Concerned About Your Business Cyber Security?

(877) 321--7374

Massive wave of ransomware ongoing, (Fri, May 12th)

For a few hours, bad news are spreading quickly about a massive wave of infections by a new ransomware called WannaCry width:600px” />
(Source: MalwareTech)

Big targets have been telecom operators (ex: Telefonica in Spain) and hospitals in UK. Once the malware has infected a computer, it spreads across the network looking for new victims using the SMB protocol.

The ransomware usesthe Microsoft vulnerability MS17-10[1]. (This vulnerability was used by ETERNALBLUE[2])

Here are some IOCs that we already collected:


  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79


  • 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
  • 51e4307093f8ca8854359c0ac882ddca427a813c


  • 509c41ec97bb81b0567b059aa2f50fe8
  • 7bf2b57f2a205768755c07f238fb32cc
  • 7f7ccaa16fb15eb1c7399d422f8363e8

File extension: .wncry

Ransomware notification: padding:5px 10px”>
alert tcp $HOME_NET 445 – any any (msg:ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response content:|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0| content:|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|)

Until now, the best protection is of course to patch your systems as soon as possible and keep your users aware of the new ransomware campaign to preven them to open suspicious emails/files.


We will update this diary with more information if available.

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Ready For ASuperheroI.T. Solution?

Real Time Web Analytics