Trustlook Has Identified 26 EternalRocks Samples

Trustlook has collected 26 samples from the EternalRocks attack – an attack that comes on the heels of the devastating WannaCry Ransomware attack from last week. The hash for each of the 26 samples is listed below.

EternalRocks uses seven exploits first discovered by the National Security Agency and leaked in April by the Shadow Brokers group. They include EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch. For reference, WannaCry used only two vulnerabilities, leading some to believe that EternalRocks could pose a bigger problem than WannaCry.

It is unclear what EternalRocks will do to the computers it has infected. For now, it remains dormant as it continues to spread and infect more computers. But it can be weaponized at any time and strike suddenly.

Users should make it a habit to patch their systems regularly and often. The single best thing you can do to protect your networks against malware attacks, worms and ransomware is to patch the known vulnerabilities.

Stay tuned to Trustlook’s blog for further updates on EternalRocks…

Thank you for visiting us at IoT World

Trustlook would like to express thanks to everyone who visited our booth at this week’s IoT World Conference at the Santa Clara (California) Convention Center. It was a terrific show, and we were thrilled to be able to showcase the IoT security solution that the engineering team at Trustlook has been developing for over a year.

Our robot arm demonstration received a lot of interest and attention at the show. The purpose of the demo was to illustrate how our host-based security solution, SECUREai IoT, can protect industrial IoT devices such as robots or other factory floor equipment.

If you are interested in learning more about our IoT Security solution, please contact us at bd@trustlook.com.

Update: 386 WannaCry Ransomware Samples Now Collected

Trustlook has collected 386 samples from the WannaCry ransomware attack. The hash for each file is listed below.

Trustlook has released a scanner and vaccine toolkit to help system administrators protect Windows computers that are either vulnerable to or have been infected with the dangerous strain of ransomware known as WannaCry. The toolkit can be found on GitHub.

WannaCry Ransomware Scanner and Vaccine Toolkit

Trustlook has released a scanner and vaccine toolkit to help system administrators protect Windows computers that are either vulnerable to or have been infected with the dangerous strain of ransomware known as WannaCry. The toolkit can be found on GitHub.

Banks, telephone companies and hospitals have all been ensnared in this worldwide hack, with the malware locking down computers while demanding a hefty sum for freedom. The attack has hit more than 230,000 computers in 150 countries including China, Russia, Spain, Italy and Vietnam, with hospitals in the UK attracting the most attention because real lives have been put at risk while their devices are locked down. Ransom payments have been demanded in the cryptocurrency bitcoin in 28 languages.

Trustlook Labs has tracked the global wave of WannaCry attacks. The malware exploits the vulnerability identified as CVE-2017-0145 (Windows SMB Remote Code Execution vulnerability) to spread itself. The malware uses the publicly available “Eternal Blue exploit” released by the hacker group “The Shadow Brokers.” The vulnerability exists in unpatched versions of newer Windows operating systems, as well as unsupported versions of Windows XP, 2003 and 8.

The following images are a tracker map and the number of unique IP addresses infected over the last 24 hours.

image1

image8

The WannaCry malware comes as a dropper with two components:

  1. One component uses the SMB remote code execution vulnerability to spread the other files throughout the network and execute the ransomware component.
  2. After the ransomware component is executed, it extracts the following files from the resource section named “XIA”:
     • b.wnry: a BMP file used to display the ransom message
     • t.wnry: encrypted file with a “WANACRY!” header, decrypted to a DLL module which is the main payload
     • c.wnry: configuration file; contains several Tor server addresses and a link for the Tor browser
     • s.wnry: ZIP component file
     • r.wnry: ransomware Q&A
     • u.wnry: decryptor executable
     • taskdl.exe: executable used to delete files
     • taskse.exe: application to start a remote session
     • msg/m_.wnry: localized language files

If the malware is started with the parameter “/i”, it copies itself to “C:\ProgramData\<random characters>\tasksche.exe” and creates a service named “<random characters>” whose BinaryPathName is:

cmd.exe /c "C:\ProgramData\<random characters>\tasksche.exe"

The malware creates a mutex to make sure only one instance is running on the system. In this version of the malware (2.0) the mutex is “Global\\MsWinZonesCacheCounterMutexA0”. Another version of the malware (1.) uses the mutex “Global\\WINDOWS_TASKCST_MUTEX”.

The malware runs “icacls . /grant Everyone:F /T /C /Q” to grant access to all users on the system.

The malware then decrypts the payload DLL module into memory and calls the export function “TaskStart”. The malware generates a 2048-bit RSA key by calling the “CryptGenKey” function.

The malware then exports a public key and a private key. The public key is saved as “000000000.pky”. The private key is then encrypted with another public key that is embedded in the binary, and the result is saved as “00000000.eky”. The matching private key is held by the malware writer. The malware then enumerates the system and searches for files with the following extensions:

.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.

Once a file is found, the malware calls “CryptGenRandom” to create a random key, then uses the aforementioned generated public key to encrypt it. This key is used to encrypt the file, and the key itself is written into the file. A header string “WANACRY!” is written into the file as a flag marking the file as encrypted. The encrypted file is given a “.WNCRYT” file extension.
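A triage check built from the indicators in this analysis, added here as an illustration and not part of Trustlook's toolkit: it walks a directory and flags files that carry the “WANACRY!” header, the “.WNCRYT” extension, or one of the dropped file names listed above. The function names and the sample files written by demo() are constructed for this example.

```python
import os
import tempfile

MAGIC = b"WANACRY!"          # header string named in the analysis above
ENCRYPTED_EXT = ".wncryt"    # extension named in the analysis above (lower-cased)
# Dropped file names listed above; msg/m_.wnry is covered by the .wnry suffix.
DROPPED_NAMES = {"tasksche.exe", "taskdl.exe", "taskse.exe"}
DROPPED_SUFFIXES = (".wnry", ".pky", ".eky")


def classify(path):
    """Return the indicator names that apply to one file (empty list if none)."""
    reasons = []
    name = os.path.basename(path).lower()
    if name in DROPPED_NAMES or name.endswith(DROPPED_SUFFIXES):
        reasons.append("dropped-artifact-name")
    if name.endswith(ENCRYPTED_EXT):
        reasons.append("encrypted-extension")
    try:
        # The header check still works when the file has been renamed.
        with open(path, "rb") as fh:
            if fh.read(len(MAGIC)) == MAGIC:
                reasons.append("wanacry-header")
    except OSError:
        pass  # unreadable file: report name-based indicators only
    return reasons


def scan(root):
    """Walk `root` and return {relative path: [indicator names]} for every hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = classify(full)
            if reasons:
                hits[os.path.relpath(full, root)] = reasons
    return hits


def demo():
    """Scan a constructed directory; the files are placeholders, not samples."""
    constructed = {
        "report.docx.WNCRYT": MAGIC + b"\x00" * 16,  # header and extension
        "renamed.bin": MAGIC + b"\x01" * 16,         # header only
        "t.wnry": MAGIC + b"\x02" * 16,              # dropped name and header
        "notes.txt": b"plain text",                  # clean file
        "tiny": b"WAN",                              # shorter than the header
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in constructed.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)
```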

The malware runs the following commands to delete the system shadow copies:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
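These commands can be hunted for in process-creation logs. The following is an added example, not Trustlook's code: the rule names, the severity threshold and the sample events are assumptions made for illustration, while the patterns come from the command lines quoted in this analysis.

```python
import re

# Patterns derived from the command lines quoted in the analysis above.
RULES = {
    "vss-delete": r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
    "wmic-shadowcopy-delete": r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    "bcdedit-ignore-failures": r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b",
    "bcdedit-recovery-off": r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b",
    "wbadmin-catalog-delete": r"\bwbadmin(\.exe)?\s+delete\s+catalog\b",
    "icacls-everyone-full": r"\bicacls(\.exe)?\s+\S+\s+/grant\s+Everyone:F\b",
    "tasksche-in-programdata": r'\\ProgramData\\[^\\"]+\\tasksche\.exe',
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}
HIGH_THRESHOLD = 3  # assumption: three or more distinct rules on one host

# Constructed process-creation events: (host, command line). Not real telemetry.
SAMPLE_EVENTS = [
    ("ws-014", "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
               " & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
               " & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    ("ws-014", "icacls . /grant Everyone:F /T /C /Q"),
    ("ws-014", r'cmd.exe /c "C:\ProgramData\abcdefgh123\tasksche.exe"'),
    ("srv-backup", "vssadmin list shadows"),
    ("srv-backup", "vssadmin delete shadows /for=D: /oldest"),
]


def match_rules(cmdline):
    """Return the names of all rules that match one command line."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(cmdline))


def triage(events):
    """Group rule hits per host; several distinct hits together rate 'high'."""
    per_host = {}
    for host, cmdline in events:
        hits = match_rules(cmdline)
        if hits:
            per_host.setdefault(host, set()).update(hits)
    return {
        host: {"rules": sorted(rules),
               "severity": "high" if len(rules) >= HIGH_THRESHOLD else "review"}
        for host, rules in per_host.items()
    }
```

A single shadow-copy deletion, as on the constructed backup server, is left at "review" because the chained sequence is the stronger signal.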

The malware then displays the following ransom note:

image9

The user can select a different language:

image5

The malware runs a decryptor application to check if the user has paid the ransom. If so, the “.eky” file is sent to the server and decrypted with the private key held by the writer. The decrypted key is then used to decrypt the files.

Trustlook WannaCry Scanner Tool

Trustlook has released a WannaCry Scanner to help system administrators scan their networks for vulnerable Windows systems.

image4

WannaCry Scanner Download Link
https://github.com/apkjet/TrustlookWannaCryToolkit/tree/master/scanner

Here is a screen capture of the tool:

image3

Trustlook WannaCry Ransomware Vaccine Tool

Trustlook’s WannaCry Ransomware Vaccine tool does not require a system reboot. Just run this tool or add it to your Windows startup script to help you block the ransomware attack.

image7

Screenshot for WannaCry Ransomware Vaccine Tool (Vaccine for both version 1 and version 2)

image3a

Trustlook WannaCry Ransomware vaccine tool download link:
https://github.com/apkjet/TrustlookWannaCryToolkit/tree/master/vaccine

WannaCry Ransomware Samples

As of this writing, Trustlook has collected 49 different WannaCry samples. Each sample has been tested by Trustlook, and each has been detected and safely vaccinated.

Below are the SHA256 hashes related to this ransomware:

List of WannaCry ransomware files used in widespread attacks

Ransomware is the number one cybersecurity threat facing consumers and business worldwide. (Trustlook posted research last month on just how big of a problem for consumers ransomware is becoming.)

Today’s WannaCry outbreak is just more evidence of the severe threat posed by ransomware. Banks, telephone companies and hospitals have all been ensnared in the worldwide hack, with the malware locking down computers while demanding a hefty sum for freedom.

The attack has hit close to 100,000 computers across China, Russia, Spain, Italy and Vietnam, but the UK hospitals have attracted the most attention because real lives are at risk while their devices are locked down.

The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet are approximately $300 USD. It suggests that the group is increasing the ransom demands.

Trustlook has identified the following files used in the WannaCry ransomware attack. Analysis is ongoing, and we will update this blog with more information.

38% of Consumers Affected by Ransomware Pay Up

New study reveals shocking statistics on ransomware

If you think ransomware is a problem that impacts only deep-pocketed big businesses like hospitals or banks, new research by cybersecurity firm Trustlook might make you think differently. In its latest research, Trustlook found that consumers are increasingly being targeted with ransomware—and, perhaps surprisingly, many of them are paying up.

Ransomware is malicious software that locks all files on a targeted computer or network until the owner pays the ransom. While it’s true that hackers may have more to gain from large organizations, experts say they see consumers, with their lack of sophistication in security, as lower-hanging fruit. Because consumers usually have fewer information security resources than large organizations, breaches are far easier to achieve and are more likely to have a meaningful impact, and thus are more likely to result in a payment.

Most users are completely unaware of the threat posed by ransomware attacks and are not prepared to handle them. Trustlook’s research shows that this lack of awareness and apathy is resulting in insufficient action taken to protect devices and data. 48% of consumers are not worried about becoming a victim of a ransomware attack, and only 7% of non-impacted consumers say they would pay the ransom if they were hacked. Other findings include:

  • 17% of consumers have been infected with ransomware
  • 38% of affected consumers paid the ransom
  • $100-$500 was the dollar range of ransomware payouts by consumers
  • 45% of consumers have not heard of ransomware
  • 23% of consumers do not back up the files on their computer or mobile device

Since the beginning of 2016, ransomware has gone from a relatively exclusive category of malware utility to a mainstream destructive tool used in wave after wave of phishing attacks against individuals and companies alike. Ransomware is now so widespread that it cost businesses a total of $1 billion in 2016, according to a new report. Moreover, ransomware has been identified by the U.S. Department of Justice as the “biggest cyberthreat” of 2017.

Ransomware is delivered primarily via a phishing email, which means consumers and employees, who are the last lines of defense in any security stack, must be trained to identify it in order to prevent it. This has made traditional security measures, such as antivirus tools, less effective.

In addition, the rise of cryptocurrencies such as Bitcoin has had a dramatic impact on the number and type of cybercrime opportunities. These tools have become the engine of cybercrime by making it safe and easy to transfer money anonymously.

Trustlook has the following advice for consumers who are worried that they might become a victim of ransomware. “Back up your data to multiple devices, and to at least one device that is not connected to a network,” says Allan Zhang, co-founder and CEO of Trustlook. “Also, be cautious of emails by checking the sender’s email address before clicking any link.”

To see an infographic of Trustlook’s ransomware research findings, please click here. For more information on SECUREai, Trustlook’s artificial intelligence security engine that detects ransomware, please visit http://www.trustlook.com.