Security Advisory: WannaCry Extortion Email Circulation

Security vendors and researchers have issued warnings following the detection of a wave of extortion emails purporting to be from the WannaCry hackers currently circulating in the wild.

The emails, purporting to come from the group ‘WannaCry-Hack-team’ warn recipients that their machines have been compromised and that software leveraging ‘one-of-a-kind’ code has been deployed and will shortly be encrypting and erasing all data unless a pseudo-ransom of 0.1 bitcoin (~$825 AUD) is paid to the specified bitcoin wallet address, and a follow-up email is sent to support_wc@bitmessage.ch.

The email goes on to state that the software that has been deployed is undetectable by AV software, and can spread across the local network to infect other network machines, remote servers, and cloud data.

Cause for concern?

First and foremost, the emails currently contain no malicious payload and are nothing more than an extortion scam leveraging the threat of a WannaCry infection in order to extort payment.

The InfoTrust Cyber Defense Team has reviewed and analysed samples of the extortion emails and can reveal that they appear to be being sent from a compromised SendGrid account, using a variety of different addresses in the display from field, with all identified samples sharing the common display name ‘WannaCry-Hack-team’

Of the samples reviewed, a number of different email subjects have been used including ‘!!!Attantion WannaCry-Team!!!’, ‘Wanna-Cry Attantion!!!’, and ‘!!!Warning Wannacrypt!!!’.

Multiple Bitcoin wallet addresses have been provided alongside the payment instructions, a selection of which are shown below:

• 1Mvz5SVStiE6M7pdvUk9fstDn1vp4fpCEg
• 16Tq8gaad5FJ3c6mrC86e1pmqQ666dYSvv
• 13AEiPcnqHRRwbJRUsPLbcgX3roTTPGSMu
• 15TxgGK5AMvdeupbcKbk3g36zctnS9ThnU
• 1FXZ9yoagBMnnrkZscQzKnC2hkgX5uDgUR

Pleasingly, a review of the bitcoin blockchain shows that as of 2pm AEST, no payments have been sent to any of the above wallet addresses as yet.

Various indicators associated with these emails, including incorrect spelling and poor grammar, as well as an unorthodox approach to ransom demands reflect a low level of proficiency on behalf of the author/s and suggest that these emails are in fact not being sent by the actors behind the original WannaCry attack.

Given the damage inflicted globally by WannaCry in May last year, and the NotPetya and BadRabbit attacks that followed shortly after, recent industry suggestions and warnings that a WannaCry 2.0 style event is inevitable have a number of organizations on edge, particularly those who remain uncertain as to their ability to successfully fend off another similar or more potent attack moving forward.

You’ve received the email, now what.

If you have received one of these emails, we recommend that the following steps be taken:

1. Delete the email immediately
2. Do not attempt to pay
3. Do not attempt to reply to or contact the email sender
4. Ensure that fundamental security controls including effective patching, verified backup’s, network segmentation, disabling of unused services and next-gen endpoint protect are in place.

Reviewing your Cyber Defense Strategy:

Keeping your organization protected from the next wave of damaging Cyber Attacks requires a comprehensive and holistic Cyber Defense strategy involving people, process, and technology-based controls, as well as a comprehensive understanding of the tactics, techniques and procedures (TTP’s) being deployed by threat actors.

For help in reviewing your existing Cyber Security controls, or to discuss this threat in further detail, please reach out to the InfoTrust Cyber Defense team at securityteam@infotrust.com.au

Email Security

Share