CIB-052017: WanaCrypt0r 2.0 ransomware

What is it?

WanaCrypt0r is a ransomware variant that was initially tracked in February. WannaCrypt0r 2.0 (aka WCry) is now available in 28 different languages across the world and has already reached 99 countries. Various End point security solution providers are reporting a massive increase in WannaCrypt0r 2.0 incident at this time. Over 60,000+ infections have been reported including hospitals across England and Spanish telecommunication company Telefonica.

What do you need to do?

  1. If your end point is not managed by your enterprise network administrator, ensure Microsoft Automatic updates are configured and active. More information here
  2. Ensure your end point protection solution is active and is up to date
  3. If you suspect infection, learn how to identify the symptoms and contact us for additional support.

Additional details

The ransomware changes the affected file extension names to “.WNCRY”. The encrypted files are also marked by the “WANACRY!” string at the beginning of the file.

The ransomware will be similar to the image below with $300 worth of bitcoins demand.:


The ransom message, where instructions on how to pay the ransom, an explanation of what happened, and a countdown timer are displayed similar to the image below


The wallpaper of the infected endpoint is also changed to:


source: avast, microsoft, peer network