On Friday, 12 May 2017 the world woke up to a massive Cyber Attack targeting their Windows Operating Systems. Globally on that morning, around 100,000 computers in countries in 100 different countries had been compromised by a ransomware that took their machines hostage.
This malware referred to as WannaCry, Wcry and WannaCrypt0r, was the culprit behind the attacks.
Europol described the attack as unprecedented as multiple organizations in the UK and globally confessed to being compromised. Telefonica, Britain’s National Health Service (NHS), FedEx, Deusche Bahn and LATAM Airlines were among those hardly hit.
Shortly after the attack was discovered, a security researcher found a kill-switch which prevented new infections. It was later reported that new versions that lack the kill-switch were detected.
Figure 1: MalwareTech reveals discovery
Source of Exploit
The malware exploits the MS17-010 exploit to propagate on the network. This exploit is known as the Equation Group’s EternalBlue exploit, part of the FuzzBunch toolkit released by the hacking team Shadow Brokers weeks ago.
The Shadow Brokers hacking team is attributed to the Russian Intelligence and leaked a large cache of weaponized exploits used by the “Equation Group” (attributed to the NSA). One interesting leak was an exploit going by the name EternalBlue which attacks Microsoft’s Windows Operating Systems.
Microsoft went ahead to release a patch to fix this vulnerability, most likely being advised by the NSA to do so after the leak. This patch number was MS17-010 and was released back in March.
This vulnerability would have otherwise allowed remote attackers to gain remote code execution on systems and fully compromise the computer with full administrative level rights (SYSTEM permissions).
WannaCry does not use a sophisticated method for its attack delivery. It initially uses a password protected .zip file containing a document inside. This while opened, downloads a second stage which is an unsigned executable file which contains the delivery method for infection, worm replication and exploitation.
The malicious software beacons out to the following domain to check its online state: hxxp://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
If it is up, it will not execute (this is the kill-switch). This means you can use DNS to redirect to a legitimate site to ensure it stays up. This malicious domain has since been sink holed and is now up and active.
On compromising a victim and after all files are encrypted, victims are presented with a ransom note with the ransom demand and deletion threat as shown below:
Figure 2: Ransom note
In general, the malware arrives through an exploit as depicted in step 1 of the image that follows. The second step involves querying a domain to check whether it is up or not.
This is the kill-switch of the ransomware. If the domain queried is up, the malware does not trigger. At step 3, the malware begins the encryption of files. The ransom note is dropped at stage 4 once all the files are encrypted. Once this is done, the malware then encrypts the shared files.
Figure 3: WannaCrypt0r infection diagram
To spread to other systems, the malware uses the file that was dropped and run as a service. The service name that is used at this point is “Microsoft Security Center (2.0)”.
This service scans for other SMB shares on the network, and uses the EternalBlue vulnerability to spread to other systems.
According to McAfee, a vulnerable machine with Server Message Block (SMB) enabled receives SMB packets containing the shellcode exploit with encrypted payload.
On the vulnerable machine kernel mode, the srv2.sys SMB 2.0 driver is exploited, while at user mode, the Isass.exe process is injected the compromised launcher.dll which contains the ransomware binary at the resource level.
The ransomware process is then launched by the compromised Isass.exe process. The malware behavior between the kernel mode and user mode is shown in the image below:
Figure 4: WannaCrypt0r ransomware behavior
On the same network the malware would scan for all enumerated addresses within its LAN with an open port 445 (the SMB port). On the internet, it would scan for random IP addresses to see if it has an open port 445. If it finds one with an open port, it scans the same /24 IP range. This would allow WannaCry to spread with great effectiveness within an organization once it had compromised a single machine.
The malware targets 176 file extensions and on encrypting, resultant files bear the .WNCRY file extension. The following are the targeted file extensions:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
As of Sunday 14 May 2017, a different variant of the ransomware with a different kill-switch was discovered, redirecting to a different domain which has since been sink holed.
The malware communicates to the following command and control centers
Prevention from Infection
Microsoft has since patched the vulnerability by releasing updates for Windows XP systems, Windows Vista, Windows Server 2008 and Windows Server 2003 that can be downloaded here. Organizations and individuals should however ensure that the following measures are taken into account as a precaution to protect from Ransomware infections:
Note: For computers that cannot be patched, they need to be moved to a separate network where they will least be likely to be infected by the malware.
- Take regular backups of important data: Important data should be stored on offline storage media to safeguard against network attacks such as ransomware attacks. This ensures that important data can be restored without having to worry about paying ransom demands.
- Install and Update Security Solutions: Ensure you are running an up-to-date security solution such as antivirus software and end point security solutions.
- Keep Windows Up-to-Date: Ensure that updates are installed regularly to protect against malware infections. Some updates include critical security updates that are vital for protecting an online presence.
- Creating Awareness: Awareness can be created at the organization by carrying out training to educate employees on the importance of safe Cyber practices, and these have proven to greatly reduce chances of infection.
- Disable Macros: Macros are a common attack vector into a target system and disabling them reduces the scope of infection.
- Penetration Testing: Conducting regular security assessments provide an understanding of an organization’s security posture.
- Contact Enovise: Lets us in to help you keep the bad guys out and protect your critical assets!!!
WannaCrypt0r is just among the first cases of cyber-attacks that are expected to plague the year 2017. For instance, although not ransomwares, WikiLeaks has released information detailing two of CIA’s malware frameworks targeting the Windows Operating System, namely “Assassin” and “AfterMidnight”.
Enovise shall be on the alert to keep you up to date concerning new threats and how to protect yourself from them.
2. Endgame: https://www.endgame.com/blog/dont-wcry-youve-got-endgame
3. NCSC: https://www.ncsc.gov.uk/blog-post/finding-kill-switch-stop-spread-ransomware-0
4. Engadget: https://www.engadget.com/2017/04/14/shadow-brokers-dump-windows-zero-day/
5. Microsoft: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
6. Binary Defense: https://www.binarydefense.com/wannacry-mass-ransomware-worm-campaign/
7. Inc: https://www.inc.com/melissa-thompson/cyber-crime-will-be-worse-in-2017-than-ever-before-says-one-survey.html
Article Credit By : Lester Obbayi, Security Consultant Enovise