Inside WannaCry: How the Ransomware Infects, Encrypts, and Demands Bitcoin

This article provides a comprehensive technical analysis of the WannaCry ransomware, detailing its exploitation of the MS17‑010 vulnerability, propagation mechanisms, AES‑RSA encryption process, ransom infrastructure, decryption tool, and recommended security mitigations.

MaGe Linux Operations

Background

On May 12, 2017, the WannaCry worm exploded worldwide via the MS17‑010 vulnerability, encrypting files and demanding ransom. This article provides a detailed analysis.

Worm Overview

WannaCry uses the EternalBlue exploit from the leaked Equation Group toolkit to scan ports, download the malware, and propagate rapidly across the internet and LAN.

The malware executable is mssecsvc.exe, which scans random IPs on the internet and the same subnet on the LAN, then drops the ransomware program tasksche.exe to encrypt files.

Encryption uses AES for file content and RSA‑2048 to encrypt the random AES key; each file gets a unique key, so decryption is infeasible without the attackers' RSA private key.

Detailed Analysis

mssecsvc.exe behavior

1. Kill switch – The worm first checks whether it can reach a hard‑coded control domain (http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com). If the domain is reachable, the process exits and the worm stops spreading from that host. The domain has since been seized by a security firm.

2. Worm behavior – It creates a service to start automatically on boot.

It reads the MS17‑010 exploit code from its own resources; the payload has x86 and x64 versions.

Two threads are created to scan the internet and the internal network, targeting port 445.

For public IPs it scans random addresses; for LAN it scans the local subnet.

If a connection to port 445 succeeds, the worm attempts the exploit and infection.
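The two scanning threads just described leave a recognisable trace in connection logs: one source reaching many distinct hosts on TCP/445 in seconds, some inside the local subnet and some on random internet addresses. The following Python is an added detection example, not code from the original article; the log format, the 10.0.5.0/24 subnet and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.5.0/24")  # constructed local subnet of the monitored network

# Constructed connection-log lines (not real captures): "<ISO time> <src> -> <dst>:<port> <flag>"
SAMPLE_LOG = """\
2017-05-12T10:00:00 10.0.5.23 -> 10.0.5.1:445 SYN
2017-05-12T10:00:00 10.0.5.23 -> 10.0.5.2:445 SYN
2017-05-12T10:00:01 10.0.5.23 -> 10.0.5.3:445 SYN
2017-05-12T10:00:01 10.0.5.23 -> 198.51.100.7:445 SYN
2017-05-12T10:00:02 10.0.5.23 -> 203.0.113.9:445 SYN
2017-05-12T10:00:02 10.0.5.23 -> 192.0.2.44:445 SYN
2017-05-12T10:00:03 10.0.5.40 -> 10.0.5.10:445 SYN
2017-05-12T10:00:04 10.0.5.40 -> 10.0.5.10:445 SYN
2017-05-12T10:05:00 10.0.5.41 -> 10.0.5.9:80 SYN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) ")

def parse_connections(lines):
    """Yield (timestamp, src, dst, dst_port) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def smb_fanout_sources(lines, lan=LAN, threshold=5, window=timedelta(seconds=60)):
    """Flag sources contacting >= threshold distinct hosts on TCP/445 within any `window`.
    Returns {src: {"targets", "lan", "internet"}} for each source's peak window."""
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_connections(lines):
        if port == 445:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide the window start forward
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= threshold and len(targets) > flagged.get(src, {}).get("targets", 0):
                in_lan = sum(1 for d in targets if ip_address(d) in lan)  # subnet sweep vs. internet sweep
                flagged[src] = {"targets": len(targets), "lan": in_lan, "internet": len(targets) - in_lan}
    return flagged
```

On the constructed sample, smb_fanout_sources(SAMPLE_LOG.splitlines()) flags only 10.0.5.23 (6 targets: 3 in the LAN, 3 on the internet); the host that repeatedly contacts a single file server on 445 is not flagged, which keeps ordinary SMB use out of the alert.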

Ransomware payload

tasksche.exe behavior – Extracts its ransomware modules and configuration files from an embedded password‑protected archive (password: WNcry@2ol7). It first terminates specific processes so that their open files are not locked, then traverses the disk, skipping the following directories:

\ProgramData
\Intel
\WINDOWS
\Program Files
\Program Files (x86)
\AppData\Local\Temp
\Local Settings\Temp

The malware encrypts files with 178 extensions (list omitted for brevity) using a randomly generated 256‑byte AES key. Two RSA‑2048 public keys are embedded; one has a matching private key for demonstration, the other is used for real encryption.

The file header contains flags, the key size, the RSA‑encrypted AES key, and the original file size. The encrypted content is written after the header and saved with a .WNCRY extension; the original file is then overwritten with random data to prevent recovery.
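An added example, not part of the original article: a Python parser for the header just described, which a responder can use to inventory encrypted files and extract the wrapped AES key and original size that any later private key (such as the 00000000.dky file discussed below) would be needed to use. The exact byte layout and the 8‑byte "WANACRY!" marker come from published analyses of WannaCry rather than from this article; the sample file is a constructed fixture with a dummy wrapped key and zeroed ciphertext.

```python
import struct
from dataclasses import dataclass

# Layout from published WannaCry analyses (not given in this article):
#   0x000  8 bytes   "WANACRY!" marker
#   0x008  uint32 LE wrapped-key length (0x100 for RSA-2048)
#   0x00C  256 bytes RSA-encrypted per-file AES key
#   0x10C  uint32 LE flag field (left uninterpreted here)
#   0x110  uint64 LE original (plaintext) file size
#   0x118  AES ciphertext to end of file
MAGIC = b"WANACRY!"

@dataclass
class WncryHeader:
    key_len: int
    wrapped_key: bytes      # only the attackers' RSA private key can unwrap this
    flag: int
    original_size: int
    data_offset: int        # where the AES ciphertext begins

def parse_wncry(blob: bytes) -> WncryHeader:
    """Parse a .WNCRY file header; raises ValueError if it is malformed."""
    if len(blob) < 12 or blob[:8] != MAGIC:
        raise ValueError("missing WANACRY! marker")
    key_len = struct.unpack_from("<I", blob, 8)[0]
    if key_len != 256:  # RSA-2048 output is always exactly 256 bytes
        raise ValueError(f"unexpected wrapped-key length {key_len}")
    data_offset = 12 + key_len + 12
    if len(blob) < data_offset:
        raise ValueError("truncated header")
    wrapped_key = blob[12:12 + key_len]
    flag, original_size = struct.unpack_from("<IQ", blob, 12 + key_len)
    return WncryHeader(key_len, wrapped_key, flag, original_size, data_offset)

def build_fixture(original_size: int, flag: int = 4) -> bytes:
    """Constructed test fixture only: dummy wrapped key and zeroed stand-in ciphertext."""
    padded = -(-original_size // 16) * 16  # AES works on 16-byte blocks
    return (MAGIC + struct.pack("<I", 256) + bytes(range(256))
            + struct.pack("<IQ", flag, original_size) + b"\x00" * padded)
```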

After encryption, a ransom note is displayed, demanding payment to one of three hard‑coded Bitcoin addresses:

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Decryption program

The decryption tool contains the private key matching one of the embedded public keys, allowing it to decrypt demonstration files and lure victims into paying.

If a file named “00000000.dky” (the real private key) exists, the program uses it to decrypt; otherwise it checks for taskhsvc.exe in the extracted Tor directory, generates it if missing, and launches it via CreateProcessA.

The Tor component acts as an anonymous proxy listening on local port 9050, enabling the malware to communicate with its command‑and‑control server.

When the victim clicks “Check Payment”, the server may deliver the private key, which is saved as a .dky file; however, no successful decryption cases have been reported.

File list and purpose

b.wnry – ransom wallpaper
c.wnry – configuration (onion domain, Bitcoin addresses, Tor download URL)
r.wnry – ransom note
s.wnry – zip containing the Tor client
t.wnry – test file
u.wnry – decryption program
f.wnry – list of files that can be decrypted without payment

Security recommendations

Because many attacks exploit the SMB port 445, ISPs often block it for residential users. Campus networks usually leave it open, leading to infections. Recommendations:

Close ports 445 and 139 (see linked guide).

Apply Microsoft patches for MS17‑010 (links for various Windows versions).

Install Tencent PC Manager for proactive protection.

Do not pay the Bitcoin ransom; keep encrypted files and await possible decryption.

Tags: encryption, malware analysis, ransomware, WannaCry, MS17-010
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
