
Re: [tor-relays] WannaCry fallout FYI



On 15/05/2017 00:08, Mirimir wrote:
> | WanaCrypt0r will then download a TOR client from
> | https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
> | and extract it into the TaskData folder.  This TOR client is used to
> | communicate with the ransomware C2 servers at gx7ekbenv2riucmf.onion,
> | 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion,
> | 76jdd2ir2embyv47.onion, and cwwnhwhlz52maqm7.onion.
> 
> https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/

Was the increased number of downloads from the malware visible from the
logs?

I mean, if you are able to detect such an event and be reasonably sure
that the downloads do not come from humans you could stop them. If the
URL is hardcoded you could, say, move the file and it would not affect
users.

(this is of course assuming that blocking the possibility of contacting
the said onion services would be of any help in blocking the malware)

Cristian
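The detection Cristian asks about, as an added example that is not part of the thread and is not dist.torproject.org's own tooling: it parses combined-format web-server access log lines, counts successful GETs of the hard-coded download path per hour, and flags hours whose hit count is far above an operator-supplied baseline. The log lines, the IP addresses, the baseline and the threshold factors are constructed for illustration; the path is the one quoted in the thread. Because a ransomware fetch comes from many machines but typically with one fixed (or empty) User-Agent, the flagged hour also reports how many distinct IPs and User-Agents it saw, which is what lets an operator be "reasonably sure that the downloads do not come from humans" before deciding to move the file.

```python
"""Spot a burst of automated downloads of one URL in access logs.

Added example for the tor-relays thread; not code from the list or from
the Tor Project. Log lines, IPs, baseline and thresholds are constructed
assumptions that a mirror or relay operator would replace with real values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" format:
#   ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The path quoted in the thread (the host part is dist.torproject.org).
WATCHED_PATH = "/torbrowser/6.5.1/tor-win32-0.2.9.10.zip"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def hourly_counts(lines, path=WATCHED_PATH):
    """Count successful (2xx) GETs of `path` per hour, with distinct IPs and UAs."""
    counts = Counter()
    ips = defaultdict(set)
    uas = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["path"] != path:
            continue
        if not 200 <= rec["status"] < 300:
            continue
        hour = rec["time"].strftime("%Y-%m-%dT%H")
        counts[hour] += 1
        ips[hour].add(rec["ip"])
        uas[hour].add(rec["ua"])
    return counts, ips, uas


def flag_bursts(lines, baseline_per_hour, factor=10, min_hits=20):
    """Return hours whose hits exceed both `factor` x baseline and `min_hits`.

    Each flagged hour carries the distinct-IP count and the set of User-Agents:
    many IPs but a single or empty ("-") User-Agent is the signature of a
    scripted fetch rather than people clicking a download link.
    """
    counts, ips, uas = hourly_counts(lines)
    flagged = {}
    for hour, n in sorted(counts.items()):
        if n >= min_hits and n > factor * baseline_per_hour:
            flagged[hour] = {"hits": n, "ips": len(ips[hour]), "uas": sorted(uas[hour])}
    return flagged


# Constructed sample: two ordinary browser downloads in the 13:00 hour, then
# 25 downloads from 25 different (documentation-range) IPs with no User-Agent
# in the 14:00 hour.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2017:13:05:21 +0000] "GET /torbrowser/6.5.1/tor-win32-0.2.9.10.zip HTTP/1.1" '
    '200 3212321 "https://www.torproject.org/" "Mozilla/5.0 (Windows NT 10.0; rv:52.0) Gecko/20100101 Firefox/52.0"',
    '198.51.100.9 - - [12/May/2017:13:47:02 +0000] "GET /torbrowser/6.5.1/tor-win32-0.2.9.10.zip HTTP/1.1" '
    '200 3212321 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0"',
] + [
    f'192.0.2.{i} - - [12/May/2017:14:{i:02d}:33 +0000] '
    f'"GET /torbrowser/6.5.1/tor-win32-0.2.9.10.zip HTTP/1.1" 200 3212321 "-" "-"'
    for i in range(1, 26)
]

if __name__ == "__main__":
    # A baseline of 2 downloads/hour is an assumed figure for this sample.
    for hour, info in flag_bursts(SAMPLE_LOG, baseline_per_hour=2).items():
        print(hour, info)
```

Run against a real log with `hourly_counts(open("access.log"))` to establish the baseline first; the factor and minimum-hit floor are deliberately conservative so that a front-page link or a new release does not trip the check on its own, and the User-Agent set is what distinguishes those legitimate spikes from a hard-coded fetch.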
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays