TTP Tuesday: APT38 - WannaCry
Stop a global ransomware outbreak with this one weird trick
Theme Overview
Our last release looked at multi-stage APT40 malware that used packed JPG files to hide malicious executables.
For this week’s TTP Tuesday we’re releasing a new APT38 themed chain based on WannaCry. In May 2017, WannaCry ransomware spread to unpatched Windows devices using the then recently leaked EternalBlue exploit and DoublePulsar backdoor. Since the initial outbreak, WannaCry has resulted in more than $4 billion in damages and 200 000+ infected devices across 150 countries.
Kill switch
WannaCry could have been much, much worse but for some luck and quick thinking. One of the first actions WannaCry takes is to check for a kill switch domain. This is a domain that, when the ransomware can successfully connect to it, triggers the kill switch and aborts execution of the ransomware; if the connection fails, the ransomware carries on. The kill switch, discovered by security researcher Marcus Hutchins …
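The inverted logic of the check is what matters, so here is a small model of it as an added example (not code from the original post or from the WannaCry sample itself). The domain name is a placeholder, the probe interface is our own, and the offline "network" is constructed to show the three situations a practitioner runs into: the domain unregistered (ransomware runs), the domain sinkholed (ransomware aborts), and the domain sinkholed but direct outbound HTTP blocked, for example by an egress proxy, in which case the kill switch does not fire and the ransomware runs anyway.

```python
"""Model of a WannaCry-style kill switch check (added example)."""
from typing import Callable, Set
from urllib.error import URLError
from urllib.request import urlopen

# Hypothetical placeholder; the real kill switch domain is not reproduced here.
KILL_SWITCH_DOMAIN = "killswitch.example"


def http_probe(domain: str, timeout: float = 5.0) -> bool:
    """Real-world probe: a plain HTTP GET, True only if a response comes back.

    WannaCry used WinINet for the same purpose. The important property is
    that a completed HTTP connection is what counts, not a DNS answer alone,
    so a resolvable-but-unreachable domain does not trip the switch.
    """
    try:
        with urlopen(f"http://{domain}/", timeout=timeout):
            return True
    except (URLError, OSError, ValueError):
        return False


def kill_switch_check(domain: str, probe: Callable[[str], bool]) -> str:
    """Return 'abort' when the kill switch domain is reachable, else 'continue'.

    The sense is the opposite of a normal C2 beacon: success stops the payload.
    That is why registering (sinkholing) the domain halted the outbreak, and
    why a sandbox that answers every HTTP request sees the sample exit at once.
    """
    return "abort" if probe(domain) else "continue"


def simulate_network(registered: Set[str], egress_allowed: bool = True) -> Callable[[str], bool]:
    """Constructed offline stand-in for the Internet.

    The probe succeeds only if direct outbound HTTP is permitted AND the
    domain is in the set of registered (sinkholed) domains.
    """
    return lambda domain: egress_allowed and domain in registered


if __name__ == "__main__":
    # Before anyone registered the domain: probe fails, ransomware runs.
    print(kill_switch_check(KILL_SWITCH_DOMAIN, simulate_network(set())))
    # After the sinkhole registration: probe succeeds, ransomware aborts.
    print(kill_switch_check(KILL_SWITCH_DOMAIN, simulate_network({KILL_SWITCH_DOMAIN})))
    # Sinkholed, but the host sits behind a proxy that blocks direct HTTP:
    # the probe fails again and the kill switch gives no protection.
    print(kill_switch_check(KILL_SWITCH_DOMAIN,
                            simulate_network({KILL_SWITCH_DOMAIN}, egress_allowed=False)))
```

Swap `simulate_network(...)` for `http_probe` to run the check against a live network; the third case is the one worth remembering when emulating this TTP, since corporate networks that force all web traffic through an authenticating proxy were hit despite the sinkhole being in place.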