Your Data Zen starts here.

Ransomware during the Outbreak: Do you just WannaCry?

On the picture above, there is a landscape of ransomware attempted infection observed in “the perimeter” as it was during the so called WannaCry outbreak.

Entities are:

  • Mailicious IP’s
  • Malware hashes
  • VirusTotal names of malware
  • File paths on host OS
  • System process used in the attack
  • Targeted OS name
  • Country of origin of the attack


{Green} : Blocked attacks, followed by successful deletion of the file.

{Blue-ish} : Malicious IP’ s used to initiate the infection. The vector itself might be URL used in social engineering as well as direct attack, unwanted malware download or accidents during the malware analysis.

{Red-ish}: The WannaCry related.

Picture below shows how many different sources from various countries use files with different hashes to generate the “C:\Windows\mssecsvc.exe” file.

{Kidney – like shaped region} : These are artifacts of WannaCry infection. This shows on the other hand, how aggressive the infection process is in comparison to other ransomware.

{Orange} : This belongs to Country of origin association. I tried to spot “patient X” by this analysis but due to nature of data sources, it was not possible after all as the attacks was driven from more countries already.


Different shapes on the picture below shows the same data as the introductory picture, added just for fun.


Next Post

Previous Post

© 2020 4n6strider

Theme by Anders Norén