Threat Flash Alert
WCry Ransomware Worming Across Globe
20170512:2138

Summary

Wanacrypt 2.0 (WCry) ransomware has been propagating across the globe and has infected over 45,000 devices. The ransomware takes advantage of a Microsoft SMB vulnerability that is patched via bulletin MS17-010.

Upon infection, the computer displays a popup message informing the victim that their files have been encrypted with “Wana Decrypt0r”. It instructs the user to find the file “@WanaDecryptor@.exe”, run it, and follow the instructions. The instructions present a three-day countdown and demand payment in bitcoin to a particular address. It is unclear whether the amount fluctuates. The malware claims that if payment is not made within three days the amount doubles, and that if it is not paid within seven days the files will be unrecoverable forever.

Impact Assessment

Infection by this ransomware would have a major negative effect on the impacted system, preventing any files from being accessed or used. As such, any critical files residing on that device would be inaccessible.

Security On-Demand Actions

SOD has been monitoring the events closely. Our Security Operations Center is on high alert and hunting for applicable indicators.

Mitigation Recommendations

For Organizations currently unaffected:
• If not already done, apply Microsoft Patch MS17-010. This completely prevents infection.
• Windows Firewall reportedly blocks this malware from installing. Other endpoint protection services may do so as well, but that is unconfirmed. If you use Windows Firewall, ensure it is enabled and up to date.
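The following read-only audit script is an added example, not part of the original alert, that checks a single Windows host for the two mitigations above. It assumes the SMB flaw addressed by MS17-010 is the SMBv1 server issue, and the KB numbers listed are the MS17-010 packages as known to the editor; confirm them against the bulletin for your Windows version before relying on the result.

```powershell
# Added example (not from the original alert): audit MS17-010 and Windows Firewall
# status on the local host. Read-only; run from an elevated PowerShell prompt on
# Windows 8 / Server 2012 or later (Get-SmbServerConfiguration is unavailable on Windows 7).

# MS17-010 package IDs as known to the editor; verify against the bulletin.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

$findings = @()

# 1. Is one of the MS17-010 packages installed? Later cumulative updates supersede
#    these, so on a fully patched host the KB may not appear by name.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    $findings += "PASS  MS17-010 package present: $($installed.HotFixID -join ', ')"
} else {
    $findings += "CHECK No MS17-010 KB found by name; confirm via Windows Update history"
}

# 2. Is the SMBv1 server protocol still enabled? MS17-010 fixes SMBv1 server flaws.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings += "FAIL  SMBv1 server protocol is enabled"
} else {
    $findings += "PASS  SMBv1 server protocol is disabled"
}

# 3. Windows Firewall: each profile should be on, and inbound SMB (TCP 445) should
#    not be broadly allowed. Count enabled inbound allow rules that open port 445.
Get-NetFirewallProfile | ForEach-Object {
    $state = if ($_.Enabled) { 'PASS ' } else { 'FAIL ' }
    $findings += "$state Firewall profile '$($_.Name)' enabled: $($_.Enabled)"
}
$smbAllowRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '445' }
$findings += "INFO  Enabled inbound allow rules on TCP 445: $(@($smbAllowRules).Count)"

$findings | ForEach-Object { Write-Output $_ }
```

Any FAIL line means the corresponding recommendation from this alert is not yet in effect on that host.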

Currently affected:
• If files are backed up or stored on a network share, ensure that the backup location or share is not infected. We recommend wiping and restoring the affected system.
• If files are not backed up, follow applicable corporate policy.

Long-Term Ransomware Protection
• Develop a security policy and procedures for handling ransomware.
• Do not store important files on local systems.
• Employ a Disaster Recovery and Business Continuity Plan that includes data backup and restoration procedures.

Tags: WCry, wcry, ransomware, wanacrypt, wanacry, malware, campaign