Security Advisory: WannaCry Extortion Email Circulation
Security vendors and researchers have issued warnings following the detection of a wave of extortion emails, purporting to come from the WannaCry attackers, that is currently circulating in the wild.
The emails, sent under the name ‘WannaCry-Hack-team’, warn recipients that their machines have been compromised and that software leveraging ‘one-of-a-kind’ code has been deployed and will shortly encrypt and erase all data unless a pseudo-ransom of 0.1 bitcoin (~$825 AUD at the time of writing) is paid to a specified bitcoin wallet address and a follow-up email is sent to support_wc@bitmessage.ch.
The email goes on to state that the deployed software is undetectable by AV software and can spread across the local network to infect other machines, remote servers and cloud data.
Cause for concern?
First and foremost, the emails currently contain no malicious payload: they are nothing more than an extortion scam that leverages the threat of a WannaCry infection to extract payment, and the claim of an existing compromise is unsubstantiated.
The InfoTrust Cyber Defense Team has reviewed and analysed samples of the extortion emails. They appear to be sent from a compromised SendGrid account, using a variety of different sender addresses in the From header, while all identified samples share the display name ‘WannaCry-Hack-team’.
Of the samples reviewed, a number of different email subjects have been used, including ‘!!!Attantion WannaCry-Team!!!’, ‘Wanna-Cry Attantion!!!’ and ‘!!!Warning Wannacrypt!!!’ (misspellings as in the originals).
Multiple bitcoin wallet addresses have been provided alongside the payment instructions; a selection is shown below:
- 1Mvz5SVStiE6M7pdvUk9fstDn1vp4fpCEg
- 16Tq8gaad5FJ3c6mrC86e1pmqQ666dYSvv
- 13AEiPcnqHRRwbJRUsPLbcgX3roTTPGSMu
- 15TxgGK5AMvdeupbcKbk3g36zctnS9ThnU
- 1FXZ9yoagBMnnrkZscQzKnC2hkgX5uDgUR
Encouragingly, a review of the bitcoin blockchain shows that, as of 2pm AEST, no payments had been sent to any of the above wallet addresses.
Various indicators in these emails, including misspellings, poor grammar and an unorthodox approach to the ransom demand (genuine ransomware encrypts first and then demands payment; it does not announce a pending encryption and ask to be paid in advance), reflect a low level of proficiency on the part of the author(s) and suggest that these emails are not being sent by the actors behind the original WannaCry attack.
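As an added illustration (not part of the InfoTrust advisory), the Python below turns the indicators reported above into a simple mail-filter check: it parses a raw email, compares the From display name, subject line, bitcoin addresses found in the body and the bitmessage contact address against the published indicators, and adds a hyphen-tolerant ‘wannacry’ keyword heuristic to catch subject variants. The two embedded messages are constructed for the example; the wallet, display name, subjects and contact address in them are taken from the advisory, and the example.invalid domain is a placeholder.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Indicators taken from the advisory text above.
KNOWN_DISPLAY_NAME = "WannaCry-Hack-team"
KNOWN_SUBJECTS = {
    "!!!Attantion WannaCry-Team!!!",   # misspellings are verbatim
    "Wanna-Cry Attantion!!!",
    "!!!Warning Wannacrypt!!!",
}
KNOWN_WALLETS = {
    "1Mvz5SVStiE6M7pdvUk9fstDn1vp4fpCEg",
    "16Tq8gaad5FJ3c6mrC86e1pmqQ666dYSvv",
    "13AEiPcnqHRRwbJRUsPLbcgX3roTTPGSMu",
    "15TxgGK5AMvdeupbcKbk3g36zctnS9ThnU",
    "1FXZ9yoagBMnnrkZscQzKnC2hkgX5uDgUR",
}
KNOWN_CONTACT = "support_wc@bitmessage.ch"

# Shape of a legacy (Base58) bitcoin address: leading 1 or 3, 26-35 chars,
# no 0, O, I or l. A shape match alone is not an indicator; it only yields
# candidates to compare against the known wallet list.
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def _decoded(value):
    """Decode an RFC 2047 encoded header value into a plain string."""
    if value is None:
        return ""
    return str(make_header(decode_header(value)))


def _plain_text_body(msg):
    """Concatenate every text/plain part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def _normalise(text):
    """Lower-case and drop hyphens/whitespace so 'Wanna-Cry' and 'WannaCry' compare equal."""
    return re.sub(r"[-\s]", "", text.lower())


def match_indicators(raw_email):
    """Return a list of (indicator, value) pairs found in a raw RFC 5322 email.

    Exact indicators (display name, subjects, wallets, contact address) come from
    the advisory; 'wannacry_keyword' is a looser, variant-tolerant heuristic over
    the display name and subject.
    """
    msg = message_from_string(raw_email)
    hits = []

    display_name, _sender = parseaddr(_decoded(msg.get("From")))
    if display_name.strip().lower() == KNOWN_DISPLAY_NAME.lower():
        hits.append(("from_display_name", display_name))

    subject = _decoded(msg.get("Subject")).strip()
    if subject in KNOWN_SUBJECTS:
        hits.append(("subject", subject))

    for field, text in (("From", display_name), ("Subject", subject)):
        if "wannacry" in _normalise(text):
            hits.append(("wannacry_keyword", field))

    body = _plain_text_body(msg)
    for candidate in BTC_ADDR_RE.findall(body):
        if candidate in KNOWN_WALLETS:
            hits.append(("btc_wallet", candidate))

    if KNOWN_CONTACT in body.lower():
        hits.append(("contact_address", KNOWN_CONTACT))

    return hits


# Constructed sample modelled on the advisory's description; not a real captured email.
SAMPLE_EMAIL = """\
From: WannaCry-Hack-team <noreply@example.invalid>
To: victim@example.invalid
Subject: !!!Warning Wannacrypt!!!
Content-Type: text/plain; charset="utf-8"

Your computer is infected with our one-of-a-kind software, undetectable by AV.
Pay 0.1 BTC to 1Mvz5SVStiE6M7pdvUk9fstDn1vp4fpCEg within 48 hours and send
confirmation to support_wc@bitmessage.ch or all your data will be encrypted and erased.
"""

# Constructed benign message for comparison.
BENIGN_EMAIL = """\
From: Alice <alice@example.invalid>
To: bob@example.invalid
Subject: Lunch on Friday?

Are you free at 12:30?
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, match_indicators(raw))
```

The exact-match indicators are the ones to block on; the keyword heuristic is there to surface near-variants for analyst review, since the scammers are already rotating subject spellings and sender addresses.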
Given the damage inflicted globally by WannaCry in May last year, and by the NotPetya and Bad Rabbit attacks that followed shortly after, recent industry warnings that a WannaCry 2.0-style event is inevitable have a number of organizations on edge, particularly those who remain uncertain of their ability to fend off another similar or more potent attack.
You’ve received the email, now what?
If you have received one of these emails, we recommend that the following steps be taken:
- Delete the email immediately
- Do not attempt to pay
- Do not attempt to reply to or contact the email sender
- Ensure that fundamental security controls are in place, including effective patching, verified backups, network segmentation, disabling of unused services and next-generation endpoint protection.
Reviewing your Cyber Defense Strategy:
Keeping your organization protected from the next wave of damaging cyber attacks requires a comprehensive and holistic Cyber Defense strategy involving people, process and technology-based controls, as well as a thorough understanding of the tactics, techniques and procedures (TTPs) being deployed by threat actors.
For help in reviewing your existing Cyber Security controls, or to discuss this threat in further detail, please reach out to the InfoTrust Cyber Defense team at securityteam@infotrust.com.au