Information about the WannaCry malware

Kaspersky Lab engineers have analyzed the information on the cases of infection with the file-encrypting malware known as WannaCry, which attacked a number of companies around the world on May, 12. For the attack, the known network vulnerability Microsoft Security Bulletin MS17-010 was used. Then, the rootkit was installed on the infected computers, through which the file-encrypting malware was run.

All Kaspersky Lab solutions now detect this rootkit as MEM:Trojan.Win64.EquationDrug.gen. Kaspersky Lab solutions also detect the encryption malware which was used during this attack under the following names:

  • Trojan-Ransom.Win32.Scatter.uf
  • Trojan-Ransom.Win32.Gen.djd
  • Trojan-Ransom.Win32.Wanna.b
  • Trojan-Ransom.Win32.Wanna.c
  • Trojan-Ransom.Win32.Wanna.d
  • Trojan-Ransom.Win32.Wanna.f
  • Trojan-Ransom.Win32.Zapchast.i
  • Trojan.Win64.EquationDrug.gen
  • PDM:Trojan.Win32.Generic (System Watcher must be enabled for detection of this malware)

We recommend that the companies perform the following actions to minimize the risk of infection:

  • Install the official Microsoft patch, which fixes the vulnerability exploited by this malware.
  • Make sure antivirus solutions are enabled on all nodes in the network.
  • Update databases of all Kaspersky Lab solutions used.

Kaspersky Lab experts are currently analyzing the malware samples to find decryption options. For detailed information about the WannaCry attacks, please refer to the Kaspersky Lab report at

What to do in case of infection?

How to prevent the infection?

Centralized distribution of the Microsoft update through Kaspersky Security Center

How to use the computers safely without installing the Microsoft update