Mitigate ‘WannaCry’ traffic by blocking Tor Nodes?

A major ransomware attack has affected many organizations across the world reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as ‘WannaCry’.

The malware also scans heavily over TCP port 445 (Server Message Block/SMB), spreading like a worm: it compromises hosts, encrypts the files stored on them, and then demands a ransom payment in Bitcoin. It is important to note that this threat does not simply scan internal ranges to identify where to spread; it is also capable of spreading by exploiting vulnerabilities it finds in other externally facing hosts across the internet.

INFRASTRUCTURE ANALYSIS

The tor.exe file is executed by @wanadecryptor@.exe. This newly executed process initiates network connections to Tor nodes, which allows WannaCry to attempt to preserve anonymity by proxying its traffic through the Tor network.

Advisory:

We have made available a free Tor node IP blacklist for Mikrotik RouterOS, which automates the import of an address list of all known Tor exit nodes. That address list can then easily be firewalled and blocked by a RouterOS device.

You may download the sbl-tornodes.rsc script at the following URL.
http://www.squidblacklist.org/downloads/sbl-tornodes.rsc
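As an added example (not the sbl-tornodes.rsc script itself, whose contents are not shown on this page), here is a RouterOS configuration that puts an imported Tor-node address list behind a drop-and-log firewall rule and refreshes the list on a schedule. It assumes the imported script fills an address list named `tornodes`, uses constructed RFC 5737 documentation addresses as placeholders, and covers only the Tor-connection stage described above, not the SMB/445 propagation.

```routeros
# Added example, not the squidblacklist.org script. Assumptions: the
# imported sbl-tornodes.rsc populates an address list named "tornodes";
# the two addresses below are constructed RFC 5737 samples, not real
# Tor nodes, and only stand in for what the import would create.

# 1. Shape of the address list the import is expected to produce.
/ip firewall address-list
add list=tornodes address=192.0.2.10 comment="sbl-tornodes (constructed sample)"
add list=tornodes address=198.51.100.25 comment="sbl-tornodes (constructed sample)"

# 2. Drop and log forwarded connections towards any listed node.
#    The log line (prefix "tor-node-drop") tells the SOC which internal
#    host tried to reach Tor, the behaviour of tor.exe described above.
/ip firewall filter
add chain=forward dst-address-list=tornodes action=drop log=yes log-prefix="tor-node-drop" comment="Drop LAN traffic to Tor nodes"
#    Also cover connections originating from the router itself.
add chain=output dst-address-list=tornodes action=drop log=yes log-prefix="tor-node-drop" comment="Drop router traffic to Tor nodes"

# 3. Refresh daily: fetch the script from the URL given on the page,
#    clear the stale entries, then re-import. The download is plain
#    HTTP, so list integrity rests on the network path; use HTTPS if
#    the provider offers it.
/system scheduler
add name=refresh-tornodes interval=1d start-time=03:00:00 on-event="/tool fetch url=\"http://www.squidblacklist.org/downloads/sbl-tornodes.rsc\" mode=http dst-path=sbl-tornodes.rsc; /ip firewall address-list remove [find list=tornodes]; /import file-name=sbl-tornodes.rsc"
```

Because the list is cleared before the new file is imported, a failed fetch leaves the rules with an empty list; check the RouterOS log for the fetch result after the first scheduled run.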

Credit: This information is an excerpt from a recent security bulletin posted by Talos Intelligence Group.
To read the full security advisory and threat analysis please visit the following URL.
http://blog.talosintelligence.com/2017/05/wannacry.html
