WannaCry ransomware attack: dissecting the campaign
By Will Wisser
Posted on May 16, 2017

Get the lowdown on the recent Wanna Cry, or Wana Decrypt0r, ransomware wave that took data on tens of thousands of computers hostage in less than a week.

One of the heftiest ransomware outbreaks to date took root on May 12, 2017. A strain called Wanna Cry started making the rounds in a stealthy fashion, infecting numerous organizations and home users around the globe and holding victims’ valuable data for ransom without the slightest chance of alternative recovery. This extortion wave originally hit the headlines as the large Spanish companies Telefonica, Iberdrola, and Gas Natural were forced to shut down part of their operations due to the attack. This was only the wake-up call, though. Later that day, reports began coming in about many more victims, including a number of British healthcare organizations, a Russian law enforcement ministry, Chinese educational establishments, and a Portuguese telco provider. At that point, it became obvious that something had gone terribly wrong with end users’ and enterprises’ well-trodden security routines.

(Image: GUI of Wana Decrypt0r, current WannaCry variant)

The Wanna Cry ransomware has several aliases, and it has already spawned quite a few copycats as of this writing. The infection may additionally manifest itself as WNCry, Wana Decrypt0r, or WanaCrypt0r. The variant currently circulating has distinct indicators of compromise. It appends the .WNCRY, .WNRY, .WCRY or .WNCRYPT extension to encrypted files while leaving the original filename intact. Furthermore, the infection sprinkles ransom how-to’s named @Please_Read_Me@.txt all over the plagued system and replaces the victim’s desktop wallpaper with a warning message. The following sections of this post aggregate all details of the ongoing WannaCry epidemic and shed light on the unique distribution vectors utilized by the threat actors.
Genealogy

The first version of this crypto hoax surfaced in late March 2017. It used the .WCRY suffix to blemish scrambled files. It wasn’t propagating on a large scale, staying in the shade of much more massive campaigns like Cerber and Dharma. However, this edition has since evolved into the monster the world is now confronted with. The second version, which is mainly referred to as WannaCry, Wana Decrypt0r 2.0, or Wana Crypt0r, is the one currently wreaking havoc with the way cyber protection has worked for years. In a nutshell, the full lineage of this strain is as follows: WCry – WannaCry (WannaCryptor) – Wana Decrypt0r 2.0 (WanaCrypt0r 2.0). Once again, disambiguation of version names is quite challenging as there are several concurrently operating spinoffs on the loose.

General information about Wana Decrypt0r 2.0

Original version name: Wana Decrypt0r 2.0
Aliases: WannaCry, Wana Crypt0r, WanaCrypt0r 2.0
Associated processes and files: @WanaDecryptor@.exe, WanaDecryptor.exe, taskdl.exe, tasksche.exe, mssecsvc.exe, cliconfig.exe, diskpart.exe, lhdfrgui.exe, @Please_Read_Me@.txt, @WanaDecryptor@.bmp, WanaDecryptor.exe.lnk
Location: \AppData\Local\
Extensions appended to encrypted files: .WNCRY (the main one); .WNCRYPT, .WNRY (temporary); .WCRY (atavism from the previous version)
Targeted file extensions: .123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .accdb, .aes, .ai, .ARC, .asc, .asf, .asm, .asp, .avi, .backup, .bak, .bat, .bmp, .brd, .bz2, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .csv, .db, .dbf, .dch, .der, .dif, .dip, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .edb, .eml, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .iso, .jar, .java, .jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .nef, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott, .p12, .PAQ, .pas, .pdf, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps1, .psd, .pst, .rar, .raw, .rb, .rtf, .sch, .sh, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3, .sqlitedb, .stc, .std, .sti, .stw, .suo, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vcd, .vdi, .vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip
Supported languages: Bulgarian, Chinese (Simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese.

The current variant of this perpetrating program encrypts victims’ data using the asymmetric RSA-2048 cipher. It demands $300 worth of Bitcoin for decryption. This amount doubles after 3 days expire and reaches a BTC equivalent of $600. For organizations, the fee tends to be bigger. The private decryption key will supposedly be erased after 7 days unless a payment is made. The deadlines for the ransom increase and for complete data loss are displayed on the lock screen, along with the sum to redeem the hostage data.

Ransom notes

WannaCry leaves a data decryption walkthrough named @Please_Read_Me@.txt. This document is dropped onto the desktop and into folders with encrypted files.

(Image: WannaCry drops the @Please_Read_Me@.txt help file with ransom instructions)

The wording of this ransom note edition is as follows:

Q: What’s wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let’s start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Next, please find the application file named “@WanaDecryptor@.exe”. It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Do not worry about decryption. We will decrypt your files.
* If you need our assistance, send a message by clicking on the decryptor window.

Additionally, WannaCry replaces the victim’s desktop background with the following image:

(Image: This is what the desktop background on a plagued computer looks like)

The text on this desktop warning goes:

Ooops, your important files are encrypted. If you see this text, but don’t see the “Wana Decrypt0r” window, then your antivirus removed the decrypt software or you deleted it from your computer. If you need your files you have to run the decrypt software. Please find an application file named “@WanaDecryptor@.exe” in any folder or restore from the antivirus quarantine. Run and follow the instructions!

This message addresses a possible issue with the infected user’s antimalware suite having removed or quarantined the paid decryption utility added by the ransomware.

Distribution vectors

The main propagation channel utilized by the architects of the WannaCry campaign involves the notorious NSA exploit dubbed ETERNALBLUE. It was previously leaked by a hacker group identifying themselves as The Shadow Brokers, along with many other NSA exploits that the crooks were able to get hold of. This tactic allows attackers to weaponize the exploit and achieve remote code execution by sending specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Microsoft had rolled out a patch for this vulnerability in mid-March 2017, but lots of Windows users never installed it, keeping their machines susceptible to this plague.
A noteworthy fact about the proliferation of WannaCry is that it locates vulnerable machines by scanning networks for open TCP port 445. Therefore, unless the SMBv1 vulnerability is patched and the above port is blocked, the infection is capable of arriving without any action on the would-be victim’s end. This is an entirely new thing in the ransomware arena. Additional entry points for the attack may include malicious spam attachments, booby-trapped downloads, rogue updates, web injections, as well as repackaged and infected software installers. However, incidents involving these contamination tactics are not widely reported.

Attack workflow

As part of the compromise, Wana Decrypt0r creates a mutex called “Global\MsWinZonesCacheCounterMutexA” and starts deleting shadow copies of files along with restore points. It also disables the debugging of Windows startup errors via the following command chain:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

(Image: UAC prompt generated by Wana Decrypt0r)

Be advised that the infection displays a User Account Control (UAC) dialog in order to execute these commands, unless the target user had disabled UAC prior to the attack. So make sure you don’t click OK on this dialog if it pops up.

To prepare the computer for encryption, the WannaCry ransomware executes a special icacls command to change permissions for files and folders located in the folder the infection is launched from. Then, it terminates processes associated with server databases and mail servers so that it can encrypt the databases and mailboxes.

Interestingly, this ransomware uses a kill switch principle to complete the infection chain. Specifically, it attempts to connect to a predefined domain name at an early stage of the compromise. If this connection fails, the attack will be terminated.
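The command chain above is the most reliable host-side signal in this workflow. As an added example, not code from the original post, the following Python detection scores constructed process-creation records (host, image, command line are made-up field names) against the individual recovery-inhibiting steps of that chain:

```python
import re

# Patterns for the recovery-inhibition steps in the cmd.exe chain quoted above.
# \s* around the slash tolerates the extra spaces seen in extracted copies.
RECOVERY_INHIBITION_RULES = {
    "shadow_copies_deleted": r"vssadmin\s+delete\s+shadows",
    "wmic_shadowcopy_deleted": r"wmic\s+shadowcopy\s+delete",
    "startup_repair_disabled": r"bcdedit\s+/\s*set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
    "recovery_disabled": r"bcdedit\s+/\s*set\s+\{default\}\s+recoveryenabled\s+no",
    "backup_catalog_deleted": r"wbadmin\s+delete\s+catalog",
}
_COMPILED = {n: re.compile(p, re.IGNORECASE) for n, p in RECOVERY_INHIBITION_RULES.items()}

def match_rules(cmdline):
    """Names of every rule the command line hits (empty list if none)."""
    return [n for n, rx in _COMPILED.items() if rx.search(cmdline)]

def score_process_events(events):
    """events: constructed process-creation records with 'host', 'image', 'cmdline'.
    Returns (host, image, hits) for each record hitting at least one rule; a single
    cmd.exe line chaining all the steps, as WannaCry does, yields five hits at once."""
    findings = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            findings.append((ev["host"], ev["image"], hits))
    return findings

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "ws01", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete "
                "& bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                "& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"host": "ws02", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},            # benign admin query: must not alert
    {"host": "ws03", "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},    # one step alone still deserves a look
]

if __name__ == "__main__":
    for host, image, hits in score_process_events(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(hits)}")
```

Several hits from one command line on one host is the WannaCry pattern; a lone wbadmin or vssadmin deletion is worth a look but is also what legitimate backup maintenance produces.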
The kill-switch check performed by Wana Decrypt0r reportedly involves one of the following domains: www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com, www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, and www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com. The domains used for this check tend to switch over time.

How to avoid WannaCry

As opposed to the majority of ransomware threats out there, preventing WannaCry from infecting a computer is not as prosaic. It’s not enough to simply refrain from opening suspicious email attachments. The only efficient technique revolves around the above-mentioned patch from Microsoft. This critical update for Microsoft Windows SMB Server is available in Security Bulletin MS17-010. So be sure to visit the linked-to page, find your Windows version and download the right fix for the vulnerability exploited by this ransom Trojan. Another countermeasure is to block TCP ports 445 and 139 using your firewall or router. Meanwhile, security researchers are experimenting with WannaCry’s kill switch principle to contain the epidemic. Although the white hats have had some success in this regard and the extortion wave has slowed down a bit, it’s strongly recommended to apply the aforementioned patch immediately and follow safe online practices.
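The indicators listed in the General information section and the kill-switch domains above are what a responder checks first. As an added example, not the post's or the malware's own code, this Python triage counts encrypted files per appended extension, lists the dropped ransom artefacts, recovers the original filenames, and pulls from constructed DNS log lines (made-up "timestamp client qname" format) the clients that queried a kill-switch domain:

```python
import ntpath
from collections import Counter

# Indicators from the post: the extensions WannaCry appends (original name kept
# in front) and the files it drops. Matching is case-insensitive.
ENCRYPTED_SUFFIXES = (".wncry", ".wncrypt", ".wnry", ".wcry")
DROPPED_FILES = {"@please_read_me@.txt", "@wanadecryptor@.exe",
                 "@wanadecryptor@.bmp", "wanadecryptor.exe.lnk"}
# Kill-switch domains from the post; a query for one of them from a host means
# the sample ran there, whatever the outcome of the connection attempt.
KILL_SWITCH_DOMAINS = {"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
                       "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
                       "www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com"}

def triage_paths(paths):
    """Count encrypted files per suffix, list dropped artefacts, and recover
    the original filenames by stripping the appended extension."""
    by_suffix, dropped, originals = Counter(), [], []
    for p in paths:
        name = ntpath.basename(p)   # splits on both \ and / on any OS
        low = name.lower()
        if low in DROPPED_FILES:
            dropped.append(p)
            continue
        for suf in ENCRYPTED_SUFFIXES:
            if low.endswith(suf):
                by_suffix[suf] += 1
                originals.append(name[:-len(suf)])
                break
    return {"encrypted": dict(by_suffix), "dropped": dropped, "originals": originals}

def hosts_that_hit_kill_switch(dns_lines):
    """Clients (second field of each constructed record) that queried a kill-switch domain."""
    hits = set()
    for line in dns_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[2].lower().rstrip(".") in KILL_SWITCH_DOMAINS:
            hits.add(parts[1])
    return hits

SAMPLE_PATHS = [  # constructed
    r"C:\Users\alice\Documents\budget.xlsx.WNCRY",
    r"C:\Users\alice\Documents\@Please_Read_Me@.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.WNCRYPT",
    r"C:\Users\alice\Desktop\@WanaDecryptor@.exe",
]
SAMPLE_DNS = [  # constructed
    "2017-05-12T08:01:12 10.0.0.5 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2017-05-12T08:01:13 10.0.0.9 www.example.com",
]
```

Feed triage_paths the output of os.walk over a suspect share to get the same summary for a real tree; the recovered original names tell you which data types were hit without opening any file.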