[tor-relays] WannaCry fallout FYI

Cristian Consonni cristian at balist.es
Mon May 15 07:17:33 UTC 2017


On 15/05/2017 00:08, Mirimir wrote:
> | WanaCrypt0r will then download a TOR client from
> | https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
> | and extract it into the TaskData folder.  This TOR client is used to
> | communicate with the ransomware C2 servers at gx7ekbenv2riucmf.onion,
> | 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion,
> | 76jdd2ir2embyv47.onion, and cwwnhwhlz52maqm7.onion.
> 
> https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/

Was the increased number of downloads from the malware visible from the
logs?

I mean, if you are able to detect such an event and be reasonably sure
that the downloads do not come from humans you could stop them. If the
URL is hardcoded you could, say, move the file and it would not affect
users.

(this is of course assuming that blocking the possibility of contacting
the said onion services would be of any help in blocking the malware)

Cristian
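The detection question above (can a burst of automated downloads of one hardcoded URL be told apart from human downloads in the logs?) can be answered with ordinary access-log analysis. The following is an added example, not code from the thread or from the Tor Project: it assumes Combined Log Format lines, uses the zip path quoted in the thread as the target, and feeds itself constructed log lines. The thresholds (minimum hits, burst factor, referer and user-agent ratios) are illustrative assumptions, not tuned values.

```python
"""Spotting an automated burst of downloads of one hardcoded URL in access logs.

Added example, not from the mailing-list thread. Assumes Combined Log Format;
the target path is the one quoted in the thread. All log lines are constructed.
"""
import re
from datetime import datetime
from statistics import median

TARGET_PATH = "/torbrowser/6.5.1/tor-win32-0.2.9.10.zip"

# Combined Log Format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def build_sample_log():
    """Constructed log: a few human-looking downloads, then a burst in hour 14."""
    human_uas = [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/53.0",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12) Firefox/53.0",
        "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0",
    ]
    referer = "https://www.torproject.org/download/"
    lines = [
        # A Tor Browser installer download: not the target path, so it is ignored.
        f'203.0.113.5 - - [12/May/2017:10:01:02 +0000] "GET /torbrowser/6.5.1/torbrowser-install-6.5.1_en-US.exe HTTP/1.1" 200 54123456 "{referer}" "{human_uas[0]}"',
        f'198.51.100.7 - - [12/May/2017:10:17:09 +0000] "GET {TARGET_PATH} HTTP/1.1" 200 3123456 "{referer}" "{human_uas[1]}"',
        f'198.51.100.8 - - [12/May/2017:11:03:44 +0000] "GET {TARGET_PATH} HTTP/1.1" 200 3123456 "{referer}" "{human_uas[2]}"',
        f'203.0.113.9 - - [12/May/2017:11:48:20 +0000] "GET {TARGET_PATH} HTTP/1.1" 200 3123456 "{referer}" "{human_uas[0]}"',
        f'203.0.113.12 - - [12/May/2017:12:30:05 +0000] "GET {TARGET_PATH} HTTP/1.1" 200 3123456 "{referer}" "{human_uas[1]}"',
    ]
    # Burst: many distinct hosts, one bare user agent, no referer, all in one hour.
    for i in range(8):
        lines.append(
            f'192.0.2.{10 + i} - - [12/May/2017:14:{i * 6:02d}:11 +0000] '
            f'"GET {TARGET_PATH} HTTP/1.1" 200 3123456 "-" "Mozilla/5.0"'
        )
    return "\n".join(lines)


def parse_log(text):
    """Parse Combined Log Format lines; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def hourly_stats(entries, path=TARGET_PATH):
    """Per-hour counters for successful GETs of one path."""
    stats = {}
    for e in entries:
        if e["method"] != "GET" or e["path"] != path or e["status"] != "200":
            continue
        hour = e["ts"].strftime("%Y-%m-%dT%H")
        s = stats.setdefault(hour, {"hits": 0, "ips": set(), "with_referer": 0, "uas": set()})
        s["hits"] += 1
        s["ips"].add(e["ip"])
        s["uas"].add(e["ua"])
        if e["referer"] != "-":
            s["with_referer"] += 1
    return stats


def flag_bursts(stats, min_hits=5, burst_factor=3.0, max_referer_ratio=0.2, max_ua_ratio=0.25):
    """Flag hours whose hit count is far above the median AND whose requests look
    scripted: almost no referers and almost no user-agent variety. Thresholds are
    illustrative assumptions."""
    if not stats:
        return []
    baseline = max(median(s["hits"] for s in stats.values()), 1)
    flagged = []
    for hour, s in sorted(stats.items()):
        hits = s["hits"]
        if hits < min_hits or hits < burst_factor * baseline:
            continue
        if s["with_referer"] / hits <= max_referer_ratio and len(s["uas"]) / hits <= max_ua_ratio:
            flagged.append(hour)
    return flagged


def analyze(text):
    return flag_bursts(hourly_stats(parse_log(text)))


if __name__ == "__main__":
    for hour in analyze(build_sample_log()):
        print(f"suspicious automated download burst of {TARGET_PATH} in hour {hour}")
```

The three signals are deliberately combined: a volume spike alone also fires on a legitimate release day, but a spike where nearly every request lacks a referer and shares one generic user agent is the shape an unattended fetch of a hardcoded URL leaves behind. On real logs the baseline should be taken over a longer window than the same day.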

