Three Bitcoin Addresses Identified – Ransomware Attack of 12 May 2017

A ransomware attack that hit more than 100,000 systems on Friday, 12 May 2017, has spread to over 90 countries, locking doctors in the UK's National Health Service (NHS) out of patient records. The attack has also reportedly hit a Spanish telecommunications company and a Russian mobile operator.

Ransomware is malware that encrypts a computer's files and displays a message offering to decrypt them for a payment, typically in bitcoin. The note shown on NHS computers and elsewhere has circulated in photos on social media; it instructs the victim to send $300 worth of bitcoin (rising to $600 if payment is not made within three days) to one of the attackers' bitcoin addresses.

Security experts say the strain being used, called "Wanna Decryptor", "WannaCry" or "WCry", spreads by exploiting a vulnerability in Microsoft Windows. The exploit was published last month by a group calling itself the "Shadow Brokers", which claimed to have stolen it, along with other tools, from the US National Security Agency (NSA).

Bitcoin addresses are public, so anyone can watch the payments arriving at them on a block explorer as victims pay in the hope of getting their files back. Note that what you see is the address, not a "wallet": the attackers can sweep the funds elsewhere at any time, and only incoming transactions tell you how many victims paid.

Here are the three bitcoin addresses used in the ransom notes:

Bitcoin Address 1 – https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Bitcoin Address 2 – https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Bitcoin Address 3 – https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

As per records (14 May 2017, 1:30 AM, GMT+5:30)

S.No  Address             Total amount received          Transactions
1     Bitcoin Address 1   $8,318.76  (approx. 5 BTC)     33
2     Bitcoin Address 2   $11,745.00 (approx. 7 BTC)     38
3     Bitcoin Address 3   $6,283.98  (approx. 3.5 BTC)   30

As per records (14 May 2017, 7:00 PM, GMT+5:30)

S.No  Address             Total amount received          Transactions
1     Bitcoin Address 1   $10,748.34 (approx. 6 BTC)     43
2     Bitcoin Address 2   $15,412.65 (approx. 8.6 BTC)   48
3     Bitcoin Address 3   $7,462.26  (approx. 4.1 BTC)   36

As per records (15 May 2017, 1:30 PM, GMT+5:30)

S.No  Address             Total amount received          Transactions
1     Bitcoin Address 1   $14,535.92 (approx. 8.3 BTC)   57
2     Bitcoin Address 2   $17,893.70 (approx. 10.2 BTC)  59
3     Bitcoin Address 3   $10,441.15 (approx. 5.9 BTC)   48

As per records (16 May 2017, 9:46 PM, GMT+5:30)

S.No  Address             Total amount received          Transactions
1     Bitcoin Address 1   $28,057.82 (approx. 16.1 BTC)  101
2     Bitcoin Address 2   $24,549.44 (approx. 14.1 BTC)  85
3     Bitcoin Address 3   $18,838.08 (approx. 10.8 BTC)  78
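The snapshot tables above were compiled by hand from a block explorer. The following is an added example (Python, not code from the original post) of doing the same thing programmatically: it tallies what each address received overall and within a chosen day, counting only transaction outputs that pay the address itself. The record layout assumed here mirrors the JSON that blockchain.info's /rawaddr/<address> endpoint returns (address, n_tx, total_received in satoshi, and a txs list whose out entries carry addr and value); that layout, the USD rate and all amounts and timestamps in the sample are assumptions or constructed data, only the three addresses come from the post.

```python
"""Tally ransom payments to known bitcoin addresses from block-explorer JSON.

Added example; not code from the original post. Record layout follows the
assumed shape of blockchain.info's /rawaddr/<address> response; the sample
amounts and timestamps are constructed, not real WannaCry transactions.
"""
import json
from datetime import datetime, timedelta, timezone

SATOSHI_PER_BTC = 100_000_000

# Constructed sample (assumed /rawaddr layout). Addresses are the two first
# addresses listed in the post; the payments are made up.
SAMPLE_RECORDS = json.loads("""
[
  {"address": "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94", "n_tx": 3, "total_received": 69200000,
   "txs": [
     {"time": 1494580000, "out": [{"addr": "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94", "value": 17300000}]},
     {"time": 1494700000, "out": [{"addr": "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94", "value": 17300000},
                                  {"addr": "1ChangeOutputNotTheRansomAddress", "value": 5000000}]},
     {"time": 1494750000, "out": [{"addr": "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94", "value": 34600000}]}
   ]},
  {"address": "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw", "n_tx": 1, "total_received": 17300000,
   "txs": [
     {"time": 1494600000, "out": [{"addr": "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw", "value": 17300000}]}
   ]}
]
""")


def btc(satoshi: int) -> float:
    """Convert a satoshi amount to BTC."""
    return satoshi / SATOSHI_PER_BTC


def received_between(record: dict, start: datetime, end: datetime) -> int:
    """Satoshi paid to record['address'] by transactions with start <= time < end.
    Only outputs that pay the address count; change sent elsewhere is ignored."""
    addr = record["address"]
    t0, t1 = int(start.timestamp()), int(end.timestamp())
    total = 0
    for tx in record["txs"]:
        if t0 <= tx["time"] < t1:
            total += sum(o["value"] for o in tx["out"] if o.get("addr") == addr)
    return total


def received_on_day(record: dict, year: int, month: int, day: int) -> int:
    """Satoshi received during one UTC calendar day (the per-snapshot delta)."""
    start = datetime(year, month, day, tzinfo=timezone.utc)
    return received_between(record, start, start + timedelta(days=1))


def outputs_match_total(record: dict) -> bool:
    """Cross-check the explorer's total_received against the listed outputs.
    A mismatch means the txs list is incomplete (explorers page long lists),
    so a per-day tally built from it would undercount."""
    addr = record["address"]
    summed = sum(o["value"] for tx in record["txs"] for o in tx["out"]
                 if o.get("addr") == addr)
    return summed == record["total_received"]


def summarize(records: list, usd_per_btc: float) -> dict:
    """Per-address totals in BTC and USD plus transaction count, i.e. one
    row of the snapshot tables. usd_per_btc is the rate you choose to apply
    (the post's tables imply roughly $1,740 per BTC on 16 May 2017)."""
    out = {}
    for r in records:
        b = btc(r["total_received"])
        out[r["address"]] = {"btc": b, "usd": round(b * usd_per_btc, 2), "n_tx": r["n_tx"]}
    return out


if __name__ == "__main__":
    # Assumed rate for the conversion; not a quoted market price.
    for addr, row in summarize(SAMPLE_RECORDS, 1740.0).items():
        print(f"{addr}  ${row['usd']:>10,.2f}  (approx. {row['btc']:.3f} BTC)  {row['n_tx']} tx")
    for r in SAMPLE_RECORDS:
        print(r["address"], "received on 14 May 2017:",
              btc(received_on_day(r, 2017, 5, 14)), "BTC; list complete:",
              outputs_match_total(r))
```

To run it against live data, fetch each /rawaddr/<address> document and feed the parsed JSON into the same functions; check outputs_match_total first, because a paged txs list silently breaks the per-day figures while total_received stays correct.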

Kaspersky publishes free ransomware decryptors, so check whether one covers your variant before paying. Do not count on one for WCry itself: at the time of writing there was no general decryptor, because each victim's file keys are wrapped with the attackers' RSA key, so restoring from offline backups remains the main recovery path.

What WCry is

WCry is ransomware that uses the NSA's EternalBlue SMB exploit (leaked by the Shadow Brokers) to spread across networks, and also drops the DoublePulsar backdoor on infected machines. It has hit Telefónica, the UK's NHS, Deutsche Bahn's S-Bahn, Portugal Telecom, the Russian Interior Ministry, many universities in China, and others.

About EternalBlue

French security researcher Kafeine was the first to notice EternalBlue being used by WCry, because it triggered Emerging Threats rule 2024218. EternalBlue exploits a vulnerability in the SMBv1 server (CVE-2017-0144) to gain code execution on any reachable machine with port 445 open, which is how WCry hops between hosts inside a network and from the internet. Microsoft patched the vulnerability in March (MS17-010), but two months later a large share of Windows systems still had not installed the update.

About DoublePulsar

CERT Spain and other researchers confirmed that WCry also installs DoublePulsar on infected systems. DoublePulsar is a kernel-mode (ring 0) backdoor, also from the NSA toolset leaked by the Shadow Brokers, which EternalBlue implants after exploitation; it lets a remote operator inject DLLs or shellcode into processes over SMB, and so download and run further malware on the machine. It lives only in memory, so a reboot removes the implant, but the unpatched SMBv1 hole it came through stays open until MS17-010 is applied.

Infections & Heatmap

WCry had infected about 220,000 machines at the time of writing. MalwareTechBlog has put together a live WCry infection map, built from hits on the sinkholed kill-switch domain, that updates every minute.

Protection

The spread of the first WCry wave stopped after MalwareTechBlog registered a domain hardcoded in the ransomware binary. Before doing anything else, the sample tries to reach that domain over HTTP: if the request fails (as it did while the domain was unregistered), it goes on to encrypt and spread; if the request succeeds, it exits. Registering the domain therefore acted as a kill switch. Cisco Talos has confirmed the behaviour. Two caveats: a machine that cannot reach the domain at all (no direct internet access, or egress only through a proxy the malware does not use) still gets infected, and a rebuilt sample can change or drop the check entirely.
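The kill-switch logic and the detection it hands defenders, as an added example in Python (not code from the original post, from the malware or from MalwareTech). The kill_switch_allows_run function mirrors the check described above with a pluggable probe, so the three network conditions (sinkholed, unregistered, proxy-only) can be tried offline; hosts_querying then hunts a DNS query log for clients that resolved the domain, since every host that ran the sample looks it up whether or not the check stopped it. The domain name is the one registered for the first sample, taken from public reporting because the post does not name it; the log lines, client addresses and the BIND-style log layout are constructed.

```python
"""Kill-switch check of the first WCry sample and a DNS-log hunt for hosts
that performed it. Added example; not code from the post, the malware or
MalwareTech. Domain from public reporting on the first sample; log lines,
hosts and log format are constructed."""
import re
import urllib.request
from collections import Counter
from typing import Callable, Iterable

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def kill_switch_allows_run(domain: str, http_get: Callable[[str], bool]) -> bool:
    """Mirror of the sample's logic: issue an HTTP GET to the hardcoded
    domain and continue (True) only when that request FAILS. http_get must
    return True when a response came back and False (or raise) on any
    error: NXDOMAIN, no route, timeout. Note the failure mode: a host with no
    direct egress cannot reach even a registered domain, so it still runs."""
    try:
        reached = http_get("http://" + domain)
    except Exception:          # any network error counts as "not reached"
        reached = False
    return not reached


def http_get_direct(url: str, timeout: float = 5.0) -> bool:
    """Real probe for use on a live host. The malware used WinINet with no
    proxy configured; urllib honours proxy environment variables, so this is
    only an approximation of its network view."""
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return True
    except Exception:
        return False


# Stand-in probes for three network conditions (constructed, no network I/O).
def net_sinkholed(url: str) -> bool:      # domain registered, sinkhole answers
    return True


def net_unregistered(url: str) -> bool:   # before registration: lookup fails
    return False


def net_proxy_only(url: str) -> bool:     # LAN with no direct internet egress
    raise OSError("no route to host")


# BIND-style query log line: "... client 10.0.4.21#51234: query: name IN A + (...)"
QUERY_RE = re.compile(r"client (?P<host>[0-9.]+)#\d+.*?: query: (?P<name>\S+) IN ")


def hosts_querying(lines: Iterable[str], domain: str) -> dict:
    """Count query-log lines per client that looked up `domain`, ignoring
    case and a trailing dot. Each hit is a host that executed the sample
    and needs triage, even if the sinkhole then stopped it."""
    want = domain.lower()
    hits: Counter = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and m.group("name").lower().rstrip(".") == want:
            hits[m.group("host")] += 1
    return dict(hits)


SAMPLE_DNS_LOG = """\
14-May-2017 09:12:01.117 client 10.0.4.21#51234: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.53)
14-May-2017 09:12:04.402 client 10.0.4.22#49120: query: www.example.com IN A + (10.0.0.53)
14-May-2017 09:13:17.880 client 10.0.7.3#60011: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.0.0.53)
14-May-2017 09:15:40.006 client 10.0.4.21#51240: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.53)
14-May-2017 09:16:02.311 client 10.0.9.9#53311: query: update.example.net IN AAAA + (10.0.0.53)
"""

if __name__ == "__main__":
    for name, probe in [("sinkholed", net_sinkholed),
                        ("unregistered", net_unregistered),
                        ("proxy-only", net_proxy_only)]:
        print(f"{name:12s} -> malware runs: {kill_switch_allows_run(KILL_SWITCH_DOMAIN, probe)}")
    print("hosts that performed the check:",
          hosts_querying(SAMPLE_DNS_LOG.splitlines(), KILL_SWITCH_DOMAIN))
```

The proxy-only case is the one that bit real networks: the sinkhole answers, but a host that can only reach the web through a proxy never gets the answer, so the kill switch offers it no protection and only the MS17-010 patch does.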

Whether or not the kill switch holds, the protection that actually works is to INSTALL THE UPDATES: apply MS17-010, disable SMBv1 where nothing still needs it, and never expose port 445 to the internet. Turning automatic updates off in the age of ransomware is the worst thing you can do to your data.
