Today the FBI released FBI Liaison Alert System #A-000044-mw.
In the release they describe the workings of the malware. It attacks the MBR and all data files. After infection, the infected system connects to one of three IP addresses (88.53.215.64, 217.96.33.164, 203.131.222.102), chosen at random, via either port 8080 or 8000.
Sony Pictures Entertainment is dealing with the aftermath of a massive infection that must be keeping them very busy and many people out of work.
Snort can be configured to detect the traffic. The FBI also released the following signature:
alert tcp any any -> [88.53.215.64,217.96.33.164,203.131.222.102] [8080,8000] (msg:"wiper_callout"; dsize:42; content:"|ff ff ff ff|"; offset:26; depth:4; sid:314;)
It's time to check your log files and see whether those IPs appear as destination IPs in any of your traffic or log data.
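As an added example (not part of the FBI alert or this post), here is the same check in Python: the first function applies the Snort rule's conditions to a single TCP segment, the second does the coarser destination IP and port check against firewall logs, since most logs carry no payload. The log format and the sample lines are constructed for the example.

```python
import re

# Destination IPs and ports from the FBI FLASH alert quoted above.
WIPER_C2_IPS = {"88.53.215.64", "217.96.33.164", "203.131.222.102"}
WIPER_C2_PORTS = {8080, 8000}

# Payload constraints from the Snort rule: exactly 42 bytes of TCP payload
# (dsize:42) with ff ff ff ff at byte offset 26 (offset:26; depth:4).
WIPER_PAYLOAD_LEN = 42
WIPER_MARKER = b"\xff\xff\xff\xff"
WIPER_MARKER_OFFSET = 26


def matches_wiper_callout(dst_ip, dst_port, payload):
    """Apply the same conditions as the Snort rule to one TCP segment."""
    if dst_ip not in WIPER_C2_IPS or dst_port not in WIPER_C2_PORTS:
        return False
    if len(payload) != WIPER_PAYLOAD_LEN:
        return False
    window = payload[WIPER_MARKER_OFFSET:WIPER_MARKER_OFFSET + len(WIPER_MARKER)]
    return window == WIPER_MARKER


# Constructed, hypothetical firewall log format: "<ts> src=<ip> dst=<ip> dport=<port> ...".
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def find_callouts_in_log(lines):
    """Return (timestamp, src, dst, dport) for every line whose destination
    is one of the alert's IP:port pairs. This is the log check from the post,
    not the full payload rule, so treat hits as leads to confirm, not proof."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        if m.group("dst") in WIPER_C2_IPS and dport in WIPER_C2_PORTS:
            hits.append((m.group("ts"), m.group("src"), m.group("dst"), dport))
    return hits


# Constructed sample log lines; only the second and fourth match the alert's IP:port pairs.
SAMPLE_LOG = [
    "2014-12-01T10:00:01Z src=10.1.2.3 dst=93.184.216.34 dport=443 action=allow",
    "2014-12-01T10:00:05Z src=10.1.2.3 dst=88.53.215.64 dport=8080 action=allow",
    "2014-12-01T10:00:09Z src=10.1.2.9 dst=203.131.222.102 dport=22 action=deny",
    "2014-12-01T10:00:12Z src=10.1.2.7 dst=217.96.33.164 dport=8000 action=allow",
]

if __name__ == "__main__":
    for hit in find_callouts_in_log(SAMPLE_LOG):
        print("possible wiper callout:", hit)
```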