infection path centered on scanning vulnerable public-facing SMB services, exploiting EternalBlue over TCP port 445, and using …
WannaCry is analyzed as ransomware that spread globally from 12 May 2017 by abusing Windows SMB vulnerabilities on unpatched systems. The infection chain includes malicious email or websites as initial delivery, then worm-like propagation across local and…
BAE Systems analyzed WanaCrypt0r as a ransomware worm that spread globally after the ETERNALBLUE SMB exploit became publicly available. The executable checked a hard-coded domain before launching its payload, registered itself as a service, and used worm …
Comae examined reported code similarities between a February 2017 WannaCry sample and a 2015 Contopee sample that Symantec had previously attributed to Lazarus Group. The excerpt cites Neel Mehta's initial comparison, Kaspersky's shared suspicion, and Sym…
Operation GoldenAxe describes suspected North Korean activity from June 2016 to May 2017 that compromised more than ten South Korean organizations' websites tied to diplomacy, aviation, North Korea affairs, unification, parliament, labor, and finance. The a…
Kaspersky reported that a February 2017 WannaCry cryptor sample shared code with a February 2015 Lazarus APT backdoor sample highlighted by Neel Mehta. The researchers treated the finding as a significant clue about WannaCry’s origins, while noting that m…
Comae analyzed WannaCry variants that appeared after the initial outbreak, including one live sample seen in the wild and one no-kill-switch sample that Kaspersky recovered from VirusTotal. The live variant used the kill-switch domain ifferfsodp9ifjaposdf…
The excerpt provides only limited WannaCry-related evidence: a long list of file extensions associated with encrypted or targeted content and a reference to an Endgame technical analysis of WCry/WanaCry ransomware. The listed extensions span Office docume…
CrowdStrike details the WannaCry/Wanna ransomware variant that spread widely in May 2017 by abusing the EternalBlue SMB vulnerability after initial infection. The malware encrypts 177 file types, appends .wncry, continues encrypting renamed or newly creat…
ESTsecurity analyzed the Arabian Night operation using a malicious Word document named Hanssak System that relied on social engineering to prompt macro execution. When macros ran, the document XOR-decoded and dropped a decoy Kuipernet installation survey …