Weekly Executive Summary: Week Ending May 26, 2017
By Joseph Lorenz on May 28, 2017
What is it? Crypto-Ransomware
What has it been dubbed? WannaCry | WannaCrypt | WCry | WanaCrypt0r
What does it do?
WannaCry began spreading on May 12 (according to experts at FireEye). The ransomware exploits a Windows SMB vulnerability, and it can spread both within the compromised network and over the public internet.
The vulnerability has been patched in MS17-010, a Microsoft security update for the Windows SMB (Server Message Block) server. The malware is built from two components: one provides the ransomware functionality, the other performs propagation to other systems.
WannaCrypt leverages an exploit tool codenamed “EternalBlue”, which was released by a threat actor known as the Shadow Brokers on April 14, 2017. The malware uses encrypted Tor channels for C2 (Command and Control) server communications.
The malware spawns two threads. The first enumerates the network adapters and determines which subnets the system is on; it then generates a thread for each IP on the subnet. Each of these threads attempts to connect to the IP address on TCP port 445 and, if successful, attempts to exploit the system.
WannaCry works like numerous other forms of ransomware: it encrypts your files, then demands a ransom in the form of bitcoins. Attacks don’t seem to be targeted, and it has been found to spread through malicious emails and exploitation of the unpatched vulnerability.
The ransomware starts two countdown timers: the first increases the ransom from $300 USD to $600 USD after three days without payment; the second counts down to the seventh day, when all encrypted files will be deleted if no payment has been made.
The exploited vulnerability is in the common SMB protocol, which is used in nearly every Windows network.
Who/What is affected?
Any organization that hasn’t applied Microsoft’s recommended mitigation mechanisms is at potential risk of attempted WannaCry propagation. The ransomware has affected organizations and end users in at least 150 countries so far; it has shut down hospitals in the UK and taken major companies offline. For more information on affected industries, please see our WannaCry Global Report. The EternalBlue exploit tool allows the malware to spread to all unpatched Windows systems, from Windows XP to Server 2016, on a network that has the SMB protocol enabled.
How does it do it?
Note: Almost all the source code in this article comes from security researchers at Trustwave. The PE (Portable Executable) was unpacked using PeParser (a tool used to parse and extract data from Windows PE files).
The first step in WannaCry’s execution is an attempt to contact ‘www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com’ or ‘ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com’. If the malware successfully connects to either of these addresses, it does not perform encryption or self-propagation. This means none of these domains should be blocked, as they are kill switches for the ransomware.
Since the exploit takes advantage of SMB, disabling or blocking SMB at your perimeter firewall may be a good proactive measure to stop the spread of WannaCry to other vulnerable, unpatched systems.
WannaCrypt creates two registry run keys to ensure further persistence:
- Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Random>
Value: <Full_path>\tasksche.exe
- Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Random>
Value: <Full_path>\tasksche.exe
Source: FireEye
If there is no reply from either of the kill switch domains, the malware checks its command line arguments; if fewer than two are present, the following service is created to ensure the persistence of mssecsvc.exe:
- ServiceName: mssecsvc2.0
- DisplayName: Microsoft Security Center (2.0) Service
- BinaryPath: <path to mssecsvc> -m security
Source: FireEye
Next, the WannaCry ransomware is extracted from the resource section of the payload and dropped into ‘C:\Windows’, and a new process, ‘tasksche.exe’, is spawned as a service to ensure persistence:
- ServiceName: <8-15lower><3number>
- DisplayName: <Same as Service Name>
- BinaryPath: <path to tasksche.exe>
Source: FireEye
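To make the three persistence artifacts above actionable, here is an added Python triage routine (not from FireEye, Trustwave or the original post) that checks an exported list of Run-key entries and services against the patterns listed: Run values launching tasksche.exe, the mssecsvc2.0 service, and the random <8-15 lowercase><3 digit> service name. The inventory, the random names and the paths in it are constructed.

```python
import re

# Constructed inventory (not from a real host): Run-key entries as (key path, value data)
# and services as dicts, the shape a reg/sc export or an EDR query might give you.
SAMPLE_RUN_KEYS = [
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qwzhvxrpkmef",
     r"C:\ProgramData\qwzhvxrpkmef102\tasksche.exe"),
]
SAMPLE_SERVICES = [
    {"name": "wuauserv", "display": "Windows Update",
     "path": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"name": "mssecsvc2.0", "display": "Microsoft Security Center (2.0) Service",
     "path": r"C:\Windows\mssecsvc.exe -m security"},
    {"name": "qwzhvxrpkmef102", "display": "qwzhvxrpkmef102",
     "path": r"C:\ProgramData\qwzhvxrpkmef102\tasksche.exe"},
]

# Generated service name: 8-15 lowercase letters followed by 3 digits.
RANDOM_SVC = re.compile(r"^[a-z]{8,15}[0-9]{3}$")
# HKLM or HKCU ...\CurrentVersion\Run\<anything>
RUN_KEY = re.compile(r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)

def triage_run_keys(entries):
    """Return Run-key paths whose value launches tasksche.exe from any location."""
    return [key for key, value in entries
            if RUN_KEY.match(key) and value.strip().lower().endswith(r"\tasksche.exe")]

def triage_services(services):
    """Return (service name, reason) for services matching the WannaCry profile."""
    hits = []
    for svc in services:
        name, path = svc["name"], svc["path"].strip().lower()
        if name == "mssecsvc2.0" and path.endswith("-m security"):
            hits.append((name, "propagation service mssecsvc2.0"))
        elif RANDOM_SVC.match(name) and svc["display"] == name and path.endswith("tasksche.exe"):
            hits.append((name, "random-named tasksche.exe service"))
    return hits

if __name__ == "__main__":
    for key in triage_run_keys(SAMPLE_RUN_KEYS):
        print("suspicious Run key:", key)
    for name, why in triage_services(SAMPLE_SERVICES):
        print("suspicious service:", name, "-", why)
```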
The ransom note reads:
Source: Trustwave
If two or more command line arguments are present, it proceeds to open the malware service named ‘mssecsvc2.0’, update the service configuration using “SERVICE_CONFIG_FAILURE_ACTIONS”, and start the service, which runs the propagation function using the SMB exploit.
Source: Trustwave
Next, a single thread is created for scanning local IPs, and 128 threads are used for scanning public IPs.
Source: Trustwave
The GetAdaptersInfo() function is used to gather IP addresses for local IP scanning. Once collected, these IPs are scanned to see if they are vulnerable to CVE-2017-0143, and the payload is transferred to the vulnerable IPs that are discovered.
Source: Trustwave
Target public IP addresses are generated using the CryptGenRandom() function (which fills a buffer with cryptographically random bytes); if that function cannot be used, the malware falls back to the rand() function. The first octet of the generated IP address cannot be 127; it must be greater than or equal to 128 and less than 224. This means that the IP addresses need to be Class B or Class C addresses.
Source: Trustwave
WannaCry then checks whether port 445 (SMB over IP) is open. If the port is found to be open, the malware scans the entire /24 IP range, creating a thread for each target IP and attempting to exploit CVE-2017-0143.
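As an added example (not part of the original post or any of the cited analyses), the following Python turns the propagation behaviour described above into defender-side detection logic: it flags hosts that resolve one of the kill switch domains, and hosts that fan out to many distinct TCP/445 peers, split into same-/24 sweeps and remote targets whose first octet falls in the 128-223 range. The log formats and all addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict
# Kill switch domains named in the analysis (de-fanging brackets removed).
KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}
# Constructed sample logs, not real traffic: "time src -> dst:port" and "time src query name".
CONN_LOG = """2017-05-12T10:01:03 10.0.0.5 -> 10.0.0.17:445
2017-05-12T10:01:03 10.0.0.5 -> 10.0.0.18:445
2017-05-12T10:01:03 10.0.0.5 -> 10.0.0.19:445
2017-05-12T10:01:04 10.0.0.5 -> 198.51.100.7:445
2017-05-12T10:01:04 10.0.0.5 -> 203.0.113.9:445
2017-05-12T10:01:09 10.0.0.8 -> 10.0.0.2:445"""
DNS_LOG = """2017-05-12T10:00:59 10.0.0.5 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:00 10.0.0.8 query update.microsoft.com"""
CONN_RE = re.compile(r"^\S+ (\S+) -> (\S+):(\d+)$")
DNS_RE = re.compile(r"^\S+ (\S+) query (\S+)$")

def kill_switch_lookups(dns_text):
    """Hosts that looked up a kill switch domain: only an infected host performs that check."""
    hits = set()
    for line in dns_text.splitlines():
        m = DNS_RE.match(line)
        if m and m.group(2).lower().rstrip(".") in KILL_SWITCH_DOMAINS:
            hits.add(m.group(1))
    return hits

def in_wannacry_public_range(ip):
    """First octet 128..223, the range the worm draws its random public targets from."""
    return 128 <= ipaddress.ip_address(ip).packed[0] < 224

def smb_scanners(conn_text, min_targets=3):
    """Sources hitting at least min_targets distinct hosts on TCP/445, with a range breakdown."""
    targets = defaultdict(set)
    for line in conn_text.splitlines():
        m = CONN_RE.match(line)
        if m and m.group(3) == "445":
            targets[m.group(1)].add(m.group(2))
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        local_net = ipaddress.ip_network(f"{src}/24", strict=False)
        remote = [d for d in dsts if ipaddress.ip_address(d) not in local_net]
        report[src] = {"distinct_targets": len(dsts), "same_subnet": len(dsts) - len(remote),
                       "random_range": sum(in_wannacry_public_range(d) for d in remote)}
    return report
```

A host appearing in both results (a kill switch lookup followed by a TCP/445 fan-out) is the strongest signal; the DNS hit alone shows the sample ran, whether or not the kill switch stopped it.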
According to Trustwave, a file titled “XIA-2058” is embedded in the Portable Executable (PE) of the malware. This is a password protected zip file (password: ‘WNcry@2ol7’) which contains the ransom note, a list of TOR sites used for command and control communications, and other files used by WannaCry.
Source: Trustwave
“b.wnry” is a BMP file used as the ransomware desktop wallpaper if the “Wana Decrypt0r” program has failed to execute; it prompts the user to find the executable in any folder and restore it from antivirus quarantine.
Source: Trustwave
“c.wnry” contains a list of TOR sites, while “r.wnry” is a simple text readme of the ransom note. A message folder holds the ransom note in different languages.
The final file, ‘s.wnry’, is a ZIP file containing TOR-related binaries, which are used for command and control communications.
When the malware moves to encrypting files it skips over files with .exe, .dll, and .wncry extensions, as these are used by the malware to perform its nefarious tasks. A large list of file extensions is selected for encryption:
Source: FireEye
Conclusion:
Despite a patch being available, this didn’t appear to slow down the spread of the malware. Many are blaming system admins for not patching their systems, but a large number of Windows XP and Windows Server 2003 systems remain in use, both of which are past their ‘end-of-life’ and no longer receive patches. Microsoft made a decision to push out a patch for these older systems on May 12.
Companies that continue to use software that has reached its end of support take a serious risk with the protection of their information. For Microsoft, this is the date at which the company no longer provides automatic fixes, updates, or online technical assistance for the software or OS. Though WannaCry had a hardcoded URL that provided a kill switch for the malware, if this ransomware is altered and re-released, outdated systems may not be as fortunate in future attacks.
Like almost all forms of ransomware, having quality backups of systems can offer the highest amount of protection against these types of attacks. These backups should be isolated from production systems to protect their integrity.
Though we’ve seen many types of ransomware attacks in the past, this may be one of the first to spread so quickly and take advantage of other forms of delivery. Its worm-like behavior is what made it so dangerous, and experts may continue to see new hybrid forms of existing threats.
Sources:
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html (MalwareTech)
https://www.digitalshadows.com/blog-and-research/wannacry-an-analysis-of-competing-hypotheses/ (Digital Shadows)
https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html (FireEye)
https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/ (LogRhythm)
https://www.trustwave.com/Resources/SpiderLabs-Blog/WannaCry–We-Want-to-Cry/ (Trustwave)
https://medium.com/threat-intel/wannacry-ransomware-decryption-821c7e3f0a2b (Medium)
https://success.trendmicro.com/solution/1117391 (Trend Micro)
https://isc.sans.edu/forums/diary/WannaCryWannaCrypt+Ransomware+Summary/22420/ (SANS ISC)
https://www.symantec.com/outbreak/?id=wannacry (Symantec)
https://threatpost.com/available-tools-making-dent-in-wannacry-encryption/125806/ (Threatpost)