Black Friday: Massive Ransomware Attack Leveraging on Wannacry Hit Systems Worldwide

May 15, 2017 by Pierluigi Paganini

WannaCry ransomware hit Windows computers worldwide

A massive ransomware-based attack made the headlines on Friday, first targeting UK hospitals and Spanish banks before rapidly spreading worldwide. The news was promptly confirmed by the Spanish telco Telefónica, one of the numerous victims of the ransomware attack. The newspaper El Pais also reported the massive attack, while experts at Telefónica confirmed that systems in its intranet had been infected, adding that the situation was under control. The fixed and mobile telephone services provided by Telefónica were not affected by the ransomware-based attack.

The Spanish CERT issued an alert warning the organizations and confirmed that the malware was rapidly spreading.


The ransomware, dubbed WannaCry (aka Wcry, WanaCrypt, WannaCrypt), targeted many other companies in Spain and across the world, including Vodafone, FedEx, and other critical infrastructure.

El Reg reported that 6 NHS health trusts in the UK were taken out by the malware. According to Prime Minister Theresa May, the ransomware "has crippled" UK hospitals; the Government representative also confirmed that the situation was being monitored by the intelligence agency GCHQ.

The NHS faced serious problems due to the antiquated nature of its IT infrastructure, which still includes a large number of systems running Windows XP.

"Computers were locked in Aintree, Blackpool, Broomfield Hospital in Essex, Colchester General Hospital, all hospital systems in Derbyshire, Great Yarmouth, East and North Hertfordshire, James Paget Hospital in Norfolk, Lanarkshire, and Leicester," reported El Reg.

Figure 1 - A computer infected by the WannaCry ransomware

Experts from the security firm Avast detected more than 75,000 attacks in 99 countries; most of the infections were observed in Russia, Ukraine, and Taiwan.

A real-time map of the infections is available at the following address:

https://intel.malwaretech.com/botnet/wcrypt/?t=5m&bid=all

Figure 2 - Real Time Infections Map

Source: Ars Technica

A Ransomware that leverages the NSA EternalBlue and DoublePulsar exploits

The WannaCry ransomware leverages the two NSA exploits EternalBlue and DoublePulsar to infect computers and propagate the threat to any other Windows system connected to the same network.

Researchers from Kaspersky Lab have confirmed that the WannaCry attack is initiated through an SMBv2 remote code execution in Microsoft Windows.

"It is important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the "EternalBlue" exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn't really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak," reported the analysis from Kaspersky.

Experts highlighted the network worm capabilities that allow the malicious code to spread rapidly.

"The special criticality of this campaign is caused by exploiting the vulnerability described in bulletin MS17-010 using EternalBlue DoublePulsar, which can infect other connected Windows systems on the same network that are not properly updated. Infection of a single computer can end up compromising the entire corporate network." states the security alert issued by the Spanish CERT.

"The ransomware, a variant of WannaCry, infects the machine by encrypting all its files and, using the vulnerability mentioned in the previous paragraph that allows the execution of remote commands through Samba (SMB), is distributed to other Windows machines in that same network."

The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system; it is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that can trigger remote code execution in older versions of Windows (Windows XP to Server 2008 R2).

The WannaCry ransomware spreads via SMB; it encrypts the files on the infected machines and demands $300 or $600 in Bitcoin to restore them.

The ransomware can encrypt a wide variety of documents on the infected machine, also attacks documents stored on any attached storage, and snatches any keys for remote desktop access. The malware deletes volume snapshots and disables system repair tools to make file recovery impossible.

Experts observed that the malware determines the victim's language in order to display the ransom demand in the correct language.

Security experts at the Cisco Talos team have published a detailed analysis of the WannaCry ransomware.

Below is the complete infection process described in the analysis published by the experts at the Talos team:

"An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked. Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet. When the malware successfully connects to a machine, a connection is initiated, and data is transferred. We believe this network traffic is an exploit payload. It has been widely reported this is exploiting recently disclosed vulnerabilities addressed by Microsoft in bulletin MS17-010. We currently don't have a complete understanding of the SMB traffic, and exactly what conditions need to be present for it to spread using this method." states the analysis.

"The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as 'C:/', 'D:/' etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory 'Tor/' into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe."

Researchers who want to analyze the WannaCry ransomware can find samples at the following GitHub gist:

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

The page also includes useful information such as the addresses of the Bitcoin wallets used by the malware.

The ransomware directs victims to a page displaying a QR code at btcfrog, which links to the attackers' main Bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.

Figure 3 - Payment Page displays QR code

Below are the key findings on the threat:

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses EternalBlue (MS17-010) to propagate.
  • Ransom: between $300 and $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: Malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: Malwarebytes). This domain has been sinkholed, stopping the spread of the worm.

A decrypted sample of the WannaCry ransomware is available here:

https://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE

The Kill Switch

A few hours after the massive attacks, security experts started analyzing the malicious code by reverse engineering the samples of the malware available in the wild. The good news emerging from the first investigation is that malware researchers discovered a kill switch in the ransomware code: a condition that halts the execution of the code when matched.

Figure 4 - Kevin Beaumont Tweet about the kill switch

The UK researchers at MalwareTechBlog registered the domain after reverse engineering the code.

The kill switch domain is iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; the domain was sinkholed by law enforcement to a server in California, and the admins of the infected systems reaching out to the dot-com will be notified, we are told.

Figure 5 - Kill Switch domain

Below is the message displayed when a machine tries to connect to it:

"IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon," said the researcher. The InfoSec body admitted they registered the domain first, then realized it was a kill switch. Still, job done.
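The kill switch described above (the sample exits only if the domain is reachable) turns every lookup of that domain into an indicator: the query itself proves the dropper ran on the client, and the resolver's answer tells a responder whether the check succeeded (sinkhole reached, execution halted) or failed (NXDOMAIN or SERVFAIL, so encryption and spreading most likely proceeded). The triage below is an added example, not code from the article, MalwareTech or Talos; it assumes a resolver log format of its own and runs over a constructed sample.

```python
"""Triage DNS queries for the WannaCry kill-switch domain.

Added example (not code from the article or from MalwareTech). It assumes a
resolver query log with one line per query/response:
    <ISO-8601 timestamp> <client_ip> <query_name> <response_code>
"""
from datetime import datetime

# Domain from the article's key findings.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log (timestamps illustrative): 10.0.5.23 queried before
# the domain was sinkholed (NXDOMAIN), 10.0.5.77 after (NOERROR), and
# 10.0.5.91 got no usable answer at all (SERVFAIL).
SAMPLE_DNS_LOG = """\
2017-05-12T09:58:10 10.0.5.23 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T09:58:11 10.0.5.23 WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NXDOMAIN
2017-05-12T10:00:00 10.0.5.40 updates.example.com NOERROR
2017-05-12T16:20:05 10.0.5.77 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-12T16:21:30 10.0.5.91 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com SERVFAIL
"""


def normalize(qname):
    """Lower-case and strip the trailing dot so FQDN spellings compare equal."""
    return qname.lower().rstrip(".")


def parse_dns_log(text):
    """Parse log lines into (timestamp, client, normalized qname, rcode)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, normalize(qname), rcode.upper()))
    return records


def triage_kill_switch(records, domain=KILL_SWITCH_DOMAIN):
    """Return one row per client that looked up the kill-switch domain as
    (client, verdict, first_seen, query_count), most urgent first.

    Any query at all means the dropper ran on that host. A NOERROR answer
    means the sample could reach the (sinkholed) domain and, per the kill
    switch behaviour, exited: 'halted'. Any failed lookup (NXDOMAIN, SERVFAIL,
    or a timeout logged as such) means the check failed for that run and the
    payload most likely proceeded: 'detonated'. A host with both outcomes is
    classed 'detonated', since at least one run got past the check.
    """
    target = normalize(domain)
    per_client = {}
    for ts, client, qname, rcode in records:
        if qname != target:
            continue
        entry = per_client.setdefault(client, {"first_seen": ts, "count": 0, "failed": False})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["count"] += 1
        if rcode != "NOERROR":
            entry["failed"] = True

    rows = [
        (client, "detonated" if e["failed"] else "halted", e["first_seen"], e["count"])
        for client, e in per_client.items()
    ]
    # Hosts where the kill switch did not fire come first, oldest first.
    rows.sort(key=lambda r: (r[1] != "detonated", r[2]))
    return rows


if __name__ == "__main__":
    for client, verdict, first_seen, count in triage_kill_switch(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{client}: {verdict} (first query {first_seen.isoformat()}, {count} queries)")
```

The classification also explains why blocking the kill switch domain on a DNS filter or proxy is counterproductive: the sample treats any failed check exactly like an unregistered domain, so a host that cannot resolve or reach it behaves as if the sinkhole did not exist. The right control is to let the lookup succeed and alert on it.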

Experts from the Cisco Talos group made an interesting analysis of the WannaCry ransomware.

"WannaCry does not appear to only be leveraging the ETERNALBLUE modules associated with this attack framework; it is simply scanning accessible servers for the presence of the DOUBLEPULSAR backdoor. In cases where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality available and uses it to infect the system with WannaCry." reads the analysis from Talos. "In cases where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet."

Microsoft has published a security advisory for the threat and an emergency patch for Windows XP.

The IT giant released emergency security patches for Windows Server 2003 (SP2 x64 / x86); Windows XP (SP2 x64, SP3 x86); Windows XP Embedded (SP3, x86); as well as the 32-bit and 64-bit versions of Windows 8.

Conclusions

The following aspects of the massive ransomware attack must be carefully considered:

  • This attack demonstrates the risks related to the militarization of cyberspace. Malware, exploit code and hacking tools developed by intelligence agencies and governments can be very dangerous once out of their control.
  • The success of the malware is due to the poor security posture of the victims, who had no awareness of the threat and did not apply the security patches released by Microsoft.
  • Modern critical infrastructure is not resilient to cyber-attacks.

References

http://securityaffairs.co/wordpress/59072/cyber-crime/wannacry-ransomware-kill-switch.html

http://securityaffairs.co/wordpress/59057/cyber-crime/massive-attack-wannacry-ransomware.html

http://tecnologia.elpais.com/tecnologia/2017/05/12/actualidad/1494585889_857386.html

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/Wannacrypt.A!rsm

https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today?ref=cj&utm_medium=affiliate&utm_source=commissionjunction


https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/

Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field; he is a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of "The Hacker News" team and writes for some major publications in the field, such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.