WannaCry

WannaCry, sometimes also called WCry or WanaCryptor, is ransomware: it encrypts files on the victim's machine and demands a payment, in bitcoin, to restore access to them. The ransom amounts range from $300 to $600.

  • Type
    Ransomware
  • Origin
    Likely North Korea
  • First seen
    12 May, 2017
  • Last seen
    21 November, 2019
  • Also known as
    WCry, WanaCryptor
  • Global rank
    19
  • Week rank
    7
  • Month rank
    16
  • IOCs
    87

General description of WannaCry

WannaCry is ransomware with worm functionality: it spreads itself across networks using the EternalBlue SMBv1 exploit. On a successfully exploited host it installs the DoublePulsar kernel backdoor (or reuses one that is already present) and uses that backdoor to upload and execute a copy of itself.

Once WannaCry lands on a target computer, it first sends an HTTP request to a hardcoded kill switch domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com in the original sample, ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com in a later variant. If the request succeeds, the malware stops executing. If it fails, the ransomware proceeds on two fronts at once: it encrypts files on the machine, and it attempts to exploit the SMB vulnerability on other hosts, both on the local network and on randomly generated Internet addresses. After encryption is complete, a ransom note is displayed demanding $300 in bitcoin within 3 days; if the victim does not pay, the amount rises to $600, payable within 7 days. The payments are directed to one of several hardcoded bitcoin addresses. As is typical for a cryptocurrency, anybody can check the balances and transaction history of these addresses, but they are not tied to an identified owner.

WannaCry was first seen in the wild as part of a devastating worldwide attack in May 2017. The attack used the EternalBlue exploit, which is believed to have been developed by the US National Security Agency (NSA) and was leaked by a group known under the alias "The Shadow Brokers".

The exploit targeted a vulnerability in the SMBv1 implementation of Windows. Microsoft had already fixed the issue in March 2017 (security bulletin MS17-010), two months before the outbreak, but many individuals and organizations that had not applied the update became victims of the attack.

By broad estimates, over 200,000 computers in more than 150 countries were infected within the few days the outbreak lasted. Two things slowed the campaign: the discovery and registration of the kill switch domain, which halted execution on every newly infected host that could reach it, and the emergency rollout of the MS17-010 patch, including out-of-band updates for Windows versions that were no longer supported. By the time the attack ended, total damage was estimated in the billions of dollars.

A campaign of this scale triggered investigations at the highest level to find out who was behind the outbreak. Linguistic analysis of the ransom notes suggested that they were written by a person rather than machine-translated, and that the author was fluent in Chinese and competent in English. The author's native language was most likely Chinese: two versions of the note were composed in it, one in Simplified and one in Traditional Chinese, and some typos in those notes are of the kind a Chinese input method produces, which would be hard to make with any other form of input.

In total the ransom note was provided in 28 languages, including both Chinese variants. For most of those languages, however, machine translation was used.

The FBI later found that Hangul fonts were installed on the machine used to compose the ransom notes. Hangul is the alphabet and writing system used in both South and North Korea. Metadata in the language files further showed that the computer's time zone was set to Korean time (UTC+9).

On reviewing the malware samples, security researchers from Google, Kaspersky Lab, and Symantec concluded that WannaCry's code shared similarities with malware used in the attacks on Sony Pictures and in the Bangladesh Bank heist. Those attacks have been attributed to the Lazarus Group, whose members have been linked to North Korea.

This evidence alone was not conclusive: other groups could simply have reused code produced by the Lazarus Group, and such reuse could even have been deliberate, intended to mislead investigators and shift the blame onto other criminals.

However, a leaked NSA memo, as well as findings by the UK's National Cyber Security Centre, also pointed at North Korea as the country from which the attack originated. The United States Government subsequently declared North Korea to be the origin of the attack.

In hindsight, although the WannaCry attack was unprecedented in scale, its impact is considered relatively limited compared with what it could have caused. The aftermath would have been far worse without the discovery of the kill switch. Moreover, the malware could have been aimed at critical infrastructure such as transport control systems and nuclear power plants; had that been the case, some experts estimate the losses could have run to hundreds of millions of dollars more.

Turning to the malware itself: WannaCry is delivered as a dropper that carries its components in a password-protected ZIP archive embedded in its resource section. At runtime the archive is unpacked with a hardcoded password (WNcry@2ol7) and its contents are written to the directory the dropper was executed from.

WannaCry uses two encryption primitives: RSA-2048 and AES-128-CBC. To hinder analysis, the module that implements the encryption, shipped as the file t.wnry, is itself encrypted in exactly the same format the malware uses for victim files. A custom loader decrypts it and loads it straight into memory, so the unencrypted DLL is never written to the victim's disk.

At the start of execution the malware decrypts t.wnry using an RSA private key embedded in the sample. It then generates a fresh RSA-2048 key pair for the victim: the public key is saved to disk (00000000.pky), while the private key is encrypted with the attackers' embedded master public key and saved beside it (00000000.eky). The victim's private key is therefore never stored in cleartext, and only the attackers' master private key can unwrap it.

This is where file encryption begins: the malware walks the file system looking for files with supported extensions. For every file selected, a new 128-bit AES key is generated and encrypted with the victim's RSA public key. The RSA-encrypted AES key is placed in the header of the encrypted file, after which the file contents are encrypted with that AES key in CBC mode and the result is written out with a .WNCRY extension.

Because each per-file AES key is wrapped with the victim's RSA public key, and the matching private key is itself wrapped with the attackers' master key, the data cannot practically be restored without the attackers' private key. The only route the malware leaves the victim is to pay the ransom.
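The container layout that results from this scheme is worth being able to parse during incident response, if only to tell genuinely encrypted files from ones that were truncated mid-write. The parser and builder below are an added example, not code from ANY.RUN or from the malware; the layout (8-byte magic, 4-byte length of the RSA-wrapped key, the wrapped key, a 4-byte mode field, an 8-byte original size, then the AES-128-CBC ciphertext) is reconstructed from public analyses of the sample, the mode value 4 is an assumption, and the sample files are constructed, not real victim data.

```python
"""Parser and builder for the on-disk layout of a WannaCry-encrypted file
(the .WNCRY container described above). Layout as reconstructed in public
analyses; the mode value used in the samples is an assumption."""
import struct
from dataclasses import dataclass

MAGIC = b"WANACRY!"
RSA2048_LEN = 256                       # wrapped key size for RSA-2048
AES_BLOCK = 16
FIXED_HEADER = struct.Struct("<8sI")    # magic, length of wrapped key
TRAILER = struct.Struct("<IQ")          # mode, original plaintext size
HEADER_LEN = FIXED_HEADER.size + RSA2048_LEN + TRAILER.size   # 280 bytes
ASSUMED_FULL_MODE = 4                   # assumption: flag for a fully encrypted file


@dataclass(frozen=True)
class WncryFile:
    wrapped_aes_key: bytes   # per-file AES-128 key, RSA-encrypted with the victim's public key
    mode: int                # encryption mode flag (see ASSUMED_FULL_MODE)
    original_size: int       # plaintext length, needed to strip padding on decryption
    ciphertext: bytes        # AES-128-CBC data; useless without the wrapped key


def parse_wncry(blob: bytes) -> WncryFile:
    """Validate and split a .WNCRY blob. Raises ValueError on anything that
    does not fit the layout, so truncated or foreign files are rejected."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a WannaCry header")
    magic, key_len = FIXED_HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("missing WANACRY! magic")
    if key_len != RSA2048_LEN:
        raise ValueError(f"unexpected wrapped-key length {key_len}")
    off = FIXED_HEADER.size
    wrapped = blob[off:off + key_len]
    off += key_len
    mode, size = TRAILER.unpack_from(blob, off)
    off += TRAILER.size
    data = blob[off:]
    if len(data) % AES_BLOCK:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return WncryFile(wrapped, mode, size, data)


def build_wncry(wrapped_aes_key: bytes, mode: int, original_size: int, ciphertext: bytes) -> bytes:
    """Assemble a container in the same layout (used here only to construct samples)."""
    if len(wrapped_aes_key) != RSA2048_LEN:
        raise ValueError("wrapped key must be RSA-2048 sized")
    if len(ciphertext) % AES_BLOCK:
        raise ValueError("ciphertext must be block aligned")
    return (FIXED_HEADER.pack(MAGIC, RSA2048_LEN) + wrapped_aes_key
            + TRAILER.pack(mode, original_size) + ciphertext)


def triage(files: dict) -> dict:
    """Classify name -> content pairs: 'wncry' for a well-formed container,
    'malformed' for a .WNCRY-named file that does not parse (for example one
    cut off when the machine was powered down mid-encryption), 'other' otherwise."""
    result = {}
    for name, blob in files.items():
        try:
            parse_wncry(blob)
            result[name] = "wncry"
        except ValueError:
            result[name] = "malformed" if name.lower().endswith(".wncry") else "other"
    return result


# Constructed samples: wrapped keys are deterministic filler, not real RSA output,
# and the ciphertext bytes are zeros standing in for AES-CBC data.
SAMPLE_FILES = {
    "report.docx.WNCRY": build_wncry(bytes(range(256)), ASSUMED_FULL_MODE, 20, bytes(32)),
    "photo.jpg.WNCRY": build_wncry(bytes(reversed(range(256))), ASSUMED_FULL_MODE, 1000, bytes(1008)),
    "cut.xls.WNCRY": build_wncry(bytes(range(256)), ASSUMED_FULL_MODE, 20, bytes(32))[:100],
    "notes.txt": b"plain text the malware never touched",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
    a = parse_wncry(SAMPLE_FILES["report.docx.WNCRY"])
    b = parse_wncry(SAMPLE_FILES["photo.jpg.WNCRY"])
    print("distinct per-file wrapped keys:", a.wrapped_aes_key != b.wrapped_aes_key)
```

Two containers never share a wrapped key, because the AES key is generated per file; what they share is the RSA public key that wrapped those keys, which is why recovering one victim's 00000000.eky contents (and hence their private key) would unlock every file on that machine but no other.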

For persistence, WannaCry writes itself to the autorun keys in the registry and registers services; the worm component installs itself as the "mssecsvc2.0" service.

Interactive analysis of WannaCry

A video simulation recorded on ANY.RUN allows us to examine the lifecycle of WannaCry.

Figure 1: Process graph generated by ANY.RUN, showing the main processes of WannaCry execution.

Figure 2: The customizable text report generated by ANY.RUN.

How does WannaCry spread?

Besides reported distribution through malicious spam campaigns, WannaCry has a more interesting way of reaching devices: it uses an operating system vulnerability as its initial attack vector. Once the malware has exploited its way onto a machine, it scans IP addresses, both on the local network and on the Internet, and tries to infect reachable hosts through the SMB vulnerability on port 445/TCP. The vulnerability is CVE-2017-0144, fixed by Microsoft bulletin MS17-010 and exploited by EternalBlue.

Every device on the local network that is still vulnerable will be infected in turn.

WannaCry execution process

After launch, WannaCry first sends an HTTP GET request to the hardcoded kill switch domain and stops executing if the request succeeds. Although the execution flow is straightforward, the malware pursues two goals at once: encrypting files on the infected machine and infecting as many reachable machines as it can. For spreading, it scans for hosts with port 445 open and, once a connection is made, attempts to exploit the SMBv1 vulnerability (EternalBlue). On the local system, the executable extracts its binaries and configuration files from its resource section, marks the extraction directory hidden, loosens that directory's security descriptor (icacls grants Everyone full access), creates the encryption keys, deletes volume shadow copies (vssadmin and wmic) and disables Windows recovery options, among other steps. It then encrypts the user's data and replaces the wallpaper with a ransom note. In addition, the @WanaDecryptor@.exe decryptor is started to show the victim the countdown timers and the payment instructions.
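Both behaviours above leave traces that a SOC can alert on: a DNS lookup of a kill switch domain means WannaCry just ran on that host, whether or not the sinkhole then stopped it, and the spreader shows up as one source opening TCP/445 connections to many distinct destinations in a short window. The detection logic below is an added example, not ANY.RUN's code; the log line formats and the telemetry it runs over are constructed for the example, and the 60-second window and 20-host threshold are assumptions to tune to your own network.

```python
"""Detection logic for two WannaCry behaviours, run over constructed log lines:
1. a DNS query for one of the hardcoded kill switch domains;
2. SMB worm scanning: one source reaching many distinct hosts on TCP/445."""
from collections import defaultdict, deque

# Kill switch domains named in the text; the www. variant from the IOC list
# is matched by the normalisation below.
KILL_SWITCH_DOMAINS = frozenset({
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
})


def normalize_qname(qname: str) -> str:
    """Lower-case, strip a trailing dot and a leading 'www.' label."""
    name = qname.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def find_kill_switch_queries(dns_lines):
    """Return (ts, client, qname) for every query to a kill switch domain.
    Each line is '<unix_ts> <client_ip> <qname>' (constructed format)."""
    hits = []
    for line in dns_lines:
        ts, client, qname = line.split()
        if normalize_qname(qname) in KILL_SWITCH_DOMAINS:
            hits.append((float(ts), client, qname))
    return hits


def detect_smb_scanners(conn_lines, window=60.0, threshold=20):
    """Flag sources that reach >= threshold distinct hosts on TCP/445 within
    `window` seconds. Lines are '<unix_ts> <src_ip> <dst_ip> <dst_port>' in
    time order. Returns one (src, first_alert_ts, distinct_hosts) per source.
    Repeated connections to the same file server count once, which keeps
    ordinary SMB clients quiet while a subnet sweep trips the threshold."""
    recent = defaultdict(deque)          # src -> deque of (ts, dst) on port 445
    alerts, alerted = [], set()
    for line in conn_lines:
        ts_s, src, dst, dport = line.split()
        if int(dport) != 445:
            continue
        ts = float(ts_s)
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop entries outside the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, len(distinct)))
    return alerts


# Constructed sample telemetry (10.0.0.0/8 addresses chosen for the example).
T0 = 1494571200  # arbitrary base timestamp

SAMPLE_DNS_LOG = [
    f"{T0 + 1} 10.0.0.62 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.",
    f"{T0 + 2} 10.0.0.147 www.microsoft.com",
    f"{T0 + 3} 10.0.0.62 wpad.corp.example",
]

# 10.0.0.62 sweeps 25 neighbours on 445 (worm); 10.0.0.147 talks to one file
# server 30 times (benign); NetBIOS traffic on 139 is ignored by the detector.
SAMPLE_CONN_LOG = sorted(
    [f"{T0 + i} 10.0.0.62 10.0.1.{i + 1} 445" for i in range(25)]
    + [f"{T0 + i} 10.0.0.147 10.0.0.10 445" for i in range(30)]
    + [f"{T0 + i} 10.0.0.62 10.0.1.{i + 1} 139" for i in range(25)],
    key=lambda line: float(line.split()[0]),
)

if __name__ == "__main__":
    for ts, host, qname in find_kill_switch_queries(SAMPLE_DNS_LOG):
        print(f"kill switch lookup from {host}: {qname}")
    for src, ts, n in detect_smb_scanners(SAMPLE_CONN_LOG):
        print(f"SMB scanner: {src} reached {n} hosts on 445 by t={ts:.0f}")
```

One caveat when relying on the kill switch signal: the malware makes the HTTP request directly, ignoring the system proxy settings, so hosts that only reach the Internet through a proxy, or have no Internet access at all, never contact the sinkhole and are not protected by it. On such networks the 445 scanning analytic is the one that fires first.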

Figure 3: Desktop of a system infected by WannaCry

Prevention of WannaCry attacks

To prevent WannaCry attacks, users should install the security update Microsoft released for the vulnerability and disable SMBv1 wherever it is not needed. Today, early versions of WannaCry no longer run to completion because their kill switch domains are registered and sinkholed: the HTTP check succeeds and the malware exits. Note that the check is made directly, ignoring proxy settings, so hosts without direct Internet access get no protection from the sinkhole.

The security bulletin for this update is MS17-010, and the update was made available even for Windows XP; it was the first update Microsoft had issued for that operating system since support ended in 2014.

How to get more info from the analysis of WannaCry ransomware using ANY.RUN?

Since the criminals behind WannaCry offer to decrypt a few files for free as a demonstration, you can use the interactivity of ANY.RUN to take additional steps in your analysis. Open the website specified in the ransom note in the browser and follow the steps to decrypt the sample files to get a fuller picture of the ransomware's infection process.

Figure 4: WannaCry ransom note

Conclusion

WannaCry is undoubtedly one of the most destructive pieces of malware ever used in a cyberattack. The first campaign to use it had a truly unprecedented scale.

Thanks to the work of security researchers, the outbreak was contained within a few days: the kill switch domain was found and registered, and the SMBv1 vulnerability the ransomware targeted was patched across supported and unsupported Windows versions. Even with this quick reaction, victims around the world lost billions of dollars.

To prevent attacks as devastating as WannaCry, researchers should learn as much as possible about existing malware samples and analyze their code. Interactive sandboxes such as ANY.RUN make this task much easier by letting analysts influence the execution in real time to get the most out of each run.

IOCs

IP addresses
192.168.100.62
104.17.244.81
104.16.173.80
192.168.100.147
50.63.202.51
50.63.202.62
192.168.100.63
Hashes

Domains
herbalifeworkonline.com
www.groovestay.com
chaibuckz.com
nvisionsigns.com
www.oil-ed.online
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
ayc0zsm69431gfebd.xyz
www.bootcamp.tools
www.christophernadhir.info
mswebpro.com
www.pablorojasphotography.com
www.netto.life
www.onlineapplicationservices.com
novafatura.digital
www.mcconnellpouredwalls.info
vectornz.co
www.bang.money
www.guitarvrar.info
