WANACRYPT0R RANSOMWORM
BACKGROUND
Since the release of the ETERNALBLUE exploit by ‘The Shadow Brokers’ last month, security researchers have been watching for a mass attack on global networks. This came on Friday 12th May, when the exploit was bundled with ransomware called WanaCrypt0r and let loose. Initial reports of attacks were highlighted by Telefonica in Spain, but the malware quickly spread to networks in the UK, where the National Health Service (NHS) was impacted, followed by many other networks across the world.
The infographic below illustrates the key components of the WanaCrypt0r ransomware. This is described in further detail in subsequent sections of this report along with initial clues on attribution.
ANALYSIS: Initial Vector
The initial infection vector is still unknown. Reports from some quarters of phishing emails have been dismissed by other researchers as relevant only to a different, unrelated ransomware campaign called Jaff.
There is also a working theory that initial compromise may have come from SMB …
IoC