WannaCry Ransomware: All you need to know (updated)

What is WannaCry?

On 12 May 2017, over 200,000 attacks in at least 99 countries around the world have been reported in a large-scale ransomware campaign known as “WannaCry”.
The highest number of infections has been recorded in Russia, but the attack has also significantly impacted organizations in other countries, particularly the UK, where the National Health Service (NHS) declared the event a “major incident” after patient records, schedules, internal phone lines and email were rendered inaccessible. In parallel, a European public transport system, a Saudi-based telecom operator and a major European automobile manufacturer have all taken the hit. WannaCry uses the NSA EternalBlue exploit to infect other connected Windows systems on the same network.
This ransomware demands approximately 0.2-0.5 Bitcoin per infected device to recover the files. Like its predecessors it features a countdown and threatens to double the ransom after three days and delete the files after seven days. A real-time map of the infection can be found here: https://intel.malwaretech.com/botnet/wcrypt/?t=5m&bid=all

Technical Analysis

WannaCry ransomware has been spreading as a worm over LAN and WAN networks by exploiting an SMBv2 remote code execution (RCE) vulnerability in Microsoft Windows (MS17-010). Microsoft patched the vulnerability on 14 March. The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system; it is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that can trigger an RCE in older versions of Windows (Windows XP to Server 2008 R2).

Below is the complete infection process as described in the analysis published by the experts at the Cisco Talos team:

“An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked. Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet. When the malware successfully connects to a machine, a connection is initiated and data is transferred. We believe this network traffic is an exploit payload. It has been widely reported this is exploiting recently disclosed vulnerabilities addressed by Microsoft in bulletin MS17-010. We currently don’t have a complete understanding of the SMB traffic, and exactly what conditions need to be present for it to spread using this method.” states the analysis.

“The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:/’, ‘D:/’ etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory ‘Tor/’ into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe.”

In layman’s terms (credit)

  • WannaCry does not use any sophisticated delivery method. It first arrives as a password-protected zip file with a document inside.
  • Once the document is opened, it downloads a second stage, an unsigned executable. This executable contains the delivery method for infection, worm replication and exploitation.
  • The malicious software beacons out to the domain hxxp://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com to check whether the website is up; if it is, the malware will not execute. This domain has since been sinkholed and is currently up and running, so you can either use internal DNS to redirect it to a legitimate site to ensure it stays up, or leave it as is since the sinkhole is active. The malware should now exit on this check, as the kill switch is active.

File Extensions used:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

Protection: How to?

  • Ensure that all systems including clients and servers running Microsoft Windows have applied the official patch (MS17-010), which closes the affected SMB server vulnerability.
  • Disable SMB v1.0 for good.
  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
  • Review network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity and consider blocking the IOCs listed on this blog along with blocking the CnCs.
  • Consider restricting connections on ports 445, 139 and 3389 as applicable.
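The checklist above as one runnable script, added here as an example and not part of the original post: it verifies that an MS17-010 update is installed, turns SMBv1 off and blocks inbound 445/139/3389. The KB identifiers and the 'Any' remote-address scope are assumptions you must adjust for your own estate.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Audits and hardens one Windows host
# against the SMB vector described above. The KB list is an assumption: complete
# it from the MS17-010 bulletin for the OS builds in your estate.

# 1. Is an MS17-010 update installed? HotFixID values differ per OS build.
$ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598', 'KB4013429')
$present = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($present) {
    Write-Output "MS17-010 update present: $($present.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 update found: patch before doing anything else.'
}

# 2. SMBv1 server state. The registry value is honoured on Windows 7 / 2008 R2,
#    where Set-SmbServerConfiguration does not exist; newer builds get both.
#    An absent value means "enabled" on these older builds, so treat it as such.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($null -eq $smb1 -or $smb1 -ne 0) {
    Write-Warning 'SMBv1 server is enabled; disabling it (reboot required).'
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
} else {
    Write-Output 'SMBv1 server already disabled.'
}

# 3. Block inbound TCP 445/139/3389. Block rules win over allow rules in Windows
#    Firewall, so on hosts that must still serve SMB or RDP, narrow -RemoteAddress
#    to the ranges you want denied instead of 'Any'.
$deniedFrom = 'Any'
foreach ($port in 445, 139, 3389) {
    $name = "WannaCry-Block-Inbound-TCP-$port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -RemoteAddress $deniedFrom -Action Block | Out-Null
        Write-Output "Firewall rule created: $name"
    }
}
```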

Known & confirmed CnCs (C2 onion/Tor domains)


Other known C2 domains:


Other known CnCs:


Email senders source IP:


Malicious Email sender address:

  • alertatnb@serviciobancomer.com

Registry key:

  • HKEY_LOCAL_MACHINE\Software\WanaCrypt0r


  • C:\Windows\mssecsvc.exe
  • C:\Windows\tasksche.exe


  • cscript.exe //nologo m.vbs

Files created:

  • %TEMP%\m.vbs
  • %TEMP%\b.wrny
  • %TEMP%\c.wrny
  • taskse.exe
  • taskdl.exe
  • @Please_Read_Me@.txt
  • @WanaDecryptor@.exe
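An added example (not from the original post) that turns the indicators listed above into a read-only host triage script; it assumes PowerShell 4 or later on Windows 8/2012 or newer, for Get-FileHash and Resolve-DnsName.

```powershell
# Added example, not from the original post: read-only triage of one Windows host
# for the WannaCry artefacts on this page (registry key, dropped files, service,
# processes) plus a check that the kill-switch domains resolve from this host.
$findings = New-Object System.Collections.Generic.List[string]

# Registry key written by the dropper
if (Test-Path 'HKLM:\Software\WanaCrypt0r') {
    $findings.Add('Registry key HKLM\Software\WanaCrypt0r present')
}

# Dropper binaries and the %TEMP% stage files named on this page
$paths = @('C:\Windows\mssecsvc.exe', 'C:\Windows\tasksche.exe') +
         @('m.vbs', 'b.wrny', 'c.wrny' | ForEach-Object { Join-Path $env:TEMP $_ })
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings.Add("File $p present, SHA256 $h")
    }
}

# Service created on the second execution, and the executables seen running
$svc = Get-Service -Name 'mssecsvc2.0' -ErrorAction SilentlyContinue
if ($svc) { $findings.Add("Service mssecsvc2.0 present, status $($svc.Status)") }
foreach ($proc in 'mssecsvc', 'tasksche', '@WanaDecryptor@', 'taskse', 'taskdl') {
    if (Get-Process -Name $proc -ErrorAction SilentlyContinue) {
        $findings.Add("Process $proc.exe running")
    }
}

# Ransom note / decryptor dropped beside encrypted files under the user profiles
$notes = Get-ChildItem -Path 'C:\Users' -Recurse -Force -ErrorAction SilentlyContinue `
    -Include '@Please_Read_Me@.txt', '@WanaDecryptor@.exe' | Select-Object -First 5
foreach ($n in $notes) { $findings.Add("Ransom artefact $($n.FullName)") }

# The original variant exits when the kill-switch domain answers; confirm this
# host can resolve it. This is no defence against the variant without a kill switch.
foreach ($d in 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
               'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com') {
    $ok = Resolve-DnsName -Name $d -Type A -ErrorAction SilentlyContinue
    if (-not $ok) { $findings.Add("Kill-switch domain $d does NOT resolve from this host") }
}

if ($findings.Count -eq 0) { Write-Output 'No WannaCry artefacts found on this host.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```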

YARA signatures

rule Wanna_Cry_Ransomware_Generic {
    meta:
        description = "Detects WannaCry Ransomware on disk and in virtual page"
        author = "US-CERT Code Analysis Team"
        reference = "not set"
        date = "2017/05/12"
        hash0 = "4DA1F312A214C07143ABEEAFB695D904"
    strings:
        $s0 = {41 00 44 00 4D 00 49 00 4E 00 24}    // "ADMIN$" as UTF-16LE, final null byte omitted
        $s1 = "WannaDecryptor"
        $s2 = "WANNACRY"
        $s3 = "Microsoft Enhanced RSA and AES Cryptographic"
        $s4 = "PKS"
        $s5 = "StartTask"
        $s6 = "wcry@123"
        $s7 = {2F 66 00 00 2F 72}                   // "/f" and "/r" separated by two null bytes
        $s8 = "unzip 0.15 Copyrigh"
    condition:
        $s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8
}

/* The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

rule MS17_010_WanaCry_worm {
    meta:
        description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
        author = "Felipe Molina (@felmoltor)"
        reference = "https://www.exploit-db.com/exploits/41987/"
        date = "2017/05/12"
    strings:
        $ms17010_str1 = "PC NETWORK PROGRAM 1.0"
        $ms17010_str3 = "Windows for Workgroups 3.1a"
        $wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
        $wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
        $wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
    condition:
        all of them
}


Malware Samples (credit)

Latest Update: WannaCry 2.0 with no kill switch discovered

The hackers have released an updated variant with no kill switch functionality.

The kill switch has been readied. The domains are:

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Buckle up because it’s not over yet!
The worrying factor is that we could end up seeing other malware piggybacking off this campaign. The malware can also be spread through other regular exploit vectors, such as spear phishing, drive-by download attacks and malicious torrent downloads.

Two words for you: “Patch” your systems and “disable” SMB v1.

