An outbreak of the latest version of “WannaCry” has been claiming victims in several countries. The speed and ferocity of the outbreak has taken many by surprise. Researchers are as yet puzzled as to the origin of the outbreak which hit 11 countries within just three hours. So far Spain and Russia were are among those who were hit hardest.

Like a bolt from the blue

In the early morning hours (CET) of Friday, May 12, a sizeable wave of infections with the latest iteration of the WCry / WannaCry ransomware was spotted. Researchers are not sure where the sudden onslaught came from, but suspicions currently include bot nets, exploit kits, infected emails or malicious advertizing (also called malvertizing). In Spain,  Telefónica, a major ISP, was hit with an infection on one of their internal servers. From there, things escalated to a point where IT staff are reaching out to employees to shut down their computers immediately. They were also asked to cut any VPN connections in order to stop the ransomware from ravaging more parts of the company’s network. According to Spanish newspaper El Mundo , some utility companies had their networks affected in a similar fashion. According one data source, Russia has reported the highest number of infections.

So far the extent of the damage is unknown.


The unfolding events make it abundantly clear that ransomware is a problem for companies of all sizes.
Since utilities and telecommunications are considered “essential and critical infrastructure”, adequate measures must be take to secure those.


Virus signatures should be updated immediately.
G DATA customers are protected. The WannaCry ransomware is detected by all of G DATA’s solutions as Win32.Trojan-Ransom.WannaCry.A.

Since the vulnerability was addressed in the March update for Windows, updates should be installed as soon as possible. In addition to this, Microsoft has also released a mitigation patch for some legacy versions of Windows which should also be applied immediately.

File-based IOCs

EXE files

“09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa” [Win32.Trojan-Ransom.WannaCry.A]
“ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa” [Win32.Trojan-Ransom.WannaCry.A
]”2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd” [Win32.Trojan-Ransom.WannaCry.A]
“24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c” [Win32.Trojan-Ransom.WannaCry.D]
“4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982” [Win32.Trojan-Ransom.WannaCry.D]
“6bf1839a7e72a92a2bb18fbedf1873e4892b00ea4b122e48ae80fac5048db1a7” [Win32.Trojan-Ransom.WannaCry.D]
“b3c39aeb14425f137b5bd0fd7654f1d6a45c0e8518ef7e209ad63d8dc6d0bac7” [Win32.Trojan-Ransom.WannaCry.D]
“b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25  [Win32.Trojan-Ransom.WannaCry.E]

“CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.E1E” [Win32.Trojan-Ransom.WannaCry.F]

WannaCry Batch component:
“f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077” [BAT.Trojan-Ransom.WannaCry.C]

WannaCry VBS-component:
“51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b” [Script.Trojan-Ransom.WannaCry.B]

WannaCry Shortcut:
“a3b014598d6313c96ab511dc56028ef36f8bafde7f592a1329238718e1c29813” [Win32.Trojan-Ransom.WannaCryLnk.A]
File extension:

Ransom note: @[email protected]

Network-based IoCs

The “genuine” WannaCry dropper attempts to contact the following web address:


This is the original “killswitch” domain.

Preview image credit: MalwareHunter