WannaCry Ransomware: What we know so far

A press review, constantly updated (last update: 2017-05-15 10:00)

How does it work?

Once WannaCry infects a PC behind the firewall, it can move laterally within the network and propagate itself to other systems: it scans for hosts with TCP ports 139 and 445 (Server Message Block, SMB) open and listening for inbound connections, with heavy scanning on port 445, which lets the malware spread on its own in the manner of a worm.

The worm then loops through every RDP session on the system and executes the ransomware as that user, targeting administrator accounts. It also installs the DOUBLEPULSAR backdoor and corrupts the volume shadow copies to make recovery more difficult.

WannaCry can do this on a PC that is exposed and listening on those ports and has not been updated with the critical MS17-010 security patch, issued by Microsoft on 14 March 2017, which addresses vulnerabilities in SMBv1. Windows 10 machines were not subject to the vulnerability addressed by this patch and are therefore not at risk of the malware propagating via this vector.

Additionally, Talos has observed WannaCry exploiting DOUBLEPULSAR, a persistent backdoor that is generally used to access and execute code on previously compromised systems and that was documented in the offensive exploitation framework released as part of the Shadow Brokers cache.
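The worm-like SMB fan-out described above leaves a distinctive trace in perimeter and internal firewall logs: one host contacting many distinct peers on 445/139 in a short time, most of them refused. The following is an added example (not code from the original post) that runs that detection over a few constructed log lines; the one-connection-per-line log format is an assumption, as is the threshold of ten distinct SMB peers.

```python
"""Spot worm-like SMB fan-out in firewall logs.

Added example, not from the original post. The log format below is an
assumption (one connection per line):
    <timestamp> <src_ip> -> <dst_ip>:<dst_port> <allow|deny>
"""
from collections import defaultdict

SMB_PORTS = {445, 139}

# Constructed sample: 10.0.0.5 probes eleven peers on 445/139 in a few
# seconds (mostly refused), while 10.0.0.20/21 just talk to a file server.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.6:445 allow
2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.7:445 allow
2017-05-12T10:00:02 10.0.0.5 -> 10.0.0.8:445 deny
2017-05-12T10:00:02 10.0.0.5 -> 10.0.0.9:445 deny
2017-05-12T10:00:02 10.0.0.5 -> 10.0.0.10:445 deny
2017-05-12T10:00:03 10.0.0.5 -> 10.0.0.11:139 deny
2017-05-12T10:00:03 10.0.0.5 -> 10.0.0.12:445 deny
2017-05-12T10:00:04 10.0.0.5 -> 10.0.0.13:445 deny
2017-05-12T10:00:04 10.0.0.5 -> 10.0.0.14:445 deny
2017-05-12T10:00:05 10.0.0.5 -> 10.0.0.15:445 deny
2017-05-12T10:00:05 10.0.0.5 -> 10.0.0.16:445 deny
2017-05-12T10:00:06 10.0.0.20 -> 10.0.0.2:445 allow
2017-05-12T10:00:07 10.0.0.21 -> 10.0.0.2:445 allow
2017-05-12T10:00:08 10.0.0.20 -> 10.0.0.2:445 allow
2017-05-12T10:00:09 10.0.0.5 -> 8.8.8.8:53 allow
"""


def parse_line(line):
    """Split one log line into its fields; raises ValueError on junk."""
    ts, src, arrow, dst, action = line.split()
    if arrow != "->":
        raise ValueError("unexpected line: %r" % line)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst_ip,
            "port": int(dst_port), "action": action}


def smb_activity(log_text):
    """Per source IP: set of distinct SMB peers and number of denied attempts."""
    peers = defaultdict(set)
    denied = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["port"] not in SMB_PORTS:
            continue
        peers[rec["src"]].add(rec["dst"])
        if rec["action"] == "deny":
            denied[rec["src"]] += 1
    return {src: {"peers": peers[src], "denied": denied[src]} for src in peers}


def suspected_scanners(log_text, min_peers=10):
    """Sources that touched at least `min_peers` distinct SMB hosts.

    `min_peers` is an assumed threshold; baseline it against normal
    traffic (a backup server legitimately reaches many hosts on 445).
    """
    return sorted(src for src, info in smb_activity(log_text).items()
                  if len(info["peers"]) >= min_peers)


if __name__ == "__main__":
    for src in suspected_scanners(SAMPLE_LOG):
        info = smb_activity(SAMPLE_LOG)[src]
        print("%s: %d SMB peers, %d denied" % (src, len(info["peers"]), info["denied"]))
```

The denied-attempt count is reported alongside the peer count because a scanner hitting unpatched-but-absent hosts produces far more refusals than a legitimate SMB client; a site-specific rule would normally combine both with a time window.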

C&C servers (Tor hidden services)

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Malware samples

(from https://www.gigamon.com/blog/2017/05/13/wannacry-know-far/)


The variants

As expected, some variants are spreading, some with the “Kill Switch” disabled:

Name          : 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
LastWriteTime : 5/14/2017 5:56:00 PM
MD5           : D724D8CC6420F06E8A48752F0DA11C66
SHA2          : 07C44729E2C570B37DB695323249474831F5861D45318BF49CCF5D2F5C8EA1CD
Length        : 3723264

Name          : 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
LastWriteTime : 5/13/2017 7:26:44 AM
MD5           : DB349B97C37D22F5EA1D1841E3C89EB4
SHA2          : 24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C
Length        : 3723264

Name          : 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
LastWriteTime : 5/14/2017 4:11:45 PM
MD5           : D5DCD28612F4D6FFCA0CFEAEFD606BCF
SHA2          : 32F24601153BE0885F11D62E0A8A2F0280A2034FC981D8184180C5D3B1B9E8CF
Length        : 3723264

An updated list is available on

https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e


Some cryptography details

  • Each infection generates a new RSA-2048 key pair.
  • The public key is exported as a blob and saved to 00000000.pky.
  • The private key is encrypted with the ransomware's embedded public key and saved as 00000000.eky.
  • Each file is encrypted with AES-128-CBC, using a unique AES key per file.
  • Each AES key is generated with CryptGenRandom.
  • The AES key is encrypted with the public key of the infection-specific RSA key pair.

Encrypted file format

<64-bit SIGNATURE>        - WANACRY!
<length of encrypted key> - 256 for 2048-bit keys, cannot exceed 4096 bits
<encrypted key>           - 256 bytes if keys are 2048-bit
<32-bit value>            - unknown
<64-bit file size>        - as returned by GetFileSizeEx
<encrypted data>          - with custom AES-128 in CBC mode

(from https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168)
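A parser for that header is a useful triage tool during response: it tells an analyst how many files on a share carry the WANACRY! signature, the original size of each, and whether a file is intact or truncated. The following is an added example, not code from the original post or from the linked gist. Little-endian field order (as Win32 writes integers) and the plausibility check on sizes are assumptions; the sample file it builds is constructed, with placeholder bytes in place of the real key blob and ciphertext.

```python
"""Parse the header of a WannaCry-encrypted file using the layout above.

Added example; not code from the original post or the linked gist. The
field byte order (little-endian, as Win32 writes it) and the plausibility
check on sizes are assumptions; the sample file is constructed.
"""
import struct

MAGIC = b"WANACRY!"          # 64-bit signature
MAX_KEY_BYTES = 4096 // 8    # the key-length field cannot exceed 4096 bits
AES_BLOCK = 16


def parse_wannacry_header(blob):
    """Return the header fields of `blob`, or raise ValueError if it does
    not match the WANACRY! layout."""
    if len(blob) < len(MAGIC) + 4:
        raise ValueError("too short for signature and key length")
    if blob[:len(MAGIC)] != MAGIC:
        raise ValueError("missing WANACRY! signature")
    offset = len(MAGIC)
    (key_len,) = struct.unpack_from("<I", blob, offset)
    offset += 4
    if key_len == 0 or key_len > MAX_KEY_BYTES:
        raise ValueError("implausible encrypted-key length %d" % key_len)
    enc_key = blob[offset:offset + key_len]
    if len(enc_key) != key_len:
        raise ValueError("truncated encrypted key")
    offset += key_len
    if len(blob) < offset + 4 + 8:
        raise ValueError("truncated header after encrypted key")
    (unknown,) = struct.unpack_from("<I", blob, offset)     # meaning unknown
    offset += 4
    (orig_size,) = struct.unpack_from("<Q", blob, offset)   # GetFileSizeEx value
    offset += 8
    ciphertext = blob[offset:]
    return {
        "key_len": key_len,
        "rsa_bits": key_len * 8,          # 256 bytes -> 2048-bit key
        "encrypted_key": enc_key,
        "unknown": unknown,
        "original_size": orig_size,
        "ciphertext_len": len(ciphertext),
        # CBC output is whole blocks and at most one block longer than the
        # plaintext (assumption: standard block padding).
        "size_plausible": (len(ciphertext) % AES_BLOCK == 0
                           and orig_size <= len(ciphertext) <= orig_size + AES_BLOCK),
    }


def build_sample(orig_size=100, rsa_bits=2048, unknown=4):
    """Construct a synthetic encrypted file of the documented shape.
    Key blob and ciphertext are placeholder bytes, not real ciphertext."""
    key_len = rsa_bits // 8
    enc_key = bytes(i % 256 for i in range(key_len))
    ct_len = -(-orig_size // AES_BLOCK) * AES_BLOCK   # round up to a block
    return (MAGIC + struct.pack("<I", key_len) + enc_key
            + struct.pack("<I", unknown) + struct.pack("<Q", orig_size)
            + bytes(ct_len))


def looks_wannacry_encrypted(blob):
    """Cheap triage predicate: True if the header parses cleanly."""
    try:
        parse_wannacry_header(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    header = parse_wannacry_header(build_sample(100))
    print({k: v for k, v in header.items() if k != "encrypted_key"})
```

Reading only the first few hundred bytes of each file is enough for the predicate, so it scales to sweeping a large share; the recorded original size is also what lets you estimate data loss before any decision about recovery.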


The ransom

Three bitcoin addresses are hard-coded into the malware.


The Kill switch

If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is reachable, the malware exits instead of infecting the host.
This domain has been sinkholed, which stopped the spread of the worm. Note that the check does not work from behind a proxy:

Quickpost: WannaCry Killswitch Check Is Not Proxy Aware
“It looks like #WannaCry’s killswitch check (www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) is not proxy aware…”
(from blog.didierstevens.com)
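Because the check is not proxy aware, the practical question for a defender is whether hosts on a given network can reach the sinkhole domain without going through the proxy; where direct egress is blocked, the kill switch gives no protection there. The following is an added example (not code from the original post or from Didier Stevens) that performs that direct, non-proxied probe the way the malware's own check behaves. The injectable `opener` argument and the Fake* classes are assumptions made for this example so that the decision logic can be exercised offline.

```python
"""Verify from inside the network whether the sinkhole domain answers a
direct, non-proxied HTTP request, which is how WannaCry's check behaves.

Added example, not code from the original post or from Didier Stevens.
The injectable `opener` and the Fake* classes are assumptions made for
this example; the fakes are offline stand-ins that never touch the network.
"""
import urllib.request
from urllib.error import HTTPError, URLError

KILLSWITCH_URL = "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/"


def direct_opener():
    """Opener that ignores every proxy setting (empty ProxyHandler map),
    mirroring a client that is not proxy aware."""
    return urllib.request.build_opener(urllib.request.ProxyHandler({}))


def killswitch_reachable(opener=None, timeout=5):
    """True if a direct GET gets any HTTP response at all (the malware only
    cares that the request succeeds), False on DNS failure, refusal or
    timeout."""
    opener = opener or direct_opener()
    try:
        with opener.open(KILLSWITCH_URL, timeout=timeout):
            return True
    except HTTPError:
        return True          # 4xx/5xx still means the host was reached
    except (URLError, OSError):
        return False


def assess(reachable):
    """Turn the probe result into the operational conclusion."""
    if reachable:
        return "kill switch effective: sinkhole reachable without a proxy"
    return ("kill switch ineffective on this network: direct egress blocked, "
            "so an infected host would proceed to encrypt and spread")


class FakeResponse:
    """Minimal context manager standing in for an HTTP response object."""
    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeOpener:
    """Stand-in opener: succeeds or raises URLError, never touches the network."""
    def __init__(self, succeed):
        self.succeed = succeed

    def open(self, url, timeout=None):
        if self.succeed:
            return FakeResponse()
        raise URLError("direct egress blocked (simulated)")


if __name__ == "__main__":
    # Real probe from this host; run it from each network segment of interest.
    print(assess(killswitch_reachable()))
```

The probe deliberately treats an HTTP error status as "reachable": the malware's check only needs the request to complete, so a sinkhole answering 4xx still stops it. Running the script on a host in each segment shows which segments need direct access to the sinkhole domain allowed through egress filtering.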


Affected organizations

(from https://en.wikipedia.org/wiki/WannaCry_cyber_attack#List_of_affected_organizations)


Some Informative Tweets and Links

(from https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168)


The defense

Patching

The best defense is prevention: install the security patches, in particular MS17-010.

YARA Rules

Florian Roth has developed some YARA rules that are useful for identifying the malware:

https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e


The Mutex and WCRYSLAP

HackerFantastic has developed a tool that registers a mutex which prevents the ransomware from running.

The source code and the binaries can be downloaded from GitHub:

https://github.com/HackerFantastic/Public/blob/master/tools/WCRYSLAP.zip
