(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
 


WCry, the National Security Agency exploit-powered ransomware worm that began spreading worldwide on Friday, had reportedly affected hundreds of thousands of computers before the weekend, but the malware had only brought in about $20,000 in ransom payments. However, as the world returned to the office on Monday, those payments have been rapidly mounting, based on tracking data for the three Bitcoin wallets tied by researchers to the malware. As of noon Eastern Time on Monday, payments had reached an estimated $71,000 since May 12. So far, 263 payments have been made to the three wallets linked to the code in the malware.

The payment history for each wallet shows individual transactions ranging mostly between 0.16 and 0.34 Bitcoin (approximately $300 and $600, respectively), with the number of larger payments increasing over time. Different ransom amounts have been presented to victims, and the price of Bitcoin has climbed dramatically over the past week, causing some variation in the payment sizes.

According to researchers at Symantec Security Response, tracking ransom transactions would have been much more difficult if not for a bug in code that was supposed to create an individual bitcoin wallet for each victim:


 

WASHINGTON, DC - MAY 15: National Security Adviser Army Lt. Gen. H.R. McMaster preparing to make a statement to reporters on May 15 regarding President Trump's sharing of intelligence with Russian officials. (credit: Photo by Jabin Botsford/The Washington Post via Getty Images)

In an Oval Office meeting the day after firing FBI Director James Comey, President Donald Trump reportedly shared intelligence from an allied nation's sources on an Islamic State plot to bring down passenger airplanes with laptop computers turned into bombs. The intelligence, which was apparently behind reports that the US will extend a ban on laptops to include flights from Europe, had been highly classified because of the sensitivity of its source.

Statements from President Trump on Twitter and from White House National Security Advisor Lt. Gen. H.R. McMaster did not directly contradict details initially reported by the Washington Post late on Monday. McMaster said that no sources or methods were exposed in the conversation. However, the unnamed officials cited in the Post report were concerned that Trump's citing of the exact location "in the Islamic State’s territory where the US intelligence partner detected the threat" could expose the source. Tuesday morning, Trump tweeted:

Trump also lashed out at the intelligence community for leaking about his actions:


 

In God we trust. All others must bring data. ~Bob Rudis

With endless amounts of data, technical detail, and insights on WannaCrypt/WannaCry, and even more FUD, speculation, and downright trolling, herein is a proposal for you to do your own data-driven security analysis. My favorite book to help you scratch that itch? Data-Driven Security: Analysis, Visualization and Dashboards, by Jay Jacobs and Bob Rudis. What follows are a few quick samples, using WannaCry data and R, the open source programming language and software environment for statistical computing and graphics. If you ever wanted to pick up a bit of immediately useful programming, R is for you.

Our good friends over at Team Cymru tweeted out a great GitHub Gist WannaCry factsheet; it lists a number of useful resources, many leading to other good reads. From it I easily tracked down a list of malicious IPs associated with WannaCry.


You can always learn interesting insights from IPs, and this situation is no different. In very few lines of R, we can geolocate and visualize the data for further insight. I'll walk you through it. First, let's pull in the libraries we need: rgeolocate for IP geolocation, wordcloud to create a word cloud, RColorBrewer to make said word cloud more color rich, and plotrix to make a nice plot.

library(rgeolocate)
library(wordcloud)
library(RColorBrewer)
library(plotrix)

We then need to point at the MaxMind GeoLite2-Country database that ships with Oliver Keyes and @hrbrmstr's rgeolocate package:

file <- system.file("extdata", "GeoLite2-Country.mmdb", package = "rgeolocate")

Follow that with our malicious WannaCry IP addresses.

ips <- c("188.166.23.127", "91.219.236.222", "46.101.166.19", "193.23.244.244", "62.210.124.124", "2.3.69.209",
         "144.76.92.176", "91.121.65.179", "146.0.32.144", "148.244.38.101", "91.219.237.229", "50.7.161.218",
         "149.202.160.69", "217.79.179.177", "87.7.10.93", "163.172.149.155", "212.47.232.237", "192.42.115.101",
         "171.25.193.9", "81.30.158.223", "178.62.197.82", "195.22.26.248", "79.172.193.32", "212.47.244.98",
         "197.231.221.221", "38.229.72.16", "5.35.251.247", "198.96.155.3", "46.101.166.19", "128.31.0.39",
         "213.61.66.117", "23.254.167.231")

Finally, we pull it all together and receive our first results file.

results <- maxmind(ips, file, c("continent_name", "country_code", "country_name"))

In one fell swoop, we create a word cloud from our data.

wordcloud(results$country_name, max.words = 100, min.freq = 1, random.order = FALSE, rot.per = 0.35, colors = brewer.pal(8, "Dark2"))

Looks like most of the malicious IPs are in Germany. :-)

Prefer to visualize that a different way? No problem, we'll run a quick count (count() comes from the plyr package, which also needs to be loaded) and use plotH from plotrix to create a scatterplot with histogram-like bars.

library(plyr)   # provides count(), which returns a data frame with columns x and freq
ct <- count(results$country_name)
plotH(freq ~ x, data = ct, ylab = "Frequency", xlab = "Country", col = "blue")

Try it for yourself. When events such as WannaCry have you frustrated and down, you can at least take data-driven security analysis into your own hands.
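The same analysis, tightened up the way you would want it before sharing the numbers with anyone. This is an added example and not code from the original post or from the rgeolocate package: it deduplicates the indicator list (the published list repeats 46.101.166.19, which would otherwise count twice), drops anything that is not a plain IPv4 address, counts countries with an explicit frequency table instead of letting wordcloud() tokenize the country names, reports addresses that have no country record, and writes the table out so it can be diffed against a later run. It assumes the rgeolocate, wordcloud and RColorBrewer packages are installed and that the GeoLite2-Country.mmdb bundled with rgeolocate is present; the output file name is an arbitrary choice.

```r
# Added example (not from the original post): deduplicated, validated
# country counts for the WannaCry indicator IPs, with explicit frequencies.
library(rgeolocate)
library(wordcloud)
library(RColorBrewer)

file <- system.file("extdata", "GeoLite2-Country.mmdb", package = "rgeolocate")

# Indicator list as published on the Team Cymru factsheet (same data as above).
ips <- c("188.166.23.127", "91.219.236.222", "46.101.166.19", "193.23.244.244", "62.210.124.124", "2.3.69.209",
         "144.76.92.176", "91.121.65.179", "146.0.32.144", "148.244.38.101", "91.219.237.229", "50.7.161.218",
         "149.202.160.69", "217.79.179.177", "87.7.10.93", "163.172.149.155", "212.47.232.237", "192.42.115.101",
         "171.25.193.9", "81.30.158.223", "178.62.197.82", "195.22.26.248", "79.172.193.32", "212.47.244.98",
         "197.231.221.221", "38.229.72.16", "5.35.251.247", "198.96.155.3", "46.101.166.19", "128.31.0.39",
         "213.61.66.117", "23.254.167.231")

# Deduplicate first: a repeated indicator (46.101.166.19 appears twice in the
# published list) would otherwise inflate that country's count.
ips <- unique(ips)

# Keep only plain dotted-quad IPv4 strings. Copied indicator lists often carry
# "host:port" entries or stray text, which we do not want to feed to maxmind().
ips <- ips[grepl("^([0-9]{1,3}\\.){3}[0-9]{1,3}$", ips)]

results <- maxmind(ips, file, c("continent_name", "country_code", "country_name"))

# Addresses with no country record come back as NA; count them explicitly
# rather than silently dropping them from the picture.
unknown <- sum(is.na(results$country_name))
counts  <- sort(table(results$country_name, useNA = "no"), decreasing = TRUE)

# Passing explicit frequencies keeps multi-word names such as "United States"
# as one term instead of letting wordcloud() split them into separate words.
wordcloud(names(counts), as.numeric(counts), min.freq = 1, random.order = FALSE,
          rot.per = 0.35, colors = brewer.pal(8, "Dark2"))

# Same counts as a horizontal bar chart, largest country at the top.
barplot(rev(counts), horiz = TRUE, las = 1, col = "steelblue",
        xlab = "Number of indicator IPs", main = "WannaCry indicator IPs by country")

# Persist the table so a later run (new indicators, newer GeoLite database)
# can be diffed against this one. File name is an arbitrary choice.
write.csv(as.data.frame(counts), "wannacry_ip_countries.csv", row.names = FALSE)
cat(sprintf("%d unique IPs geolocated, %d without a country record\n",
            nrow(results), unknown))
```

Two caveats before reading anything into the bars. Country-level geolocation tells you where a hosting provider's address block is registered, not where the operator sits, so a heavy Germany count says more about popular hosting than about attribution. And the GeoLite2 file bundled with rgeolocate is a snapshot; results shift between database versions, which is why the script writes the counts out for later comparison.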

Resources for this article:

 


On Friday, ransomware called WannaCry used leaked hacking tools stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much-earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency.

Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz. WannaCry, which gets its name from a password hard-coded into the exploit, is also known as WCry.

Kafeine, a well-known researcher at security firm Proofpoint, said the attack started no later than May 2 and may have begun as early as April 24. He said the campaign was surprisingly effective at compromising Internet-connected computers that have yet to install updates Microsoft released in early March to patch the critical vulnerabilities in the Windows implementation of the Server Message Block protocol. In a blog post published Monday afternoon, Kafeine wrote:


 