May 16, 2017

The Rapid Spread of WannaCry Ransomware

On Friday May 12, 2017, several countries reported that their critical infrastructure had been hit – and in certain cases badly affected – by a new strain of ransomware. As of May 16, 2017, there are still about 50 newly infected entities (unique IPs) per minute, with a total of around 370,000 unique IPs worldwide [1].

This malware, called WannaCry, WannaCrypt or Wcry 2.0, was novel: not only did it embed a ransomware payload to hold the victims’ files hostage, but it also had a worm component, so it could spread from system to system at an alarming rate by exploiting CVE-2017-0144, a Windows SMB remote code execution vulnerability.

[Wana Decrypt0r screenshot]

The unusual number of languages – more than 25 – in which the malware displayed its message indicates that the hackers planned to reach as many machines as possible.

Buried in the code is a kill switch: it seems the attackers assumed that the outbreak could get out of hand, so they built in a way to stop the propagation of the malware. This is done by attempting to resolve an improbable domain name; if the resolution succeeds, the malware does not attempt to replicate to other systems. The ransomware function, however, remains active and the user’s files are still encrypted.

Technical analysis

Like many other ransomware families, the initial WannaCry attack is delivered through a zip file attached to an email [2]. The unsuspecting user opens the archive and runs the file within, which executes the initial stage of the infection.

This initial dropper [H1] establishes a connection to the TOR network to retrieve a few files, including a second executable [H2], which is the real malware. Alongside this executable is a password-protected zip file (password: WNcry@2ol7) and an encrypted DLL.

The very first step is to attempt to resolve [D1] ([D2] has been observed too). If a response is received, the malware does not attempt to spread and jumps directly to the encryption phase.

To spread to other systems, it gets the IP address associated with each interface and attempts to connect to neighbors. Upon success, it uses an exploit, called either ETERNALBLUE or DOUBLEPULSAR, against vulnerability CVE-2017-0144 to replicate to the vulnerable system.

To avoid infecting an already infected system, a mutex (Global\\MsWinZonesCacheCounterMutexW) is created. If this mutex is already present, the malware exits immediately. Otherwise, it installs some TOR components from [D3] to fetch its additional pieces, and the process restarts.

After the propagation phase, the malware encrypts all “document”-type files. Once a file is encrypted, the original is overwritten with random content to prevent any direct recovery.

Finally, the splash screen “inviting” the user to pay the ransom is displayed. The malware also installs itself in the startup items.

Detection

Monitoring outbound DNS requests for [D1] or [D2] provides a way to detect a system in the early stages of compromise. Additionally, the malware resolves a number of “.onion” names to fetch its files, which can also tip off defenders to the presence of an infected host within the network.

Lastly, upon propagation, [D3] is accessed to download the TOR tools; this can also help identify compromised systems, by looking either at the DNS requests or at the certificates returned by the servers.
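The DNS-based detection described above, as an added example (not code from the original post or from LIFARS): it scans resolver log lines for the kill-switch names [D1]/[D2], for the TOR distribution host [D3], and for any “.onion” lookup, and groups the hits per client so an analyst sees which internal hosts tripped which indicator. The log format (`<timestamp> <client-ip> query <qname>`) and the sample lines are constructed for the example; adapt `LINE_RE` to your resolver’s real format.

```python
import re


def refang(name):
    """Turn a defanged indicator such as example[.]com into a comparable hostname."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


# Kill-switch names [D1]/[D2] and the TOR distribution host [D3] from the write-up.
KILL_SWITCH_DOMAINS = {
    refang("www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com"),
    refang("www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com"),
}
TOR_DIST_HOST = refang("dist.torproject[.]org")

# What each indicator tells the responder, per the infection stages in the write-up.
INDICATOR_MEANING = {
    "killswitch-lookup": "early stage: dropper checking the kill switch before spreading",
    "onion-lookup": "malware retrieving its components over TOR",
    "tor-dist-download": "propagation phase: TOR tools fetched from [D3]",
}

# Constructed sample log (not real traffic) in a simplified
# "<timestamp> <client-ip> query <qname>" format.
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.4.17 query www.example.com
2017-05-12T10:01:05Z 10.0.4.23 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:09Z 10.0.4.23 query dist.torproject.org
2017-05-12T10:01:11Z 10.0.4.23 query placeholderonionaddress.onion
2017-05-12T10:01:15Z 10.0.7.8 query mail.example.com
"""

# Assumed log layout; replace with a pattern matching your resolver's output.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s*$")


def classify_query(qname):
    """Return the indicator name a queried hostname matches, or None if it is benign."""
    q = refang(qname)
    if q in KILL_SWITCH_DOMAINS:
        return "killswitch-lookup"
    if q == TOR_DIST_HOST or q.endswith("." + TOR_DIST_HOST):
        return "tor-dist-download"
    if q.endswith(".onion"):
        return "onion-lookup"
    return None


def scan_dns_log(text):
    """Parse log lines and return one alert dict per line that matches an indicator."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production parser should count these
        indicator = classify_query(m["qname"])
        if indicator:
            alerts.append({
                "line": lineno,
                "ts": m["ts"],
                "client": m["client"],
                "qname": m["qname"],
                "indicator": indicator,
            })
    return alerts


def suspect_hosts(alerts):
    """Group alerts by client IP: {client: set(indicator names)}."""
    hosts = {}
    for a in alerts:
        hosts.setdefault(a["client"], set()).add(a["indicator"])
    return hosts


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for a in found:
        print(f"line {a['line']} {a['ts']} {a['client']} -> {a['qname']}: "
              f"{a['indicator']} ({INDICATOR_MEANING[a['indicator']]})")
    for client, indicators in suspect_hosts(found).items():
        print(f"investigate {client}: {sorted(indicators)}")
```

A kill-switch lookup is worth an alert even when the name resolves: a successful resolution only stops the worm component, so the host that issued the query still ran the dropper and its files are still at risk of being encrypted.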

Prevention

The main prevention step is to patch CVE-2017-0144 by applying the relevant update mentioned in [3]. This closes the vulnerability and prevents the malware from spreading from a compromised host to accessible servers.

Given the extent of the issue, Microsoft also released the patches for the (theoretically) deprecated Windows XP, as that OS is still seen in various industries, such as healthcare.

Systems that can’t be patched should be confined to their own network segment, with conservative network filtering applied to limit network sources to only what business operations require.

Remediation

Currently, except for some cases with Windows XP SP1 and SP2, it is not possible to decrypt the files held hostage.

We recommend against paying the ransom, as A) there is no guarantee that the files will be decrypted after you pay the ransom, and B) this may result in monetary transfers to countries under financial embargo. There is also the possibility that these funds are used to sponsor terrorism.

Kill switch

This was meant to keep the outbreak from getting out of hand, but it was too obvious: as soon as the domain was registered by MalwareTech, the spread slowed. It is likely that future versions will either check that the resolution points to a predetermined record, or that the content downloaded from the site matches a certain value.

It is also a safe bet that at some point the authors will include a delay between propagation and encryption to lower the chance of being discovered.


Hashes

[H1] SHA256 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
[H2] SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
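A file-system sweep for the two hashes above, as an added example (not code from the original post or from LIFARS): it hashes every file under a directory tree with SHA256 in chunks, skips files it cannot read instead of aborting, and reports any file whose digest matches [H1] or [H2]. The demo directory it builds contains only constructed benign files, so running it stand-alone reports no hits; point `sweep()` at a real share or endpoint image to use it as an IoC check.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 indicators [H1] and [H2] from the write-up, mapped to a short label.
WANNACRY_SHA256 = {
    "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c": "[H1] initial dropper",
    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa": "[H2] second-stage executable",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def match_digest(digest):
    """Return the indicator label for a known-bad digest (case-insensitive), or None."""
    return WANNACRY_SHA256.get(digest.strip().lower())


def sweep(root):
    """Walk a directory tree and return (path, digest, label) for every file whose
    SHA256 is a known indicator. Unreadable files are skipped, not fatal."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # permission denied, vanished file, special file, ...
            label = match_digest(digest)
            if label:
                hits.append((path, digest, label))
    return hits


def make_demo_dir():
    """Build a constructed, benign temp tree for a stand-alone run (no malware samples)."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-demo-")
    empty = os.path.join(root, "empty.bin")
    Path(empty).write_bytes(b"")
    text = os.path.join(root, "notes.txt")
    Path(text).write_text("harmless sample text\n")
    return {"root": root, "empty": empty, "text": text}


if __name__ == "__main__":
    demo = make_demo_dir()
    hits = sweep(demo["root"])
    for path, digest, label in hits:
        print(f"HIT {label}: {path} ({digest})")
    if not hits:
        print(f"no WannaCry indicators found under {demo['root']}")
```

Hash matching only catches the exact binaries listed; a repacked or trivially modified build produces a different digest, so treat a clean sweep as one signal alongside the DNS indicators, not as proof of absence.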

Domains

[D1] www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
[D2] www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
[D3] dist.torproject[.]org


About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
