Ransom.WannaCrypt

Ransom.WannaCrypt is a self-propagating ransomware that encrypts files on affected systems. It appends the .WCRY extension to the files it encrypts and demands a $300 or $600 ransom in Bitcoin for decryption.

It can also communicate with its command-and-control (C&C) server via encrypted Tor channels.

Common infection method

Infection method:

Unlike most ransomware, Ransom.WannaCrypt is not distributed via an email spam campaign. It spreads by exploiting a vulnerability in Microsoft’s Server Message Block (SMB) protocol known as EternalBlue.

Avoidance advice:

  • Update Windows to patch the SMB vulnerability
  • Update your Malwarebytes product

Remediation

Malwarebytes can remove Ransom.WannaCrypt without further user interaction, but it cannot decrypt the encrypted files.

The third-party decryptor for Ransom.WannaCrypt known as Wanakiwi can be downloaded here.
