What we know so far

UPDATE: We have a local vaccine

A new ransomware has started spreading in Ukraine and has shut down a lot of critical infrastructure (hospitals, an airport, banks and power plants).
Reports are also coming in from Italy, Germany and Spain.

Early comments on VirusTotal point to use of the EternalBlue exploit:

When started, the malware clears the Windows event logs using wevtutil, writes directly to the raw disk (overwriting the boot record with its own code) and forces a reboot of the machine.

After the restart, the encryption process starts:

And once the encryption is done, the malware displays this message:

If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service.

We guarantee that you can recover all your files safely and easily.
All you need to do is submit the payment and purchase the decryption key.

Please follow the instructions:
1. Send $300 worth of Bitcoin to following address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

2. Send your Bitcoin wallet ID and personal installation key to e-mail wowsmith123456@posteo.net.

How does the ransomware spread?

To capture credentials for spreading, the ransomware uses a custom credential-dumping tool, similar to Mimikatz, that extracts credentials from the lsass.exe process. The harvested credentials are then passed to PsExec or WMIC to execute the payload on other machines in the network.

Other observed infection vectors include:

  • A modified EternalBlue exploit, the SMBv1 exploit also used by WannaCry.
  • The EternalRomance exploit, another SMBv1 remote code execution exploit against Windows XP through Windows Server 2008 over TCP port 445. Both exploits are fixed by MS17-010.
  • An attack against the update mechanism of a third-party Ukrainian accounting software product called MeDoc: the malicious code is delivered by the legitimate software's own updater (a supply-chain compromise).

IMPORTANT: A single infected system that holds administrative credentials can spread the infection to every other computer on the network through WMI or PsExec, including machines that are fully patched against MS17-010. Patching alone is not enough; the credential-based spreading has to be contained as well.
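Both the startup behaviour described above (wevtutil clearing the event logs before the reboot) and the credential-based spreading through WMIC and PsExec leave process-creation records that a defender can hunt for. The following is an added example, not part of the original post and not analysis code from any of the researchers cited here: a small Python scanner that applies those rules to a handful of constructed process-creation events (Sysmon Event ID 1 or Security Event ID 4688 style fields). Host names, addresses, account names and the exact command lines are constructed for illustration; their shape follows what was publicly reported for this malware.

```python
"""Hunt for NotPetya-style log clearing and lateral movement in process-creation events.

Added example for this post, not the post's own or any vendor's code. Input is a
list of constructed process-creation records (think Sysmon Event ID 1 or Security
Event ID 4688 fields); the patterns encode the behaviours described in the post:
wevtutil clearing event logs, WMIC remote process creation, and PsExec-style
remote execution of rundll32 with the perfc payload.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str           # machine the process was created on
    parent_image: str   # parent process image path
    image: str          # new process image path
    command_line: str


# --- detection patterns -----------------------------------------------------
# wevtutil cl / clear-log: the anti-forensic step described in the post.
LOG_CLEAR_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)
# fsutil usn deletejournal: removes file-activity traces; paired with the above.
USN_DELETE_RE = re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I)
# WMIC remote process creation: /node:<target> ... process call create
WMIC_REMOTE_RE = re.compile(
    r'/node:\s*"?(?P<target>[^\s"]+)"?.*\bprocess\s+call\s+create\b', re.I)
# PsExec-style invocation: \\<target> followed by PsExec switches (-accepteula, -s, -d)
PSEXEC_REMOTE_RE = re.compile(
    r"\\\\(?P<target>[\w.-]+)\s.*\s-(?:accepteula|s|d)\b", re.I)
# rundll32 loading a perfc* file: the payload invocation on the remote host
PERFC_PAYLOAD_RE = re.compile(r"\brundll32(?:\.exe)?\b.*perfc", re.I)

RULES = (
    ("event_log_cleared", LOG_CLEAR_RE),
    ("usn_journal_deleted", USN_DELETE_RE),
    ("wmic_remote_exec", WMIC_REMOTE_RE),
    ("psexec_remote_exec", PSEXEC_REMOTE_RE),
    ("perfc_payload", PERFC_PAYLOAD_RE),
)


def classify(event: ProcEvent) -> set[str]:
    """Return the set of rule names whose pattern matches the event's command line."""
    return {name for name, rx in RULES if rx.search(event.command_line)}


def remote_targets(events) -> set[str]:
    """Hosts the infected machine tried to reach via WMIC or PsExec.

    This is the first list to hand to responders: every target may already be
    running the payload, so it needs to be isolated and triaged.
    """
    targets = set()
    for event in events:
        for rx in (WMIC_REMOTE_RE, PSEXEC_REMOTE_RE):
            match = rx.search(event.command_line)
            if match:
                targets.add(match.group("target"))
    return targets


def scan(events) -> dict[str, set[str]]:
    """Per source host, the union of rule names that fired."""
    findings: dict[str, set[str]] = {}
    for event in events:
        tags = classify(event)
        if tags:
            findings.setdefault(event.host, set()).update(tags)
    return findings


# --- constructed sample events (not real telemetry) -------------------------
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
              "& wevtutil cl Application & fsutil usn deletejournal /D C:"),
    ProcEvent("WS01", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              'wmic.exe /node:"10.0.0.23" /user:"CORP\\svc_backup" /password:"Hunter2!" '
              'process call create "C:\\Windows\\System32\\rundll32.exe '
              '\\"C:\\Windows\\perfc.dat\\" #1 60"'),
    ProcEvent("WS01", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\dllhost.dat",
              r'C:\Windows\dllhost.dat \\10.0.0.24 -accepteula -s -d '
              r'C:\Windows\System32\rundll32.exe "C:\Windows\perfc.dat",#1 60'),
    # benign look-alikes that must not fire
    ProcEvent("WS02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic.exe os get caption"),
    ProcEvent("WS02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wevtutil.exe",
              "wevtutil qe Security /c:5 /rd:true /f:text"),
]

if __name__ == "__main__":
    for host, tags in scan(SAMPLE_EVENTS).items():
        print(host, sorted(tags))
    print("remote targets:", sorted(remote_targets(SAMPLE_EVENTS)))
```

Note that every rule matches on the command line: without command-line auditing (Sysmon, or 4688 with "Include command line in process creation events" enabled) the WMIC and PsExec rules have nothing to look at, and a rundll32 parent spawning cmd.exe or WMIC is the only signal left.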

The samples

Some samples have been submitted to HybridAnalysis:

I have extracted a memory dump from a virtual machine showing the ransom screen; it may be useful to other researchers:

The ransom

Some victims have already paid the ransom:

However, the posteo.net contact address has already been blocked by the provider, so the attackers can no longer receive installation IDs or send out keys:


So, do not pay the ransom!

Furthermore, researchers at Kaspersky have shown that the pseudo-ransomware is in fact a wiper: there is no way for the attackers to recover the files even if they are paid:

The key material displayed as “installation ID” — necessary for decryption in real ransomware — is just random data. There is no possible way to recover the encrypted files as the key is not preserved and given to the user to request a decryption key.

From Twitter

From websites

Some IOCs

Yara Rules

Developed by Florian Roth.

The killswitch?


copy NUL C:\Windows\perfc.dat

The malware checks for this file in the Windows directory before doing anything else and exits if it is present. Note what the vaccine does and does not do: it protects only the host the file is placed on, and does nothing to stop an already infected machine from attacking others. The guidance circulating at the time also recommended making the file read-only, and creating perfc and perfc.dll alongside it.
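As an added example (not from the original post, and not the vaccine script published by its authors), the same vaccine as a small Python function. It is parameterised on the Windows directory so it can be tried in a scratch folder, creates the empty files like `copy NUL` does, makes them read-only, and reports what it did. The file names perfc and perfc.dll come from the vaccine guidance that circulated at the time; the function names, the `demo()` helper and the read-only check are mine.

```python
"""Local "vaccine" for the perfc kill switch.

Added example for this post; not the malware's code nor the original vaccine
script. vaccinate() creates zero-byte perfc files in the given directory (the
equivalent of `copy NUL`) and marks them read-only so they cannot be replaced.
The directory is a parameter so the function can be exercised in a scratch
folder; on a real host pass %SystemRoot% (normally C:\\Windows) and run elevated.
"""
import os
import stat
import tempfile
from pathlib import Path

# perfc.dat is the file named in the post; perfc and perfc.dll were created by
# the vaccine guidance circulating at the time, so all three are covered.
VACCINE_FILES = ("perfc", "perfc.dat", "perfc.dll")


def vaccinate(windows_dir) -> dict:
    """Create the kill-switch files (if missing) and make them read-only.

    Returns a mapping of file name -> "created" or "exists".
    """
    root = Path(windows_dir)
    outcome = {}
    for name in VACCINE_FILES:
        path = root / name
        if path.exists():
            outcome[name] = "exists"
        else:
            path.touch()                       # zero-byte file, like `copy NUL`
            outcome[name] = "created"
        # Dropping every write bit sets the read-only attribute on Windows
        # (os.chmod there only honours the write bit) and mode 0444 elsewhere.
        path.chmod(stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
    return outcome


def is_vaccinated(windows_dir) -> bool:
    """True when all kill-switch files exist and none is writable by the owner."""
    root = Path(windows_dir)
    for name in VACCINE_FILES:
        path = root / name
        if not path.is_file():
            return False
        if path.stat().st_mode & stat.S_IWRITE:
            return False
    return True


def demo() -> tuple:
    """Run the vaccine twice in a scratch directory: the first run creates the
    files, the second is a no-op, and the check passes afterwards."""
    with tempfile.TemporaryDirectory() as scratch:
        first = vaccinate(scratch)
        second = vaccinate(scratch)
        return first, second, is_vaccinated(scratch)


if __name__ == "__main__":
    target = os.environ.get("SystemRoot", r"C:\Windows")
    for name, state in vaccinate(target).items():
        print(f"{name}: {state}")
    print("vaccinated:", is_vaccinated(target))
```

Run it elevated on the host to protect; run `demo()` anywhere to see the behaviour without touching the system directory.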


Stay tuned!