Home > Threat descriptions >



Category: Malware

Type: Trojan

Aliases: WCryr, WannaCry.[variant], Wanna Decryptor, Trojan:W32/WannaCry.[variant], Trojan.Ransom.WannaCryptor.[variant], Win32.Trojan-Ransom.WannaCry.[variant], Trojan:W32/WannaCryptor.[variant]!Deepguard


Trojan.Ransom.WannaCryptor identifies the WannaCry ransomware, which encrypts the affected device and demands payment of a ransom to restore normal use.

WannaCry is also known as Wanna Decryptor and WCryr.


F-Secure security products detect all known variants of this threat with a combination of generic detections and family-specific detections, including (but not limited to):

  • Trojan.Ransom.WannaCryptor.H
  • Trojan:W32/WannaCryptor.A!Deepguard
  • Gen:Variant.Ransom.WannaCryptor.1
  • Gen:Trojan.Heur.RP.JtW@aePsbmpi
  • Suspicious:W32/Malware.51e4307093!Online

Please ensure your F-Secure security product is up-to-date with the latest detection database updates and has Deepguard turned on for maximum coverage.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the file by either deleting or renaming it.

Exploit prevention

The WannaCry ransomware attack uses known vulnerabilities in the Windows operating system to spread and infect machines. Microsoft has already released a fix for this issue in its March 2017 Security Bulletin. It is strongly recommended that users and administrators ensure that all their systems have received the patch:

Users on systems using versions such as Windows XP that no longer have mainstream support should refer to Microsoft's blogpost offering more details of emergency security patches they have released in response to this issue:

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

WannaCry came to public notice in a major outbreak that was first reported on Friday, 13 May 2017:

For more information about this incident, see:


The WannaCry ransomware is spread by a dropper component that exploits known vulnerabilities in Windows to drop the ransomware binary onto a vulnerable machine. If the dropper is successful in exploiting an Internet-facing machine, it can also use vulnerabilities in Windows SMB Server to infect other computers on the same local area network.

As part of its attack, the WannaCry dropper component uses an exploit known as EternalBlue, which was first publicized in the data allegedly stolen from the US's National Security Agency (NSA) and released by hacking group The Shadow Brokers.

The vulnerabilities used to spread WannaCry have already been fixed by Microsoft in March 2017 with the MS17-010 patch; systems that have not yet received the fix however remain vulnerable. It is strongly recommended that users and administrators ensure that all their systems have received the MS17-010 patch to prevent the WannaCry ransomware from gaining entry to their machines.


The WannaCry ransomware encrypts all files stored on the affected machine. The encryption uses the AES 128-bit encryption algorithms, which are extremely difficult to break.

It encrypts the following file types: .doc, .docx, .docb, .docm, .dot, .dotm, .dotx, .xls, .xlsx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .ppt, .pptx, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .pst, .ost, .msg, .eml, .edb, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .jpeg, .jpg, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

Ransom demand

Once the files have been encrypted, WannaCry displays a ransom demand for up to $300 in Bitcoin. A video and screenshots of the ransomware in action can be seen in the following post on F-Secure's Safe and Savvy blog:

Date Created: 13-May-2017 02:00:00 UTC

Date Last Modified: 15-May-2017 02:20:00 UTC