On 02 Jun 2017 Wapack Labs obtained several sinkholes associated with the Virut botnet and were able to confirm that the botnet is being used to deliver the Wannacry ransomware. Because the botnet owners are paid by the number of installs, Wannacry is now being deployed globally, and fast. Wapack Labs has reason to believe that Wannacry is now affecting banks and ATM machines, are specifically infecting companies in the Middle East and Northern Africa region.
Why should you care? Virut has been around since at least 2006, and although suffering a 2013 takedown by the Polska CERT, has resurfaced and remains one of the most prevalent distribution networks for spam, phishing, malware, etc… and now, ransomeware. Wannacry is now being spread far and wide, and if you've not installed the patch, there's a high probability that you're about to learn a hard lesson in network hygiene.
And so for now, this ends our public service announcement.
As an aside, and a bit of a science experiment, we're experimenting with some rudimentary artificial intelligence and publishing capabilities. One, is one of the earliest and simplest forms. We've loaded a public (and gratis) version of MediaWiki in an effort to encourage massive crowdsourcing. We call it Wapackapedia(R). Yes, there are LOADS of issues with sharing information like this; it's definitely a Bambi but in cases like this, where hundreds of thousands more computers are now carrying dormant versions of Wannacry, my science experiment goes like this… Get the damn word out!
Here's the link: https://wapackapedia.wapacklabs.com/Wannacry
I also published two other pages.. mostly with computer generated work but one page has some new and interesting stuff on Lazarus (North Korean APT).
Here's that link: https://wapackapedia.wapacklabs.com/Lazarus
I'm looking for maximum crowdsourcing. You guys know me enough.. I believe in machine to machine interfacing but my belief is that real value comes from human communication first, then distilled into machine readable stuff. Of course, any victim information is not posted here. As always, we prefer to not out victims publicly —they've been victimized once already. For that, we've built out private locations behind our Red Sky curtain where we notify our members.
As always, if you'd like to know more, reach out. Jim's the new President and will be happy to set you up with a demo. He can be reached at jmckee@wapacklabs.com.