Threat Flash Alert
WCry Ransomware Worming Across Globe
20170512:2138
Summary
Wanacrypt 2.0 (WCry) Ransomware has been propagating across the globe infecting over 45000 devices. The ransomware takes advantage of a Microsoft SMB vulnerability that is patched via bulletin MS17-010
Upon infection, computers receive a popup message informing the victim that their files have been encrypted with the “Wana Decrypt0r”. It instructs the user to find file “@WanaDecryptor@.exe” run it and follow the instructions. The instructions provide a three-day countdown to adhere. It requires paying bitcoin to a particular address. It is unclear if the amount fluctuates. The malware claims that if payment is not made after three days the amount doubles, and if it is not paid within seven days, the files will be unrecoverable forever.
Impact Assessment
Infection of this Ransomware would have a major negative effect on impacted system and prevent any files from being accessed or used. As such, any critical files residing on that device would be inaccessible.
Security On-Demand Actions
SOD has been monitoring the events closely. Our Security Operations Center is on high alert and hunting for applicable indicators.
Mitigation Recommendations
For Organizations currently unaffected:
• If not already done, apply Microsoft Patch MS17-010. This completely prevents infection.
• Windows Firewall reportedly blocks this malware from installing. Other end-point protection services may do so as well, but that is unconfirmed. If you use Windows Firewall, ensure it is up-to-date.
Currently affected:
• If files are backed up or stored on a network share, ensure that the backup location or share is not infected. We recommend wiping and restoring the affected system.
• If files are not backed up, follow applicable corporate policy.
Long-Term Ransomware Protection
• Develop a security policy and procedures for handling Ransomware
• Do not store important files on local systems.
• Employ a Disaster Recovery and Business Continuity Plan that includes data backup and restoration procedures
| Type | Indicator |
| FileHash-SHA256 | 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa |
| FileHash-MD5 | 666c806b76568adb5a6c3d34c434820e |
| FileHash-MD5 | a8d30fd8ffd02886818a89ebdd8e7502 |
| FileHash-MD5 | d41d8cd98f00b204e9800998ecf8427e |
| FileHash-SHA1 | 6faeaf98d0eaf6671d74bc8e468bddc8ed1e0597 |
| FileHash-SHA256 | 11d0f63c06263f50b972287b4bbd1abe0089bc993f73d75768b6b41e3d6f6d49 |
| FileHash-SHA256 | 149601e15002f78866ab73033eb8577f11bd489a4cea87b10c52a70fdf78d9ff |
| FileHash-SHA256 | 16493ecc4c4bc5746acbe96bd8af001f733114070d694db76ea7b5a0de7ad0ab |
| FileHash-SHA256 | 190d9c3e071a38cb26211bfffeb6c4bb88bd74c6bf99db9bb1f084c6a7e1df4e |
| FileHash-SHA256 | 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c |
| FileHash-SHA256 | 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd |
| FileHash-SHA256 | 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982 |
| FileHash-SHA256 | 593bbcc8f34047da9960b8456094c0eaf69caaf16f1626b813484207df8bd8af |
| FileHash-SHA256 | 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec |
| FileHash-SHA256 | 6bf1839a7e72a92a2bb18fbedf1873e4892b00ea4b122e48ae80fac5048db1a7 |
| FileHash-SHA256 | 7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff |
| FileHash-SHA256 | 9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640 |
| FileHash-SHA256 | 9fb39f162c1e1eb55fbf38e670d5e329d84542d3dfcdc341a99f5d07c4b50977 |
| FileHash-SHA256 | b3c39aeb14425f137b5bd0fd7654f1d6a45c0e8518ef7e209ad63d8dc6d0bac7 |
| FileHash-SHA256 | b47e281bfbeeb0758f8c625bed5c5a0d27ee8e0065ceeadd76b0010d226206f0 |
| FileHash-SHA256 | b66db13d17ae8bcaf586180e3dcd1e2e0a084b6bc987ac829bbff18c3be7f8b4 |
| FileHash-SHA256 | c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9 |
| FileHash-SHA256 | d8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127 |
| FileHash-SHA256 | e14f1a655d54254d06d51cd23a2fa57b6ffdf371cf6b828ee483b1b1d6d21079 |
| FileHash-SHA256 | e8450dd6f908b23c9cbd6011fe3d940b24c0420a208d6924e2d920f92c894a96 |
| FileHash-SHA256 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa |
| FileHash-SHA256 | f01644082db3fa50ba9f4773f11f062ab785c9db02a3a3cfe022cc69763f631d |
| FileHash-SHA256 | f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85 |
| Filename | 109061494281319.bat |
| Filename | !WannaDecryptor!.exe |
| FilePath | C:\WINDOWS\system32\msg |
| hostname | r12.sn-h0j7sn7s.gvt1.com |
| IPv4 | 146.0.32.144 |
| IPv4 | 188.166.23.127 |
| IPv4 | 193.23.244.244 |
| IPv4 | 2.3.69.209 |
| IPv4 | 50.7.161.218 |
| IPv4 | 74.125.104.145 |
| MD5 | 66ddbd108b0c347550f18bb953e1831d |
| Mutex | Global\MsWinZonesCacheCounterMutexA0 |
| Mutex | MsWinZonesCacheCounterMutexA |
| Mutex | RasPbFile |
| Mutex | ShimCacheMutex |
| SHA1 | 432c1a5353bab4dba67ea620ea6c1a3095c5d4fa |
| SHA256 | f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494 |
| URL | http://146.0.32.144:9001 |
| URL | http://188.166.23.127:443 |
| URL | http://193.23.244.244:443 |
| URL | http://2.3.69.209:9001 |
| URL | hA16:B54ttp://50.7.161.218:9001 |
Tags: WCry, wcry, ransomware, wanacrypt, wanacry, malware, campaign