WannaCry — The largest ransom-ware infection in History



More than 70 countries are reported to be infected.

Read More: Part 1 — Part 2 — Part 3 — Part 4 — @msuiche (Twitter)

UPDATE** Links to Lazarus Group: Latest development (15May):

UPDATE2: — Decrypting files

IMPORTANT NOTE: Microsoft released an emergency patch (KB4012598)for unsupported version of Windows (Windows XP, 2003, Vista, 2008). APPLY NOW!

NOTE2: On Sunday 14 May, We just stopped the second wave of attack by registering a second killswitch but this is temporary. Read more.

On Friday 12th May 2017, a ransom-ware called WannaCry infecting and spreading machines in 70+ countries — using nation state grade offensive capabilities released last month by the ShadowBrowkers — including telco companies like Telefonica in Spain, or healthcare authority like the NHS in England — and the number of infected machines keeps growing.

This ransom-ware supports 28 different languages, encrypts 179 different type of files and requires victims to wire money ($300-$600) over bitcoins in order to get the control back of their machines.

Main dropper/encrypter: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Infection

It is believed the ransom-ware used an SMB vulnerability patched by Microsoft (MS17–010) in March. A public exploit for this vulnerability had been released in April by a group subbed as ShadowBrokers (which emerged for the first time in August 2016) while leaking files containing offensive tools belonging to the NSA including a remote SMB exploit called ETERNALBLUEwhich affects the above vulnerability.

This vulnerability is believed to have been used by the NSA to take over their targets including the backbone of financial institutions in the Middle East.

Last month, I covered the latest Shadow Brokers leak — which I strongly recommend to read to learn more about what ETERNALBLUE and DOUBLEPULSAR are.

Thanks to Darien Huss for highlighting the binary that infects the system, Zammis Clark wrote a good write-up on the infection part and the domain name www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com` that was register as part of a kill switch for the malware.

Below is the most interesting discovery form Darien Huss, which enabled @MalwareTechBlog to register the domain name to prevent further infection — for now. Although, it is important to note that:

  • If for some reason your intranet does not have access to internet, which is fairly common (remember the infection is done over the SMB network) — the infector won’t be able to access this domain name and then will proceed with the infection.
  • Although, this blocks the current version — the malware authors probably already wrote and dropped variants with a different killswitch mechanism.
  • This is only temporary relief, most of systems are still vulnerable due to dependence to legacy operating system such as Windows XP — and won’t be able to be safe until they apply MS17–010 patch which requires for them to upgrade their O.S. as legacy O.S. are out of support from Microsoft.

image

Simple and straight-forward.

I was curious on the DOUBLEPULSAR part, so I decided to look in details at the routine — WannaCry not only check if DOUBLEPULSAR is present but also has a (unused) flag to potentially uninstall the backdoor and kick any parasite out.

  • If DOUBLEPULSAR is present, it will leverage it to install its payload.
  • If DOUBLEPULSAR is not present, it will attempt to exploit the target machine using the SMB vulnerabilities (MS17–010 / KB4012598).

SMB honeypot based in France connected to internet infected within 3 minutes.

image

image

Checking for DoublePulsar

Without any surprised, the packets and checks are very similar to the DOUBLEPULSAR detection tool written by countercept.

You can find out more about the references to DOUBLEPULSAR within WannaCry here.

WannaCry?

Extraction

The dropper extracts a password protected (“WNcry@2ol7”) archive containing the ransom-ware from its resources (XIA/2058).

image

Payment

The ransom-ware uses 3 different addresses to receive payments:

image

Files

  • \msg — This folder contains the RTF describing the different instructions for the ransom-ware. Totaling 28 languages.
  • b.wnry — BMP image used as a background image replacement by the malware.
  • c.wnry— configuration file containing the target address, but also the tor communication endpoints information.
  • s.wnry — Tor client to communication with the above endpoints.
  • u.wnry — UI interface of the ransom-ware, containing the communications routines and password validation (currently being analyzed)
  • t.wnry— “WANACRY!” file — contains default keys

image

t.wnry including file format definition for 010 Template.

  • r.wnry— Q&A file used by the application containing payment instructions
  • taskdl.exe / taskse.exe —

image

taskdl.exe

image

u.wnry — Yes I broke it so it has no data.

Command & Control

Tor Endpoint Addresses recovered from the configuration file :

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

The malware also downloads the version 0.2.9.10 of tor browser: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

Encryption

Here is the list of the 179 different type of files encrypted by the ransom-ware.

- .doc  
- .docx  
- .docb  
- .docm  
- .dot  
- .dotm  
- .dotx  
- .xls  
- .xlsx  
- .xlsm  
- .xlsb  
- .xlw  
- .xlt  
- .xlm  
- .xlc  
- .xltx  
- .xltm  
- .ppt  
- .pptx  
- .pptm  
- .pot  
- .pps  
- .ppsm  
- .ppsx  
- .ppam  
- .potx  
- .potm  
- .pst  
- .ost  
- .msg  
- .eml  
- .edb  
- .vsd  
- .vsdx  
- .txt  
- .csv  
- .rtf  
- .123  
- .wks  
- .wk1  
- .pdf  
- .dwg  
- .onetoc2  
- .snt  
- .hwp  
- .602  
- .sxi  
- .sti  
- .sldx  
- .sldm  
- .sldm  
- .vdi  
- .vmdk  
- .vmx  
- .gpg  
- .aes  
- .ARC  
- .PAQ  
- .bz2  
- .tbk  
- .bak  
- .tar  
- .tgz  
- .gz  
- .7z  
- .rar  
- .zip  
- .backup  
- .iso  
- .vcd  
- .jpeg  
- .jpg  
- .bmp  
- .png  
- .gif  
- .raw  
- .cgm  
- .tif  
- .tiff  
- .nef  
- .psd  
- .ai  
- .svg  
- .djvu  
- .m4u  
- .m3u  
- .mid  
- .wma  
- .flv  
- .3g2  
- .mkv  
- .3gp  
- .mp4  
- .mov  
- .avi  
- .asf  
- .mpeg  
- .vob  
- .mpg  
- .wmv  
- .fla  
- .swf  
- .wav  
- .mp3  
- .sh  
- .class  
- .jar  
- .java  
- .rb  
- .asp  
- .php  
- .jsp  
- .brd  
- .sch  
- .dch  
- .dip  
- .pl  
- .vb  
- .vbs  
- .ps1  
- .bat  
- .cmd  
- .js  
- .asm  
- .h  
- .pas  
- .cpp  
- .c  
- .cs  
- .suo  
- .sln  
- .ldf  
- .mdf  
- .ibd  
- .myi  
- .myd  
- .frm  
- .odb  
- .dbf  
- .db  
- .mdb  
- .accdb  
- .sql  
- .sqlitedb  
- .sqlite3  
- .asc  
- .lay6  
- .lay  
- .mml  
- .sxm  
- .otg  
- .odg  
- .uop  
- .std  
- .sxd  
- .otp  
- .odp  
- .wb2  
- .slk  
- .dif  
- .stc  
- .sxc  
- .ots  
- .ods  
- .3dm  
- .max  
- .3ds  
- .uot  
- .stw  
- .sxw  
- .ott  
- .odt  
- .pem  
- .p12  
- .csr  
- .crt  
- .key  
- .pfx  
- .der

What to do to avoid to be the next victim ?

APPLY MS17–010 NOW if you didn’t !

If you are using unsupported versions of Windows such as XP and Vista, you are in big trouble and should do a crisis meeting now. This is going to be a very long week-end for a lot of companies around the World.

It had been reported/rumored that the initial attack vector (pre-SMB) comes from file attachments over emails, make sure to tell your employees to not open suspicious documents.

Appendix A — Files

PS D:\Analysis\Wannacry\toto> dir
Directory: D:\Analysis\Wannacry\toto
Mode                LastWriteTime         Length Name  
----                -------------         ------ ----  
d-----        5/12/2017  11:45 PM                msg  
-a----        5/11/2017   8:13 PM        1440054 b.wnry  
-a----        5/11/2017   8:11 PM            780 c.wnry  
-a----        5/11/2017   3:59 PM            864 r.wnry  
-a----         5/9/2017   4:58 PM        3038286 s.wnry  
------        5/12/2017   2:22 AM          65816 t.wnry  
-a----        5/12/2017   2:22 AM          20480 taskdl.exe  
-a----        5/12/2017   2:22 AM          20480 taskse.exe  
-a----        5/12/2017   2:22 AM         245760 u.wnry
PS D:\Analysis\Wannacry\toto> dir msg
Directory: D:\Analysis\Wannacry\toto\msg
Mode                LastWriteTime         Length Name  
----                -------------         ------ ----  
-a----       11/20/2010   4:16 AM          47879 m_bulgarian.wnry  
-a----       11/20/2010   4:16 AM          54359 m_chinese (simplified).wnry  
-a----       11/20/2010   4:16 AM          79346 m_chinese (traditional).wnry  
-a----       11/20/2010   4:16 AM          39070 m_croatian.wnry  
-a----       11/20/2010   4:16 AM          40512 m_czech.wnry  
-a----       11/20/2010   4:16 AM          37045 m_danish.wnry  
-a----       11/20/2010   4:16 AM          36987 m_dutch.wnry  
-a----       11/20/2010   4:16 AM          36973 m_english.wnry  
-a----       11/20/2010   4:16 AM          37580 m_filipino.wnry  
-a----       11/20/2010   4:16 AM          38377 m_finnish.wnry  
-a----       11/20/2010   4:16 AM          38437 m_french.wnry  
-a----       11/20/2010   4:16 AM          37181 m_german.wnry  
-a----       11/20/2010   4:16 AM          49044 m_greek.wnry  
-a----       11/20/2010   4:16 AM          37196 m_indonesian.wnry  
-a----       11/20/2010   4:16 AM          36883 m_italian.wnry  
-a----       11/20/2010   4:16 AM          81844 m_japanese.wnry  
-a----       11/20/2010   4:16 AM          91501 m_korean.wnry  
-a----       11/20/2010   4:16 AM          41169 m_latvian.wnry  
-a----       11/20/2010   4:16 AM          37577 m_norwegian.wnry  
-a----       11/20/2010   4:16 AM          39896 m_polish.wnry  
-a----       11/20/2010   4:16 AM          37917 m_portuguese.wnry  
-a----       11/20/2010   4:16 AM          52161 m_romanian.wnry  
-a----       11/20/2010   4:16 AM          47108 m_russian.wnry  
-a----       11/20/2010   4:16 AM          41391 m_slovak.wnry  
-a----       11/20/2010   4:16 AM          37381 m_spanish.wnry  
-a----       11/20/2010   4:16 AM          38483 m_swedish.wnry  
-a----       11/20/2010   4:16 AM          42582 m_turkish.wnry  
-a----       11/20/2010   4:16 AM          93778 m_vietnamese.wnry

Appendix B — Detailed files extracted

VersionInfo   : File:             D:\Analysis\Wannacry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa  
                InternalName:     diskpart.exe  
                OriginalFilename: diskpart.exe  
                FileVersion:      6.1.7601.17514 (win7sp1_rtm.101119-1850)  
                FileDescription:  DiskPart  
                Product:          Microsoft® Windows® Operating System  
                ProductVersion:   6.1.7601.17514  
                Debug:            False  
                Patched:          False  
                PreRelease:       False  
                PrivateBuild:     False  
                SpecialBuild:     False  
                Language:         English (United States)
                Name          : ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa  
LastWriteTime : 5/12/2017 10:06:10 PM  
Length        : 3514368  
Algorithm     : SHA256  
MD5           : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
VersionInfo   :  
Name          : msg  
LastWriteTime : 5/12/2017 11:45:24 PM  
Length        : 1  
Algorithm     :  
MD5           :
VersionInfo   : File:           D:\Analysis\Wannacry\toto\b.wnry  
                InternalName:  
                OriginalFilename:  
                FileVersion:  
                FileDescription:  
                Product:  
                ProductVersion:  
                Debug:            False  
                Patched:          False  
                PreRelease:       False  
                PrivateBuild:     False  
                SpecialBuild:     False  
                Language:
                Name          : b.wnry  
LastWriteTime : 5/11/2017 8:13:20 PM  
Length        : 1440054  
Algorithm     : SHA256  
MD5           : D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
VersionInfo   : File:             D:\Analysis\Wannacry\toto\c.wnry  
                InternalName:  
                OriginalFilename:  
                FileVersion:  
                FileDescription:  
                Product:  
                ProductVersion:  
                Debug:            False  
                Patched:          False  
                PreRelease:       False  
                PrivateBuild:     False  
                SpecialBuild:     False  
                Language:
                Name          : c.wnry  
LastWriteTime : 5/11/2017 8:11:58 PM  
Length        : 780  
Algorithm     : SHA256  
MD5           : 055C7760512C98C8D51E4427227FE2A7EA3B34EE63178FE78631FA8AA6D15622
VersionInfo   : File:             D:\Analysis\Wannacry\toto\r.wnry  
                InternalName:  
                OriginalFilename:  
                FileVersion:  
                FileDescription:  
                Product:  
                ProductVersion:  
                Debug:            False  
                Patched:          False  
                PreRelease:       False  
                PrivateBuild:     False  
                SpecialBuild:     False  
                Language:
                Name          : r.wnry  
LastWriteTime : 5/11/2017 3:59:14 PM  
Length        : 864  
Algorithm     : SHA256  
MD5           : 402751FA49E0CB68FE052CB3DB87B05E71C1D950984D339940CF6B29409F2A7C
VersionInfo   : File:             D:\Analysis\Wannacry\toto\s.wnry  
                InternalName:  
                OriginalFilename:  
                FileVersion:  
                FileDescription:  
                Product:  
                ProductVersion:  
                Debug:            False  
                Patched:          False  
                PreRelease:       False  
                PrivateBuild:     False  
                SpecialBuild:     False  
                Language:
                Name          : s.wnry  
LastWriteTime : 5/9/2017 4:58:44 PM  
Length        : 3038286  
Algorithm     : SHA256  
MD5           : E18FDD912DFE5B45776E68D578C3AF3547886CF1353D7086C8BEE037436DFF4B
VersionInfo   : File:             D:\Analysis\Wannacry\toto\t.wnry  
                InternalName:  
                OriginalFilename:  
                FileVersion:  
                FileDescription:  
                Product:  
                ProductVersion:  
                Debug:            False  
                Patched:          False  
                PreRelease:       False  
                PrivateBuild:     False  
                SpecialBuild:     False  
                Language:
                Name          : t.wnry  
LastWriteTime : 5/12/2017 2:22:56 AM  
Length        : 65816  
Algorithm     : SHA256  
MD5           : 97EBCE49B14C46BEBC9EC2448D00E1E397123B256E2BE9EBA5140688E7BC0AE6
VersionInfo   : File:             D:\Analysis\Wannacry\toto\taskdl.exe  
                InternalName:     cliconfg.exe  
                OriginalFilename: cliconfg.exe  
                FileVersion:      6.1.7600.16385 (win7_rtm.090713-1255)  
                FileDescription:  SQL Client Configuration Utility EXE  
                Product:          Microsoft® Windows® Operating System  
                ProductVersion:   6.1.7600.16385  
                Debug:            False  
                Patched:          False  
                PreRelease:       False  
                PrivateBuild:     False  
                SpecialBuild:     False  
                Language:         English (United States)
                Name          : taskdl.exe  
LastWriteTime : 5/12/2017 2:22:56 AM  
Length        : 20480  
Algorithm     : SHA256  
MD5           : 4A468603FDCB7A2EB5770705898CF9EF37AADE532A7964642ECD705A74794B79
VersionInfo   : File:             D:\Analysis\Wannacry\toto\taskse.exe  
                InternalName:     waitfor.exe  
                OriginalFilename: waitfor.exe  
                FileVersion:      6.1.7600.16385 (win7_rtm.090713-1255)  
                FileDescription:  waitfor - wait/send a signal over a network  
                Product:          Microsoft® Windows® Operating System  
                ProductVersion:   6.1.7600.16385  
                Debug:            False  
                Patched:          False  
                PreRelease:       False  
                PrivateBuild:     False  
                SpecialBuild:     False  
                Language:         English (United States)
                Name          : taskse.exe  
LastWriteTime : 5/12/2017 2:22:56 AM  
Length        : 20480  
Algorithm     : SHA256  
MD5           : 2CA2D550E603D74DEDDA03156023135B38DA3630CB014E3D00B1263358C5F00D
VersionInfo   : File:             D:\Analysis\Wannacry\toto\u.wnry  
                InternalName:     LODCTR.EXE  
                OriginalFilename: LODCTR.EXE  
                FileVersion:      6.1.7600.16385 (win7_rtm.090713-1255)  
                FileDescription:  Load PerfMon Counters  
                Product:          Microsoft® Windows® Operating System  
                ProductVersion:   6.1.7600.16385  
                Debug:            False  
                Patched:          False  
                PreRelease:       False  
                PrivateBuild:     False  
                SpecialBuild:     False  
                Language:         English (United States)
                Name          : u.wnry  
LastWriteTime : 5/12/2017 2:22:56 AM  
Length        : 245760  
Algorithm     : SHA256  
MD5           : B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25