Global WannaCry ransomware outbreak uses known NSA exploit Ilmaiskierrokset and Other Projects

Following the emergence of the Jaff ransomware attack campaign earlier this week, another, even bigger outbreak is making headlines. The culprit? A new ransomware family called WannaCry or WCry.

Spotted earlier today, WCry caught the attention of the team due to it being spread via the recently exposed NSA shadow broker exploits. WCry took many businesses and public institutions by surprise, including telco giant Telefonica in Spain and the National Health Service in the United Kingdom, and has already infected tens of thousands of systems across the globe.

Security researcher MalwareTech created a map of overall infections and a real-time map of infections to visualize the number of WCry infections, which has surpassed the 70,000 infection mark.

Ilmaiskierrokset Project Attacked

Several projects have already been affected by the latest ransomware. Ilmaiskierrokset, for instance, is a Finnish online project related to the online casino and gambling industry. The site owners noticed quite quickly that the ransomware had infected their system.

“It was a shock to us, since we have always been very careful about our firewalls and other types of protection methods. We first spotted the ransomware in the beginning of February 2017, and we did make reports about it once we spotted it. For some reason people started to be aware of the problem later”, says the project manager and continues. “We were very lucky, since our backup strategy was up-to-date. This meant for us that the lost data was quickly restored. After the incident we chose not to use Microsoft in our projects. Nowadays we are relying on other tools and providers.”

Uudet Kasinot Under Attack

Uudet kasinot, another Finnish online project, is the latest project to be attacked. The attack happened very recently, confirming our view that the WCry ransomware is much more persistent and dangerous than we thought. Despite numerous security measures, the site, run by Finns, took a hit. However, as the site's creators already knew about this ransomware and had channels open to various communities, the problems were fixed quite quickly.

What our team finds particularly noteworthy in this example is that the site owners had indeed already taken important precautions. However, these did not seem to be enough, which raises many questions for further action. It is also worth pausing to consider why we have so far seen such large numbers of these attacks on the Finnish and Nordic markets.

Meet WCry Ransomware

The WCry ransomware, also referred to as WNCry, WannaCry, WanaCrypt0r, or Wana Decrypt0r, was originally spotted in campaigns in early February 2017, with more campaigns following in March. But it wasn’t until now that a global attack had been registered.

It is written in C++, and no attempt has been made to hide the majority of the code. Like most ransomware families, WCry renames the files it encrypts, adding the .WNCRY extension.

When infecting a system, it presents a ransom screen asking to pay $300 worth of bitcoins:

Unlike most ransomware campaigns, which usually target specific regions, WCry is targeting systems around the globe. So it comes as no surprise that the ransomware authors provide localized ransom messages in more than 20 languages:

Bulgarian, Chinese (simplified), Chinese (Traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese

How do you get infected with WCry ransomware?

At the moment, WCry is primarily spreading via the leaked NSA exploits that the Shadow Brokers group released recently. More specifically, French researcher Kaffine was the first to suspect that WCry was being spread via the ETERNALBLUE exploit.

ETERNALBLUE exploits a vulnerability in the Microsoft SMBv1 protocol, allowing an attacker to take control of systems which:

  • have the SMBv1 protocol enabled,
  • are accessible from the internet, and
  • have not been patched with the MS17-010 fix released back in March 2017.

In addition, it appears that the malware authors are also taking advantage of DOUBLE SPEAR, a backdoor that is usually installed via the ETERNALBLUE exploit and persists on the system. So if your system was compromised by ETERNALBLUE previously, chances are it is still vulnerable, even if the initial SMBv1 vulnerability has since been patched.

The ransomware executable itself is best described as a dropper that carries all the ransomware components in the form of a password-protected ZIP archive embedded in its file. When run, it unpacks those components into the directory it was executed from, using a hardcoded password. Closer inspection of the ZIP archive reveals the following files:

  • b.wnry – Ransom desktop wallpaper
  • c.wnry – Configuration file containing C2 server addresses, BitCoin Wallet etc.
  • r.wnry – Ransom note
  • s.wnry – ZIP archive containing the TOR client
  • t.wnry – The encryption part of the ransomware encrypted using a WanaCry specific format; can be decrypted using the private key embedded inside the ransomware executable.
  • u.wnry – Decrypter executable
  • Taskdl.exe – Deletes all temporary files created during encryption (.WNCRYT)
  • Taskse.exe – Runs given program in all user sessions
  • msg\* – Language files (currently 28 different languages)

In addition, the ransomware creates a couple of further files during its execution:

  • 00000000.eky – Encryption key for the t.wnry file which stores the actual file encryption component used by the ransomware. It is encrypted using the public key that belongs to a private key embedded inside the ransomware.
  • 00000000.pky – Public key used by the ransomware to encrypt the generated AES keys that are used to encrypt the user’s files
  • 00000000.res – C2 communication results

A list of all changes made by the ransomware to an infected system can be found in the “Indicators of Compromise” section below.

WCry key generation and encryption

WCry ransomware uses a combination of RSA and AES-128-CBC to encrypt the victim's data. To do so, it uses the Windows CryptoAPI for RSA but a custom implementation for the AES encryption.

Interestingly, the encryption routine is stored in a separate component within the t.wnry file and is itself encrypted using the same method used by the ransomware to encrypt user files. This was likely done to make the malware analysis more difficult. The module is loaded into memory using a custom loader and executed from there, without ever being written to the victim’s disk unencrypted.

When WCry arrives on a system, it will first import a hardcoded private RSA key that is used to decrypt the file encryption component stored within “t.wnry”. Once done, the ransomware will generate a new private RSA key. That RSA key is then submitted to the malware’s command and control server and a copy of the generated public key is stored on the system.

The ransomware then searches all available drives and network shares for files with one of the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .db, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cs, .cpp, .pas, .asm, .js, .cmd, .bat, .ps1, .vbs, .vb, .pl, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .rb, .java, .jar, .class, .sh, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .ai, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .7z, .gz, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc, .c, .h

Once done, the malware generates a new 128-bit AES key for every file it found. Each AES key is encrypted with the public RSA key generated earlier, and the RSA-encrypted AES key is stored in the header of the encrypted file, together with the file marker "WANACRY!". The AES key is then used to encrypt the file's content.

Unfortunately, after evaluating the way WCry performs its encryption, we found no way to restore encrypted files without access to the private key generated by the ransomware. So it is not likely that a free WCry ransomware decrypter will become available for victims.
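Because the files themselves cannot be recovered, the practical response is scoping the damage so it can be restored from backup. The Python below is an added example, not code from the original article or from Emsisoft; it sweeps a directory for the file-level artifacts described above (the "WANACRY!" header, the .WNCRY/.WCRY suffix, and the dropped ransom notes) over constructed sample files, and the sample file names and contents are assumptions made for the demo.

```python
import os
import tempfile

# File-level artifacts the write-up attributes to WCry: an 8-byte "WANACRY!"
# marker at the start of each encrypted file, the .WNCRY/.WCRY suffix, and the
# ransom note files dropped into every encrypted folder.
WANACRY_MARKER = b"WANACRY!"
ENCRYPTED_SUFFIXES = (".wncry", ".wcry")
RANSOM_NOTES = {"!please read me!.txt", "!wannadecryptor!.exe.lnk"}


def scan_tree(root):
    """Walk root and group files by artifact type; returns sorted path lists."""
    found = {"marker": [], "suffix_only": [], "notes": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in RANSOM_NOTES:
                found["notes"].append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(WANACRY_MARKER))
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if head == WANACRY_MARKER:
                found["marker"].append(path)       # confirmed by header, any name
            elif lower.endswith(ENCRYPTED_SUFFIXES):
                found["suffix_only"].append(path)  # renamed but no header: review
    return {k: sorted(v) for k, v in found.items()}


def build_sample_tree(root):
    """Write constructed sample files (not real samples) covering each branch."""
    samples = {
        "report.docx.WNCRY": WANACRY_MARKER + b"\x00" * 32,  # encrypted file
        "budget.xlsx.WCRY": WANACRY_MARKER + b"\x00" * 32,   # suffix seen by Symantec
        "!Please Read Me!.txt": b"ransom note text",
        "!WannaDecryptor!.exe.lnk": b"shortcut",
        "photo.jpg": b"\xff\xd8\xff untouched",              # benign, must not match
        "decoy.WNCRY": b"renamed only, no marker",           # suffix without header
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp dir and return counts per category."""
    root = tempfile.mkdtemp(prefix="wcry_scan_")
    build_sample_tree(root)
    return {k: len(v) for k, v in scan_tree(root).items()}
```

Files in the "marker" list are the ones to restore from backup; "suffix_only" hits deserve a manual look, since a renamed file without the header is either a partial write or unrelated.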

How can I protect myself from WCry?

As explained in our ransomware article, the best protection remains a reliable and proven backup strategy, especially since the encryption used by WCry ransomware is secure: the only way to get the data back is through the ransomware author or by restoring from backups. Installing critical Windows updates is also a very important step in protecting a system, as WCry currently seems to spread only via the SMBv1 exploit, which was patched two months ago.

Apart from regular backups, you will be glad to hear that the Behavior Blocker technology used by Emsisoft Anti-Malware and Emsisoft Internet Security has proven to be the next best defense: it caught the ransomware before the file could execute, and thus once again keeps our users protected from this and hundreds of other ransomware families without the need for signatures.

We consider ransomware one of the biggest threats of the past year and plan to do our best to continue our excellent track record in the next year, to keep our users as protected as possible.

Why is it causing so many problems for organizations?

WannaCry has the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in Microsoft Windows. Computers that do not have the latest Windows security updates applied are at risk of infection.

Can I recover the encrypted files?

Decryption is not available at this time but Symantec is investigating. Symantec does not recommend paying the ransom. Encrypted files should be restored from backups where possible.

What are the best practices for protecting against ransomware?

New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.

Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.

Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.

Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.

Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However, organizations should ensure that backups are appropriately protected or stored off-line so that attackers can’t delete them.

Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.

Additional indicators and technical information about Ransom.Wannacry

When the Trojan is executed, it drops the following files:

  • [PATH_TO_TROJAN]\!WannaDecryptor!.exe
  • [PATH_TO_TROJAN]\c.wry
  • [PATH_TO_TROJAN]\f.wry
  • [PATH_TO_TROJAN]\m.wry
  • [PATH_TO_TROJAN]\r.wry
  • [PATH_TO_TROJAN]\t.wry
  • [PATH_TO_TROJAN]\u.wry
  • [PATH_TO_TROJAN]\TaskHost
  • [PATH_TO_TROJAN]\00000000.eky
  • [PATH_TO_TROJAN]\00000000.pky
  • [PATH_TO_TROJAN]\00000000.res
  • %Temp%\0.WCRYT
  • %Temp%\1.WCRYT
  • %Temp%\2.WCRYT
  • %Temp%\3.WCRYT
  • %Temp%\4.WCRYT
  • %Temp%\5.WCRYT
  • %Temp%\hibsys.WCRYT

Note: [PATH_TO_TROJAN] is the path where the Trojan was originally executed.

The Trojan then creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Update Task Scheduler" = ""[PATH_TO_TROJAN]\[TROJAN_EXE_NAME]" /r"
  • HKEY_LOCAL_MACHINE\SOFTWARE\WannaCryptor\"wd" = "[PATH_TO_TROJAN]"

The Trojan also sets the following registry entry:

  • HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%UserProfile%\Desktop\!WannaCryptor!.bmp"

The Trojan creates the following mutexes:

  • Global\WINDOWS_TASKOSHT_MUTEX0
  • Global\WINDOWS_TASKCST_MUTEX

The Trojan then terminates the following processes using taskkill /f /im:

  • sqlwriter.exe
  • sqlserver.exe
  • Microsoft.Exchange.*
  • MSExchange*
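The persistence, mutex and process-kill indicators above can be turned into a host triage check. The Python below is an added example, not Symantec's or Emsisoft's code; it matches a constructed host snapshot (the snapshot format, the sample paths and the sample process names are assumptions) against the registry values, mutex names and kill patterns listed on this page.

```python
import fnmatch

# Host-level indicators taken from the advisory: Run-key persistence with the
# "/r" switch, the WannaCryptor\wd install-path value, the wallpaper swap,
# the two mutexes, and the services it kills before encrypting.
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
WD_KEY = r"hklm\software\wannacryptor"
MUTEXES = {r"Global\WINDOWS_TASKOSHT_MUTEX0", r"Global\WINDOWS_TASKCST_MUTEX"}
KILLED = ["sqlwriter.exe", "sqlserver.exe", "Microsoft.Exchange.*", "MSExchange*"]


def check_snapshot(snapshot):
    """Return indicator hits for a host snapshot of the form
    {"registry": {(key, value_name): data}, "mutexes": [...], "terminated": [...]}.
    Registry keys/value names match case-insensitively; mutexes match exactly."""
    hits = []
    for (key, value), data in snapshot.get("registry", {}).items():
        k = key.lower().replace("hkey_local_machine", "hklm")
        v = value.lower()
        if k == RUN_KEY and v == "microsoft update task scheduler" \
                and data.strip().endswith(" /r"):
            hits.append("run-key persistence: " + data)
        elif k == WD_KEY and v == "wd":
            hits.append("install path (WannaCryptor\\wd): " + data)
        elif k.endswith(r"\control panel\desktop") and v == "wallpaper" \
                and data.lower().endswith("!wannacryptor!.bmp"):
            hits.append("wallpaper replaced: " + data)
    for mutex in snapshot.get("mutexes", []):
        if mutex in MUTEXES:
            hits.append("mutex: " + mutex)
    for image in snapshot.get("terminated", []):  # e.g. from process-exit telemetry
        if any(fnmatch.fnmatchcase(image, pat) for pat in KILLED):
            hits.append("service kill: " + image)
    return hits


def demo():
    """Constructed snapshot (not from a real host) that trips each check once,
    plus benign entries that must not match."""
    snapshot = {
        "registry": {
            (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "Microsoft Update Task Scheduler"): r'"C:\Users\alice\dl\sample.exe" /r',
            (r"HKEY_LOCAL_MACHINE\SOFTWARE\WannaCryptor", "wd"): r"C:\Users\alice\dl",
            (r"HKEY_CURRENT_USER\Control Panel\Desktop", "Wallpaper"):
                r"C:\Users\alice\Desktop\!WannaCryptor!.bmp",
        },
        "mutexes": [r"Global\WINDOWS_TASKCST_MUTEX", r"Global\SomethingElse"],
        "terminated": ["sqlwriter.exe", "MSExchangeIS.exe", "notepad.exe"],
    }
    return check_snapshot(snapshot)
```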

It then searches for and encrypts files with the following extensions:

.123, .3dm, .3ds, .3g2, .3gp, .602, .7z, .ARC, .PAQ, .accdb, .aes, .ai, .asc, .asf, .asm, .asp, .avi, .backup, .bak, .bat, .bmp, .brd, .bz2, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .csv, .db, .dbf, .dch, .der, .dif, .dip, .djvu, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .edb, .eml, .fla, .flv, .frm, .gif, .gpg, .gz, .hwp, .ibd, .iso, .jar, .java, .jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .nef, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott, .p12, .pas, .pdf, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps1, .psd, .pst, .rar, .raw, .rb, .rtf, .sch, .sh, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3, .sqlitedb, .stc, .std, .sti, .stw, .suo, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vcd, .vdi, .vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip

Encrypted files will have .WCRY appended to the end of the file names. The Trojan then deletes the shadow copies of the encrypted files.

The Trojan drops the following files in every folder where files are encrypted:

  • !WannaDecryptor!.exe.lnk
  • !Please Read Me!.txt

The contents of !Please Read Me!.txt are a text version of the ransom note with details of how to pay the ransom. The Trojan downloads Tor and uses it to connect to a server over the Tor network. It then displays a ransom note explaining to the user what has happened and how to pay the ransom.