Experts at RedSocks analyzed the massive WannaCry Ransomware attack

Pierluigi Paganini May 14, 2017

Currently we are seeing a large scale WannaCry ransomware outbreak. This ransomware outbreak is more devastating than others because it spreads laterally. Enjoy the RedSocks ‘s analysis.

Who does it affect:
Any Windows computer without Windows Patch MS17-010.

What to do:
Apply patch MS17-010 immediately.

MS17-010
The key factor in the ‘success’ of this malware strain called WannaCry is its lateral movement within networks. To achieve lateral network it levarages a bug in Windows SMBv1 and SMBv2. This bug has been found by the NSA and recently cybercriminals that call themselves “The Shadow Brokers” released all of the details of this bug to the public.

On March 14th Microsoft officially released a patch for this bug. And today May 12th Cyber criminals have been successfull in implementing this bug in their malware strain. Resulting in the damage we see today.

Impact
Spreading of this Ransomware strain starts through the normal routes. A spam email is sent containing a malicious link or a malicious document. Once a target activates the malware by either clicking the link or opening the document the malware will hold the computer hostage until a ransom is paid. It does this by encrypting all of the files on the system with an encryption key.
Once a ransom is paid a decryption key is supplied to the customer to decrypt the computer and its files.

Thus far this is ‘normal’ ransomware behaviour. But this malware starts, once a victim is infected scanning the internal network looking for vulnerable other Windows system that didn’t apply the MS17-010 patch. If it finds a vulnerable system it will infect that system as well.

The problem here is that often a company wide policy is applied to roll out patches. Especially in hospitals the IT department doesn’t directly roll out patches. They don’t do this because they are afraid systems might break because of the patch and want to test the patch first. This means, that if one computer within a company gets infected and the MS17-010 patch is not applied company wide… All of the Windows systems will get infected with the malware.

You can have as many backups as you want, but fighting a malware outbreak that infects all your Windows systems is very hard to combat. Anyone can imagine the impact of all Windows computers being disabled.

MS17-010 vs MS08-067
MS17-010 has close similarity with a previous patch named MS08-067. MS08-067 is a very famous bug within hacker communities because almost always guarantees you access within a network. Even after almost 10 years this bug is still very useful for penetration testers.

During the release of patch MS08-067 a major malware outbreak came to light. The malware responsible at the time was Conficker. Conficker spread all over the world and infected computers in many countries causing a lot of problems.

Conficker vs WannaCry
The difference between the Conficker malware at the time and this version of ransomware called WannaCry is that Conficker basically infected the computer but didn’t affact the computers ability to function and perform basic tasks. It did hower download additional malware and tried to install fake antivirus. The WannaCry malware however is completely different. This malware strain basically cripples the computers capabilities. Normal tasks the computer performs cannot be done anymore. The computer besically stops working untill you pay the ransom.Because of this difference the devastating effect WannaCry will cause will be exceptionally bigger.

We have one advice. Apply patch MS17-010 NOW.

BEWARE OF BOGUS RANSOMWARE REMOVAL TOOLS 
There is a massive rise in malware removal sites that use malware outbreaks to earn an online revenue. Some of these sites are bogus sites that provide random instructions to lure unaware users to install fake removal tools. These tools can lead into total annihilation of any success of recovering from an ransomware attack.

We strongly advise everyone not to download a random ransomware removal tool from any untrusted online source. These tools will be used against you.

UPDATE from RedSocks Malware Intelligence Team:

Indicators of Compromise

The RedSocks Malware Intelligence Team has made a collection of WannaCry ransomware indicators of compromise.

Sidenote; The Dutch language pack was seen in the WannaCry ransomware campaign. This indicates that preparations were made by the cybercriminals to handle Dutch infected clients, despite the fact that no infections have been seen in The Netherlands up till this moment.

The following language packs were found:

m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

WannaCry ransomware

Sidenote2: The WannaCry Ransomware kill switch has been activated, although, this does not mean that other cybercriminals will not adapt the cyber kill chain of the WannaCry ransomware campaign, another posibility is of course that the cybercriminals will remove the Kill Switch from the source code.

Filetypes used by the campaign:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

Hardcoded Bitcoin payment addresses

https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

WannaCry SHA256 Hashes

01b628fa60560c0cb4a332818cb380a65d0616d19976c084e0c3eaa433288b88

02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

03363f9f6938f430a58f3f417829aa3e98875703eb4c2ae12feccc07fff6ba47

0345782378ee7a8b48c296a120625fd439ed8699ae857c4f84befeb56e727366

03b41fac10c02b67c99a9f2a462055df590f26f86a5dfe1b15940a6bcfad0d83

043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2

09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa

09dc146765eb44849c4fca7eed228efc82a02132968245e613e163799c318a23

0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894

0b1ea4458dbc6e6f71c8c548da2d2ef21cc51d938240b2168252c188a797d5dc

0bb221bf62d875cca625778324fe5bd6907640f6998d21f3106a0447aabc1e3c

0c2d3094ce5f7b2d5aa1788503e37b8db2e550d10a87650e6a0c4dcca2af8ff6

0d9eb4c1de7622e13ccd4dcde11fec95d6662152f6ef5e3ebf1fdc8195596175

0fc245e8a1134e31b7687fb7501faa05628813c87b9561ee26f2092cb76e5a36

11011a590796f6c52b046262f2f60694310fa71441363d9116ada7248e58509a

112e2973f11414b94df3ec9547eaa717765d7c06646bc606f2a6d48407013422

11d0f63c06263f50b972287b4bbd1abe0089bc993f73d75768b6b41e3d6f6d49

12d67c587e114d8dde56324741a8f04fb50cc3160653769b8015bc5aec64d20b

146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

149601e15002f78866ab73033eb8577f11bd489a4cea87b10c52a70fdf78d9ff

16493ecc4c4bc5746acbe96bd8af001f733114070d694db76ea7b5a0de7ad0ab

16a2a471038f5e4e79c816ceb0c2eb272463c37268b7b4e845f287f5027f070d

190d9c3e071a38cb26211bfffeb6c4bb88bd74c6bf99db9bb1f084c6a7e1df4e

191f3e94249f21fb596b4dba7eb197ab89bacae93f1b1fdbd9db733904bd5438

1be07198c324c9732d4e2676945ec021eeacd78775aea2100f49ca0483d3f901

1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830

1e6753f948fa648ef9e0d85795b7f090968ee1f240efc0628283776ea55ccb0f

1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9

22ccdf145e5792a22ad6349aba37d960db77af7e0b6cae826d228b8246705092

23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

285411b4f4df1af43dac8cc84309ff7d0c252aa282686a0d4eb4641f58f6133f

2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e

2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

2d8b8a8000817d3cfe118c68c4d99068e8bcb7fa64df88e1698e1db73a268373

302c232e07e6a30ae1612360570d1fbfdea1631e2589f8f23e7aa931c83c2550

31c2024d0df684a968115e4c3fc5703ef0ea2de1b69ece581589e86ba084568a

3dcbb0c3ede91f8f2e9efb0680fe0d479ff9b9cd94906a86dec415f760c163e1

3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9

3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982

452ecb2ea7b73fa14756fed95602b18a31c8858d60e1def81244bb2ceb2551ed

498b8b889bb1f02a377a6a8f0e39f9db4e70cccad820c6e5bc5652e989ae6204

49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

4b76e54de0243274f97430b26624c44694fbde3289ed81a160e0754ab9f56f32

4c69f22dfd92b54fbc27f27948af15958adfbc607d68d6ed0faca394c424ccee

4d67e6c708062e970d020413e460143ed92bebd622e4b8efd6d6a9fdcd07bda8

5078f8440c25ddb5b85beb8edeae143c716a1a01c8a49c5a8d856cf507510c96

519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4

57e3e45af5b9e84b8a548765f90e2232d471535f2844f5196107a24de9f63624

593bbcc8f34047da9960b8456094c0eaf69caaf16f1626b813484207df8bd8af

5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec

5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6

5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9

5d8123db7094540954061ab1fbc56eedcd9e01110b62d0f54206e3e75a39776a

5dee2ac983640d656f9c0ef2878ee34cda5e82a52d3703f84278ac372877346d

5f2b33deee53390913fd5fb3979685a3db2a7a1ee872d47efc4f8f7d9438341f

63bd325cc229226377342237f59a0af21ae18889ae7c7a130fbe9fd5652707af

63c8a30963265353532d80a41cae5d54b31e5c2d6b2a92551d6f6dcadd0dedeb

646a30f6c9a5e5e3801cfa926c87fc18da395aac86ec0bfd3d0305b45333d384

64cd767309a68a963679a5d2807adc364793d229a5e3dd5c63269d48d823a78c

67eaab37318df65a2ee8480b4a408f7ba823a2f15eb6d23af0aca28a9cca1d27

67eedfe3f13e2638de7d028aaf1e116410562cc5d15a9e62a904f758770dc6bf

68a033e7f563a015386435ca54fe03df4929eea561c5fef2419312d838906af9

6bf1839a7e72a92a2bb18fbedf1873e4892b00ea4b122e48ae80fac5048db1a7

6cb7e4f6539ee9f9107922549d83860399ffc1eb3adb177defde52b1eec1eb3d

6cefed15f21b9e2a50536ed1b58f94b889c58c71e64bfd304183f9e49354ab25

6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

6ed7f244f54f500c1606ba09d92fc2e6989eb9222423e6e8b5e94d3e65ab0376

70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

7108d6793a003695ee8107401cfb17af305fa82ff6c16b7a5db45f15e5c9e12d

72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf

78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

7966d843e5760ece99bd32a15d5cd58dc71b1324fdc87e33be46f377486a1b4b

7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545

7bb9ea2c0f53fa96883c54fa4b107764a6319f6026e4574c9feec2cb7d9e7d21

7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff

7e369022da51937781b3efe6c57f824f05cf43cbd66b4a24367a19488d2939e4

7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

812fedc37236d3d91ff8fd3d34cf8f185f2ce3d6c55acbe8529a80230e535253

8321dfdf54fa41c6ef19abe98df0f5ef80387790e8df000f6fd6dc71ea566c07

845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

84b1d8023123d575eccd1b917d93a5ca9d70e41dcc14c88a6a6b21ecae7bd57d

85466f30e0bdf20bcf6a9860a75ce3ad28673e984ee0e3edaa2123e80b9b6d44

85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186

871d6c43cc02afc9fa156ab9aa8a2d15fbff0e4c22cb633ccdde57e1116986df

88be9ee3ce0f85086aec1f2f8409247e8ab4a2a7c8a07af851f8df9814adeee5

8ef566726496c895c55f4c565363fe607f0f7c7dd3d38b584b1f0ad439c922bb

90245f11ccd958849f9237bc51a6e28dfa0cedff9d74b8273f7d77be5b4cc3b9

940dec2039c7fca4a08d08601971836916c6ad5193be07a88506ba58e06d4b4d

99c0d50b088df94cb0b150a203de6433cb97d4f8fd3b106ce442757c5faa35c4

9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640

9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

9cc32c94ce7dc6e48f86704625b6cdc0fda0d2cd7ad769e4d0bb1776903e5a13

9f670327f8810a5de0a83d56a211f0f0251c348a9178de5e9ce783780abe7ac6

9fb39f162c1e1eb55fbf38e670d5e329d84542d3dfcdc341a99f5d07c4b50977

9fc129c37c545ec23b3c59e3319d31509cb9ecdd2eeed90ff8a1a99a39bfcd1c

a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

a0be20c014e384c5f38847723d11a20c82a34315f8303a2825df6f352ca29503

a141e45c3b121aa084f23ebbff980c4b96ae8db2a8d6fde459781aa6d8a5e99a

a1d23db1f1e3cc2c4aa02f33fec96346d9d5d5039ffc2ed4a3c65c34b79c5d93

a2726df3632eba623ebb76c373ec44ba733af9483326bab4cc6a6efc67f5d566

a373b58673e8434d7ee58f277336482738dbda610874c9b8b992969f67ad334e

a3900daf137c81ca37a4bf10e9857526d3978be085be265393f98cb075795740

a50d6db532a658ebbebe4c13624bc7bdada0dbf4b0f279e0c151992f7271c726

a582f0fc7b605f4d9370677ec4618b62bc77dd72711f76c18b3856e2f3145e18

a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b

a93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3

aa98d85b6a5a50c91899824a6f6fac52d9580e91e1d6390610d520f66d1ce49f

ac7f0fb9a7bb68640612567153a157e91d457095eadfd2a76d27a7f65c53ba82

aea79945c0f2f60de43193e1973fd30485b81d06f3397d397cb02986b31e30d9

aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c

b3c39aeb14425f137b5bd0fd7654f1d6a45c0e8518ef7e209ad63d8dc6d0bac7

b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c

b47e281bfbeeb0758f8c625bed5c5a0d27ee8e0065ceeadd76b0010d226206f0

b4d607fae7d9745f9ced081a92a2dcf96f2d0c72389a66e20059e021f0b58618

b55d23b9df8ffe5678234a2ebc473afb3024015c2a79dfef33a1824d08396139

b66db13d17ae8bcaf586180e3dcd1e2e0a084b6bc987ac829bbff18c3be7f8b4

b845c58ec3a55933e967b0d4f00c2c0d1f91174cf9f301ca2c889c9f80a3bd1c

b8611a4468acb1c980282182eb10d2d9de7518753d1621018f0b99d337028af8

b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

bb829a0394fb865eed381eb77ac9de039ad19e0f2318baaf9483b4f817250021

bbc793daa67196de6bcf441ced5df0745300ba6bc8ca43da32e9000b42055b9e

bc8136b40b4164afcbcb4e14f6fd54ca02275ff75b674eb6fd0a8f436f9b1181

bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

c1f929afa37253d28074e8fdaf62f0e3447ca3ed9b51203f676c1244b5b86955

c354a9a0bbb975c15e884916dce251807aae788e68725b512a95f7b580828c64

c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9

c73633e55a1d66af88a3dc2d46e7d47e0a47ce0bab0930a70b97b003adafc9af

c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

ceb51f66c371b5233e474a605a945c05765906494cd272b0b20b5eca11626c61

d06292618fa7ff675d8e4d0989e28387653b8196d5e4cbe9a3bf4b8c07421ea2

d37ab2f01db94d29e94d148ee7c90aa1aa8783fda65062ba457c36ca42ae6662

d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

d849067bf9365d99088cbb935a98477cd38519e3ab8ac1bfe662588f8177d22d

d8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127

dca3aaeb2070f63e2ee7c6971e41ef3a9ac2f93885d9cdc317b76035e9114cc6

dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696

e0ec1ad116d44030ad9ef5b51f18ff6160a227a46ffcf64693335c7fb946fad6

e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

e14f1a655d54254d06d51cd23a2fa57b6ffdf371cf6b828ee483b1b1d6d21079

e1ea721788c025755fcefee42347f1e2ff42a6cb374df04c5ea310cc5258d044

e2d1e34c79295e1163481b3683633d031cab9e086b9ae2ac5e30b08def1b0b47

e58b5c6e6cb8798a528d5bb76f7d13eaad206506da12c860bc33553cf0f1c251

e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

e8450dd6f908b23c9cbd6011fe3d940b24c0420a208d6924e2d920f92c894a96

e989935bb173c239a2b3c855161f56de7c24c4e7a79351d3a457dbf082b84d7b

ec9d3423338d3a0bfccacaf685366cfb8a9ece8dedbd08e8a3d6446a85019d3a

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

ed12621045bc438241b4a1b12da4a7f2f8f841324083b7d2405d80dbbe8fa2f2

eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb

f5cbff5c100866dd744dcbb68ee65e711f86c257dfcc41790a8f63759220881e

f6101718090f0f7796ed000b9a612f6c4ef4ab920ee99ac25bbb4e3eaaa41b75

f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494

f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85

faea58c7f806db86d3ab5590b57f0112a55e028d41f544fb6622cb057196d930

fb1cec49c659a35d8529e318437ff46e33fe52d8e39e921bc2e6b6b775fd2626

fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a

C&C Domain indicators of compromise

57g7spgrzlojinas.onion

76jdd2ir2embyv47.onion

cwwnhwhlz52maqm7.onion

gx7ekbenv2riucmf.onion

sqjolphimrr7jqw6.onion

xxlvbrloxvriy2c5.onion

DO NOT Block – URL KILLSWITCH

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/favicon.icoiuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/

Our advice:

  • Apply patch MS17-010 NOW
  • Until patches are applied, considering blocking zip attachments on your firewall
  • For home users, run windows update
  • Monitor TOR activity

About the Author Niels Groeneveld

Senior Threat Intelligence Analyst at RedSocks Security

Original post available also on RedSocks Website.

[adrotate banner=”9″]

Published by Pierluigi Paganini

(Security Affairs – WannaCry ransomware, cybercrime)

[adrotate banner=”13″]



you might also like

leave a comment