A new worm: Global cyberattack based on Shadowbrokers vulnerability, payments made in order to get back files

12-05-2017 | Blog

A global cybersecurity attack called “WannaCry” has struck several large organisations worldwide. The attack is based on a vulnerability recently exposed in the Shadow Brokers publication, a leak of NSA material. This leak included information on a security hole in Microsoft Windows, which was fixed on the 14th of March.

Cybersprint’s CEO Pieter Jansen: “This is a global event with the potential to outgrow the impact of the Slammer virus more than a decade ago. We are seeing similar responses to earlier worms: hospitals shutting down, organisations cutting off internet connectivity and business shutting down. We expect the infection to spread on Monday when people are logging back into their work and e-mail environments, clicking on attachments and creating more infections.”

What can you do?

Organizations and end-users should apply Windows Updates immediately. These updates have been available since the 14th of March, but not all Windows users have applied them. Apart from keeping systems up to date, users should never open attachments from unknown e-mail addresses. Even with known addresses caution is required, as the exact characteristics of this virus are still unknown.

Matter of time before this happened

Cybersprint’s CEO Pieter Jansen: “It was a matter of time before this happened: the capabilities of malware have been increasing, tactics have changed. This case proves that somebody was able to combine the best aspects of earlier malware tactics and created a ‘Monster malware’.”

Worm-like behavior

Initial infections are spreading through malicious e-mail attachments. Once infected, a computer will try to exploit neighboring computers through “worm-like” behavior. The last big worm attack was Slammer in 2003, which hit 75000 computers within its first 10 minutes.

Indicators of Compromise (IOCs) are being shared between security organisations in order to collaboratively deter the threat of this global cybersecurity attack. AlienVault’s public IOC exchange now contains several patterns that organisations can apply to determine whether they have been hit by WannaCry.

Bitcoin payments have been made to the attackers

The attack installs a “ransomware virus”, which encrypts a user’s files and holds them for ransom. Once a payment has been made to a certain bitcoin address, the user receives a decryption key and regains access to their files.
So far, a total of $7k (4 BTC) in payments has been made to the bitcoin addresses specified by the attackers. This is ransom that has been paid by victims of the ransomware attack.


Additional compromise information

Network administrators should block access to at least the following domains:



