Three Hyderabad firms fall prey to WannaCry

Hyderabad: The WannaCry ransomware attack, which crippled several lakh computers across the world, is making its presence felt in the city, with three more firms approaching the police to report such attacks.

While the first instance of the WannaCry ransomware cryptoworm attack was reported from the Rachakonda Commissionerate, the three complaints that came in last week were from the Hyderabad City Police limits. According to Cyber Crime officials here, the complaints were from two visa consultancy agencies and one IT/BPO firm.

Perpetrators demanded USD 21,000 in three cases.

“Since May 17, we have got three complaints, of which two were from firms that provide consultancy services in visas and assist people in going to foreign countries,” said Chand Basha, Inspector, Cyber Crime.

Cyber Crime officials, apart from holding consultations with the firms affected, are drawing up plans as to how the investigation should proceed. Senior police officers feel that the investigation will be a tough task, considering the origin of the ransomware virus and the thin chances of nabbing the perpetrators.

Use of dark net
According to them, analysis of the cases reported in other countries had revealed that perpetrators looking to spread the virus were using the dark net, an overlay network that can be accessed only with specific software, configurations, or authorisation.

“The virus is of 12 variants, and each has about 12 layers of security net. It is an almost impossible challenge,” a senior official said, adding that complainants were being asked to keep the infected computers in Safe Mode and to obtain the keys to remove the virus. According to the official, the key, a 12-digit number, is available in anti-virus software provided by operating system vendors such as Microsoft.

“For example, it has been seen that computers using Microsoft as OS are more vulnerable. Microsoft has released the anti-virus and by using it the virus can be detected,” the official said, adding that no internet user should open suspicious emails or messages flashing on their computers.

List of IP addresses to be blocked on firewall/anti-virus

IP addresses (with ports):
-16.0.5.10:135
-16.0.5.10:49 10
-132.0.38:80
-1.127.169.36:445
-1.34.170.174:445
-74.192.131.209:445
-72.251.38.86:445
-154.52.114.185:445
-52.119.18.119:445
-203.232.172.210:445
-95.133.114.179:445
-111.21.235.164:445
-199.168.188.178:445
-102.51.52.149:445
-183.221.171.193:445
-92.131.160.60:445
-139.200.111.109:445
-158.7.250.29:445
-81.189.128.43:445
-143.71.213.16:445
-71.191.195.91:445
-34.132.112.54:445
-189.191.100.197:445
-117.85.163.204:445
-165.137.211.151:445
-3.193.1.89:445
-173.41.236.121:445
-217.62.147.116:445
-16.124.247.16:445
-187.248.193.14:445
-42.51.104.34:445
-76.222.191.53:445
-197.231.221.221:9001
-128.31.0.39:9191
-149.202.160.69:9001
-46.101.166.19:9090
-91.121.65.179:9001
-2.3.69.209:9001
-146.0.32.144:9001
-50.7.161.218:9001
-217.79.179.177:9001
-213.61.66.116:9003
-212.47.232.237:9001
-81.30.158.223:9001
-79.172.193.32:443
-38.229.72.16:443

Domains:
1. iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
2. rphjmrpwmfv6v2e[.]onion
3. gx7ekbenv2riucmf[.]onion
4. 57g7spgrzlojinas[.]onion
5. xxlvbrloxvriy2c5[.]onion
6. 76jdd2ir2embyv47[.]onion
7. cwwnhwhlz52maqm7[.]onion

Note: the first domain is the worm's kill switch. A copy of WannaCry that can resolve and reach it exits without encrypting, so it should be sinkholed, or allowed and logged, rather than blocked. The .onion names are reachable only over Tor and serve mainly as indicators to search for in proxy and DNS logs.

File Names:

1. @Please_Read_Me@.txt
2. @WanaDecryptor@.exe
3. @WanaDecryptor@.exe.lnk
4. Please Read Me!.txt (Older variant)
5. C:\WINDOWS\tasksche.exe
6. C:\WINDOWS\qeriuwjhrf
7. 131181494299235.bat
8. 176641494574290.bat
9. 217201494590800.bat
10. [0-9]{15}\.bat (regex)
11. !WannaDecryptor!.exe.lnk
12. 00000000.pky
13. 00000000.eky
14. 00000000.res
15. C:\WINDOWS\System32\taskdl.exe

Names of the cryptoworm:
WannaCrypt
WannaCry
WanaCrypt0r
WCrypt
WCRY, etc.
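The indicator list above is published defanged and contains two lines that cannot be turned into a rule as printed (a truncated address and a garbled port), and one domain that must not be blocked. The script below, an added example that is not part of the article or any vendor tooling, shows how a practitioner would triage such a list before loading it into a firewall: it refangs and validates each entry, flags the malformed lines, keeps the kill-switch domain out of the block list, emits iptables rules, and matches file names against the published patterns. The sample indicators embedded in it are a constructed subset of the page's list; the mapping of ports to roles (445 as inbound SMB scanners, the rest as outbound Tor/C2 relays) and the iptables chain choice are assumptions, not something the article states.

```python
"""Triage the published WannaCry indicators: refang, validate, separate the
kill switch from the block list, emit firewall rules, and match file names.
Added example, not code from the article."""
import ipaddress
import re

# Constructed sample: a subset of the page's indicators, as published
# (defanged; the two malformed lines are kept on purpose).
IOC_TEXT = """
-16.0.5.10:135
-16.0.5.10:49 10
-132.0.38:80
-1.127.169.36:445
-1.34.170.174:445
-197.231.221.221:9001
-79.172.193.32:443
1. iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
2. Rphjmrpwmfv6v2e[dot]onion
3. 57g7spgrzlojinas[dot]onion
"""

# The worm resolves and connects to this domain and, if that succeeds,
# exits before encrypting. Blocking it removes that safety net, so it is
# excluded from the block list and reported separately.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Assumption (not stated on the page): entries on 445 are hosts seen scanning
# for SMB (drop inbound), everything else is a Tor relay or C2 endpoint the
# infected host would connect out to (drop outbound).
INBOUND_PORTS = {445}

# File-name indicators from the page, as anchored regexes.
FILE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^@Please_Read_Me@\.txt$", r"^@WanaDecryptor@\.exe(\.lnk)?$",
    r"^!WannaDecryptor!\.exe\.lnk$", r"^tasksche\.exe$", r"^taskdl\.exe$",
    r"^qeriuwjhrf$", r"^[0-9]{15}\.bat$", r"^00000000\.(pky|eky|res)$",
)]


def refang(token):
    """Undo the two defanging styles used in the published list."""
    return token.strip().lower().replace("[.]", ".").replace("[dot]", ".")


def parse_iocs(text):
    """Split the list into (ip, port) pairs, domains, and lines that cannot
    become a rule as printed (truncated IP, garbled port)."""
    ips, domains, invalid = [], [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("-"):
            host, _, port = line[1:].partition(":")
            try:
                ips.append((str(ipaddress.ip_address(host)), int(port)))
            except ValueError:
                invalid.append(line)
        else:
            m = re.match(r"\d+\.\s*(\S+)", line)
            if m:
                domains.append(refang(m.group(1)))
    return {"ips": ips, "domains": domains, "invalid": invalid}


def classify_domains(domains):
    """Kill switch: allow and alert. .onion names never reach public DNS, so a
    lookup for one is a detection signal rather than something to block."""
    out = {"do_not_block": [], "block": [], "alert_only": []}
    for d in domains:
        if d == KILL_SWITCH:
            out["do_not_block"].append(d)
        elif d.endswith(".onion"):
            out["alert_only"].append(d)
        else:
            out["block"].append(d)
    return out


def firewall_rules(ips):
    """Render iptables rules; inbound for SMB scanners, outbound for the rest."""
    rules = []
    for ip, port in ips:
        if port in INBOUND_PORTS:
            rules.append(f"iptables -A INPUT -s {ip} -p tcp --dport {port} -j DROP")
        else:
            rules.append(f"iptables -A OUTPUT -d {ip} -p tcp --dport {port} -j DROP")
    return rules


def match_filenames(names):
    """Return the names that match any published file-name indicator."""
    return [n for n in names if any(p.match(n) for p in FILE_PATTERNS)]


if __name__ == "__main__":
    parsed = parse_iocs(IOC_TEXT)
    print("unusable as printed:", parsed["invalid"])
    print(classify_domains(parsed["domains"]))
    print("\n".join(firewall_rules(parsed["ips"])))
    print(match_filenames(["176641494574290.bat", "notes.txt", "@WanaDecryptor@.exe"]))
```

The malformed lines are reported rather than silently skipped so that whoever owns the list can go back to the original advisory for the correct values; a rule built from a guessed address would block the wrong host.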