Summary
Trojan.Ransom.WannaCryptor identifies the WannaCry ransomware, which encrypts the affected device and demands payment of a ransom to restore normal use.
WannaCry is also known as Wanna Decryptor and WCryr.
F-Secure security products detect all known variants of this threat with a combination of generic detections and family-specific detections, including (but not limited to):
Please ensure your F-Secure security product is up-to-date with the the latest updates and has Deepguard turned on for maximum coverage.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First, check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
Technical Details
WannaCry came to public notice in a major outbreak that was first reported on Friday, 13 May 2017:
- The Guardian: NHS services in England and Scotland hit by global cyber-attack
- Channel News Asia: Several Spanish firms including telecom giant Telefonica targeted in cyber attacks
- The Register: WanaCrypt ransomware snatches NSA exploit, fscks over Telefnica, other orgs in Spain
- ZDNet: WannaCrypt ransomware: Microsoft issues emergency patch for Windows XP
For more information about this incident, see:
- F-Secure Labs Weblog: WCry: Knowns And Unknowns
- F-Secure Safe and Savvy: How to protect your business against Ransomware; UPDATE ON WannaCry-Ransomware 13.05.2017
Infection
The WannaCry ransomware is spread by a dropper component that exploits known vulnerabilities in Windows to drop the ransomware binary onto a vulnerable machine. If the dropper is successful in exploiting an Internet-facing machine, it can also use vulnerabilities in Windows SMB Server to infect other computers on the same local area network.
As part of its attack, the WannaCry dropper component uses an exploit known as EternalBlue, which was first publicized in the data allegedly stolen from the US's National Security Agency (NSA) and released by hacking group The Shadow Brokers.
The vulnerabilities used to spread WannaCry have already been fixed by Microsoft in March 2017 with the MS17-010 patch; systems that have not yet received the fix however remain vulnerable. It is strongly recommended that users and administrators ensure that all their systems have received the MS17-010 patch to prevent the WannaCry ransomware from gaining entry to their machines.
Encryption
The WannaCry ransomware encrypts all files stored on the affected machine. The encryption uses the AES 128-bit encryption algorithms, which are extremely difficult to break.
It encrypts the following file types: .doc, .docx, .docb, .docm, .dot, .dotm, .dotx, .xls, .xlsx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .ppt, .pptx, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .pst, .ost, .msg, .eml, .edb, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .jpeg, .jpg, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
Ransom demand
Once the files have been encrypted, WannaCry displays a ransom demand for up to $300 in Bitcoin. A video and screenshots of the ransomware in action can be seen in the following post on F-Secure's Safe and Savvy blog:
Protect your devices from malware with F‑Secure Total
Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.
Award‑winning antivirus and malware protection
Online browsing, banking, and shopping protection
24/7 online identity and data breach monitoring
Unlimited VPN service to safeguard your privacy
Password manager with private data protection
Choose how many devices you want to protect to get started.
Free customer support
Cancel anytime
The trial does not obligate you to buy the product
After 30 days your subscription will renew automatically for one year at €69.99.
)
)
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.