Hello, welcome to the Thursday, June 1st, 2017 edition of the Sansadet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Pascal today published the second part to his diary about the ACH method and applied it to the Wanna Cry outbreak.

Now, he took what Digital Shadows did last week and expanded it with a couple of additional

hypotheses.

Essentially, his outcome isn't all that different from what they found.

Lazarus Group, state actor, sophisticated financial actor,

all of that actually ranks quite low. He also added a couple of other criteria and is sharing

his spreadsheet so you can play with this a little bit yourself and see what results you come up with.

And security company Crypto's Logic did publish some results from the WannaCry sinkhole that they apparently ran.

Turns out that the domain, the Kill Switch domain, was actually redirected to a sinkhole that they operate

and they published now some data from it. They detected a total of around 700,000 unique

IP addresses hitting their sinkhole. Now, how that correlates with the number of actually

infected hosts is always a tricky

undertaking, but the actual number is likely larger because some of these hosts, of course,

were behind Nat and showed up as one IP address.

The Cryptos research goes a little bit into details on that.

The other thing that they show very obviously here

and was sort of known before that China was hit quite hard by Wanna Cry more than other

countries. Actually, it looks like they have about six times the infection rate of the US and

Russia, in part that has been interpreted to Chinese

systems being usually less often patched. And that again has been interpreted to a lot of Chinese

...