WanaCrypt0r 2.0 ransomware that infected NHS and Telefonica.

We have observed a massive peak in WanaCrypt0r 2.0 (aka WCry) ransomware attacks today, with more than 57,000 detections so far. According to our data, the ransomware is mainly targeting Russia, Ukraine and Taiwan, but it has successfully infected major institutions, like hospitals across England and the Spanish telecommunications company Telefonica.

Below is a map showing the countries being targeted most by WanaCrypt0r 2.0:

We saw the first version of WanaCrypt0r in February and now the ransomware is available in 28 different languages, from Bulgarian to Vietnamese. Today at 8 am CET, we noticed an increase in activity of this strain, which quickly escalated into massive spreading, beginning at 10 am.

The ransomware changes the affected file extension names to “.WNCRY”, so an infected file will look something like: original_name_of_file.jpg.WNCRY, for example. The encrypted files are also marked by the “WANACRY!” string at the beginning of the file.

This ransomware drops the following ransom notes in a text file:

Furthermore, the ransom being demanded is $300 worth of bitcoins. The ransom message, with instructions on how to pay the ransom, an explanation of what happened, and a countdown timer, is displayed in what the cybercriminals behind the ransomware are referring to as “Wana Decrypt0r 2.0”:

Additionally, the victim’s wallpaper is changed to the following image:

This attack once again proves that ransomware is a powerful weapon that can be used against consumers and businesses alike. Ransomware becomes particularly nasty when it infects institutions like hospitals, where it can put people’s lives in danger.

Infection vector: WanaCrypt0r 2.0

WanaCrypt0r 2.0 is most likely spreading on so many computers by using an exploit the Equation Group, which is a group that is widely suspected of being tied to the NSA, used for its dirty business. A hacker group called ShadowBrokers has stolen Equation Group’s hacking tools and has publicly released them. As confirmed by security researcher, Kafeine, the exploit, known as ETERNALBLUE or MS17-010, was probably used by the cybercriminals behind WanaCrypt0r and is a Windows SMB (Server Message Block, a network file sharing protocol) vulnerability.

Avast detects all known versions of WanaCrypt0r 2.0, but we strongly recommend all Windows users fully update their system with the latest available patches. We will continue to monitor this outbreak and update this blog post when we have further updates.

IOCs:

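As an added example (not Avast's code and not from the original post), a small triage scanner that walks a directory and classifies files by the two indicators the post describes: the ".WNCRY" extension appended to the original name and the "WANACRY!" string at the start of the file. Files showing only one of the two are bucketed separately, since a renamed file without the header or a header without the rename deserves a second look rather than an automatic verdict; the sample directory it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Indicators described in the post: ".WNCRY" appended to the original file name
# and the string "WANACRY!" at the start of the encrypted file.
WNCRY_EXT = ".WNCRY"
WNCRY_MAGIC = b"WANACRY!"

def inspect_file(path: Path) -> dict:
    """Report which of the two indicators a single file shows."""
    has_ext = path.suffix.upper() == WNCRY_EXT
    try:
        with path.open("rb") as f:
            has_magic = f.read(len(WNCRY_MAGIC)) == WNCRY_MAGIC
    except OSError:
        has_magic = False
    # Strip the appended extension to recover the original name (x.jpg.WNCRY -> x.jpg).
    original = path.name[:-len(WNCRY_EXT)] if has_ext else path.name
    return {"path": str(path), "ext": has_ext, "magic": has_magic, "original_name": original}

def scan_tree(root) -> dict:
    """Walk root and bucket files: both indicators, header only, extension only."""
    result = {"encrypted": [], "magic_only": [], "ext_only": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            info = inspect_file(Path(dirpath) / name)
            if info["ext"] and info["magic"]:
                result["encrypted"].append(info)
            elif info["magic"]:
                result["magic_only"].append(info)  # header but no rename: worth a look
            elif info["ext"]:
                result["ext_only"].append(info)    # rename but no header: likely benign
    return result

def build_sample_tree() -> str:
    """Create a constructed sample directory (no real malware output) for a demo run."""
    root = tempfile.mkdtemp(prefix="wncry_demo_")
    samples = {
        "docs/report.docx.WNCRY": WNCRY_MAGIC + b"\x00" * 64,        # both indicators
        "docs/notes.txt": b"plain text, untouched",                  # clean file
        "pics/holiday.jpg.WNCRY": b"\xff\xd8\xff\xe0 still a jpeg",  # extension only
        "pics/stash.bin": WNCRY_MAGIC + b"\x01\x02",                  # header only
    }
    for rel, data in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root
```

Run `scan_tree(build_sample_tree())` to see the three buckets on the constructed tree, or point `scan_tree` at a real share to get a first count of affected files before restoring from backup.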


Comments

  • pike Veteran
    edited May 2017

    A parking place ticket provider has it as well here in NL.

  • Bopie Member

    it's fairly interesting just to sit and watch all the people's computers who are being saved from the ransomware ;)

    https://intel.malwaretech.com/WannaCrypt.html

    interesting how they have managed to get it so widespread but it was stopped in its tracks by something they had added to try and stop it being looked at in a sandbox environment.

    Still, my local hospitals sent out a new press release saying that they have not been infected and that to combat it happening there are no emails in and out of the hospital locally

  • @Bopie said:
    it's fairly interesting just to sit and watch all the people's computers who are being saved from the ransomware ;)

    https://intel.malwaretech.com/WannaCrypt.html

    interesting how they have managed to get it so widespread but it was stopped in its tracks by something they had added to try and stop it being looked at in a sandbox environment.

    Still, my local hospitals sent out a new press release saying that they have not been infected and that to combat it happening there are no emails in and out of the hospital locally

    So they've just disabled email? Interesting maybe @jarland should offer them MXRoute ;)

  • Bopie Member

    @GenjiSwitchPls said:

    @Bopie said:
    it's fairly interesting just to sit and watch all the people's computers who are being saved from the ransomware ;)

    https://intel.malwaretech.com/WannaCrypt.html

    interesting how they have managed to get it so widespread but it was stopped in its tracks by something they had added to try and stop it being looked at in a sandbox environment.

    Still, my local hospitals sent out a new press release saying that they have not been infected and that to combat it happening there are no emails in and out of the hospital locally

    So they've just disabled email? Interesting maybe @jarland should offer them MXRoute ;)

    http://www.dudleynews.co.uk/news/15284428.Dudley_Group_bosses_say_borough_hospitals_escaped_NHS_cyber_attack/

    And hell, I'd recommend them, that's who I use ;)

  • @Bopie said:

    @GenjiSwitchPls said:

    @Bopie said:
    it's fairly interesting just to sit and watch all the people's computers who are being saved from the ransomware ;)

    https://intel.malwaretech.com/WannaCrypt.html

    interesting how they have managed to get it so widespread but it was stopped in its tracks by something they had added to try and stop it being looked at in a sandbox environment.

    Still, my local hospitals sent out a new press release saying that they have not been infected and that to combat it happening there are no emails in and out of the hospital locally

    So they've just disabled email? Interesting maybe @jarland should offer them MXRoute ;)

    http://www.dudleynews.co.uk/news/15284428.Dudley_Group_bosses_say_borough_hospitals_escaped_NHS_cyber_attack/

    And hell, I'd recommend them, that's who I use ;)

    The thing is, they can stay on XP EOL or move to Windows 10 and have the PC reboot mid-operation. Which one is most likely to kill the patient?

  • Bopie Member

    GenjiSwitchPls said: The thing is, they can stay on XP EOL or move to Windows 10 and have the PC reboot mid-operation. Which one is most likely to kill the patient?

    Our local authority upgraded ages ago; all of our hospitals ran at least Windows 8 last time I was there.

    That being said, only the two local to me, that is.

  • black Member

    Download your security updates if you haven't. It's nice of Microsoft to patch all the way back to XP https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

  • Ympker Member

    Do Eset Nod32 and Malwarebytes Premium detect it?

  • Yura Member
    edited May 2017

    Why a second thread? Merge?

  • Spent most of my weekend fixing our systems within a local NHS Trust; the whole thing is a total logistical nightmare. Working 14-hour shifts to fix the thing is beginning to take its toll. Hopefully we can get a reasonable chunk of the network online, and thankfully Linux was unaffected.

    Thanked by 1: Yura
  • Noerman Member

    Your device is up to date. Last checked: Today, 7:31 PM

    I hope I will be safe.

  • @Ympker said:
    Do Eset Nod32 and Malwarebytes Premium detect it?

    https://www.virustotal.com/en/file/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/analysis/
    Looks like they detect it.

    Thanked by 1: Ympker
  • mik997 Member

    @HyperSpeed said:
    Spent most of my weekend fixing our systems within a local NHS Trust; the whole thing is a total logistical nightmare. Working 14-hour shifts to fix the thing is beginning to take its toll. Hopefully we can get a reasonable chunk of the network online, and thankfully Linux was unaffected.

    Feel your pain... HSE over here have disabled a load of XP boxes the past two days.

  • moonmartin Member
    edited May 2017

    This is one good way to get people to stop using XP I guess. Great for hardware manufacturers as well. So as far as I can tell, a lot of legit companies are going to make money from this.

    How hard can it be to track down the perps? Just follow the money. Even if they use bitcoin there are ways to track them.

  • racksx Member
    edited May 2017

    @moonmartin said:

    The big question here is, who has more to benefit from this? The perps or the legit companies :). Then ask yourself who made this nice virus and why? To get $300 in a bitcoin address, really :)

  • Thank god for bitcoin.

  • WebProject Host Rep, Veteran
    edited May 2017

    Does anyone still use RedHat 9 or CentOS 3? Or some other "dead horse" OS? By "dead horse" OS I mean an OS which was discontinued 10 or more years ago. How stupid do you need to be to use such a historical OS?

  • @mik997 said:

    @HyperSpeed said:
    Spent most of my weekend fixing our systems within a local NHS Trust; the whole thing is a total logistical nightmare. Working 14-hour shifts to fix the thing is beginning to take its toll. Hopefully we can get a reasonable chunk of the network online, and thankfully Linux was unaffected.

    Feel your pain... HSE over here have disabled a load of XP boxes the past two days.

    Indeed, seen more Windows 7 machines affected than XP to be honest... I'm actually certain none of the XP machines were, but anything on a W7-type variant such as Server 2008 has been affected, and Windows 8, but Windows 10 is absolutely fine from what we have seen.

  • Gamma17 Member
    edited May 2017

    @WebProject said:
    Does anyone still use RedHat 9 or CentOS 3? Or some other "dead horse" OS? By "dead horse" OS I mean an OS which was discontinued 10 or more years ago. How stupid do you need to be to use such a historical OS?

    It typically happens because of some software or hardware which was developed for a specific task and continues to be good enough for it, but is not compatible with newer OS versions.
    And there is nothing stupid about it, just a matter of money, because that software/hardware can cost a lot of money to make and the process can be slow. To the point where you take the current OS to start with, and when the thing is done that OS is already obsolete.

  • default Veteran

    Microsoft is selling right now. Please do not bother Windows and its sales.

    If you really want to give your soul to the devils, use FreeBSD or Linux, but you could not watch heaven's bliss through the colored windows any more.

  • WebProject Host Rep, Veteran

    We do software development, and some software was developed in a PHP 4 and MySQL 3.x environment and is still up to date, as only a very small modification was needed to be compatible with PHP 7.x and new databases. To me it sounds like some companies used very cheap outsourced developers who developed the software for a specific OS only and nothing more; as for hardware, nowadays hardware is cheaper than 10 years ago.

  • Nekki Veteran

    @WebProject said:
    We do software development, and some software was developed in a PHP 4 and MySQL 3.x environment and is still up to date, as only a very small modification was needed to be compatible with PHP 7.x and new databases. To me it sounds like some companies used very cheap outsourced developers who developed the software for a specific OS only and nothing more; as for hardware, nowadays hardware is cheaper than 10 years ago.

    You're thinking way too small mate. You just can't unpick something embedded at the core of enterprise-level applications like that. ATMs are a prime example.

  • WebProject Host Rep, Veteran
    edited May 2017

    @Nekki said:

    @WebProject said:
    We do software development, and some software was developed in a PHP 4 and MySQL 3.x environment and is still up to date, as only a very small modification was needed to be compatible with PHP 7.x and new databases. To me it sounds like some companies used very cheap outsourced developers who developed the software for a specific OS only and nothing more; as for hardware, nowadays hardware is cheaper than 10 years ago.

    You're thinking way too small mate. You just can't unpick something embedded at the core of enterprise-level applications like that. ATMs are a prime example.

    I understand that my example is too small, but corps had plenty of time to migrate to new software, as mainstream support ended on April 14, 2009. I do believe that 8 years is enough to develop new software compatible with a new Windows OS; for Microsoft it was enough time to develop Windows 7, 8, 8.1 and 10, and the .NET language has not changed dramatically.

    And I do believe the engineers can install any software remotely on every ATM; they don't need to revisit every one and do it by hand.

  • risharde Patron Provider, Veteran

    Hi guys, I was reliably informed that some companies and corporations also did not upgrade their systems since the specialised hardware devices they use cost millions of dollars. So simply put, they didn't see the value of buying entirely new hardware just to be compatible with Windows 10. To be honest, I feel sorry for such companies because I understand that ROI would not be achieved for them if they had to purchase the new hardware when the old hardware is working perfectly fine with the old Windows OSes. After all, most of these companies would rather spend to get a Windows 10 license than buy a million-dollar device. Not all of those who got hit were 'complete idiots', so to speak.

  • risharde Patron Provider, Veteran

    Apologies for the spelling errors... I am on mobile and can't seem to edit the posts.

  • Nekki Veteran

    WebProject said: I understand that my example is too small, but corps had plenty of time to migrate to new software, as mainstream support ended on April 14, 2009. I do believe that 8 years is enough to develop new software compatible with a new Windows OS; for Microsoft it was enough time to develop Windows 7, 8, 8.1 and 10, and the .NET language has not changed dramatically.

    And I do believe the engineers can install any software remotely on every ATM; they don't need to revisit every one and do it by hand.

    Your belief is wrong. 8 years isn't really that long when you're talking about systems underpinning things like banking systems.

  • @Nekki said:

    WebProject said: I understand that my example is too small, but corps had plenty of time to migrate to new software, as mainstream support ended on April 14, 2009. I do believe that 8 years is enough to develop new software compatible with a new Windows OS; for Microsoft it was enough time to develop Windows 7, 8, 8.1 and 10, and the .NET language has not changed dramatically.

    And I do believe the engineers can install any software remotely on every ATM; they don't need to revisit every one and do it by hand.

    Your belief is wrong. 8 years isn't really that long when you're talking about systems underpinning things like banking systems.

    Agree. If you consider that the backbone of the banking & financial industry runs on a mainframe with software from the 1960s, 8 years is hardly worth mentioning. Mainframe passwords cannot be longer than 8 characters, COBOL doesn't have good support for doing anything remotely close to DES, just to name a few. However, no enterprise would spend millions to move to a distributed system when a majority of their processing is nightly & not real time.

  • Neoon Community Contributor, Veteran

    @WebProject said:
    We do software development, and some software was developed in a PHP 4 and MySQL 3.x environment and is still up to date, as only a very small modification was needed to be compatible with PHP 7.x and new databases. To me it sounds like some companies used very cheap outsourced developers who developed the software for a specific OS only and nothing more; as for hardware, nowadays hardware is cheaper than 10 years ago.

    It depends on the size; some are not upgradable and some need years to get upgraded.
