Note on WannaCrypt Infection Count Accuracy

Our sinkhole is designed to collect any and all HTTP requests to sinkholed domain for investigation purposes (these are then sent to a back-end database). What this means is that around the period when infections started being prevented the data on https://intel.malwaretech.com/botnet/wcrypt had almost pinpoint accuracy; however, as the news went global people began posting links to the sinkhole domains which people ended up clicking in their thousands.

Although we have ways to differentiate between regular and bot visits, this can only be done during data export, therefore graph data became less accurate as the sinkhole domain was posted around the internet. Data sent out for purpose of victim notification has already been filtered to ensure best accuracy possible, whereas graph data is unfiltered. As a result the graph data will show a slightly higher count than actual until the graph can be regenerated (this was supposed to be done immediately, but we have been busy dealing with attacks against our sinkhole infrastructure).

Until data can be exported, processed, then re imported; below is an accurate count of total non-browser connections to our sinkhole (these are almost all infections which have been stopped by our ‘kill-switch’ domain).

[Last Updated 2017-05-19 09:00 UTC]
416,989

Threat Intelligence
2
Investigating Command and Control Infrastructure (Emotet)

Although the majority of botnets still use a basic client-server model, with most relying on HTTP servers to receive commands, many prominent threats now use more advanced infrastructure to evade endpoint blacklisting and be resilient to take-down. In this article I will go through and explain my process of identifying …

Threat Intelligence
22
Petya Ransomware Attack – What’s Known

Petya The jury is still out on whether the malware is Petya or something that just looks like it (it messes with the Master Boot Record in a way which is very similar to Petya and not commonly used in other ransomware). Hasherzade who is a researcher well known for …

Threat Intelligence
4
The Kelihos Botnet

A while ago I started writing a series of articles documenting the Kelihos Peer-to-Peer infrastructure but had to pull them due to an ongoing operation. As most of you have probably seen, the botnet operator was arrested a few days ago and the FBI have begun sinkholing the botnet (which will …