
WannaCry Ransomware Explained

Summary:

WannaCry is a ransomware worm that exploits an SMBv1 vulnerability (CVE-2017-0144). It caused a worldwide cyberattack by encrypting data on computers running Microsoft Windows and demanding ransom payments in Bitcoin. In May 2017, WannaCry made headlines when it infected the National Health Service (NHS) and other organizations across the globe, including government institutions in China, Russia, the United States, and most of Europe. The WannaCry worm has been called a “study in preventable catastrophes” because Microsoft had issued a patch two months before the outbreak in 2017. Because hundreds of thousands of systems were not updated in time, many of them remain vulnerable today.

WannaCry is effective against computers running Microsoft Windows that lack the MS17-010 security patch. It exploits the vulnerability using EternalBlue, an exploit developed by the NSA as a means of enabling surveillance. On systems that have not applied the security update, the vulnerability lets WannaCry code spread quickly from computer to computer. Once the vulnerability has been exploited, the ransomware installs its encryption component remotely on the affected computer. By identifying and using the file-sharing connections of that computer, WannaCry can infect additional computers within the same network. After encrypting files, WannaCry demands a ransom in Bitcoin ($300-$600 per affected computer). In April 2017, a group called The Shadow Brokers allegedly leaked the EternalBlue and DoublePulsar exploits that WannaCry later used; DoublePulsar is a “backdoor” that lets attackers gain further access to infected systems.

How does it work?

WannaCry has several components. The primary delivery program contains other programs, including the encryption and decryption DLLs. Once running, WannaCry searches for dozens of specific file types, including Microsoft Office documents, pictures, videos, and audio files, and encrypts them with a key that must be delivered externally before the files can be decrypted.

WannaCry spreads over the SMBv1 protocol on TCP port 445, which is also the channel connecting the two lab networks. The REMnux machine captures all network traffic with Wireshark and acts as the DNS and HTTP server for the infected host, with the FakeDNS and HTTP Daemon utilities providing those services. The WannaCry sample was executed on a Windows 7 SP1 machine with the IP address 192.168.180.130, and the system-level actions it performed were observed and recorded with the SysAnalyzer tool.

SysAnalyzer lets an analyst inspect system attributes (running processes, open ports, loaded DLLs, registry key changes, runtime file modifications, scheduled tasks, mutexes, and network connections) before, during, and after malware execution. It can also scan memory dumps for specific regular expressions. SysAnalyzer was configured with a 120-second delay between system snapshots before the WannaCry sample was executed, so that every change in the system attributes could be inspected.

WannaCry Ransomware IOCs

WannaCry IOCs

|           | Worm component                                                  | Encryption component                                             |
|-----------|-----------------------------------------------------------------|------------------------------------------------------------------|
| MD5       | db349b97c37d22f5ea1d1841e3c89eb4                                | 84c82835a5d21bbcf75a61706d8ab549                                 |
| SHA1      | e889544a85af8b0d0da705105dee7c97fe26                            | 5465afaabcbf0150d1a3ab2c2e74f3a4426467                           |
| SHA256    | 24d004a104d4d54034dbcc2a4b19a11f39008a575aa614ea04703480b1022c  | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa |
| File type | PE32 executable (GUI) Intel 80386, for MS Windows               | PE32 executable (GUI) Intel 80386, for MS Windows                |
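
The following is an added example, not NetSecurity's code, showing how the hash IOCs in the table above can be used to sweep a file system. The MD5 and SHA256 values are copied from the table; because the page prints the worm component's SHA256 truncated, only the full-length digests are included. The comparison logic and the sample inputs used for checking it are constructed for this example.

```python
"""Sweep files for the WannaCry hash IOCs listed on this page.

Added example (not NetSecurity's code). The IOC values are copied from the
page's table; everything else here is constructed for illustration.
"""
import hashlib
import os
import sys

# Hash IOCs as printed on the page. The worm component's SHA256 is printed
# truncated on the page, so only full-length digests are listed here.
WANNACRY_IOCS = {
    "md5": {
        "db349b97c37d22f5ea1d1841e3c89eb4": "worm component",
        "84c82835a5d21bbcf75a61706d8ab549": "encryption component",
    },
    "sha256": {
        "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa": "encryption component",
    },
}


def hash_bytes(data: bytes) -> dict:
    """Return lowercase MD5, SHA1 and SHA256 digests for a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file incrementally so large files need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_iocs(digests: dict, iocs: dict = WANNACRY_IOCS) -> list:
    """Return (algorithm, label) pairs for every IOC the digests hit.

    Comparison is case-insensitive so pasted uppercase hashes still match.
    """
    hits = []
    for algo, table in iocs.items():
        value = digests.get(algo, "").lower()
        if value in table:
            hits.append((algo, table[value]))
    return hits


def scan_tree(root: str, iocs: dict = WANNACRY_IOCS) -> list:
    """Walk a directory and return (path, hits) for files matching any IOC."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hits = match_iocs(hash_file(path), iocs)
            except OSError:
                continue  # unreadable or locked file: skip, do not abort the sweep
            if hits:
                findings.append((path, hits))
    return findings


if __name__ == "__main__":
    # Usage: python sweep.py <directory>   (defaults to the current directory)
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, hits)
```

The IOC dictionary is keyed by algorithm so that a feed supplying only SHA256 values, or only MD5 values, can be dropped in without changing the matching code; MD5 is kept because that is what older IOC lists such as this one publish, not because it is collision-resistant.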

Worm component DLLs

| Library      | Imports | Description                       |
|--------------|---------|-----------------------------------|
| ws2_32.dll   | 13      | Windows Socket 2.0 32-bit DLL     |
| iphlpapi.dll | 2       | IP Helper API                     |
| wininet.dll  | 3       | Internet Extensions for Win32     |
| kernel32.dll | 32      | Windows NT Base API Client DLL    |
| advapi32.dll | 11      | Advanced Windows 32 Base API      |
| msvcp60.dll  | 2       | Windows NT C++ Runtime Library DLL|
| msvcrt.dll   | 28      | Windows NT CRT DLL                |

Encryption component DLLs

| Library      | Imports | Description                               |
|--------------|---------|-------------------------------------------|
| kernel32.dll | 54      | Windows NT Base API Client DLL            |
| advapi32.dll | 10      | Advanced Windows 32 Base API              |
| user32.dll   | 1       | Multi-User Windows User API Client DLL    |
| msvcrt.dll   | 49      | Windows NT CRT DLL                        |

The worm component imports iphlpapi.dll to retrieve the infected computer’s network configuration. The encryption component mainly imports kernel32.dll and msvcrt.dll, which suggests that the main encryption functionality is built on these two libraries. To confirm this, the functions imported from the libraries were examined; the most suspicious functions identified among them are shown in the table below:

Encryption component functions

| Function                      | Location | Function            | Location |
|-------------------------------|----------|---------------------|----------|
| GetCurrentThread              | 0xa53a   | GetComputerNameW    | 0xd8b2   |
| GetStartupInfoA               | 0xa97a   | CreateServiceA      | 0xdc2a   |
| StartServiceCtrDispatcherA    | 0xa6f6   | OpenServiceA        | 0xdc62   |
| RegisterServiceCtrDispatcherA | 0xa6d8   | StartServiceA       | 0xdc52   |
| CreateServiceA                | 0xa688   | CryptReleaseContext | 0xdc14   |
| StartServiceA                 | 0xa662   | RegCreateKeyW       | 0xdc04   |
| CryptGenRandom                | 0xa650   | fopen               | 0xdcd4   |
| CryptAcquireContextA          | 0xa638   | fread               | 0xdccc   |
| OpenServiceA                  | 0xa714   | fwrite              | 0xdcc2   |
| GetAdaptersInfo               | 0xa792   | fclose              | 0xdcb8   |
| InternetOpenUrlA              | 0xa7c8   | CreateFileA         | 0xd922   |
|                               |          | OpenMutexA          | 0xda84   |
|                               |          | ReadFile            | 0xd964   |

WannaCry uses Microsoft’s cryptographic (CryptoAPI), file-management, and C-runtime file APIs. The random symmetric and asymmetric cryptographic keys are generated and managed through the CryptoAPI library.

Initial interaction: Using the InternetOpenUrlA function, the worm component attempts to connect to a hard-coded domain on start-up.

That domain is the kill switch: if the domain is active and the connection succeeds, the worm component does not run. When building defenses, lookups of the kill-switch domain can therefore be used as a detection signal.
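
As an added example (not from the page's authors), the detection logic below applies two network-side signals to log lines: a DNS query for the kill-switch domain, and one host opening TCP/445 connections to many distinct peers in a short window. The second signal is included because later variants mentioned further down the page carry no kill switch, so a lookup-based rule alone would miss them. The page does not print the kill-switch domain, so a placeholder is used; the log format and the sample lines are constructed for this example.

```python
"""Detect WannaCry network behaviour in DNS and flow logs.

Added example, not NetSecurity's code. Signals:
  1. a DNS query for the kill-switch domain (placeholder; the page does not
     print the real domain);
  2. one source opening TCP/445 (SMBv1) connections to many distinct peers in
     a short window, which also covers variants without a kill switch.
The line format and the sample log are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder only: replace with the kill-switch domain from your threat intel.
KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}

# Constructed log lines, one event per line:
#   "<ISO time> <client IP> DNS <queried name>"
#   "<ISO time> <source IP> FLOW <destination IP> <destination port>"
SAMPLE_LOG = """\
2017-05-12T10:03:11Z 192.168.180.130 DNS killswitch-domain.example
2017-05-12T10:03:12Z 192.168.180.130 FLOW 192.168.180.10 445
2017-05-12T10:03:12Z 192.168.180.130 FLOW 192.168.180.11 445
2017-05-12T10:03:13Z 192.168.180.130 FLOW 192.168.180.12 445
2017-05-12T10:03:13Z 192.168.180.130 FLOW 192.168.180.13 445
2017-05-12T10:03:14Z 192.168.180.130 FLOW 192.168.180.14 445
2017-05-12T10:03:15Z 192.168.180.130 FLOW 192.168.180.15 445
2017-05-12T10:03:20Z 192.168.180.50 DNS update.example.org
2017-05-12T10:03:21Z 192.168.180.50 FLOW 192.168.180.2 445
"""


def parse_line(line):
    """Parse one constructed log line into an event dict (None if unknown)."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    if parts[2] == "DNS":
        return {"ts": ts, "src": parts[1], "kind": "DNS",
                "qname": parts[3].lower().rstrip(".")}
    if parts[2] == "FLOW" and len(parts) >= 5:
        return {"ts": ts, "src": parts[1], "kind": "FLOW",
                "dst": parts[3], "dport": int(parts[4])}
    return None


def find_kill_switch_lookups(lines, domains=KILL_SWITCH_DOMAINS):
    """Return (timestamp, client) for every DNS query of a kill-switch domain."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["kind"] == "DNS" and ev["qname"] in domains:
            hits.append((ev["ts"], ev["src"]))
    return hits


def find_smb_fanout(lines, min_peers=5, window=timedelta(seconds=60)):
    """Return {source: peer_count} for sources that reached >= min_peers
    distinct hosts on TCP/445 within `window`.

    A worm sweeping its subnet produces this pattern whether or not the
    sample still honours a kill switch.
    """
    flows_by_src = defaultdict(list)  # src -> [(ts, dst)] for port-445 flows
    for line in lines:
        ev = parse_line(line)
        if ev and ev["kind"] == "FLOW" and ev["dport"] == 445:
            flows_by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = {}
    for src, flows in flows_by_src.items():
        flows.sort()
        for i, (start, _) in enumerate(flows):  # sliding window from each flow
            peers = {dst for ts, dst in flows[i:] if ts - start <= window}
            if len(peers) >= min_peers:
                flagged[src] = len(peers)
                break
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("kill-switch lookups:", find_kill_switch_lookups(lines))
    print("SMB fan-out:", find_smb_fanout(lines))
```

The fan-out threshold (five peers in sixty seconds) is a starting point; tune it against a baseline of legitimate SMB activity such as file servers and backup agents before alerting on it.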

Persistence mechanism: If the worm component cannot connect to the kill-switch domain, it creates a service named mssecsvc2.0 with the display name “Microsoft Security Center (2.0) Service”. Process Hacker shows the service running with PID 4016. The worm then extracts a hard-coded resource named R, which contains the WannaCry encryption component’s binary, and writes it to C:\Windows\tasksche.exe. The executable is run with the command line “C:\Windows\tasksche.exe /i”. Next, the worm attempts to replace the original C:\Windows\tasksche.exe with C:\Windows\qeriuwjhrf. This step handles repeat infections and avoids conflicts with an already running tasksche.exe process.

Lastly, WannaCry creates a Windows registry entry so that it runs every time the computer restarts. The entry name is a string (for example, “midtxzggq900”), a unique identifier derived from the computer name. Once tasksche.exe runs, the infected machine copies the malware into a folder with a randomly generated name. It also attempts to persist by adding itself to AutoRun.
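
The host-side artefacts described in the two paragraphs above (the mssecsvc2.0 service, the tasksche.exe and qeriuwjhrf files, the Run-key entry launching tasksche.exe) can be checked with a short script. The following is an added example, not the page's own tooling: the indicator values come from the page, while the collection helpers, the SMB1 registry check (the LanmanServer\Parameters\SMB1 value, which mitigates the spreading vector when set to 0) and the sample inputs are constructed. `evaluate_host()` is a pure function that runs anywhere; `collect_windows_state()` gathers live state and only runs on Windows.

```python
"""Check a Windows host for the WannaCry persistence artefacts described above.

Added example, not NetSecurity's code. Indicator values are taken from the
page; the collectors, the SMB1 registry check and the sample inputs are
constructed for this example.
"""
import os
import re
import subprocess

SERVICE_NAME = "mssecsvc2.0"
SERVICE_DISPLAY = "Microsoft Security Center (2.0) Service"
DROPPED_FILES = [r"C:\Windows\tasksche.exe", r"C:\Windows\qeriuwjhrf"]
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Registry location of the SMB1 on/off switch for the server service (0 = disabled).
SMB1_KEY = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"


def evaluate_host(services, run_values, existing_files, smb1_value):
    """Return a list of findings from already-collected host state.

    services:       {service_name: display_name}
    run_values:     {value_name: command_line} from the HKLM/HKCU Run keys
    existing_files: iterable of dropped-file paths that exist on disk
    smb1_value:     the SMB1 DWORD, or None if the value is absent
    """
    findings = []
    for name, display in services.items():
        if name.lower() == SERVICE_NAME or display == SERVICE_DISPLAY:
            findings.append(f"service present: {name} ({display})")
    for value, cmd in run_values.items():
        # The page: a Run entry named after the computer launches tasksche.exe
        # from a randomly named folder, so match on the executable, not the path.
        if re.search(r"tasksche\.exe", cmd, re.IGNORECASE):
            findings.append(f"Run entry {value!r} launches tasksche.exe: {cmd}")
    lowered = {p.lower() for p in DROPPED_FILES}
    for path in existing_files:
        if path.lower() in lowered:
            findings.append(f"dropped file present: {path}")
    if smb1_value is None:
        findings.append("SMB1 registry value absent: SMBv1 not explicitly disabled")
    elif smb1_value != 0:
        findings.append(f"SMB1 registry value is {smb1_value}: SMBv1 enabled")
    return findings


def collect_windows_state():
    """Gather the inputs for evaluate_host() on a live Windows machine."""
    import winreg  # Windows-only module, imported here so the rest runs anywhere

    # Services: parse "SERVICE_NAME:" / "DISPLAY_NAME:" pairs from `sc query`.
    services, name = {}, None
    out = subprocess.run(["sc", "query", "type=", "service", "state=", "all"],
                         capture_output=True, text=True).stdout
    for line in out.splitlines():
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("DISPLAY_NAME:") and name:
            services[name] = line.split(":", 1)[1].strip()

    # Run keys for the machine and the current user.
    run_values = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    value, data, _ = winreg.EnumValue(key, i)
                    run_values[value] = str(data)
        except OSError:
            pass

    existing = [p for p in DROPPED_FILES if os.path.exists(p)]

    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SMB1_KEY) as key:
            smb1_value = winreg.QueryValueEx(key, "SMB1")[0]
    except OSError:
        smb1_value = None
    return services, run_values, existing, smb1_value


if __name__ == "__main__":
    for finding in evaluate_host(*collect_windows_state()):
        print(finding)
```

Keeping the evaluation separate from the collection means the same rules can be run over state exported from many hosts (for example, service and Run-key inventories gathered by an EDR agent) without logging on to each machine.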

Impact

WannaCry was active for about four days, but the damage it caused was significant. Systems were infected in over 150 countries, and the attackers received roughly $100,000 in ransom – however, lost productivity and deleted files are estimated to have cost billions. In a May 2017 op-ed in The Washington Post, then-Homeland Security Advisor Tom Bossert stated that the United States, Japan, New Zealand, and Canada had all attributed the attack to the North Korean government, specifically the Lazarus Group.

Although WannaCry has not resurfaced at its original scale, there have been waves of resurgence. In 2018, Boeing experienced a high-profile incident that ultimately caused more panic than damage, but the aircraft manufacturer’s productivity was affected.

There has also been a recent resurgence of WannaCry infections. Several reports indicate that WannaCry was the top ransomware family detected in the Americas in January, with 1,240 detections. In addition, the latest variants used by attackers no longer include a kill-switch URL.

Mitigation

  • Install the latest version of Windows OS and antivirus software.
  • Make regular backups of your files on an external hard drive.
  • Make sure that File History (or System Protection) is enabled. On Windows 10 or Windows 8.1, File History must be turned on and a drive must be configured for it.
  • OneDrive is available to both consumers and businesses for keeping copies of files.
  • Do not click on malicious attachments, spam emails, or phishing emails.
  • Use Microsoft Edge to get SmartScreen protection, which blocks websites known to host exploits and socially engineered attacks such as phishing and malware downloads.
  • Ensure that your Office programs do not load macros.
  • Remote Desktop should be disabled whenever possible.
  • Use strong passwords and two-step authentication.

How to Defend Your Network from Ransomware Attacks?

Cyber security threats and zero-day vulnerabilities are increasing at a tremendous pace, and it is extremely difficult for security analysts and incident responders to investigate and detect them with conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, rootkits, fileless malware, and ransomware attacks. It can also automate incident response actions across millions of endpoints, making response easy, fast, and hassle-free.

Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) platform, and ThreatResponder FORENSICS, the Swiss Army knife for forensic investigators, in action? Request a free demo of NetSecurity’s ThreatResponder platform.


Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. The contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation, misuse, or unauthorized use of this content, “as is” or “modified”, shall be considered illegal and subject to the articles and provisions stipulated in the General Data Protection Regulation (GDPR) and the Personal Data Protection Law (PDPL).