A new worm: Global cyberattack based on Shadowbrokers vulnerability, payments made in order to get back files

by Cybersprint Blog May 12, 2017

A global cybersecurity attack called “WannaCry” has struck several large organisations worldwide. The attack is based on a vulnerability recently exposed in the Shadow Brokers publication, a leak from the NSA. This leak included information on a security hole in Microsoft Windows, which was fixed on the 14th of March.

Cybersprint’s CEO Pieter Jansen: “This is a global event with the potential to outgrow the impact of the Slammer virus more than a decade ago. We are seeing similar responses to earlier worms: hospitals shutting down, organisations cutting off internet connectivity and businesses shutting down. We expect the infection to spread on Monday when people are logging back into their work and e-mail environments, clicking on attachments and creating more infections.”

What can you do?

Organizations and end-users should apply Windows Updates immediately. These updates have been available since the 14th of March, but have not been applied by all Windows users. Apart from keeping their systems up to date, users should never open attachments from unknown e-mail addresses. Even with known addresses caution is required, as the exact characteristics of this virus are still unknown.

Matter of time before this happened

Cybersprint’s CEO Pieter Jansen: “It was a matter of time before this happened: the capabilities of malware have been increasing, tactics have changed. This case proves that somebody was able to combine the best aspects of earlier malware tactics and created a ‘Monster malware’.”

Worm-like behavior

Initial infections are spreading through malicious e-mail attachments. Once infected, computers will try to exploit neighbouring computers through “worm-like” behavior. The last big worm attack was Slammer in 2003, which hit 75,000 computers within its first 10 minutes.

Indicators of Compromise (IOCs) are being shared between security organisations, in order to collaboratively deter the threat of this global cybersecurity attack. AlienVault’s public IOC exchange now contains several patterns that organisations can apply to determine whether they have been hit by WannaCry.

Bitcoin payments have been made to the attackers

The attack installs a “ransomware virus”, which encrypts a user’s files and holds them for ransom. Once a payment has been made to a certain bitcoin address, the user receives a decryption key and regains access to their files.
So far, a total of $7k (4 BTC) in payments have been made to the bitcoin addresses specified by the attackers. This is ‘ransom’ that has been paid by victims of the ransomware attack:

https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Additional compromise information

Network administrators should block access to at least the following domains:


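One way to check whether any machine has already tried to reach blocklisted IOC domains is to scan resolver logs for them. The sketch below is an added example, not Cybersprint's code; the blocklist entries, the log format and the log lines are constructed placeholders.

```python
# Added example: flag DNS queries for blocklisted domains or their subdomains.
# Blocklist entries and log lines are constructed placeholders (.example),
# not indicators taken from any feed.
BLOCKLIST = {"bad-c2.example", "dropper.example"}

# Constructed resolver log, assumed format: "<timestamp> <client-ip> <qname> <type>"
SAMPLE_LOG = """\
2017-05-12T09:14:02Z 10.0.4.17 www.intranet.example. A
2017-05-12T09:14:05Z 10.0.4.23 BAD-C2.example. A
2017-05-12T09:14:09Z 10.0.4.23 cdn.dropper.example A
2017-05-12T09:14:11Z 10.0.7.80 notbad-c2.example A
malformed line
2017-05-12T09:15:40Z 10.0.4.31 dropper.example. AAAA
"""

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")

def matched_entry(qname, blocklist):
    """Return the blocklist entry that qname equals or is a subdomain of."""
    labels = normalize(qname).split(".")
    # Compare whole labels: 'notbad-c2.example' must not match 'bad-c2.example'.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

def scan(log_text, blocklist):
    """Map each client IP to the set of blocklisted domains it queried."""
    blocklist = {normalize(d) for d in blocklist}
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        _, client, qname, _ = fields
        entry = matched_entry(qname, blocklist)
        if entry:
            hits.setdefault(client, set()).add(entry)
    return hits

if __name__ == "__main__":
    for client, domains in sorted(scan(SAMPLE_LOG, BLOCKLIST).items()):
        print(client, sorted(domains))
```

Clients that appear in the result have attempted to resolve a blocklisted name and are candidates for isolation and closer inspection.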