{
	"id": "a9da01f1-ea71-4de0-abbb-401e311e029a",
	"created_at": "2026-04-06T00:09:20.53838Z",
	"updated_at": "2026-04-10T03:29:45.3291Z",
	"deleted_at": null,
	"sha1_hash": "07031be253bbc3a7d47f2a6a3056717aef41a816",
	"title": "WannaCry ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far today",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 786901,
	"plain_text": "WannaCry ransomware that infected Telefonica and NHS hospitals\r\nis spreading aggressively, with over 50,000 attacks so far today\r\nBy Jakub Křoustek 12 May 2017\r\nArchived: 2026-04-05 20:37:28 UTC\r\nAvast protects you from WannaCry ransomware that infected NHS and Telefonica.\r\nUpdate (4:23 CET, Monday, May 15th): We are now seeing more than 213,000 detections of WannaCry, in 112\r\ncountries.\r\nWe have observed a massive peak in WannaCry (aka WCry) ransomware attacks today, with more than 57,000\r\ndetections so far. According to our data, the ransomware is mainly targeting Russia, Ukraine and Taiwan,\r\nbut it has also successfully infected major institutions, like hospitals across England and the Spanish\r\ntelecommunications company Telefonica.\r\nBelow is a map showing the countries being targeted most by WannaCry:\r\nWe saw the first version of WannaCry in February, and the ransomware is now available in 28 different languages,\r\nfrom Bulgarian to Vietnamese. Today at 8 am CET, we noticed an increase in activity of this strain,\r\nwhich quickly escalated into a massive spread, beginning at 10 am.\r\nThe ransomware changes the extensions of affected files to “.WNCRY”, so an infected file will look something\r\nlike: original_name_of_file.jpg.WNCRY, for example. The encrypted files are also marked by the “WANACRY!”\r\nstring at the beginning of the file.\r\nThis ransomware drops the following ransom notes in a text file:\r\nhttps://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today\r\nPage 1 of 4\n\nFurthermore, the ransom being demanded is $300 worth of bitcoins. 
The ransom message, with instructions on\r\nhow to pay the ransom, an explanation of what happened, and a countdown timer, is displayed in what the\r\ncybercriminals behind the ransomware refer to as “Wana Decrypt0r 2.0”:\r\nAdditionally, the victim’s wallpaper is changed to the following image:\r\nThis attack once again proves that ransomware is a powerful weapon that can be used against consumers and\r\nbusinesses alike. Ransomware becomes particularly nasty when it infects institutions like hospitals, where it can\r\nput people’s lives in danger.\r\nInfection vector: WannaCry\r\nWannaCry is most likely spreading to so many computers by using an exploit that the Equation Group, a\r\ngroup widely suspected of being tied to the NSA, used for its dirty business. A hacker group called\r\nShadowBrokers has stolen Equation Group’s hacking tools and has publicly released them. As confirmed by\r\nsecurity researcher Kafeine, the exploit, known as ETERNALBLUE or MS17-010, was probably used by the\r\ncybercriminals behind WannaCry and is a Windows SMB (Server Message Block, a network file sharing protocol)\r\nvulnerability.\r\nAvast antivirus detects all known versions of WannaCry, but we strongly recommend all Windows users fully\r\nupdate their system with the latest available patches. 
We will continue to monitor this outbreak and update this\r\nblog post when we have further updates.\r\nIOCs:\r\nSource: https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today"
	],
	"report_names": [
		"ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434160,
	"ts_updated_at": 1775791785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07031be253bbc3a7d47f2a6a3056717aef41a816.pdf",
		"text": "https://archive.orkl.eu/07031be253bbc3a7d47f2a6a3056717aef41a816.txt",
		"img": "https://archive.orkl.eu/07031be253bbc3a7d47f2a6a3056717aef41a816.jpg"
	}
}