A highly virulent new strain of self-replicating ransomware shut down computers all over the world, in part by appropriating a National Security Agency exploit that was publicly released last month by the mysterious group calling itself Shadow Brokers.

The malware, known as Wanna, Wannacry, or Wcry, has infected at least 75,000 computers, according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries have been affected, with Russia being disproportionately affected, followed by Ukraine, India, and Taiwan. Infections are also spreading through the United States. The malware is notable for its multi-lingual ransom demands, which support more than two-dozen languages.


Wcry is reportedly causing disruptions at banks, hospitals, telecommunications services, train stations, and other mission-critical organizations in multiple countries, including the UK, Spain, Germany, and Turkey. FedEx, the UK government's National Health Service, and Spanish telecom Telefonica have all been hit. The Spanish CERT has called it a "massive ransomware attack" that is encrypting all the files of entire networks and spreading laterally through organizations.



For the past few hours, bad news has been spreading quickly about a massive wave of infections by a new ransomware called WannaCry.
(Source: MalwareTech)

Big targets have been telecom operators (e.g., Telefonica in Spain) and hospitals in the UK. Once the malware has infected a computer, it spreads across the network looking for new victims using the SMB protocol.

The ransomware uses the Microsoft vulnerability MS17-010[1]. (This vulnerability was used by ETERNALBLUE[2].)

Here are some IOCs that we already collected:



File extension: .wncry

Ransomware notification:

IDS rule:

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|";)
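
How the two content patterns in the rule above line up with an SMB1 echo response, as an added Python example (not part of the original diary or of the Emerging Threats ruleset). The packets are constructed for the test, and because the rule as quoted carries no positional modifiers, each pattern is treated as a plain substring match on traffic sent from port 445.

```python
# Content patterns copied from the rule quoted above.
RULE_CONTENTS = [
    "|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|",
    "|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|",
]

def content_to_bytes(content):
    """Convert Snort content notation (literal text with |hex| runs) to bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2:                      # odd segments sit between pipes: hex bytes
            out += bytes.fromhex(part)
        else:                          # even segments are literal characters
            out += part.encode("latin-1")
    return bytes(out)

def rule_matches(src_port, payload, contents=RULE_CONTENTS):
    """True when a payload sent from port 445 contains every content pattern."""
    return src_port == 445 and all(content_to_bytes(c) in payload for c in contents)

def build_echo_response(data):
    """Constructed SMB1 echo response: NetBIOS length, SMB header, echo body."""
    smb = (b"\xffSMB"          # protocol magic
           + b"\x2b"           # command 0x2b = SMB_COM_ECHO
           + b"\x00" * 4       # status: success
           + b"\x98"           # flags
           + b"\x07\xc0"       # flags2 (little-endian 0xc007)
           + b"\x00" * 20)     # PID high, signature, reserved, TID, PID, UID, MID
    body = b"\x01" + b"\x01\x00" + len(data).to_bytes(2, "little") + data
    msg = smb + body
    # NetBIOS session header: type 0x00 plus a 3-byte big-endian length.
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

# Constructed samples: both are 12-byte echoes, so both carry length 0x31.
SUSPECT = build_echo_response(content_to_bytes(RULE_CONTENTS[1]))
BENIGN = build_echo_response(b"keepalive-01")

if __name__ == "__main__":
    for label, pkt in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, pkt[:16].hex(" "), rule_matches(445, pkt))
```

The first pattern alone only says "49-byte SMB echo response with these flags"; it is the second pattern, the fixed 12-byte echo data, that separates the two samples.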

For now, the best protection is of course to patch your systems as soon as possible and keep your users aware of the new ransomware campaign to prevent them from opening suspicious emails/files.


We will update this diary with more information if available.

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.



A large number of hospitals, GPs, and walk-in clinics across England have been locked down by a ransomware attack, reports suggest. There are also some reports of a ransomware attack hitting institutions in Portugal and Spain, though it isn't known if the incidents are connected.

NHS England says it is aware of the issue, but hasn't yet issued an official statement. At this point it isn't clear whether a central NHS network has been knocked offline by the ransomware, or whether individual computers connected to the network are being locked out. In any case, some hospitals and clinics are reporting that their computer systems are inaccessible and some telephone services are down too.



Go phishing the White House and you may need a bigger boat. (credit: Lsuff)

Earlier this week, the team at Gizmodo's Special Projects Desk published a report on how they "phished" members of the administration and campaign teams of President Donald Trump. Gizmodo identified 15 prominent figures on Trump's team and sent e-mails to each posing as friends, family members, or associates containing a faked Google Docs link.

"This was a test of how public officials in an administration whose president has been highly critical of the security failures of the DNC stand up to the sort of techniques that hackers use to penetrate networks," said John Cook, executive editor of Gizmodo's Special Projects Desk, in an e-mail conversation with Ars. Gizmodo targeted some marquee names connected to the Trump administration, including Newt Gingrich, Peter Thiel, (now-ex) FBI director James Comey, FCC chairman Ajit Pai, White House press secretary Sean Spicer, presidential advisor Sebastian Gorka, and the administration's chief policymakers for cybersecurity.

The test didn't appear to prove much. Gingrich and Comey responded to the e-mail questioning its provenance. And while about half of the targeted officials may have clicked the link—eight devices' IP addresses were recorded accessing the linked test page—none entered their login credentials. The test could not determine whose devices clicked on the link.



A few months ago, I wrote a diary about webshells[1] and the numerous interesting features they offer. There are plenty of web shells available, and they are easy to find and install. They are usually delivered as one big obfuscated (read: Base64, ROT13 encoded and gzip

I'm pretty sure that some people are using web shells as a remote administration tool. Is it really a good idea? Not sure. When we install software on our computer, one of the recommendations is to check the hash of the files/archives against the one provided by the developer to be sure that the software has not been altered by any means. It could be a good idea to do the same with web shells!

While preparing a presentation about web shells and testing some of them in a lab, I found a specific version of the RC-Shell (v2.0.2011.0827) that started to generate suspicious traffic. Almost at the same time, I was contacted by one of our readers who reported the same behaviour to me. He did some analysis on his side and the conclusion was that the web shell was backdoored! The PHP code contains an array of Base64 encoded images which are icons used to identify the file types. In the backdoored version, the unknown

$images = array(
    "small_unk" => "iVBORw0KGgoAAAANSU ...",
    "unknown" => "iVBORw0KGgoAAAANSU ...",
);

MD5 (unknown.png) = 1470521de78ef3d0795f83ea7af7c6ad

If you have a look at the picture metadata, you will see that the unknown

Multiple functions have been added to the web shell to deploy the backdoor.

function z8t($i, $o) // run backdoor
{
    $r = @create_function($o, return @ . z7v($o, 0) .
}

Note: I found different versions of the web shell with different function names.
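
One way to apply the hash check to the embedded icons, as an added Python example that is not code from the diary or from the web shell: it decodes each Base64 PNG in a PHP `$images` array, compares its MD5 with a baseline, and flags oversized text (comment) chunks in the picture metadata. The sample PNGs, the `baseline` parameter and the 64-byte threshold are assumptions made for illustration.

```python
import base64, hashlib, re, struct, zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}   # PNG chunk types that carry comments
ICON_RE = re.compile(r"""['"](\w+)['"]\s*=>\s*['"]([A-Za-z0-9+/=]+)['"]""")

def png_chunks(data):
    """Yield (type, payload) for every chunk after the PNG signature."""
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length              # length + type + payload + CRC

def audit_icons(php_source, baseline=None, max_text=64):
    """Per icon: MD5, mismatch against a known-good baseline, large text chunks."""
    findings = []
    for name, b64 in ICON_RE.findall(php_source):
        raw = base64.b64decode(b64)
        if not raw.startswith(PNG_MAGIC):
            continue                    # not a PNG, nothing to parse
        md5 = hashlib.md5(raw).hexdigest()
        text = [(t.decode(), len(p)) for t, p in png_chunks(raw)
                if t in TEXT_CHUNKS and len(p) > max_text]
        findings.append({"name": name, "md5": md5, "text_chunks": text,
                         "md5_mismatch": baseline is not None
                                         and baseline.get(name) != md5})
    return findings

# --- constructed sample input (harmless filler, not taken from the web shell) ---
def chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload)
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def make_png(extra=b""):
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1 greyscale image
    idat = zlib.compress(b"\x00\x00")
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + extra + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

CLEAN = make_png()
TAMPERED = make_png(chunk(b"tEXt", b"Comment\x00" + b"A" * 400))
SAMPLE_PHP = "$images = array(\n 'small_unk' => '%s',\n 'unknown' => '%s'\n);" % (
    base64.b64encode(CLEAN).decode(), base64.b64encode(TAMPERED).decode())

if __name__ == "__main__":
    for finding in audit_icons(SAMPLE_PHP):
        print(finding)
```

An icon only needs a few bytes of metadata, so a text chunk of several hundred bytes in a file-type icon is worth decoding and reading before the script is deployed.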

The decoding of the PNG image comment and the installation of the backdoor is available here[3]. The code of the backdoor is located here[4]. Basically, it collects juicy information (local PHP variables and details about the web shell) and phones home via two channels:

  • SMTP is used to drop an email to [email protected][.]com
  • HTTP is used to post the same data to

To: [email protected]
Subject: Linux|http://shiva/lab/VW4Zy8Yg.php?
X-PHP-Originating-Script: 1000:VW4Zy8Yg.php(830) : runtime-created function(1) : eval()'d code
Message-Id: [email protected]

.NET CLR
SERVER_NAME=xxxxxx
SERVER_ADDR=
SERVER_PORT=80
HTTP_REFERER=http://shiva/lab/
PHP_SELF=/lab/VW4Zy8Yg.php
REQUEST_URI=/lab/VW4Zy8Yg.php
SCRIPT_NAME=/lab/VW4Zy8Yg.php
SCRIPT_FILENAME=/var/www/lab/VW4Zy8Yg.php
REMOTE_ADDR=

So, be warned when you download and use tools from unknown or unreliable sources. Even underground tools can be backdoored!


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant