
WannaCry

From Malware Wiki
WannaCrypt
Type: Ransomware
Creator: Lazarus Group
Date: May 12th, 2017
Origin: Pyongyang, North Korea
Programming Language: Visual C++ 6.0
Platform: Microsoft Windows
File Type: Win32 PE executable (.EXE)
Alias(es):
  Technical:
  • Ransom:Win32/WannaCrypt (Windows Defender)
  • Trj/RansomCryptK (Panda)
  • Win32/Filecoder.WannaCryptor (ESET)
  General:
  • WanaCrypt
  • Wana Crypt0r
  • Wana Decrypt0r
  • WannaCry
  • SambaCry (Samba variant)
Impact: 230,000 computers in over 150 countries
Size: Varies
Damage costs: $4 billion ($4,000,000,000)
CRC32: 02AC7126
MD5: 5c7fb0927db37372da25f270708103a2
SHA-1: 120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA-256: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SSDEEP: 3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ
Authentihash: 7e9f8747fa2d7a35e87ddc8fa62d4d4b8da3b0cf3f3a62f1df0a59b50e913bb7
IMPhash: e858a14f217810d78466806d95d7fceb
Infection distribution throughout different regions.

WannaCry, originally named WanaCrypt and also known as Wana Crypt0r and Wana Decrypt0r, is a notorious ransomware worm targeting Microsoft Windows. It uses two NSA-leaked exploits and has wreaked havoc in airports, banks, universities, hospitals and many other facilities. It spread to some 150 countries worldwide, with Russia, Ukraine, the US and India among the hardest hit.

The encryption scheme is not vulnerable to brute-force or dictionary attacks, as it uses RSA-2048 with random hexadecimal strings; thus the only ways to retrieve files are restoring from backup or paying the Bitcoin equivalent of $300 USD (the authors did, however, forget to wipe the RSA primes from memory; see the decryption tool section below). The demanded payment rises to the Bitcoin equivalent of $600 USD after 72 hours, and 7 days after infection the malware begins deleting the encrypted files.

In late June 2018, an email scam called WannaSpam emerged. Hundreds of computer users reported receiving an email from someone (or several people) claiming to be the developers of WannaCry. The email threatened to destroy the recipients' data unless they sent 0.1 BTC to the "hackers'" Bitcoin address. This was a hoax: an email by itself cannot encrypt files, and nobody who received it reported having their files encrypted.

One security company's report found that in August 2019 alone it had detected more than 4.3 million attempts to spread a variant of WannaCry to customer machines.

Behavior

Infection

Infection occurs in various ways, including trojan-style and worm-style attack vectors. When a computer becomes infected with WannaCry, the executable extracts an embedded resource into the folder it is running from. This resource is a password-protected ZIP archive containing the various files WannaCry uses.

WannaCry then downloads a Tor client from https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip and extracts it into the TaskData folder. This Tor client is used to communicate with the ransomware's C2 servers at gx7ekbenv2riucmf.onion, 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion, 76jdd2ir2embyv47.onion, and cwwnhwhlz52maqm7.onion.

To prepare the computer so that it can encrypt as many files as possible, WannaCry runs "icacls . /grant Everyone:F /T /C /Q", giving every user on the system full permissions to the files in the folder (and subfolders) where the ransomware was executed. It then terminates processes associated with database servers and mail servers so that it can encrypt databases and mail stores as well, since files held open by those services could not otherwise be overwritten.

The commands executed to terminate the database and Exchange server processes are:

taskkill.exe /f /im mysqld.exe
taskkill.exe /f /im sqlwriter.exe
taskkill.exe /f /im sqlserver.exe
taskkill.exe /f /im MSExchange*
taskkill.exe /f /im Microsoft.Exchange.*

Once running, the ransomware encrypts the files on the computer very quickly. It also attacks mounted network drives.

When encrypting files, WannaCry will scan all drives and mapped network drives for files that have one of the following extensions:

.der, .pfx, .key, .crt, .csr, .pem, .odt, .ott, .sxw, .stw, .uot, .max, .ods, .ots, .sxc, .stc, .dif, .slk, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mkv, .flv, .wma, .mid, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .hwp, .snt, .onetoc2, .dwg, .pdf, .wks, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

When encrypting a file it adds the WANACRY! magic string to the beginning of the encrypted file. It will then append the .WNCRY extension to the original filename to denote that the file has been encrypted. For example, a file called test.jpg would be encrypted and have a new name of test.jpg.WNCRY.
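The two markers just described, the WANACRY! magic string at the start of the file and the appended .WNCRY extension, are enough to triage a share for encrypted files after an incident. The scanner below is an added example, not code from the wiki; the sample directory it builds is constructed data, and it flags files carrying only one of the two markers separately, since those are renamed, truncated or partially written rather than fully encrypted.

```python
"""Locate WannaCry-encrypted files for incident triage (added example)."""
import os
import tempfile
from pathlib import Path

MAGIC = b"WANACRY!"   # 8-byte header written before the encrypted body
EXT = ".WNCRY"        # appended to the original name, e.g. test.jpg.WNCRY

def classify(name: str, head: bytes) -> str:
    """Classify one file from its name and its first 8 bytes:
    'encrypted'  both markers present
    'suspicious' only one marker (renamed, truncated, partially written)
    'clean'      neither marker"""
    has_ext = name.upper().endswith(EXT)
    has_magic = head.startswith(MAGIC)
    if has_ext and has_magic:
        return "encrypted"
    if has_ext or has_magic:
        return "suspicious"
    return "clean"

def original_name(name: str) -> str:
    """test.jpg.WNCRY -> test.jpg (the extension is appended, not replaced)."""
    return name[:-len(EXT)] if name.upper().endswith(EXT) else name

def scan_tree(root: str) -> dict:
    """Walk root; return {'encrypted': [(path, original)], 'suspicious': [path]}."""
    result = {"encrypted": [], "suspicious": []}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                head = fh.read(len(MAGIC))
            verdict = classify(fname, head)
            if verdict == "encrypted":
                result["encrypted"].append((path, original_name(fname)))
            elif verdict == "suspicious":
                result["suspicious"].append(path)
    return result

def build_sample_tree() -> str:
    """Constructed sample files (not real malware output) for a self-contained run."""
    root = tempfile.mkdtemp(prefix="wncry_demo_")
    sub = Path(root, "docs")
    sub.mkdir()
    Path(sub, "test.jpg.WNCRY").write_bytes(MAGIC + b"\x00" * 32)           # both markers
    Path(sub, "report.docx.WNCRY").write_bytes(b"PK\x03\x04" + b"\x00" * 8)  # extension only
    Path(root, "notes.txt").write_bytes(b"plain text, untouched")           # clean
    return root

if __name__ == "__main__":
    for path, orig in scan_tree(build_sample_tree())["encrypted"]:
        print(f"{path} (was {orig})")
```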

While encrypting, it also drops a @Please_Read_Me@.txt ransom note and a copy of the @WanaDecryptor@.exe decryptor into every folder that contains at least one encrypted file. Finally, WannaCry issues commands that delete all Volume Shadow Copies, disable Windows startup recovery, and clear the Windows Server Backup catalog. The commands issued are:

C:\Windows\SysWOW64\cmd.exe /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Because these commands require administrative privileges, victims may see a UAC prompt.
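The pre-encryption sequence described above (the icacls grant, the taskkill of database and mail processes, and the shadow-copy and recovery tampering) is a useful detection signal because benign administration rarely chains these commands on one host within seconds. The rules below are an added example, not from the wiki or any vendor; the log format (timestamp|host|command line) and host names are constructed.

```python
"""Flag WannaCry-style pre-encryption staging in process-creation logs (added example)."""
import re

# Stage -> regex over the lower-cased command line; patterns follow the commands quoted above.
STAGES = {
    "grant_everyone":      re.compile(r"\bicacls\b.*/grant\s+everyone:f"),
    "kill_db_mail":        re.compile(r"\btaskkill(\.exe)?\b.*/im\s+(mysqld|sqlwriter|sqlserver|msexchange|microsoft\.exchange)"),
    "delete_shadows":      re.compile(r"vssadmin\s+delete\s+shadows?\b|wmic\s+shadowcopy\s+delete"),
    "disable_recovery":    re.compile(r"bcdedit\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    "wipe_backup_catalog": re.compile(r"wbadmin\s+delete\s+catalog"),
}

def match_stages(cmdline: str) -> set:
    """Return the set of stage names one command line matches (case-insensitive)."""
    low = cmdline.lower()
    return {name for name, rx in STAGES.items() if rx.search(low)}

def detect(lines) -> dict:
    """Parse 'timestamp|host|command_line' records; return {host: set(stages seen)}."""
    per_host = {}
    for line in lines:
        try:
            _ts, host, cmd = line.split("|", 2)
        except ValueError:
            continue  # malformed record: skip rather than crash the pipeline
        per_host.setdefault(host, set()).update(match_stages(cmd))
    return per_host

def alert_hosts(lines, min_stages: int = 2) -> list:
    """Hosts showing at least min_stages distinct stages; a single stage is too noisy
    on its own (backup admins do run wbadmin), but two or more is ransomware staging."""
    return sorted(h for h, s in detect(lines).items() if len(s) >= min_stages)

SAMPLE_LOG = [  # constructed records mirroring the commands quoted on this page
    "2017-05-12T10:01:03|WS-17|icacls . /grant Everyone:F /T /C /Q",
    "2017-05-12T10:01:04|WS-17|taskkill.exe /f /im mysqld.exe",
    "2017-05-12T10:01:09|WS-17|C:\\Windows\\SysWOW64\\cmd.exe /c vssadmin delete shadow /all /quiet "
    "& wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures "
    "& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    "2017-05-12T10:02:00|SQL-01|taskkill /f /im notepad.exe",   # benign: not a DB/mail process
    "2017-05-12T10:03:00|BK-02|wbadmin delete catalog -quiet",   # one stage only: below threshold
]

if __name__ == "__main__":
    print("alert:", alert_hosts(SAMPLE_LOG))
```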

Finally, the installer runs a copy of the @WanaDecryptor@.exe program so that the "Wana Decryptor 2.0" lock screen is displayed. This screen gives further instructions on how to pay the ransom and lets the user select a display language.

When the user clicks on the Check Payment button, the ransomware connects back to the TOR C2 servers to see if a payment has been made. If payment can be verified, the ransomware will automatically decrypt the user's files.

WannaCry will also configure the user's Desktop wallpaper to display another ransom note. A copy of this ransom note will be left on the desktop that contains more information and answers to frequently asked questions.

From version 2.0 onwards, instead of relying on spam email attachments, spoofed links or hijacked advertisements to spread, the ransomware behaves as a worm: using a remote code execution exploit, it actively attacks every vulnerable computer on the infected machine's network.

It scans every computer on the local network for TCP and UDP ports 139 and 445 (SMB). If a host is listening on these ports and is found to be vulnerable to the exploit, the worm copies itself onto that host and executes the dropped file via PsExec.

Exploits

Exploit used by WannaCry

This ransomware uses the EternalBlue exploit leaked by The Shadow Brokers, which Microsoft had patched on March 14, 2017. However, many companies and organizations had not installed the patch. Because of the damage the ransomware caused, Microsoft also released a patch for Windows XP, Windows Server 2003, and Windows Vista, all of which were no longer supported at the time.
Many antivirus vendors and computer security companies have also created programs to "immunize" computers against the EternalBlue exploit.

Kill Switch and Decryption

On May 14, a British network engineer named Darien Huss found that the ransomware checks whether a then-unregistered domain made up of seemingly random letters and numbers exists. If the domain resolves, the ransomware terminates immediately, before starting its first-run routine. Darien shared this finding with a researcher known as MalwareTech, and they bought the domain to stop the ransomware. This slowed the spread of WannaCry to a near-standstill. Eventually, hex-edited variants appeared in which the "kill switch" had been disabled.

Properties of malware files used by WannaCry

Decryption tool released

Adrien Guinet, a French security researcher from Quarkslab, found that the ransomware does not remove the prime numbers used to generate the encryption keys from memory after encrypting the files, meaning that a user can use these numbers to regenerate the decryption key.

Before generating an RSA key pair, the system must choose two prime numbers. Once the keys have been generated, those primes should be kept secret (ideally wiped from memory) to prevent anyone else from using them to regenerate the private key.

The WanaKiwi decryptor tries to find the prime numbers left in memory by the ransomware and regenerate the private key, so that the user may not need to pay the ransom for decryption. There are limits, however, and the tool may not be able to recover the files in the following cases:

  1. The infected machine must not have been rebooted since infection, as a reboot wipes the process memory holding the primes.
  2. Since the memory holding the primes is freed for reuse by other programs, that block may already have been overwritten or allocated to another process; the decryption tool should therefore be started as soon as possible to have the best chance of finding the numbers.
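Why two leaked primes are enough: with p, q and the public exponent e, the private exponent d is simply the modular inverse of e mod (p-1)(q-1), and the CRT values a standard private key file carries follow from d. The block below is an added example illustrating that derivation with freshly generated primes; it is not WanaKiwi's code and does not search process memory, which is the hard part of the real tool.

```python
"""Rebuild an RSA private key from its two primes, the idea behind WanaKiwi (added example)."""
import math
import random

def is_probable_prime(n: int, rng, rounds: int = 20) -> bool:
    """Miller-Rabin test; probabilistic, but ample for generating demo keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:           # write n-1 as d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False        # witness found: n is composite
    return True

def random_prime(bits: int, rng) -> int:
    while True:                 # odd candidate with the top bit set
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def generate_primes(bits: int, e: int = 65537, seed=None):
    """Two primes usable with exponent e (gcd(e, phi) == 1); stands in for the
    primes WannaCry leaves in RAM. Use bits=1024 for a real RSA-2048 modulus."""
    rng = random.Random(seed)
    while True:
        p, q = random_prime(bits, rng), random_prime(bits, rng)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p, q

def rebuild_private_key(p: int, q: int, e: int = 65537) -> dict:
    """From p, q, e derive n, d and the CRT values (dp, dq, qinv) a PKCS#1 key carries."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)         # modular inverse of e (Python 3.8+)
    return {"n": p * q, "e": e, "d": d,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}

def encrypt(m: int, key: dict) -> int:
    return pow(m, key["e"], key["n"])

def decrypt(c: int, key: dict) -> int:
    return pow(c, key["d"], key["n"])
```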

Other Languages

The ransom note in Chinese.

WannaCry has translations for these languages:

  • Bulgarian
  • Chinese (Simplified)
  • Chinese (Traditional)
  • Croatian
  • Czech
  • Danish
  • Dutch
  • English
  • Filipino
  • Finnish
  • French
  • German
  • Greek
  • Indonesian
  • Italian
  • Japanese
  • Korean
  • Latvian
  • Norwegian
  • Polish
  • Portuguese
  • Romanian
  • Russian
  • Slovak
  • Spanish
  • Swedish
  • Turkish
  • Vietnamese

Affected Organizations (according to Wikipedia)

  • São Paulo Court of Justice (Brazil)
  • Aristotle University of Thessaloniki (Greece)
  • Vivo (Telefônica Brasil) (Brazil)
  • Lakeridge Health (Canada)
  • PetroChina (China)
  • Public Security Bureaus (China)
  • Sun Yat-sen University (China)
  • Instituto Nacional de Salud (Colombia)
  • Renault (France)
  • Deutsche Bahn (Germany)
  • Telenor Hungary (Hungary)
  • Andhra Pradesh Police (India)
  • Dharmais Hospital (Indonesia)
  • Harapan Kita Hospital (Indonesia)
  • University of Milano-Bicocca (Italy)
  • Q-Park (Netherlands)
  • Portugal Telecom (Portugal)
  • Automobile Dacia (Romania)
  • Ministry of Foreign Affairs (Romania)
  • MegaFon (Russia)
  • Ministry of Internal Affairs (Russia)
  • Russian Railways (Russia)
  • Banco Bilbao Vizcaya Argentaria (Spain)
  • Telefónica (Spain)
  • Sandvik (Sweden)
  • Garena Blade and Soul (Thailand)
  • National Health Service (United Kingdom)
  • Nissan UK (United Kingdom)
  • FedEx (United States)
  • STC (Saudi Arabia)
  • Boeing (United States)
  • Cambrian College (Canada)
  • Chinese public security bureau (China)
  • CJ CGV (South Korea)
  • Dalian Maritime University (China)
  • Faculty Hospital (Slovakia)
  • Guilin University Of Aerospace Technology (China)
  • Guilin University Of Electronic Technology (China)
  • Hezhou University (China)
  • Hitachi (Japan)
  • Honda (Japan)
  • LATAM Airlines Group (Chile)
  • NHS Scotland (Scotland)
  • O2 (Germany)
  • Petrobrás (Brazil)
  • Pulse FM (Australia)
  • Sberbank (Russia)
  • Shandong University (China)
  • Government of Gujarat (India)
  • Government of Kerala (India)
  • Government of Maharashtra (India)
  • Government of West Bengal (India)
  • Suzhou Vehicle Administration (China)
  • Telkom (South Africa)
  • Timrå Municipality (Sweden)
  • TSMC (Taiwan)
  • Universitas Jember (Indonesia)
  • University of Montreal (Canada)
Timeline of key events relating to the WannaCry ransomware, made by Symantec.

Variants

Including the very first version, there are 3 known versions:

  • BETA - Unknown
  • Version 1.0 - April 25, 2017
  • Version 2.0 - May 13, 2017

Patches

References