Wanna Cry Ransomware — A Hacker’s Perspective (Part 2)

File Encryption Summary:

  • Ransomware Executable Imports its RSA Private Key from .data section to Decrypt a Payload DLL to File t.wry.
  • Payload DLL Generates a New RSA Key Pair.
  • New RSA Public Key is saved to 00000000.pky.
  • New RSA Private Key is encrypted by CryptEncrypt API by using Payload DLL’s RSA Public Key from its .data section.
  • Encrypted RSA Private Key is saved to 00000000.eky.
  • Payload DLL Finds the Target Files and generates one AES Key per File.
  • Payload DLL uses NEW Public RSA Key from 00000000.pky to Encrypt AES Key of target File and saves Encrypted AES Key to the target File.
  • Payload DLL AES Encrypts the target File and writes it to new File with .WCRY Extension.
  • To decrypt the files, the WANNACRY Decryptor looks for 00000000.dky file which contains the RSA Private Key from Malware Authors.
  • RSA Private Key from Malware Authors can be used to Decrypt AES Key per File, then Decrypt each File using AES Keys.

Adding Up the Cost of WannaCry:

Over a year after the initial ransomware attack, WannaCry is still making headlines and causing residual damage. The National Health Service (NHS) has revealed WannaCry costs totaled more than $100 million.

Vulnerability disclosure

The specific vulnerability that it uses to propagate is ETERNALBLUE.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


I try to analyze ransomware attacks | Static Code Analysis | Privacy & Security Updates | Pen Testing | Bug Bounty