FortiGuard Labs Threat Research

WannaCry: Evolving History from Beta to 2.0

By Kyle Yang | May 15, 2017

The WannaCry malware was responsible for a massive infection that affected organizations and systems around the world. FortiGuard Labs has been monitoring this malware carefully, and has provided an analysis of the attack, along with guidance on how to protect your organization, here. In this blog post I'll briefly describe some of the distinct characteristics of each version of this malware, from the beta to the latest 2.0 version, and share some interesting findings.

Note: More information is available below, as well as in these related blogs:

Protecting Your Organization from the WannaCry Ransomware

Critical Update: WannaCry Ransomware

Beta Version:

We discovered this beta version around Feb 9th, 2017. The author's basic idea was to encrypt "important" files (including files on SMB shared folders) using AES-128. The file encryption routine is almost the same as in the later versions; only the encrypted file format differs. The beta did not have any propagation method yet.


Bitcoin wallet address:

The encrypted file format is the following:

DWORD - 0x8F701CD3, magic header

DWORD - key_length

BYTE[key_length] - AES key encrypted with RSA

QWORD - encrypted_data_length

BYTE[encrypted_data_length] - encrypted data
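To make the layout above concrete, here is a parser and serializer for it. This is an added example, not FortiGuard's code and not the malware's own routine: the field order and widths follow the list above, while little-endian byte order for the DWORD/QWORD fields and the fixture contents are assumptions. No key material is needed, because the RSA-wrapped AES key and the ciphertext are carried as opaque blobs; the point is to validate the structure and locate each field.

```python
"""Parser and serializer for the WannaCry beta encrypted-file layout listed above.

Added example, not FortiGuard's code and not the malware's own routine. Field
order and widths follow the post; little-endian byte order for DWORD/QWORD
fields is an assumption. The RSA-wrapped AES key and the AES-128 ciphertext are
treated as opaque blobs, so no key material is required.
"""
import struct
from dataclasses import dataclass

MAGIC = 0x8F701CD3          # magic header from the post
HEADER_FMT = "<II"          # DWORD magic, DWORD key_length (assumed little-endian)
LENGTH_FMT = "<Q"           # QWORD encrypted_data_length (assumed little-endian)


class FormatError(ValueError):
    """Raised when a blob does not match the beta layout."""


@dataclass
class BetaEncryptedFile:
    wrapped_key: bytes   # AES key encrypted with the author's RSA public key
    ciphertext: bytes    # AES-128 encrypted file body
    trailing: int        # bytes left after the ciphertext (expected to be 0)


def parse_beta_file(blob: bytes) -> BetaEncryptedFile:
    """Walk the fields in order, refusing truncated or mis-tagged input."""
    hdr = struct.calcsize(HEADER_FMT)
    if len(blob) < hdr:
        raise FormatError("truncated: header needs 8 bytes")
    magic, key_len = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != MAGIC:
        raise FormatError(f"bad magic 0x{magic:08X}, expected 0x{MAGIC:08X}")
    off = hdr
    if len(blob) < off + key_len + struct.calcsize(LENGTH_FMT):
        raise FormatError("truncated: wrapped key or data length missing")
    wrapped_key = blob[off:off + key_len]
    off += key_len
    (data_len,) = struct.unpack_from(LENGTH_FMT, blob, off)
    off += struct.calcsize(LENGTH_FMT)
    available = len(blob) - off
    if data_len > available:
        raise FormatError(f"truncated: expected {data_len} data bytes, have {available}")
    ciphertext = blob[off:off + data_len]
    return BetaEncryptedFile(wrapped_key, ciphertext, available - data_len)


def build_beta_file(wrapped_key: bytes, ciphertext: bytes) -> bytes:
    """Inverse of parse_beta_file; useful for building test fixtures."""
    return (struct.pack(HEADER_FMT, MAGIC, len(wrapped_key))
            + wrapped_key
            + struct.pack(LENGTH_FMT, len(ciphertext))
            + ciphertext)


def field_offsets(blob: bytes) -> dict:
    """Map each field to (offset, size) so a hex dump can be annotated."""
    f = parse_beta_file(blob)  # validates the blob first
    key_off = struct.calcsize(HEADER_FMT)
    len_off = key_off + len(f.wrapped_key)
    data_off = len_off + struct.calcsize(LENGTH_FMT)
    return {
        "magic": (0, 4),
        "key_length": (4, 4),
        "wrapped_key": (key_off, len(f.wrapped_key)),
        "encrypted_data_length": (len_off, 8),
        "encrypted_data": (data_off, len(f.ciphertext)),
    }


def looks_like_beta_file(blob: bytes) -> bool:
    """Cheap triage check: magic present and all lengths internally consistent."""
    try:
        return parse_beta_file(blob).trailing == 0
    except FormatError:
        return False


# Constructed fixture (not a real sample): a 256-byte stand-in for a
# 2048-bit RSA-wrapped key and 48 bytes of stand-in ciphertext.
SAMPLE_BLOB = build_beta_file(b"\x11" * 256, b"\x22" * 48)

if __name__ == "__main__":
    parsed = parse_beta_file(SAMPLE_BLOB)
    print(f"wrapped key: {len(parsed.wrapped_key)} bytes, "
          f"ciphertext: {len(parsed.ciphertext)} bytes, "
          f"trailing: {parsed.trailing}")
    for name, (off, size) in field_offsets(SAMPLE_BLOB).items():
        print(f"{name:>22}: offset {off:5d} size {size}")
```

The `trailing` count matters during triage: a file that parses but has bytes after the ciphertext was either appended to or is not this format, so `looks_like_beta_file` treats it as a miss rather than a match. If the on-disk byte order turns out to be big-endian, only the two format strings need to change.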


WannaCry 1.0

We found this version around Mar 28th, 2017. It has some improvement from the beta version, including:

Password-protected compressed resources.

The encryption routine was shipped as a single payload, itself encrypted.

An updated encrypted file format.

An attempt to access files on SMB shared folders using a hardcoded dictionary.

The Tor download link was moved into the cfg file.

A changed hardcoded RSA key.

Bitcoin wallet address:

WannaCry 2.0

The most critical improvement was that it included a propagation method.

Bitcoin wallet address:

During this investigation I found that the author had tried to hide some information unrelated to this malware in the config file, c.wry.

So, let's walk through c.wry backwards, starting from the end of the file.

What you can see in the highlighted lines of these screenshots is the author trying to remove data containing information about the host that could possibly have generated this config file. In the last one you can see the string "KDMS/bitu.skaria". KDMS is the name of a known hacker group. Is the author's name Bitu Skaria? I'll keep looking and keep you posted.
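Reading a config file from the end, as done above, is a way of finding slack that the author left behind after the meaningful fields. Here is a small scanner that does the same thing programmatically: it reports printable ASCII runs and UTF-16LE (Windows wide-string) runs with their offsets, last-in-file first. This is an added example, not the post's or the malware author's code. The post does not give c.wry's layout, so the buffer below is a constructed stand-in with a fake config value followed by leftover host-like strings; nothing in it comes from a real sample.

```python
"""Tail-first string scanner for binary config files.

Added example, not from the post. The buffer is constructed: a fake version
field and config value, padding, then leftover narrow and wide strings of the
kind a careless generator might leave after the real data.
"""
import string

# Printable ASCII minus control whitespace; a space is still allowed.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def printable_runs(blob: bytes, min_len: int = 6) -> list:
    """Forward scan for ASCII runs of at least min_len bytes: [(offset, text)]."""
    runs, start = [], None
    for i, b in enumerate(blob):
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, blob[start:i].decode("ascii")))
            start = None
    if start is not None and len(blob) - start >= min_len:
        runs.append((start, blob[start:].decode("ascii")))
    return runs


def wide_runs(blob: bytes, min_len: int = 6) -> list:
    """Scan for UTF-16LE runs (printable byte, 0x00 pairs): [(offset, text)]."""
    runs, start, i = [], None, 0
    while i + 1 < len(blob):
        if blob[i] in PRINTABLE and blob[i + 1] == 0:
            if start is None:
                start = i
            i += 2
        else:
            if start is not None and (i - start) // 2 >= min_len:
                runs.append((start, blob[start:i].decode("utf-16-le")))
            start = None
            i += 1
    if start is not None and (i - start) // 2 >= min_len:
        runs.append((start, blob[start:i].decode("utf-16-le")))
    return runs


def tail_strings(blob: bytes, min_len: int = 6) -> list:
    """ASCII runs ordered from the end of the file, the way the post reads c.wry."""
    return list(reversed(printable_runs(blob, min_len)))


# Constructed fixture, not a real c.wry: the double NUL after the leftover ASCII
# string keeps the wide scanner from gluing its last byte onto the wide string.
SAMPLE = (
    b"\x01\x00\x00\x00"                  # fake version field
    + b"cfg-entry-one\x00"               # fake config value
    + b"\x00" * 16                       # padding
    + b"leftover-host-data\x00\x00"      # leftover narrow string in the tail
    + "wide-host-01".encode("utf-16-le") # leftover wide string in the tail
)

if __name__ == "__main__":
    for off, text in tail_strings(SAMPLE):
        print(f"ascii @ 0x{off:04x}: {text}")
    for off, text in wide_runs(SAMPLE):
        print(f"wide  @ 0x{off:04x}: {text}")
```

The wide scanner is deliberately strict (every character must be followed by a zero byte), which is why a single ASCII byte directly before a wide string can be pulled into it; when triaging a real file, compare the reported offsets against the parsed structure so that slack after the last real field stands out from legitimate values.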