Despite the quick thinking of a security researcher that activated a short circuit domain that was coded into the Wannacry (Or WCRY) ransomware bot the infections continue to grow. Yesterday we took a snapshot while in the soc and it showed that while there were a few infection vectors that the activity was pretty much contained to those systems that were not currently up to date on their patches. After taking the snapshot we setup a saved dashboard so we could track the activity over the next few days and the data shows that the problem is growing despite warnings from security experts to patch those Windows systems.
Attackers noted at 2AM EST 13 May 2017
So we decided to check this evening to see if things were stabilizing or getting worse.
Attackers noted at 11:55PM EST 13 May 2017
As you can see the attackers are having great success and the number of infection vectors are growing.
What is Wannacry (WCRY)?
Wanna Decryptor, also known as WannaCry or wcry, is a specific ransomware program that locks all the data on a computer system and leaves the user with only two files: instructions on what to do next and the Wanna Decryptor program itself.
When the software is opened it tells computer users that their files have been encryted, and gives them a few days to pay up, warning that their files will otherwise be deleted. It demands payment in Bitcoin, gives instructions on how to buy it, and provides a Bitcoin address to send it to.
Most computer security companies have ransomware decryption tools that can bypass the software.
It was used in a major cyber attack that affected organisations across the world including the NHS and Telefonica in Spain.
The Jigsaw Security SOC is monitoring the situation. While our customers have been lucky we have been working nearly non-stop since this outbreak to assist others that have not been so fortunate. In addition to being a threat on the Internet some users are reporting infections via unsecured SMB shares.
Threat Intel Platform Related Events: 9494, 9459, 9489, 9486
Indicators of Compromise for Wannacry (WCRY):
SHA256 Hashes:
09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa 11d0f63c06263f50b972287b4bbd1abe0089bc993f73d75768b6b41e3d6f6d49 149601e15002f78866ab73033eb8577f11bd489a4cea87b10c52a70fdf78d9ff 16493ecc4c4bc5746acbe96bd8af001f733114070d694db76ea7b5a0de7ad0ab 190d9c3e071a38cb26211bfffeb6c4bb88bd74c6bf99db9bb1f084c6a7e1df4e 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
593bbcc8f34047da9960b8456094c0eaf69caaf16f1626b813484207df8bd8af 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec
9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640 9fb39f162c1e1eb55fbf38e670d5e329d84542d3dfcdc341a99f5d07c4b50977 b3c39aeb14425f137b5bd0fd7654f1d6a45c0e8518ef7e209ad63d8dc6d0bac7 b47e281bfbeeb0758f8c625bed5c5a0d27ee8e0065ceeadd76b0010d226206f0 b66db13d17ae8bcaf586180e3dcd1e2e0a084b6bc987ac829bbff18c3be7f8b4 b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
6bf1839a7e72a92a2bb18fbedf1873e4892b00ea4b122e48ae80fac5048db1a7
7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff
d8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127
f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85
e8450dd6f908b23c9cbd6011fe3d940b24c0420a208d6924e2d920f92c894a96 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
e14f1a655d54254d06d51cd23a2fa57b6ffdf371cf6b828ee483b1b1d6d21079
MD5 Hashes:
4fef5e34143e646dbf9907c4374276f5
b0ad5902366f860f85b892867e5b1e87 5bef35496fcbdbe841c82f4d1ab8b7c2 775a0631fb8229b2aa3d7621427085ad 7bf2b57f2a205768755c07f238fb32cc 7f7ccaa16fb15eb1c7399d422f8363e8 8495400f199ac77853c53b5a3f278f3e 84c82835a5d21bbcf75a61706d8ab549 86721e64ffbd69aa6944b9672bcabb6d 8dd63adb68ef053e044a5a2f46e0d2cd d6114ba5f10ad67a4131ab72531f02da db349b97c37d22f5ea1d1841e3c89eb4 e372d07207b4da75b3434584cd9f3450 f529f4556a5126bba499c26d67892240
TOR Communications: gx7ekbenv2riucmf.onion sqjolphimrr7jqw6.onion xxlvbrloxvriy2c5.onion
57g7spgrzlojinas.onion
cwwnhwhlz52maqm7.onion
76jdd2ir2embyv47.onion
Note: These are the indicators that have been released publicly. Jigsaw customers wishing to get all of the details on this malware can login to our Threat Intelligence Portal. Those customers using Jigsaw Endpoint Protection have been protected from this attack since February 2017 even before Microsoft issued the patch that removes the vulnerability from Windows machines.
Keywords: Windows, NSA related malware exploit that has been armed for attack, worm.
We fully expect that this activity will continue to get worse with more infections as this malware makes its rounds.
Getting access to Jigsaw Security Threat Intelligence: Those wishing to have access to our threat intelligence can request access here.
Analyst Update 16 May 2017
Update: On 16 May 2017 Crowdstrike put out an alert bulleting CSA-17124 that indicated that they found samples from February as well. We told you yesterday that we believed based on the earlier sample that this attack was the work of North Korea and we stand by that assessment. In addition to the activity in 2017 we saw additional activity on this in 2015 and the exploit being used as far back as 2012. We blocked this activity after seeing the activity in February 2017 so all of our customers were protected prior to this incident.