Security Research Engineer at Ixia

WannaCry Ransomware 101

May 17, 2017 by Anthony Lecorchick

**Before reading any further, please ensure the MS17-010 patch has been applied to all your Windows systems.**

History

Our story begins in August 2016, when a hacker group called The Shadow Brokers made their first appearance, offering files they claimed were stolen from The Equation Group, a threat actor with suspected NSA ties. Back then, we covered the firewall exploits that were released. To date, The Shadow Brokers have made five leaks, each containing more information or files from The Equation Group.

On April 14, 2017, The Shadow Brokers posted a leak titled “Lost in Translation.” It contained several exploits and tools, including the SMB exploit EternalBlue.

Server Message Block (SMB) is a protocol typically used for shared access, usually among Microsoft Windows machines. It is normally set up to work only between machines on the same local network, so using an exploit such as EternalBlue for a remote attack would not, by itself, yield a large attack surface.

WannaCry

[Figure 1: image not available]

On May 12th, 2017, a large-scale ransomware attack began. WannaCry (also known as WannaCrypt, WanaCrypt0r, and Wana Decrypt0r) infected over 200,000 computers in at least 150 countries, according to Europol. The initial infection vector is unknown, but may have been EternalBlue, some other exploit, or a phishing attack. Once a computer is infected, it attempts to leverage EternalBlue to spread further, both on the local network and on the Internet at large. Because SMB is often used for file sharing within a network, once one machine on the network is infected, WannaCry may spread quickly and thoroughly within that network. Malwarebytes reports that WannaCry also installs DoublePulsar, a kernel-level backdoor.

Encrypted files have their extension changed to WNCRY, and two additional files, @Please_Read_Me@.txt and @WanaDecryptor@.exe, are dropped in every directory. @WanaDecryptor@.exe instructs the user on how they can recover their files, and presents a countdown both for when the ransom will increase and for when the user will lose any chance of decrypting their files. The malware selects one of three bitcoin addresses embedded in its encryptor and displays it when demanding the ransom. You can currently extract the bitcoin addresses from the initial infecting binary using simple shell scripts.
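A worked version of that extraction, added here as an example and not the author's script: it scans a binary blob for Base58 strings of Bitcoin address shape (ASCII and UTF-16LE) and keeps only candidates whose Base58Check checksum verifies, which removes the false positives a bare grep would return. The sample blob is constructed inline from two of the addresses listed in this post plus a one-character lookalike; a real run would read the sample from disk.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin (no 0, O, I, l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# P2PKH/P2SH address shape, as an ASCII string and as a UTF-16LE (wide) string.
ASCII_RE = re.compile(rb"[13][1-9A-HJ-NP-Za-km-z]{25,34}")
WIDE_RE = re.compile(rb"(?:[13]\x00)(?:[1-9A-HJ-NP-Za-km-z]\x00){25,34}")


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose double-SHA256 checksum matches."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte (the 0x00 version byte first).
    pad = len(addr) - len(addr.lstrip("1"))
    payload = b"\x00" * pad + body
    if len(payload) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(payload[:-4]).digest()).digest()
    return digest[:4] == payload[-4:]


def extract_btc_addresses(data: bytes) -> list:
    """Return unique, checksum-valid Bitcoin addresses found in a binary blob."""
    found = []
    for m in ASCII_RE.finditer(data):
        cand = m.group().decode("ascii")
        if base58check_valid(cand) and cand not in found:
            found.append(cand)
    for m in WIDE_RE.finditer(data):
        cand = m.group()[::2].decode("ascii")  # drop the interleaved NUL bytes
        if base58check_valid(cand) and cand not in found:
            found.append(cand)
    return found


# Constructed stand-in for a PE image: two addresses from this post (one ASCII,
# one wide) plus a one-character lookalike whose checksum does not verify.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94\x00"
    + b"13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb95\x00"
    + "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw".encode("utf-16-le") + b"\x00\x00"
)
```

For a real sample, pass `open(path, "rb").read()` to `extract_btc_addresses`; the checksum test is what lets you trust the hits without eyeballing each string.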

[Figure 2: screenshot of the ransom screen (image not available)]

This screenshot is from the sample with the SHA256 hash ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, and as of today (May 17th) it has netted the malware author about 44 Bitcoins ($74,000). As you can see, the expiration on decrypting files is set a week from initial infection. This implies that May 19th could see a large swing in Bitcoin payments to these addresses if someone hasn't figured out a different way of recovering files.

At the time of writing, the spread of WannaCry has been temporarily slowed thanks to a killswitch found by MalwareTech. Before encrypting, WannaCry attempts to contact a hard-coded URL, and if the connection succeeds, it will not continue execution. While this stops this particular version of the malware, a new strain could be released, and the killswitch does not fix the vulnerability itself. Please make sure your systems have installed KB4013389 for MS17-010, which fixes the vulnerability exploited by EternalBlue.

Hashes analyzed:


Bitcoin Addresses Seen:


We will be releasing WannaCry variants, along with other popular new malware strains, in our next ATI monthly malware package. This will enable you to test your inline network AV against the most current threats on the Internet and confirm that you are protected from this threat.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.