• Support
  • Forums
  • Blogs

OTX Pulse: WannaCry/Wcry Ransomware alert - But no WannaCry present??

SEDTISEDTI

New Life Form
Over the past week or so, our appliance has detected 4-5 instances for this alert and it all appears to be centered around the MD5 high-lighted below. Anyone else running into this issue?  Several different websites all with the same 0kb size file with the same MD5 hash, yet all are coming up clean...  Any info appreciated!

"fileinfo": 
        {
            "filename": "",
            "tx_id": 2,
            "state": "CLOSED",
            "stored": false,
            "size": 0,
            "md5": "d41d8cd98f00b204e9800998ecf8427e"

Share post:

Best Answer

  • Answer ✓
    SEDTI,

    MD5s are a very good indicator of a match, but are not a perfect indicator. There may occasionally be a false positive on a file match. we will always choose a false positive over a false negative if there is any risk of us missing alerts.

    This said, I have checked history since this signature was released, and only see two cases opened with concerns about this pulse in USM, one which was a positive and another which was not able to provide the raw event for review. In such, there does not seem to be a common match false positive for this pulse.
    SEDTI
Sign In or Register to comment.