WannaCry Ransomware: What we know so far
A press review constantly updated (last update: 20170515 10:00)
How it works?
Once WannaCry infects a PC behind the firewall, it can move laterally within networks and self-propagate to other systems, scanning and identifying systems with ports 139 and 445 open, listening to inbound connections, and heavily scanning over TCP port 445 (Server Message Block/SMB), which allows the malware to spread on its own in a manner similar to a worm.
The worm then loops through every RDP session on a system to execute the ransomware as that user targeting admin accounts. It also installs the DOUBLEPULSAR backdoor and corrupts shadow volumes to make recovery more difficult.
WannaCry is able to do this where the PC is open to listening and has not been updated with the critical MS-17–010 security patch from Microsoft that was issued on the 14th of March and addresses vulnerabilities in SMBv1. Windows 10 machines were not subject to the vulnerability addressed by this patch and are, therefore, not at risk of the malware propagating via this vector.
Additionally, Talos has observed WannaCry exploiting DOUBLEPULSAR, a persistent backdoor that is generally used to access and execute code on previously compromised systems and that documented the offensive exploitation framework released as part of the Shadow Brokers cache.
C&C centers
gx7ekbenv2riucmf.onion57g7spgrzlojinas.onionxxlvbrloxvriy2c5.onion76jdd2ir2embyv47.onioncwwnhwhlz52maqm7.onion
Malware samples
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
- https://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
- https://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE
(from https://www.gigamon.com/blog/2017/05/13/wannacry-know-far/)
The variants
As expected, some variants are spreading, some with the “Kill Switch” disabled:
Name : 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd LastWriteTime : 5/14/2017 5:56:00 PM MD5 : D724D8CC6420F06E8A48752F0DA11C66 SHA2 : 07C44729E2C570B37DB695323249474831F5861D45318BF49CCF5D2F5C8EA1CD Length : 3723264
Name : 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c LastWriteTime : 5/13/2017 7:26:44 AM MD5 : DB349B97C37D22F5EA1D1841E3C89EB4 SHA2 : 24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C Length : 3723264
Name : 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf LastWriteTime : 5/14/2017 4:11:45 PM MD5 : D5DCD28612F4D6FFCA0CFEAEFD606BCF SHA2 : 32F24601153BE0885F11D62E0A8A2F0280A2034FC981D8184180C5D3B1B9E8CF Length : 3723264
An updated list is available on
[embed]https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e[/embed]
Some cryptography details
- Each infection generates a new RSA-2048 keypair.
- The public key is exported as blob and saved to 00000000.pky
- The private key is encrypted with the ransomware public key and saved as 00000000.eky
- Each file is encrypted using AES-128-CBC, with a unique AES key per file.
- Each AES key is generated CryptGenRandom.
- The AES key is encrypted using the infection specific RSA keypair.
Encrypted file format
<64-bit SIGNATURE> - WANACRY!
<length of encrypted key> - 256 for 2048-bit keys, cannot exceed 4096-bits
<encrypted key> - 256 bytes if keys are 2048-bits
<32-bit value> - unknown
<64 bit file size> - return by GetFileSizeEx
<encrypted data> - with custom AES-128 in CBC mode(from https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168)
The ransom
3 bitcoin addresses hard coded into the malware.
- https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
- https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
- https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
[embed]https://twitter.com/bl4sty/status/863143484919828481[/embed]
[embed]https://gist.github.com/andreafortuna/5f76e166ae0857c7ebf824280abab6fd[/embed]
The Kill switch
If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host.
This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied:
Affected organizations
- São Paulo Court of Justice (Brazil)
- Vivo (Telefônica Brasil) (Brazil)
- Lakeridge Health (Canada)
- PetroChina (China)
- Public Security Bureaus (China)
- Sun Yat-sen University (China)
- Instituto Nacional de Salud (Colombia)
- Renault (France)
- Deutsche Bahn (Germany)
- Telenor Hungary (Hungary)
- Andhra Pradesh Police (India)
- Dharmais Hospital (Indonesia)
- Harapan Kita Hospital (Indonesia)
- Cement corporation office (Iran)
- University of Milano-Bicocca (Italy)
- Q-Park (The Netherlands)
- Portugal Telecom (Portugal)
- Automobile Dacia (Romania)
- Ministry of Foreign Affairs (Romania)
- MegaFon (Russia)
- Ministry of Internal Affairs (Russia)
- Russian Railways (Russia)
- Banco Bilbao Vizcaya Argentaria (Spain)
- Telefónica (Spain)
- Sandvik (Sweden)
- Garena Blade and Soul (Thailand)
- NHS -National Health Service (United Kingdom) turning away patients, unable to perform x-rays. (list of affected hospitals)
- Nissan UK (United Kingdom)
- FedEx (United States)
- Q-Park (Netherlands)
(from https://en.wikipedia.org/wiki/WannaCry_cyber_attack#List_of_affected_organizations)
Some Informative Tweets and Links
(from https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168)
- Sample released by ens: https://twitter.com/the_ens/status/863055007842750465
- Onion C&Cs extracted: https://twitter.com/the_ens/status/863069021398339584
- EternalBlue confirmed: https://twitter.com/kafeine/status/863049739583016960
- Shell commands: https://twitter.com/laurilove/status/863065599919915010
- Maps/stats: https://twitter.com/laurilove/status/863066699888824322
- Core DLL: https://twitter.com/laurilove/status/863072240123949059
- Hybrid-analysis: https://twitter.com/PayloadSecurity/status/863024514933956608
- Impact assessment: https://twitter.com/CTIN_Global/status/863095852113571840
- Uses DoublePulsar: https://twitter.com/laurilove/status/863107992425779202
- Your machine is attacking others: https://twitter.com/hackerfantastic/status/863105127196106757
- Tor hidden service C&C: https://twitter.com/hackerfantastic/status/863105031167504385
- FedEx infected via Telefonica? https://twitter.com/jeancreed1/status/863089728253505539
- HOW TO AVOID INFECTION: https://twitter.com/hackerfantastic/status/863070063536091137
- More of this to come: https://twitter.com/hackerfantastic/status/863069142273929217
- C&C hosts: https://twitter.com/hackerfantastic/status/863115568181850113
- Crypted files will be deleted after countdown: https://twitter.com/laurilove/status/863116900829724672
- Claim of attrib [take with salt]: https://twitter.com/0xSpamTech/status/863058605473509378
- Track the bitcoins: https://twitter.com/bl4sty/status/863143484919828481
- keys in pem format: https://twitter.com/e55db081d05f58a/status/863109716456747008
[embed]https://www.reddit.com/r/netsec/comments/6atfkl/wanacrypt0r_ransomware_hits_it_big_just_before/dhhdr3u/[/embed]
The defense
Patching
The best defense is prevention, so install security patches:
- https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- https://technet.microsoft.com/en-us/library/security/ms17-012.aspx
- https://technet.microsoft.com/en-us/library/security/ms17-015.aspx
YARA Rules
Florian Roth has developed some YARA rules useful to identify the malware:
[embed]https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e[/embed]
[embed]https://twitter.com/cyb3rops/status/863304931423473665[/embed]
The Mutex and WCRYSLAP
HackerFantastic has developed a tool that registers a Mutex which prevents the Ransomware running.
[embed]https://twitter.com/hackerfantastic/status/863768249493839872[/embed]
Tha sourcecode and the binaries can be downloaded from GitHub:
https://github.com/HackerFantastic/Public/blob/master/tools/WCRYSLAP.zip