A ransomware outbreak is wreaking havoc all over the world, but especially in Spain, where Telefonica — one of the country’s biggest telecommunications companies — has fallen victim, and its IT staff is desperately telling employees to shut down computers and VPN connections in order to limit the ransomware’s reach.
The culprit for these attacks is v2.0 of the WCry ransomware, also known as WannaCry or WanaCrypt0r ransomware.
WCry ransomware explodes in massive distribution wave
Version 1.0 of this ransomware was discovered by Malwarebytes researcher S!Ri on February 10 and then spotted in a brief campaign on March 25 by GData security researcher Karsten Hahn.
Version 2.0 was detected for the first time around four hours ago by independent security researcher MalwareHunter. The security researcher says the ransomware came out of nowhere and started spreading like wildfire.
In these first four hours, WCry 2.0 made more victims than Jaff, a ransomware spotted this week distributed via the Necurs botnet, the former home of the Locky ransomware. In numbers, in just four hours WCry made 1.5 times more victims than Jaff did all week.
Currently, researchers weren’t able to pinpoint the exact origin of the WCry distribution campaign. At the moment, it could be from malvertising, exploit kits, email spam, or hand-cranked RDP attacks.
WCry outbreak making high-profile victims in Spain
Citing data from ID-Ransomware, a service that helps users identify ransomware infections, MalwareHunter told Bleeping Computer the ransomware had made victims all over the world, in countries such as Taiwan, Russia, Turkey, Kazakhstan, Indonesia, Vietnam, Japan, Spain, Germany, Ukraine, and the Philippines.
By far, the most affected country seems to be Spain. According to Spanish newspaper El Mundo, there are hundreds of PCs infected with WCry 2.0 at Telefonica, a local ISP.
The publication has confirmed the infections, and also heard back from employees, who told the newspaper they’ve been advised to shut down their computers and not use any of the company’s internal VPNs.
In Twitter conversations, Telefonica employees and collaborators told Bleeping Computer that the company had sent several internal memos, telling employees to also disconnect from the company’s internal WiFi network. Additionally, the company blasted warnings throgh audio speakers inside their Madrid headquarters, warning employees to shut down their computers.
From these details, it appears that the ransomware managed to infect an internal server, from where it spread to employee PCs. Below is an image El Mundo reporters obtained from Telefonica employees.
But Telefonica is not the only one affected by the WCry outbreak. El Mundo has also confirmed WCry infections at other Spanish companies, such as Gas Natural (natural gas provider) and Iberdrola (electric utility).
Other companies such as Vodafone Spain and Capgemini told the newspaper they were still investigating. The BBVA bank denied on Twitter it was one of the victims in the WCry outbreak.
Telefonica’s ability to provide Internet and telephony services to its customers was not affected, and the incident appears to have affected the work computers of employees and collaborators at the company’s Madrid headquarters building.
UPDATE [May 12, 2017, 09:50 AM ET]: Felow Spannish newspaper El Pais reports that Santander bank and consultancy firm KPMG may have also been affected.
SHA256 hash: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
File extension: .wncry
Ransom note name: @Please_Read_Me@.txt