WannaCry — The largest ransom-ware infection in History

More than 70 countries are reported to be infected.

Read more: Part 1 - Part 2 - Part 3 - Part 4 - @msuiche (Twitter)

UPDATE: Latest development (15 May): Links to Lazarus Group

UPDATE2: Decrypting files

IMPORTANT NOTE: Microsoft released an emergency patch (KB4012598) for unsupported versions of Windows (Windows XP, 2003, Vista, 2008). APPLY NOW!

NOTE2: On Sunday 14 May, we just stopped the second wave of attack by registering a second kill switch, but this is temporary. Read more.

On Friday 12th May 2017, a ransom-ware called WannaCry started infecting machines and spreading across 70+ countries, using nation-state grade offensive capabilities released last month by the ShadowBrokers. Victims include telco companies like Telefonica in Spain and healthcare authorities like the NHS in England, and the number of infected machines keeps growing.

This ransom-ware supports 28 different languages, encrypts 179 different types of files and requires victims to wire money ($300-$600) in bitcoin in order to get control of their machines back.

Main dropper/encrypter: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Infection

It is believed the ransom-ware uses an SMB vulnerability patched by Microsoft in March (MS17-010). A public exploit for this vulnerability had been released in April by a group dubbed ShadowBrokers (which first emerged in August 2016) while leaking files containing offensive tools belonging to the NSA, including a remote SMB exploit called ETERNALBLUE which targets the above vulnerability.

This vulnerability is believed to have been used by the NSA to take over its targets, including the backbone of financial institutions in the Middle East.

Last month, I covered the latest Shadow Brokers leak, which I strongly recommend reading to learn more about what ETERNALBLUE and DOUBLEPULSAR are.

Thanks to Darien Huss for highlighting the binary that infects the system. Zammis Clark wrote a good write-up on the infection part and on the domain name www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com that was registered as part of a kill switch for the malware.

  • If for some reason your intranet does not have access to the internet, which is fairly common (remember the infection is done over the SMB network), the infector won't be able to reach this domain name and will proceed with the infection.
  • Although this blocks the current version, the malware authors have probably already written and dropped variants with a different kill-switch mechanism.
  • This is only temporary relief: most systems are still vulnerable due to their dependence on legacy operating systems such as Windows XP, and won't be safe until they apply the MS17-010 patch, which requires them to upgrade their OS as legacy OSes are out of support from Microsoft.

Below is the most interesting discovery from Darien Huss, which enabled @MalwareTechBlog to register the domain name and prevent further infection, for now. It is also important to note that:

  • If DOUBLEPULSAR is present, it will leverage it to install its payload.
  • If DOUBLEPULSAR is not present, it will attempt to exploit the target machine using the SMB vulnerabilities (MS17-010 / KB4012598).

I was curious about the DOUBLEPULSAR part, so I decided to look at the routine in detail: WannaCry not only checks if DOUBLEPULSAR is present but also has an (unused) flag to potentially uninstall the backdoor and kick any parasite out.

Unsurprisingly, the packets and checks are very similar to those of the DOUBLEPULSAR detection tool written by Countercept.

You can find out more about the references to DOUBLEPULSAR within WannaCry here.

WannaCry?

Extraction

The dropper extracts a password-protected ("WNcry@2ol7") archive containing the ransom-ware from its resources (XIA/2058).

Payment

The ransom-ware uses 3 different addresses to receive payments:

Files

  • \msg - This folder contains the RTF files describing the instructions for the ransom-ware, totaling 28 languages.
  • b.wnry - BMP image used by the malware as a replacement desktop background.
  • c.wnry - configuration file containing the target address as well as the Tor communication endpoints.
  • s.wnry - Tor client used to communicate with the above endpoints.
  • u.wnry - UI of the ransom-ware, containing the communication routines and password validation (currently being analyzed).
  • t.wnry - "WANACRY!" file - contains default keys.
  • r.wnry - Q&A file used by the application, containing payment instructions.
  • taskdl.exe / taskse.exe –

Command & Control

Tor endpoint addresses recovered from the configuration file:

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

The malware also downloads version 0.2.9.10 of the Tor browser: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
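Tying the Extraction and Command & Control sections together, the following Python snippet is an added example and not the author's tooling. It carves the embedded ZIP out of a dropper image by scanning for the ZIP local-file-header magic (rather than walking the PE resource tree, so it also works on a raw resource dump), lists the entries using the password quoted above, and pulls the .onion endpoints and the Tor download URL out of the raw c.wnry bytes with regular expressions. The `build_sample_dropper` helper constructs a stand-in blob so the script runs offline; its archive is unencrypted and its c.wnry layout (null-separated strings) is an assumption, not the real file format. Only the password, the onion addresses and the download URL come from the post.

```python
"""Carve the dropper's embedded archive and pull Tor indicators from its config.

Added example; the sample dropper built below is constructed, not a real file.
"""
import io
import re
import zipfile

# Archive password quoted in the post.
ARCHIVE_PASSWORD = b"WNcry@2ol7"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# v2 hidden-service names: 16 base32 characters followed by .onion
ONION_RE = re.compile(rb"[a-z2-7]{16}\.onion")
# printable-ASCII URL on dist.torproject.org ending in .zip (null bytes never match)
TOR_DIST_RE = re.compile(rb"https?://dist\.torproject\.org/[\x21-\x7e]+?\.zip")


def carve_embedded_zip(blob):
    """Return the archive embedded in blob, from its first local-file header on, or None."""
    off = blob.find(ZIP_LOCAL_HEADER)
    return None if off < 0 else blob[off:]


def list_archive(zip_bytes, password=ARCHIVE_PASSWORD):
    """Return {name: uncompressed size} for every entry in the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.setpassword(password)  # only consulted for encrypted entries
        return {zi.filename: zi.file_size for zi in zf.infolist()}


def read_entry(zip_bytes, name, password=ARCHIVE_PASSWORD):
    """Return the decompressed bytes of one entry (ZipCrypto is handled by zipfile)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name, pwd=password)


def extract_iocs(config_bytes):
    """Pull .onion endpoints and Tor download URLs out of raw config bytes."""
    onions = sorted({m.decode() for m in ONION_RE.findall(config_bytes)})
    urls = sorted({m.decode() for m in TOR_DIST_RE.findall(config_bytes)})
    return {"onion": onions, "tor_download": urls}


def build_sample_dropper():
    """Constructed stand-in for the dropper: a fake PE prefix followed by an
    unencrypted archive whose c.wnry carries the endpoints listed in the post.
    The null-separated string layout is an assumption for this example only."""
    strings = [
        b"gx7ekbenv2riucmf.onion", b"57g7spgrzlojinas.onion",
        b"xxlvbrloxvriy2c5.onion", b"76jdd2ir2embyv47.onion",
        b"cwwnhwhlz52maqm7.onion",
        b"https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("c.wnry", b"\x00".join(strings) + b"\x00")
        zf.writestr("r.wnry", b"Q&A placeholder")
    return b"MZ" + b"\x00" * 64 + buf.getvalue()


if __name__ == "__main__":
    archive = carve_embedded_zip(build_sample_dropper())
    for name, size in list_archive(archive).items():
        print(f"{size:>10} {name}")
    print(extract_iocs(read_entry(archive, "c.wnry")))
```

To run this against a real dropper, read the file's bytes and pass them to `carve_embedded_zip`; if the archive uses traditional ZipCrypto, `zipfile` decrypts it with the quoted password, whereas an AES-encrypted archive would need a third-party library.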

It has been reported/rumored that the initial attack vector (pre-SMB) comes from file attachments over email; make sure to tell your employees not to open suspicious documents.

Encryption

Here is the list of the 179 different types of files encrypted by the ransom-ware.

What to do to avoid being the next victim?

APPLY MS17-010 NOW if you haven't already!

If you are using unsupported versions of Windows such as XP and Vista, you are in big trouble and should hold a crisis meeting now. This is going to be a very long weekend for a lot of companies around the world.

Appendix A - Files

PS D:\Analysis\Wannacry\toto> dir

    Directory: D:\Analysis\Wannacry\toto

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/12/2017  11:45 PM                msg
-a----        5/11/2017   8:13 PM        1440054 b.wnry
-a----        5/11/2017   8:11 PM            780 c.wnry
-a----        5/11/2017   3:59 PM            864 r.wnry
-a----         5/9/2017   4:58 PM        3038286 s.wnry
------        5/12/2017   2:22 AM          65816 t.wnry
-a----        5/12/2017   2:22 AM          20480 taskdl.exe
-a----        5/12/2017   2:22 AM          20480 taskse.exe
-a----        5/12/2017   2:22 AM         245760 u.wnry

PS D:\Analysis\Wannacry\toto> dir msg

    Directory: D:\Analysis\Wannacry\toto\msg

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       11/20/2010   4:16 AM          47879 m_bulgarian.wnry
-a----       11/20/2010   4:16 AM          54359 m_chinese (simplified).wnry
-a----       11/20/2010   4:16 AM          79346 m_chinese (traditional).wnry
-a----       11/20/2010   4:16 AM          39070 m_croatian.wnry
-a----       11/20/2010   4:16 AM          40512 m_czech.wnry
-a----       11/20/2010   4:16 AM          37045 m_danish.wnry
-a----       11/20/2010   4:16 AM          36987 m_dutch.wnry
-a----       11/20/2010   4:16 AM          36973 m_english.wnry
-a----       11/20/2010   4:16 AM          37580 m_filipino.wnry
-a----       11/20/2010   4:16 AM          38377 m_finnish.wnry
-a----       11/20/2010   4:16 AM          38437 m_french.wnry
-a----       11/20/2010   4:16 AM          37181 m_german.wnry
-a----       11/20/2010   4:16 AM          49044 m_greek.wnry
-a----       11/20/2010   4:16 AM          37196 m_indonesian.wnry
-a----       11/20/2010   4:16 AM          36883 m_italian.wnry
-a----       11/20/2010   4:16 AM          81844 m_japanese.wnry
-a----       11/20/2010   4:16 AM          91501 m_korean.wnry
-a----       11/20/2010   4:16 AM          41169 m_latvian.wnry
-a----       11/20/2010   4:16 AM          37577 m_norwegian.wnry
-a----       11/20/2010   4:16 AM          39896 m_polish.wnry
-a----       11/20/2010   4:16 AM          37917 m_portuguese.wnry
-a----       11/20/2010   4:16 AM          52161 m_romanian.wnry
-a----       11/20/2010   4:16 AM          47108 m_russian.wnry
-a----       11/20/2010   4:16 AM          41391 m_slovak.wnry
-a----       11/20/2010   4:16 AM          37381 m_spanish.wnry
-a----       11/20/2010   4:16 AM          38483 m_swedish.wnry
-a----       11/20/2010   4:16 AM          42582 m_turkish.wnry
-a----       11/20/2010   4:16 AM          93778 m_vietnamese.wnry

Appendix B - Detailed files extracted

VersionInfo   :
Name : msg
LastWriteTime : 5/12/2017 11:45:24 PM
Length : 1
Algorithm :
MD5 :