WannaCry ransomware analysis: Samples date back to at least early February 2017

VirusTotal results showing the earliest observed sample of Wannacry ransomware

The WannaCry ransomware worm has spread panic and destruction as it infects hundreds of thousands of systems around the world; a rate not seen since the Blaster and Sasser worms of 2003. WannaCry — also known as WannaCrypt, WannaCryptor, WanaCrypt0r, WCry, or WCrypt — leverages vulnerabilities that Microsoft patched in the March MS17-010 Security Bulletin, after taking the unprecedented step of canceling the February Patch Tuesday.

While collecting samples of WannaCry, I found a sample that predates the worm version. The sample was compiled on February 9th, and uploaded to VirusTotal on February 10th. While compile timestamps can be faked, the closeness to the upload date suggests that the compilation timestamp is legitimate.

Read more