Analysing WannaCry Ransomware

Submitted by Jonah Bellemans on Mon, 05/15/2017 - 18:45

The past few days have taken the world of cyber security by surprise: a piece of malware known as "WannaCry" has broken out in an epidemic throughout various companies in the world.

In the US, parcel service FedEx got hit, while in Europe large companies like Telefonica in Spain, Renault in France and even the NHS in England have reported a breach in their security. However, the biggest number of victims fell in the Russian Federation. Security company F-Secure's CRO, Mikko Hypponen, called it 'the biggest ransomware outbreak in history'. Blackholetec elaborates on what WannaCry is, what it does and why it got as far as it did.

Leaked exploits

On April 14, 2017, a hacking collective named 'The Shadow Brokers' leaked a large file archive on the internet containing stolen exploits and hacking tools belonging to another collective called the 'Equation Group', which is generally believed to be a division within the National Security Agency of the US. This archive has since been posted on code sharing website GitHub, along with a README file containing guesses as to what each tool or exploit is used for. Many of the leaked exploits were years old and already patched by the respective software maintainers. However, among the old exploits was one that had been codenamed Eternalblue. This exploit enabled remote code execution on computers in the same network if they were using an older version of Windows' SMB (Server Message Block) protocol. This Eternalblue exploit is what eventually got used by a ransomware named Win32/WCry ('WannaCry') to spread itself through networks.

Ransomware

To fully understand what WannaCry does, we need to know what ransomware is. Ransomware is a piece of malware that, when run on a target system, encrypts all files (images, documents, music, video, databases, ...) it can find, and then asks for a certain amount of money in order to decrypt the files again. This way, it takes the system hostage until a 'ransom' is paid. Paying this sum has proven to be somewhat successful in the past with different pieces of ransomware, even up to the point where the creators of the malware provided tech support to help people through the elaborate payment process. One could say ransomware writers see their malware as an actual business, optimising their profit by making sure everyone is able to pay the money, and then actually returning the files to the victim, in order to make sure other people will also pay up for their files. A well-known example of these is the Cryptolocker virus, which made its rounds in the past, albeit on a smaller scale than WannaCry did now.

Win32/WCry

What makes WannaCry (codenamed Win32/WCry by antivirus experts) different from other ransomware is its elaborate spreading mechanism. WannaCry is spread to targets through spam emails, and once it is inside a network, it spreads through the system to other targets by using the Eternalblue vulnerability. The spreading mechanism was this successful because Microsoft only had a limited amount of time to patch the vulnerability, known as MS17-010, since it had only been informed of it at the time of the breach at the NSA. The fact that the patch for the exploit arrived this late meant that a large number of systems, especially critical systems like MRI scanners or other hospital equipment that don't allow software updates on a frequent basis, got infected. This led to an attack of a scale that comes close to the Conficker worm in 2008.

WannaCry asks for a payment worth 300 USD in the form of Bitcoin, doubling the price if there hasn't been a payment within three days. After 7 days without payment, the malware permanently deletes the decryption key and the files are irretrievably lost. The virus encrypts files with the following extensions (Source: Kaspersky Labs):

  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers', artists' and photographers' files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).

As far as technical support goes, WannaCry definitely falls in the category of ransomware that encourages the user to pay, and makes this process as easy as possible: the malware drops user manuals in the following languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese (Source: Kaspersky Labs).

Aside from that, the malware contains a short FAQ in the main screen and a link to a help page about buying Bitcoin.

We strongly advise anyone who got infected with the malware NOT to pay the bitcoin ransom for the following reasons:

  1. Indulging in what the extortionists want will only encourage them to continue their criminal activities.
  2. WannaCry has only used 3 different bitcoin wallets as a destination for the ransom money so far, which indicates they might not be able to track where the incoming money came from. This is a strong indicator that paying the requested amount might not even result in returning the files. It is uncertain if the creators of the virus are even capable of decrypting infected files.

Instead, we recommend wiping all affected files from your computer and restoring your most recent backups. Sadly, files that were not backed up are irreparably lost.
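The extension list above gives an incident responder a concrete scope for the advice in this paragraph: before wiping an affected machine, verify that every file of a type WannaCry targets actually has a copy in the most recent backup. The script below is an added example (not code from the original article or from Kaspersky Labs): it encodes the quoted extension categories, takes a file inventory from the affected host and a backup manifest, and reports targeted-type files with no backup copy, grouped by category. The inventory, the manifest paths and the assumption that the backup tool lower-cases paths are all constructed sample data.

```python
"""Backup-coverage check for the file types WannaCry targets.

Added example, not from the original article. Extension groups follow the
categories the article quotes from Kaspersky Labs; HOST_INVENTORY and
BACKUP_MANIFEST are constructed stand-ins for a file listing from the affected
host and a listing from the backup system.
"""
import ntpath
from collections import defaultdict

# Extensions by category, as listed in the article (Source: Kaspersky Labs).
TARGETED = {
    "office": {".ppt", ".doc", ".docx", ".xlsx", ".sxi", ".sxw", ".odt", ".hwp"},
    "archives_media": {".zip", ".rar", ".tar", ".bz2", ".mp4", ".mkv"},
    "email": {".eml", ".msg", ".ost", ".pst", ".edb"},
    "database": {".sql", ".accdb", ".mdb", ".dbf", ".odb", ".myd"},
    "source": {".php", ".java", ".cpp", ".pas", ".asm"},
    "keys_certs": {".key", ".pfx", ".pem", ".p12", ".csr", ".gpg", ".aes"},
    "graphics": {".vsd", ".odg", ".raw", ".nef", ".svg", ".psd"},
    "virtual_machines": {".vmx", ".vmdk", ".vdi"},
}
EXT_TO_CATEGORY = {ext: cat for cat, exts in TARGETED.items() for ext in exts}

# Constructed sample data (not real hosts or backups).
HOST_INVENTORY = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\Notes.TXT",
    r"C:\Users\alice\Pictures\IMG_0042.NEF",
    r"C:\Projects\app\src\Main.java",
    r"C:\Certs\server.pfx",
    r"D:\VMs\lab\disk1.vmdk",
    r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost",
]
BACKUP_MANIFEST = {
    r"C:\Users\alice\Documents\budget.xlsx",
    r"c:\projects\app\src\main.java",  # assumed: backup tool lower-cases paths
    r"D:\VMs\lab\disk1.vmdk",
}


def category_of(path: str):
    """Return the targeted category for a path, or None if the type is not targeted."""
    _, ext = ntpath.splitext(path)
    return EXT_TO_CATEGORY.get(ext.lower())


def normalise_path(path: str) -> str:
    """Windows paths are case-insensitive; compare them in one canonical form."""
    return path.replace("/", "\\").lower()


def unbacked_targeted_files(inventory, manifest):
    """Group targeted-type files that have no backup copy, keyed by category."""
    backed_up = {normalise_path(p) for p in manifest}
    gaps = defaultdict(list)
    for path in inventory:
        cat = category_of(path)
        if cat is None:
            continue  # not a type WannaCry encrypts; lower restore priority
        if normalise_path(path) not in backed_up:
            gaps[cat].append(path)
    return dict(gaps)


if __name__ == "__main__":
    for cat, paths in sorted(unbacked_targeted_files(HOST_INVENTORY, BACKUP_MANIFEST).items()):
        print(f"[{cat}] {len(paths)} targeted file(s) without a backup copy:")
        for p in paths:
            print("   ", p)
```

Anything the script lists in the keys_certs or database categories deserves attention first: certificates and databases are the files whose loss stops services, and they are exactly the types the ransomware goes after.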

Kill Switch

On Friday May 12, 2017, a security researcher using the Twitter handle @MalwareTechBlog was analysing the code of the virus. During the reverse engineering process, they found a code block that would only execute if a certain domain (http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/) did not respond to a network request. After 'sinkholing' (buying the domain and redirecting it to a server that absorbs all incoming traffic) the discovered domain, at the time unaware of the importance of the action, they managed to disable the entire spreading routine of the malware, effectively activating a 'kill switch' in the software which slowed its spread significantly.

The creators of the malware presumably wrote this kill switch in the application to make sure they themselves could still stop it once it got out of hand, not counting on the fact that someone might find it. @MalwareTechBlog has been working closely together with authorities to mitigate as much damage of the malware as possible. We highly recommend reading more about it in their blogpost: 'How to Accidentally Stop a Global Cyber attacks' (sic.).
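The kill switch has a defensive side effect the paragraphs above do not spell out: every infected machine tries to resolve that domain before deciding what to do, so a DNS query for it is a reliable indicator that the malware ran on that host, whether or not the sinkhole answered. The script below is an added example (not code from the original article or from @MalwareTechBlog) that scans resolver logs for lookups of the domain named above and reports which clients made them. The log lines are constructed in a dnsmasq-style format; the regular expression is an assumption and should be adapted to whatever your resolver actually emits.

```python
"""Flag hosts whose DNS queries name the WannaCry kill-switch domain.

Added example, not from the original article. The log lines are constructed
in a dnsmasq-style "query[TYPE] <name> from <client>" format (assumed);
adjust QUERY_RE for your own resolver's log format.
"""
import re
from collections import defaultdict

# Domain from the article. An infected host resolves it before deciding whether
# to run its spreading routine, so any lookup means the binary executed there.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = """\
May 12 13:02:11 dnsmasq[812]: query[A] www.example.org from 10.0.4.17
May 12 13:02:14 dnsmasq[812]: query[A] www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com from 10.0.4.23
May 12 13:02:14 dnsmasq[812]: query[A] WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. from 10.0.4.23
May 12 13:02:20 dnsmasq[812]: query[AAAA] update.example.net from 10.0.4.17
May 12 13:03:01 dnsmasq[812]: query[A] www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com from 10.0.4.88
"""

QUERY_RE = re.compile(
    r"query\[(?P<rtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; canonicalise both."""
    return name.rstrip(".").lower()


def find_kill_switch_lookups(log_text: str, domain: str = KILL_SWITCH_DOMAIN):
    """Return {client_ip: lookup_count} for every client that queried the domain."""
    target = normalise(domain)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m is None:
            continue  # not a query line (or a different log format)
        if normalise(m.group("name")) == target:
            hits[m.group("client")] += 1
    return dict(hits)


def report(log_text: str) -> str:
    """Human-readable summary for the incident channel."""
    hits = find_kill_switch_lookups(log_text)
    if not hits:
        return "no kill-switch lookups found"
    lines = ["hosts that resolved the kill-switch domain (isolate and image before remediation):"]
    for client, count in sorted(hits.items()):
        lines.append(f"  {client}: {count} lookup(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Two points matter in practice. First, the match is done on the canonicalised name, because a resolver may log the query with a trailing dot or in whatever case the client sent it. Second, a hit after the sinkhole went live means the malware was stopped before spreading, not that the host is clean: the sample still executed there, so the machine belongs in the same isolate-and-restore workflow as hosts whose files were encrypted.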

Ethical Issues

An outbreak at this scale is unprecedented in the history of ransomware attacks. As can be seen on this map published by Kaspersky Labs, the infection ran rampant in most major world powers.

Articles by Reuters and Politico state that this incident refuels the debate over whether the NSA is obligated to responsibly disclose these unknown vulnerabilities, also known as 0-days, to the respective software maintainers. In this case, a disaster could possibly have been averted if Microsoft had been informed about the exploit much earlier on. One could argue that the security agencies hold the responsibility to report found software vulnerabilities immediately instead of keeping them for their own purposes; otherwise they could (or should) be held responsible when these 0-days get exploited by potentially malicious groups.

If anything, this incident is a much-needed wake-up call to organisations around the world that software security is not something to be taken lightly, and a good reminder of the importance of responsible disclosure.

Future concerns

Concerning as this attack was, it may not even have been the last we've seen of it. Sources are already confirming a WCry v.2 circulating without a kill switch, and many other strains might still arise in the future. It is somewhat saddening that in a time like today, we are still being tormented by threats that could easily be avoided if the necessary precautions had been taken. We can never stress this enough: if you find a vulnerability, responsibly disclose it to the software maintainer; and last but not least, make sure your software is ALWAYS up-to-date with the latest security patches.

WannaCry and Lazarus: The Missing Link (UPDATE 16/05/2017, 09:50)

A recent blogpost at Kaspersky Labs indicates a possible connection between Win32/WCry and the Lazarus Group. This group is known to be responsible for the Bangladesh bank heist, the Sony Wiper attack and the DarkSeoul Operation. Although this link is not yet backed by substantial evidence, it could prove useful for future investigations into who is responsible for the spread of the ransomware.
