Warning: Massive “WannaCry” Ransomware campaign launched

In the early morning hours (CET) of Friday, May 12, a sizeable wave of infections with the latest iteration of the WCry / WannaCry ransomware was spotted. Researchers are not sure where the sudden onslaught came from, but suspicions currently include bot nets, exploit kits, infected emails or malicious advertizing (also called malvertizing). In Spain,  Telefónica, a major ISP, was hit with an infection on one of their internal servers. From there, things escalated to a point where IT staff are reaching out to employees to shut down their computers immediately. They were also asked to cut any VPN connections in order to stop the ransomware from ravaging more parts of the company’s network. According to Spanish newspaper El Mundo , some utility companies had their networks affected in a similar fashion. According one data source, Russia has reported the highest number of infections.

So far the extent of the damage is unknown.

The unfolding events make it abundantly clear that ransomware is a problem for companies of all sizes.
Since utilities and telecommunications are considered “essential and critical infrastructure”, adequate measures must be take to secure those.

Virus signatures should be updated immediately.
G DATA customers are protected. The WannaCry ransomware is detected by all of G DATA’s solutions as Win32.Trojan-Ransom.WannaCry.A.

Since the vulnerability was addressed in the March update for Windows, updates should be installed as soon as possible. In addition to this, Microsoft has also released a mitigation patch for some legacy versions of Windows which should also be applied immediately.

EXE files

“ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa”
“09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa” [Win32.Trojan-Ransom.WannaCry.A]
“ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa” [Win32.Trojan-Ransom.WannaCry.A
]”2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd” [Win32.Trojan-Ransom.WannaCry.A]
“24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c” [Win32.Trojan-Ransom.WannaCry.D]
“4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982” [Win32.Trojan-Ransom.WannaCry.D]
“6bf1839a7e72a92a2bb18fbedf1873e4892b00ea4b122e48ae80fac5048db1a7” [Win32.Trojan-Ransom.WannaCry.D]
“b3c39aeb14425f137b5bd0fd7654f1d6a45c0e8518ef7e209ad63d8dc6d0bac7” [Win32.Trojan-Ransom.WannaCry.D]
“b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25  [Win32.Trojan-Ransom.WannaCry.E]

DLL:
“CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.E1E” [Win32.Trojan-Ransom.WannaCry.F]

WannaCry Batch component:
“f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077” [BAT.Trojan-Ransom.WannaCry.C]

WannaCry VBS-component:
“51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b” [Script.Trojan-Ransom.WannaCry.B]

WannaCry Shortcut:
“a3b014598d6313c96ab511dc56028ef36f8bafde7f592a1329238718e1c29813” [Win32.Trojan-Ransom.WannaCryLnk.A]
File extension:

.wncry
Ransom note: @[email protected]

https://twitter.com/malwrhunterteam/

The “genuine” WannaCry dropper attempts to contact the following web address:

hxxp[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

This is the original “killswitch” domain.

Preview image credit: MalwareHunter