{
	"id": "07652aec-976d-4f03-b1c8-60c4592bc5d8",
	"created_at": "2026-04-06T00:06:18.81138Z",
	"updated_at": "2026-04-10T03:21:04.9484Z",
	"deleted_at": null,
	"sha1_hash": "a71650e272ebace154fe51cac23d6b921782e6de",
	"title": "Warning: Massive \"WannaCry\" Ransomware campaign launched",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 266676,
	"plain_text": "Warning: Massive \"WannaCry\" Ransomware campaign launched\r\nBy Tim Berghoff\r\nPublished: 2017-06-08 · Archived: 2026-04-05 17:48:23 UTC\r\n05/12/2017\r\nReading time: 8 min (2073 words)\r\nAn outbreak of the latest version of \"WannaCry\" has been claiming victims in several countries. The speed and ferocity of the outbreak have taken many by surprise. Researchers are as yet puzzled as to the origin of the outbreak, which hit 11 countries within just three hours. So far, Spain and Russia are among those hit hardest.\r\nLike a bolt from the blue\r\nIn the early morning hours (CET) of Friday, May 12, a sizeable wave of infections with the latest iteration of the WCry / WannaCry ransomware was spotted. Researchers are not sure where the sudden onslaught came from, but suspicions currently include botnets, exploit kits, infected emails or malicious advertising (also called malvertising). In Spain, Telefónica, a major ISP, was hit with an infection on one of their internal servers. From there, things escalated to a point where IT staff were reaching out to employees to shut down their computers immediately. They were also asked to cut any VPN connections in order to stop the ransomware from ravaging more parts of the company's network. According to Spanish newspaper El Mundo, some utility companies had their networks affected in a similar fashion. According to one data source, Russia has reported the highest number of infections.\r\nSo far the extent of the damage is unknown.\r\nImplications\r\nThe unfolding events make it abundantly clear that ransomware is a problem for companies of all sizes.\r\nSince utilities and telecommunications are considered \"essential and critical infrastructure\", adequate measures must be taken to secure them.\r\nCountermeasures\r\nVirus signatures should be updated immediately.\r\nG DATA customers are protected. The WannaCry ransomware is detected by all of G DATA's solutions as Win32.Trojan-Ransom.WannaCry.A.\r\nhttps://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign\r\nPage 1 of 7\n\nSince the vulnerability was addressed in the March update for Windows, updates should be installed as soon as possible. In addition to this, Microsoft has also released a mitigation patch for some legacy versions of Windows, which should also be applied immediately.\r\nFile-based IOCs\r\nFile extension: .wncry\r\nRansom note: @Please_Read_Me@.txt\r\nhttps://twitter.com/malwrhunterteam/\r\nNetwork-based IoCs\r\nThe \"genuine\" WannaCry dropper attempts to contact the following web address:\r\nhxxp[:]//www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\r\nThis is the original \"killswitch\" domain.\r\nPreview image credit: MalwareHunter\r\nUpdate: May 12, 8:20 pm: WannaCry uses a leaked NSA exploit to infect machines - how to mitigate\r\nIt seems that the mechanism used by WannaCry is based on exploit code originally developed by the NSA. The exploit is called ETERNALBLUE and was part of a series of files which were leaked last month.\r\nThe security flaw in SMB which made the exploit possible (also referenced in the NVD) and which was rated \"critical\" was patched by Microsoft on the March patch day.\r\nG DATA strongly recommends installing all Windows updates or implementing the workaround suggested by Microsoft as soon as possible.\r\nUpdate: May 12, 11:20 pm\r\nIOC list updated \u0026 detection names added\r\nUpdate: May 13, 7:30 am: train timetable displays in Germany infected, NHS declares \"major incident\"\r\nFirst WannaCry infections were reported in the timetable displays of various train stations in Germany. The infection wave has spread across several hospitals in the UK, forcing staff to use paper-based fallbacks to maintain a basic service level. The NHS declared this a \"major incident\". Doctors are joining in with warnings that the WannaCry infections may cost lives.\r\nUpdate: May 13, 9:15 am - Microsoft releases a mitigation patch for Windows XP, Windows 8, Server 2003 to address vulnerability\r\nGiven that there is still a large number of Windows XP installations out there (including those in critical places), Microsoft has made an unusual move and issued an update for Windows XP, Windows 8 and Windows Server 2003.\r\nUpdate: May 15, 8:30 am: Accidental hero throws a wrench in WannaCry's works\r\nA security researcher had begun analyzing WannaCry as soon as it hit the ground. During his examination he found out that WannaCry attempts to contact a specific domain. The domain was not registered at the time, so he took it upon himself to do so in order to find out what WannaCry wanted to chat about. This is a common procedure in security research.\r\nIt later turned out that the domain was in effect a \"killswitch\" for WannaCry. The principle is rather simple: WannaCry contacts the domain and waits for a reply. If a reply comes back, it shuts off and does not infect the system. Initially, the researcher was not aware of the fact that this killswitch existed, so the fact that this discovery helped slow down the infection wave significantly was a happy accident - many news portals refer to him as \"The accidental hero of WannaCry\".\r\nThis is good news of course: new infections are stopped in their tracks. There are two major caveats about this, though: the killswitch only works on machines which were not previously infected. It cannot \"clean\" an infected system and it will not bring back encrypted files. Also, the killswitch domain will not work if the to-be-infected machines are located behind a proxy server.\r\nStill, the slowdown allowed security staff to breathe a sigh of relief, albeit a cautious one.\r\nUpdate: May 15, 8:50 am: \"Brace for impact\"\r\nAs mentioned previously, the full extent of the infection wave may only become apparent this Monday morning when workers return to their offices. Therefore users should pay really close attention to any messages they see on screen and alert their IT department immediately as soon as a ransom note appears on screen.\r\nIt also goes without saying that email attachments should be treated with utmost caution, especially if they were received after Thursday, May 11.\r\nUpdate: May 16, 3:00 pm: Some things are not adding up - Copycats give researchers trouble - Attribution attempts\r\nAlthough many researchers are warning that \"this is not over yet\", there are some things that strike us as odd around WannaCry. First and foremost, the intention of any ransomware campaign is to rake in as much money as possible in the shortest amount of time. With the infection count at over 200,000 and counting, one would expect the attackers' Bitcoin wallets to be almost bursting at the seams. However, only three BTC wallets have been identified so far and they only have a meager 60,000 dollars to show between them. Even if we calculate this in a very conservative manner and assume that about 2.5% of the victims actually pay up, we should still at least be looking at seven figures in Bitcoin. That does not seem to be the case, though, which opens up room for speculation.\r\nThere are several possibilities as to why there does not seem to be any money transferred. For instance, the people behind the ransomware attack may not have anticipated that their creation would be so wildly successful and were just overwhelmed by the infection rates - triggering decryption in WannaCry's case is a manual process which on this scale requires a lot of resources.\r\nTo make life even more difficult, there are large numbers of \"copycat\" versions circulating. After many people had gotten their hands on a sample, they started experimenting with it. In some cases, they disabled the killswitch domain, in other cases its URL was changed. Some of the versions would not even work as other modifications were made in the file. Those modifications often \"break\" a file and make it unusable for infecting a machine. At the time of this writing, several hundred modified versions of the file have been counted by G DATA and were also added to our detection database.\r\nAs with any man-made event that causes great damage, the question of \"who done it?\" inevitably comes up. This case is no different. Some researchers point out that some routines of the malware bear characteristics that were seen in attacks by an APT group called Lazarus. At this point we cannot rule out this possibility, but neither can we confirm it.\r\nUpdate: May 17, 9:45 am: Copycats vs. Duplicates\r\nAs mentioned in our previous update, numerous modified versions of the WannaCry files are in circulation at this time. We need to distinguish several categories here:\r\nVariations of the original file with the killswitch removed\r\nVariations with a modified killswitch domain\r\nVariations without ransomware components; those are able to spread without performing any malicious activities on a system.\r\n\"Real\" copycats which imitate the ransom note of WannaCry, but do not have any connection to WannaCry on the technical side.\r\nCorrection:\r\nContrary to what was mentioned in the previous update, the decryption components do not need to be created manually as they are part of the malware already. However, the decryption process must still be triggered manually by the attackers.\r\nUpdate: May 17, 10:00 am - IoC list updated\r\nKillswitch domain added under \"Network-based IoCs\"\r\nUpdate: May 18, 12:30 pm: parking garages in Germany hit with WannaCry - distribution method still unclear\r\nAccording to current reports, the payment systems in some German parking garages are affected by the WannaCry infection wave. The company that runs the parking garages has not issued a statement about how much money was lost due to the outage, but this example shows very clearly what a direct effect a ransomware infection can have on everyday operations. This development is problematic for another reason: should the outage continue for longer, traffic jams may develop because it is now impossible to keep track of how much parking space (if any) is left in the garage. This would cause drivers to attempt entering a (full) parking garage.\r\nThe exact method used by WannaCry to spread this rapidly is still unclear. However, at this point it seems unlikely that email attachments were used as a vector. As previously reported, WannaCry uses a security flaw in the file and folder sharing protocol of Microsoft Windows. This makes it possible to distribute the malware over the internet as the protocol is usually not filtered out by ISPs. This makes an infection more likely if a system is connected directly to the internet with this feature enabled. Note, though, that this too is conjecture; more information is needed for a definitive answer.\r\nUpdate: May 18, 12:30 pm: Makers of WannaCry are speaking up\r\nThe message some victims of WannaCry are starting to see right now (Image credit: Twitter / Thijs Bosschert)\r\nAs we learned about an hour ago, some victims of the WannaCry infection are getting messages on their screens which appear to come from the attackers. The message asks victims to send the attackers their unique Bitcoin ID one hour prior to making the payment to speed up the process of receiving their decryption key.\r\nThis is the first time since the infection wave started that the attackers seem to speak up. We had already suspected that they may have been overwhelmed by their own success and had difficulties coping with it.\r\nWhat is still unclear, though, is where the ransom payments are supposed to go - up to now, only three BTC wallets have been identified that were associated with the attackers.\r\nWe still strongly discourage making any ransom payments.\r\nUpdate: June 8, 12:00 pm: WannaCry is still no blunt axe\r\nReports from the Health \u0026 Human Services department clearly show that despite its famed kill switch the danger from WannaCry is not over. Since machines in several hospitals are still affected, HHS experts advise affected organizations to rebuild (or reimage) affected systems and to install the latest updates as quickly as possible. Even though the kill switch prevents WannaCry's ransomware module from kicking in and encrypting files, the worm part of WannaCry is not affected by this - WannaCry remains on the lookout for vulnerable machines.\r\nSource: https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign"
	],
	"report_names": [
		"29751-wannacry-ransomware-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775433978,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a71650e272ebace154fe51cac23d6b921782e6de.pdf",
		"text": "https://archive.orkl.eu/a71650e272ebace154fe51cac23d6b921782e6de.txt",
		"img": "https://archive.orkl.eu/a71650e272ebace154fe51cac23d6b921782e6de.jpg"
	}
}