WannaCry Ransomware: All you need to know (updated)

What is WannaCry?

On 12 May 2017, over 200,000 attacks in at least 99 countries around the world have been reported in a large-scale ransomware campaign known as “WannaCry”.
The highest number of the infections have been recorded in Russia, however, the attack has significantly impacted organizations in other countries, particularly the UK where the National Health Service (NHS) has declared the event as a “major incident” due to the rendering of patient records, schedules, internal phone lines and emails inaccessible; In parallel, a European public transport system, a Saudi based telecom operator, a major European Automobile giant have all taken the hit. WannaCry exploits the NSA EternalBlue exploits to infect other connected Windows systems on the same network
This ransomware demands approximately 0.2-0.5 in Bitcoins per infected device to recover the files. Similar to it’s predecessors it features a countdown and threatens to double the ransom after three days and delete the files after seven days.  A realtime map of the infection can be found here- https://intel.malwaretech.com/botnet/wcrypt/?t=5m&bid=all

Technical Analysis

WannaCry ransomware has been spreading as a worm over LAN and WAN networks by exploiting an SMBv2 remote code execution (RCE) vulnerability in Microsoft Windows (MS17-010). Microsoft patched the vulnerability on 14 March. The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system, it is installed by leveraging the ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that could trigger an RCE in older versions of Windows (Windows XP to Server 2008 R2).

Below the complete infection process described in the analysis published by the experts at the Cisco Talos team:

“An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked. Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet. When the malware successfully connects to a machine, a connection is initiated and data is transferred. We believe this network traffic is an exploit payload. It has been widely reported this is exploiting recently disclosed vulnerabilities addressed by Microsoft in bulletinMS17-010. We currently don’t have a complete understanding of the SMB traffic, and exactly what conditions need to be present for it to spread using this method.” states the analysis.

“The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:/’, ‘D:/’ etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory ‘Tor/’ into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe.”

In layman’s terms (credit)

• WannaCry does not use any heavy sophistication methods for delivery. It first uses a password protected zip file, which has a document inside.
• Once the document is opened, it downloads a second stage which is an unsigned executable. This executable contains the delivery method for infection, worm replication, and exploitation.
• The malicious software beacons out to a domain hxxp://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com to check if the website is up, if it is, it will not execute. This has since been sinkholed and if the website is up, will not actually execute. This means you can either use DNS to redirect to a legitimate site to ensure it stays up, or keep it as is since it’s been sinkholed and is currently up and running now. The malicious software should exit now upon checking as the kill switch is now active.

File Extensions used:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

Protection: How to?

• Ensure that all systems including clients and servers running Microsoft Windows have applied the official patch (MS17-010), which closes the affected SMB server vulnerability.
• Disable SMB v1.0 for good.
• Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
• Review network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity and consider blocking the IOCs listed on this blog along with blocking the CnCs.
• Consider restricting connections on the following ports 445/139/3389 as applicable.

Known & confirmed CnC’s (C2 onion/tor domains)

• gx7ekbenv2riucmf.onion
• 57g7spgrzlojinas.onion
• xxlvbrloxvriy2c5.onion
• 76jdd2ir2embyv47.onion
• cwwnhwhlz52ma.onion
• sqjolphimrr7jqw6.onion

Other known C2 domains:

• 43bwabxrduicndiocpo.net
• dyc5m6xx36kxj.net
• gurj5i6cvyi.net
• bcbnprjwry2.net
• Bqmvdaew.net
• sxdcmua5ae7saa2.net
• rbacrbyq2czpwnl5.net
• ow24dxhmuhwx6uj.net
• fa3e7yyp7slwb2.com
• wwld4ztvwurz4.com
• bqkv73uv72t.com
• xanznp2kq.com
• chy4j2eqieccuk.com
• lkry2vwbd.com
• ju2ymymh4zlsk.com
• Graficagbin.com.br
• sdhjjekfp4k.com

Other known CnCs:

• 81.30.158.223:9001
• 79.172.193.32:443
• 163.172.149.155
• 167.114.35.28
• 176.9.39.218
• 192.42.113.102
• 193.11.114.43
• 199.254.238.52
• 89.40.71.149
• 197.231.221.211:9001
• 128.31.0.39:9191
• 149.202.160.69:9001
• 46.101.166.19:9090
• 91.121.65.179:9001
• 212.47.232.237:9001
• 188.166.23.127
• 193.23.244.244
• 2.3.69.209
• 146.0.32.144
• 50.7.161.218
• 83.169.6.121
• 58.69.92.127
• 86.59.21.38
• 62.138.7.171
• 51.255.203.235
• 51.15.36.164
• 217.79.179.177:9001
• 128.31.0.39:9101
• 213.61.66.116:9003

Email senders source IP:

205.186.153.200
96.127.190.2
184.154.48.172
108.163.228.172
200.58.103.166
216.145.112.183
162.220.58.39
192.237.153.208
75.126.5.21

Hashes

4fef5e34143e646dbf9907c4374276f5
5bef35496fcbdbe841c82f4d1ab8b7c2
775a0631fb8229b2aa3d7621427085ad
7bf2b57f2a205768755c07f238fb32cc
7f7ccaa16fb15eb1c7399d422f8363e8
8495400f199ac77853c53b5a3f278f3e
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
8dd63adb68ef053e044a5a2f46e0d2cd
b0ad5902366f860f85b892867e5b1e87
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
e372d07207b4da75b3434584cd9f3450
f529f4556a5126bba499c26d67892240
638f9235d038a0a001d5ea7f5c5dc4ae
31dab68b11824153b4c975399df0354f
b675498639429b85af9d70be1e8a8782
509c41ec97bb81b0567b059aa2f50fe8
3175e4ba26e1e75e52935009a526002c
Malicious Email sender address:

• alertatnb@serviciobancomer.com

Registry key:

• HKEY_LOCAL_MACHINE\Software\WanaCrypt0r

Executables:

• C:\Windows\mssecsvc.exe
• C:\Windows\tasksche.exe

Processes:

• Csscript.exe //nologo m.vbs

Files created:

• %TEMPT%\m.vbs
• %TEMP%\b.wrny
• %TEMP%\c.wrny
• taskse.exe
• taskdl.exe
• @Please_Read_Me@.txt
• @WanaDecryptor@.exe

YARA signatures

rule Wanna_Cry_Ransomware_Generic { meta: description = “Detects WannaCry Ransomware on disk and in virtual page” author = “US-CERT Code Analysis Team” reference = “not set” date = “2017/05/12” hash0 = “4DA1F312A214C07143ABEEAFB695D904”   strings: $s0 = {410044004D0049004E0024} $s1 = “WannaDecryptor” $s2 = “WANNACRY” $s3 = “Microsoft Enhanced RSA and AES Cryptographic” $s4 = “PKS” $s5 = “StartTask” $s6 = “wcry@123” $s7 = {2F6600002F72} $s8 = “unzip 0.15 Copyrigh” condition: $s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8 } /*The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. rule MS17_010_WanaCry_worm { meta: description = “Worm exploiting MS17-010 and dropping WannaCry Ransomware” author = “Felipe Molina (@felmoltor)” reference = “https://www.exploit-db.com/exploits/41987/” date = “2017/05/12″ strings: $ms17010_str1=”PC NETWORK PROGRAM 1.0″ $ms17010_str2=”LANMAN1.0″ $ms17010_str3=”Windows for Workgroups 3.1a” $ms17010_str4=”__TREEID__PLACEHOLDER__” $ms17010_str5=”__USERID__PLACEHOLDER__” $wannacry_payload_substr1 = “h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j” $wannacry_payload_substr2 = “h54WfF9cGigWFEx92bzmOd0UOaZlM” $wannacry_payload_substr3 = “tpGFEoLOU6+5I78Toh/nHs/RAP” condition: all of them }

Malware Samples (credit)

• hxxps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
• hxxps://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
• hxxps://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE (main dll)

Latest Update: WannaCry 2.0 with no killswitch discovered

The hackers have released an updated variant with no killswitch functionality.

The killswitch has been readied. The domains are:

• iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
• ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Buckle up because its not over yet!
The worrying factor is we could end up seeing other malwares piggybacking off this campaign. Also, the malware can be spread through other regular exploit vectors, such as spear phishing, drive-by-download attack, and malicious torrent files download.

Two words for you: “Patch” your systems and “disable” SMB v1.