An outbreak of the latest version of “WannaCry” has been claiming victims in several countries. The speed and ferocity of the outbreak have taken many by surprise. Researchers are as yet puzzled as to the origin of the outbreak, which hit 11 countries within just three hours. So far, Spain and Russia are among the countries hit hardest.
Like a bolt from the blue
In the early morning hours (CET) of Friday, May 12, a sizeable wave of infections with the latest iteration of the WCry / WannaCry ransomware was spotted. Researchers are not sure where the sudden onslaught came from, but suspicions currently include botnets, exploit kits, infected emails or malicious advertising (also called malvertising). In Spain, Telefónica, a major ISP, was hit with an infection on one of their internal servers. From there, things escalated to the point where IT staff were reaching out to employees to shut down their computers immediately. Employees were also asked to cut any VPN connections in order to stop the ransomware from ravaging more parts of the company’s network. According to the Spanish newspaper El Mundo, some utility companies had their networks affected in a similar fashion. According to one data source, Russia has reported the highest number of infections.
So far the extent of the damage is unknown.
Implications
The unfolding events make it abundantly clear that ransomware is a problem for companies of all sizes.
Since utilities and telecommunications are considered “essential and critical infrastructure”, adequate measures must be taken to secure them.
Countermeasures
Virus signatures should be updated immediately.
G DATA customers are protected. The WannaCry ransomware is detected by all of G DATA’s solutions as Win32.Trojan-Ransom.WannaCry.A.
Since the vulnerability was addressed in the March update for Windows, updates should be installed as soon as possible. In addition to this, Microsoft has also released a mitigation patch for some legacy versions of Windows which should also be applied immediately.
File-based IOCs
EXE files
“09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa” [Win32.Trojan-Ransom.WannaCry.A]
“ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa” [Win32.Trojan-Ransom.WannaCry.A]
“2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd” [Win32.Trojan-Ransom.WannaCry.A]
“24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c” [Win32.Trojan-Ransom.WannaCry.D]
“4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982” [Win32.Trojan-Ransom.WannaCry.D]
“6bf1839a7e72a92a2bb18fbedf1873e4892b00ea4b122e48ae80fac5048db1a7” [Win32.Trojan-Ransom.WannaCry.D]
“b3c39aeb14425f137b5bd0fd7654f1d6a45c0e8518ef7e209ad63d8dc6d0bac7” [Win32.Trojan-Ransom.WannaCry.D]
“b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25” [Win32.Trojan-Ransom.WannaCry.E]
DLL:
“1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830” [Win32.Trojan-Ransom.WannaCry.F]
WannaCry Batch component:
“f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077” [BAT.Trojan-Ransom.WannaCry.C]
WannaCry VBS-component:
“51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b” [Script.Trojan-Ransom.WannaCry.B]
WannaCry Shortcut:
“a3b014598d6313c96ab511dc56028ef36f8bafde7f592a1329238718e1c29813” [Win32.Trojan-Ransom.WannaCryLnk.A]
File extension:
.wncry
Ransom note: @[email protected]
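The file-based indicators above can be turned directly into a host check. The script below is an added example and not G DATA's own tooling: it hashes every file under a directory, looks the SHA-256 up against the hashes listed in this post, and separately flags files carrying the .wncry extension (which indicates a file the ransomware has already encrypted, not a malware component). The demo() function builds a constructed sample tree of harmless files so the scan can be tried offline; the directory layout and file names in it are invented.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes and detection names copied from the IoC list in this post.
WANNACRY_SHA256 = {
    "09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa": "Win32.Trojan-Ransom.WannaCry.A",
    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa": "Win32.Trojan-Ransom.WannaCry.A",
    "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd": "Win32.Trojan-Ransom.WannaCry.A",
    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c": "Win32.Trojan-Ransom.WannaCry.D",
    "4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982": "Win32.Trojan-Ransom.WannaCry.D",
    "6bf1839a7e72a92a2bb18fbedf1873e4892b00ea4b122e48ae80fac5048db1a7": "Win32.Trojan-Ransom.WannaCry.D",
    "b3c39aeb14425f137b5bd0fd7654f1d6a45c0e8518ef7e209ad63d8dc6d0bac7": "Win32.Trojan-Ransom.WannaCry.D",
    "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25": "Win32.Trojan-Ransom.WannaCry.E",
    "1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830": "Win32.Trojan-Ransom.WannaCry.F",
    "f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077": "BAT.Trojan-Ransom.WannaCry.C",
    "51432d3196d9b78bdc9867a77d601caffd4adaa66dcac944a5ba0b3112bbea3b": "Script.Trojan-Ransom.WannaCry.B",
    "a3b014598d6313c96ab511dc56028ef36f8bafde7f592a1329238718e1c29813": "Win32.Trojan-Ransom.WannaCryLnk.A",
}
# Extension the ransomware appends to files it has encrypted (from the post).
RANSOM_EXTENSION = ".wncry"


def sha256_of_file(path):
    """Stream the file through SHA-256 so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def lookup_hash(hex_digest):
    """Detection name for a known WannaCry hash, or None; comparison is case-insensitive."""
    return WANNACRY_SHA256.get(hex_digest.strip().lower())


def classify_file(path):
    """Findings for one file: a known-bad hash and/or the encrypted-file extension."""
    p = Path(path)
    findings = []
    name = lookup_hash(sha256_of_file(p))
    if name:
        findings.append(("known-wannacry-component", name))
    if p.suffix.lower() == RANSOM_EXTENSION:
        findings.append(("encrypted-by-wannacry", p.name))
    return findings


def scan_tree(root):
    """Walk a directory tree and map each flagged path to its findings."""
    results = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            try:
                findings = classify_file(full)
            except OSError:
                continue  # unreadable or locked file: skip it rather than abort the scan
            if findings:
                results[full] = findings
    return results


def demo():
    """Build a constructed sample tree (harmless text, no real malware) and scan it."""
    root = tempfile.mkdtemp(prefix="wncry-demo-")
    Path(root, "docs").mkdir()
    Path(root, "docs", "quarterly.xlsx.WNCRY").write_bytes(b"constructed ciphertext")
    Path(root, "docs", "readme.txt").write_bytes(b"harmless sample text")
    Path(root, "notes.docx.wncry").write_bytes(b"constructed ciphertext")
    hits = scan_tree(root)
    # Report paths relative to the sample root, with forward slashes on every OS.
    return {Path(k).relative_to(root).as_posix(): v for k, v in hits.items()}


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, findings)
```

Run it as-is to see the constructed demo, or call scan_tree() on a real share. A hash hit names a component of the malware itself and should be escalated; an extension hit only tells you which data has already been encrypted, which is useful for scoping the damage but does not by itself locate the running sample.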
Network-based IoCs
The “genuine” WannaCry dropper attempts to contact the following web address:
hxxp[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
This is the original “killswitch” domain.
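Because the dropper reaches out to this domain when it runs, a DNS query for it from an internal host is a strong signal that the sample has executed there. The script below is an added example, not part of the original post: it refangs the defanged address above, extracts the host name, and runs a set of constructed DNS resolver log lines through a matcher that also catches the www-less and upper-case forms of the name. The log format (timestamp, client IP, "query", record type, name) is an assumption chosen for the example; adapt the regular expression to your resolver's format.

```python
import re
from urllib.parse import urlsplit

# Defanged address exactly as given in the post.
DEFANGED_KILLSWITCH = "hxxp[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed resolver log lines (assumed format: ts client "query" qtype name).
SAMPLE_DNS_LOG = [
    "2017-05-12T07:02:11Z 10.0.4.17 query A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2017-05-12T07:02:12Z 10.0.4.17 query A www.example.com",
    "2017-05-12T07:05:40Z 10.0.9.3 query A WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.",
    "2017-05-12T07:06:01Z 10.0.9.8 query A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.example.org",
    "this line is not a query record",
]

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<name>\S+)")


def refang(indicator):
    """Turn a defanged URL back into a parsable one: hxxp -> http, [:] -> :, [.] -> ."""
    return (indicator.replace("hxxps", "https").replace("hxxp", "http")
            .replace("[:]", ":").replace("[.]", "."))


def hostname_of(indicator):
    """Host name of a (possibly defanged) URL, lower-cased, without a trailing dot."""
    return urlsplit(refang(indicator)).hostname.lower().rstrip(".")


def matches_domain(queried, indicator_host):
    """True if the queried name is the indicator's domain or any label under it."""
    q = queried.lower().rstrip(".")
    # Drop a leading "www." so queries for the bare domain are matched as well.
    base = indicator_host[4:] if indicator_host.startswith("www.") else indicator_host
    return q == base or q.endswith("." + base)


def find_killswitch_queries(log_lines, indicator=DEFANGED_KILLSWITCH):
    """Return (timestamp, client, queried name) for every line that hits the indicator."""
    host = hostname_of(indicator)
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a query record in the assumed format
        if matches_domain(m["name"], host):
            hits.append((m["ts"], m["client"], m["name"]))
    return hits


if __name__ == "__main__":
    for ts, client, name in find_killswitch_queries(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {name}")
```

The suffix check is deliberate: a name such as iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.example.org is not under the indicator's domain and must not be reported, while the trailing-dot and upper-case forms some resolvers log are. Use the result as a detection signal to find hosts that have run the dropper; since the sample consults this domain before it starts encrypting, silently black-holing it at the resolver or proxy would remove the kill switch's protective effect.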
Preview image credit: MalwareHunter