WannaCry — The largest ransom-ware infection in History
2017-05-12 • Comae
https://www.comae.com/posts/wannacry-the-largest-ransom-ware-infection-in-history/
Comae described WannaCry as a ransomware outbreak affecting more than 70 countries, with victims including Telefonica in Spain and the NHS in England, and later added an update about links to Lazarus Group. The malware spread by exploiting MS17-010 over SMB and checking for the DOUBLEPULSAR backdoor, and the registration of a kill-switch domain temporarily limited one wave of infections. The dropper extracted a password-protected archive containing the ransomware components, ransom notes in 28 languages, Tor communication tooling, configuration files, and the UI and payment routines. The report lists three Bitcoin payment addresses, a SHA-256 hash for the main dropper, Tor endpoint infrastructure, and the 179 targeted file extensions, giving defenders concrete artifacts to check against vulnerable Windows systems and network telemetry.
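The SMB-based spread summarised above leaves a recognisable footprint in network telemetry: one internal host opening TCP/445 connections to many distinct peers in a short window. The following detector is an added example, not code from the Comae post; the log line format, the thresholds (`window`, `min_peers`) and every address in the sample are constructed assumptions.

```python
"""Flag worm-like SMB spreading in connection logs (added example).

A host that reaches many distinct peers on TCP/445 within a short window
matches the MS17-010 lateral-movement pattern described above. The log
format, thresholds and addresses are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <src> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.5.17 -> 10.0.5.20:445 tcp
2017-05-12T10:00:02 10.0.5.17 -> 10.0.5.21:445 tcp
2017-05-12T10:00:02 10.0.5.17 -> 10.0.5.22:445 tcp
2017-05-12T10:00:03 10.0.5.17 -> 10.0.5.23:445 tcp
2017-05-12T10:00:04 10.0.5.17 -> 10.0.5.24:445 tcp
2017-05-12T10:00:05 10.0.5.17 -> 10.0.5.25:445 tcp
2017-05-12T10:00:30 10.0.5.9 -> 10.0.5.2:445 tcp
2017-05-12T10:00:31 10.0.5.9 -> 10.0.5.2:445 tcp
2017-05-12T10:01:00 10.0.5.9 -> 10.0.5.3:445 tcp
2017-05-12T10:05:00 10.0.5.31 -> 93.184.216.34:443 tcp
"""


def parse_line(line):
    """Return (timestamp, src, dst, port), or None for a malformed line."""
    try:
        ts, src, _arrow, dst_port, _proto = line.split()
        dst, port = dst_port.rsplit(":", 1)
        return datetime.fromisoformat(ts), src, dst, int(port)
    except ValueError:
        return None


def find_smb_spreaders(log_text, window=timedelta(seconds=60), min_peers=5):
    """Map src -> peak number of distinct TCP/445 peers inside any window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 445:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, conns in events.items():
        conns.sort()
        lo = 0
        for hi in range(len(conns)):  # sliding window over sorted connections
            while conns[hi][0] - conns[lo][0] > window:
                lo += 1
            peers = {dst for _, dst in conns[lo:hi + 1]}
            if len(peers) >= min_peers:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged
```

Run on the sample, only 10.0.5.17 is flagged (six distinct SMB peers in four seconds); the repeated connections from 10.0.5.9 to the same file server stay below the threshold.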
Indicators of Compromise