When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit, which was what tipped me off to the fact this was something big. Although ransomware on a public sector system isn?t even newsworthy, systems being hit simultaneously across the country is. (Contrary to popular belief, most NHS employees don?t open phishing e-mails, which suggested that something to be this widespread it would have to be propagated using another method.)
I was quickly able to get a sample of the malware with the help of Kafeine, a good friend and fellow researcher. Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered.
Using Cisco Umbrella, we can actually see query volume to the domain prior to my registration of it, which shows that the ransomware campaign started at around 8am UTC.
Bookmarks