Menu
Browse

Cyber Threat Actor: WannaCry Group

Actor Type Location Known Incidents
 Icon
Nation State
North Korea
9 incidents
Profile

The WannaCry Group, operating under that alias, is a threat actor publicly attributed to North Korea. This entity gained notoriety for orchestrating the globally disruptive WannaCry ransomware campaign in May 2017, which targeted a wide range of sectors including healthcare, energy, telecommunications, government services, transportation, and education across approximately 150 countries. The attack demonstrated a primary objective of widespread operational disruption through data encryption and financial extortion, demanding Bitcoin payments for decryption. Victims spanned critical infrastructure providers like China National Petroleum Corp, telecommunications firms such as Telefonica and MEGAFON, governmental bodies including the UK National Health Service and Brazilian Foreign Ministry, and educational institutions. The campaign's indiscriminate propagation caused cascading failures in payment systems, hospital operations, industrial production, and public services, forcing organizations to suspend network operations and revert to manual processes.

The group exploited the EternalBlue vulnerability in unpatched Microsoft Windows systems as its primary initial access vector, leveraging a tool derived from stolen NSA cyber weapons to enable rapid lateral movement across networks. Their deployment of the WannaCry ransomware encrypted files while demanding ransom payments, demonstrating reliance on worm-like propagation mechanisms for maximum impact. Public attribution by multiple governments to North Korean state-sponsored actors establishes a clear state nexus for the operation. The 2017 campaign remains their most significant publicly documented operation, compromising over 200,000 systems and causing global disruptions that included halted automotive production lines, disabled police databases, inoperable petrol station payment terminals, and paralyzed hospital record systems. Forensic investigations and emergency patching efforts were required to contain the malware's spread and mitigate damages across affected infrastructures.

Incidents
Attributed incidents available to members
8 incidents
Sources
Sources available to members
0 sources