WannaCryptor 2.0 Ransomware

WannaCryptor 2.0 Ransomware

A new ransomware variant, WannaCryptor 2.0, has spread rapidly to many countries (including UK, Spain, Russia, Vietnam and Germany) in the course of hours today. WannaCryptor 2.0 is utilizing MS17-010, or ETERNALBLUE, a vulnerability disclosed by the Shadow Brokers to distribute this strain of ransomware. ETERNALBLUE uses Windows SMB remote code execution (CVE-2017-0143 through CVE-2017-0148).

Additional information can be found at:



Immediately ensure systems are patched against MS17-010.
Ensure TCP ports 139, 445, 22, 23, 3389 and UDP 137 and 138 are not accessible from the Internet.
Ensure proper backup procedures to protect against data loss.
Disable SMBv1 for those running Windows Vista and later.
Secure RDP under VPN.


Alternative method for customers running Windows 8.1 or Windows Server 2012 R2 and later.

For client operating systems:

Open Control Panel, click Programs, and then click Turn Windows features on or off.
In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
Restart the system.

For server operating systems:

Open Server Manager and then click the Manage menu and select Remove Roles and Features.
In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
Restart the system.

Vulnerable Versions:

Windows Server 2008 R2
Windows 8.1
Windows Server 2016
Windows Server 2012 and Windows Server 2012 R2
Windows 7
WIndows 10
Windows Vista
Windows RT 8.1


Microsoft released patches for MS17-010 on March 14, 2017.

Indicators of Compromise:

FileHash-SHA256            2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
FileHash-SHA256            ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
FileHash-SHA256           09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
FileHash-SHA256            24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
FileHash-SHA256            f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85
hostname – www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
FileHash-MD5   509c41ec97bb81b0567b059aa2f50fe8
FileHash-MD5   7bf2b57f2a205768755c07f238fb32cc
FileHash-MD5   7f7ccaa16fb15eb1c7399d422f8363e8
FileHash-MD5   84c82835a5d21bbcf75a61706d8ab549
FileHash-MD5   db349b97c37d22f5ea1d1841e3c89eb4
FileHash-MD5   f107a717f76f4f910ae9cb4dc5290594
FileHash-SHA1 51e4307093f8ca8854359c0ac882ddca427a813c
FileHash-SHA1 87420a2791d18dad3f18be436045280a4cc16fc4
FileHash-SHA1 e889544aff85ffaf8b0d0da705105dee7c97fe26
FilePath   C:\WINDOWS\tasksche.exe
FilePath   C:\Windows\mssecsvc.exe
FileHash-SHA1 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
FileHash-SHA1 bd44d0ab543bf814d93b719c24e90d8dd7111234
BTC-Address   13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Alert detection:

The Masergy Threat Intelligence Team has deployed the following alerts to detect the exploitation of this vulnerability:


Possible ETERNALBLUE exploit attempt which exploits a remote code-execution bug in the latest version of Windows 2008 R2 using the server message block and NetBT protocols. This vulnerability was patched by Microsoft in the MS17-010 update.


SMB echo request indicating possible exploit attempt for the ETERNALBLUE exploit.


SMB echo response indicating possible exploit usage of the ETERNALBLUE exploit. The ETERNALBLUE exploit was patched by Microsoft in MS17-010.


Detected the generation of a QR code containing a Bitcoin address. The BTCFrog service has been used by the WannaCry/WannaCrypt0r ransomware to provide payment instructions to infected users.