WannaCry Ransomware Attack Analysis

WannaCry is ransomware that took the whole world by surprise on Friday 12 May 2017. It hit victims across many sectors, including health care, law enforcement, telecommunications, government agencies and transport services. The attack is being categorised as one of the most effective ransomware campaigns in recent history. This article covers the incident as reported to date, the underlying mechanism that allowed the malware to spread and exploit multiple systems, a possible origin of the attack, and prevention and detection methods.

What is Ransomware?

Ransomware is a type of malicious software that uses cryptography to encrypt the victim's files and blocks access to the data until a ransom is paid. It displays a message demanding payment to unlock the files; payment is generally demanded in Bitcoin, which is widely perceived as untraceable. In practice the Bitcoin ledger is public, so payments to a known wallet address can be watched by anyone even if the wallet owner cannot easily be identified.

There are three types of ransomware in circulation:

  1. Encrypting ransomware: it uses strong encryption algorithms to make the victim's files unreadable and demands payment for the key that can decrypt them. Examples include CryptoLocker, Locky, CryptoWall and more.
  2. Locker ransomware: it locks the victim out of the operating system, making it impossible to access the desktop and any apps or files. The files are not encrypted in this case, but the attackers still ask for a ransom to unlock the infected computer. Examples include the police-themed ransomware or Winlocker.
  3. Master Boot Record (MBR) ransomware: the MBR is the section of a PC's hard drive that enables the operating system to boot. When MBR ransomware strikes, the boot process cannot complete as usual and a ransom note is displayed on the screen instead. Examples include Satana and Petya.

Impact Analysis :

Early reports indicated that National Health Service (NHS) hospitals in England and Scotland were among the first victims of the attack. Up to 70,000 devices, including computers, MRI scanners, blood-storage refrigerators and theatre equipment, may have been affected. (as of 12 May 2017)

Nissan Motor Manufacturing UK in Tyne and Wear halted production after the ransomware infected some of its systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware. (as of 13 May 2017)

Shortly after that the ransomware spread like wildfire, affecting multiple countries and industries.

List of affected organisations:

As of 15 May 2017, the following organisations were reported as victims of the WannaCry ransomware:


São Paulo Court of Justice (Brazil)

Ministry of Foreign Affairs (Romania)

Vivo (Telefônica Brasil) (Brazil)

MegaFon (Russia)

Lakeridge Health (Canada)

Ministry of Internal Affairs (Russia)

PetroChina (China)

Russian Railways (Russia)

Public Security Bureaus (China)

LATAM Airlines Group (Chile)

Sun Yat-sen University (China)

Banco Bilbao Vizcaya Argentaria (Spain)

Instituto Nacional de Salud (Colombia)

Telefónica (Spain)

Renault (France)

Sandvik (Sweden)

Deutsche Bahn (Germany)

Garena Blade and Soul (Thailand)

Telenor Hungary (Hungary)

National Health Service (England) (United Kingdom)

Andhra Pradesh Police (India)

NHS Scotland (United Kingdom)

Dharmais Hospital (Indonesia)

Nissan UK (United Kingdom)

Harapan Kita Hospital (Indonesia)

FedEx (United States)

University of Milano-Bicocca (Italy)

Massachusetts Institute of Technology (United States)

Portugal Telecom (Portugal)

Saudi Telecom Company (Saudi Arabia)

Automobile Dacia (Romania)

CJ CGV theatre chain (South Korea)

Ransomware Attack Analysis:

The WannaCry ransomware encrypts the victim's data and appends the extension ".WNCRY" to the filenames (earlier samples used ".WCRY"). The attack exploits the critical Microsoft Server Message Block 1.0 (SMBv1) server vulnerability fixed by MS17-010, which lets the malware spread from one unpatched host to the next over TCP port 445 without any user interaction.

WannaCry is believed to use the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA) to attack computers running Microsoft Windows. EternalBlue was released by the Shadow Brokers hacker group on 14 April 2017. Although a patch removing the underlying vulnerability for supported systems (Windows Vista and later) had been issued on 14 March 2017, delays in applying security updates and the lack of Microsoft support for legacy versions of Windows left many users vulnerable. Because of the scale of the attack, Microsoft then took additional steps to deal with the unsupported Windows systems in an effort to contain the spread of the ransomware.

Due to the seriousness of the WannaCry attack, on 13 May 2017 Microsoft took the highly unusual step of also providing a security update for Windows XP, Windows 8 and Windows Server 2003, despite these versions being past their support cycles. Users of those versions can download the patch from the Microsoft Update Catalog. Extended support for Windows Server 2003 had ended on 14 July 2015, almost two years earlier, and extended support for XP ended on 8 April 2014. Windows Vista, Windows 7 and Windows 8.1 were covered by the normal security update in March, though extended support for Windows Vista ended on 11 April 2017.

The malware used in the attacks encrypts the files and also drops and executes a decryption tool (the ransom-note application). A request for $600 in Bitcoin is displayed along with the wallet address. It is interesting that the initial request in this sample is for $600 USD, while the first five payments to that wallet were approximately $300 USD each, which suggests that the group increased its ransom demand. The tool was designed to address users in multiple countries, with messages translated into different languages.

Kill Switch:

Shortly after the attack began, a researcher found an effective kill switch, which prevented many new infections and allowed time to patch systems. This greatly slowed the spread. It was later reported that new variants lacking the kill switch had been detected. Computer security experts also warned of a second wave of the attack due to such variants and the beginning of the new working week.

The kill switch was a domain name hard-coded in the ransomware: before deploying its payload the malware attempts an HTTP connection to that domain and, if the connection succeeds, exits. The domain was unregistered, so the researcher registered it and pointed it at a sinkhole; from then on any new infection that could reach the domain stopped before the dropper deployed the ransomware. One caveat matters for defenders: the malware makes the request directly and ignores the system proxy settings, so hosts that can only reach the internet through a proxy, or that are fully isolated, never see a successful connection and are encrypted regardless of the sinkhole. Shortly after this a second wave appeared with a modified sample from which the domain check was removed. Many researchers are saying that this newer sample is corrupted and may not deploy the ransomware successfully.
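Because the kill-switch check runs before anything is dropped, a DNS lookup for that domain is evidence that the WannaCry sample executed on the querying host, and, given how it arrives, that the host was reachable and unpatched over SMB, whether or not the sinkhole then stopped it. The following added example (not code from the original post) pulls those hosts out of resolver logs. Assumptions: the domain is a placeholder standing in for the one found in your sample, and the log lines are constructed here in a simplified "date time client type qname" layout; adjust the regex to your DNS server's debug or analytic log format.

```powershell
# Added example, not part of the original post.
# Hunt for hosts that resolved the WannaCry kill-switch domain.

$KillSwitchDomain = 'kill-switch-domain.example'   # placeholder, not the real domain

# Constructed sample resolver log (not real traffic), one query per line:
# <date> <time> <client ip> <query type> <query name>
$SampleLog = @'
2017-05-12 11:02:17 10.20.1.15 A www.example.com
2017-05-12 11:02:19 10.20.1.15 A kill-switch-domain.example
2017-05-12 11:02:20 10.20.1.31 A KILL-SWITCH-DOMAIN.EXAMPLE.
2017-05-12 11:03:01 10.20.1.15 A kill-switch-domain.example
2017-05-12 11:04:44 10.20.2.7 A update.example.org
'@ -split "`r?`n"

function Find-KillSwitchLookups {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$Domain
    )
    # Named groups: timestamp, client IPv4 address, query name. Adapt for your log format.
    $pattern = '^(?<ts>\S+\s+\S+)\s+(?<client>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+(?<qname>\S+)$'

    $hits = foreach ($line in $Lines) {
        # DNS names are case-insensitive and may carry a trailing dot in logs.
        if ($line -match $pattern -and $Matches.qname.TrimEnd('.') -ieq $Domain) {
            [pscustomobject]@{ Client = $Matches.client; Timestamp = $Matches.ts }
        }
    }

    # One row per client: the first lookup approximates infection time; repeated
    # lookups usually mean the sample was launched more than once on that host.
    $hits | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            FirstSeen = ($_.Group | Sort-Object Timestamp | Select-Object -First 1).Timestamp
            Lookups   = $_.Count
        }
    } | Sort-Object FirstSeen
}

Find-KillSwitchLookups -Lines $SampleLog -Domain $KillSwitchDomain | Format-Table -AutoSize
```

Every client this reports should be isolated and patched before it is put back on the network: the kill switch only stopped the payload on that run, the exploitable SMBv1 service is still there, and a variant without the domain check will not stop. On a single suspect host, the local resolver cache (Get-DnsClientCache on Windows 8 and later) can be checked for the same name.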

[Screenshot: WannaCry ransom note window with countdown timers]
Note that the "payment will be raised" after a specific countdown, and a second timer raises the urgency further by threatening that the user will lose their files completely after the set time-out. Not all ransomware provides this timer countdown.

To make sure that the user does not miss the warning, the tool changes the user's wallpaper to instructions on how to find the decryption tool dropped by the malware.

[Screenshot: desktop wallpaper set by WannaCry]

For convenient Bitcoin payments, the malware directs the victim to a page with a QR code at btcfrog, which links to their main Bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.

In terms of targeted files, the ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

The file extensions the malware targets fall into several clusters of formats, including:

Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).

Less common and nation-specific office formats (.sxw, .odt, .hwp).

Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)

Emails and email databases (.eml, .msg, .ost, .pst, .edb).

Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).

Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).

Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).

Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).

Virtual machine files (.vmx, .vmdk, .vdi).
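The clusters above are also a useful lens for an exposure audit before an incident: which of a share's contents would have been encrypted, and where is key material sitting as loose files. The following added example (not code from the original post) walks a directory tree and reports files per cluster. Cluster membership follows the extension list on this page (abbreviated here; extend it from the full list), and the path in the usage line is an assumption.

```powershell
# Added example, not part of the original post.
# Audit a volume or share for the file types WannaCry targets, grouped by cluster.

$TargetClusters = [ordered]@{
    'Office documents'         = @('.doc','.docx','.docm','.dot','.xls','.xlsx','.xlsm','.xlt','.ppt','.pptx','.pptm','.pps','.rtf','.pdf','.txt','.csv','.odt','.ods','.odp','.sxw','.sxi','.hwp')
    'Emails and mailboxes'     = @('.eml','.msg','.ost','.pst','.edb')
    'Databases'                = @('.sql','.accdb','.mdb','.dbf','.odb','.myd','.myi','.ibd','.mdf','.ldf','.sqlite3','.sqlitedb')
    'Source code and projects' = @('.php','.java','.cpp','.pas','.asm','.jsp','.asp','.class','.jar','.sln','.suo','.ps1','.bat','.cmd','.vbs')
    'Keys and certificates'    = @('.key','.pfx','.pem','.p12','.csr','.crt','.der','.gpg','.aes')
    'Images and design files'  = @('.vsd','.vsdx','.odg','.raw','.nef','.svg','.psd','.jpg','.jpeg','.png','.gif','.bmp','.tif','.tiff')
    'Archives and backups'     = @('.zip','.rar','.tar','.tgz','.bz2','.bak','.backup','.tbk','.iso','.PAQ','.ARC')
    'Media'                    = @('.mp3','.wav','.mp4','.mkv','.avi','.mov','.wmv','.flv','.mpg','.mpeg')
    'Virtual machines'         = @('.vmx','.vmdk','.vdi')
}

function Get-RansomwareExposure {
    param([Parameter(Mandatory)][string]$Path)

    # Invert the cluster table into extension -> cluster for constant-time lookups.
    # PowerShell hashtable keys are case-insensitive, so '.PAQ' and '.paq' both match.
    $clusterOf = @{}
    foreach ($cluster in $TargetClusters.Keys) {
        foreach ($ext in $TargetClusters[$cluster]) { $clusterOf[$ext] = $cluster }
    }

    $totals = @{}
    foreach ($cluster in $TargetClusters.Keys) {
        $totals[$cluster] = [pscustomobject]@{ Cluster = $cluster; Files = 0; SizeMB = 0.0; Example = $null }
    }

    # -Force includes hidden files; unreadable or locked entries are skipped rather than aborting the sweep.
    foreach ($file in Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue) {
        $cluster = $clusterOf[$file.Extension]
        if (-not $cluster) { continue }      # not a targeted extension
        $row = $totals[$cluster]
        $row.Files++
        $row.SizeMB += $file.Length / 1MB
        if (-not $row.Example) { $row.Example = $file.FullName }
    }

    $totals.Values | Where-Object Files -gt 0 | Sort-Object Files -Descending |
        Select-Object Cluster, Files, @{ n = 'SizeMB'; e = { [math]::Round($_.SizeMB, 1) } }, Example
}

# Usage (path is an assumption): point it at a file share or a user profile root.
# Get-RansomwareExposure -Path '\\fileserver\departments' | Format-Table -AutoSize
```

Any hits in the "Keys and certificates" row deserve attention on their own: private keys and PKCS#12 bundles lying on a share are lost along with everything else when the share is encrypted, and the backups that would restore them are often on the same share.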

The WannaCry dropper drops multiple "user manuals" (ransom notes) in different languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese

An example of a "user manual" in English:

[Screenshot: English "user manual" (ransom note text)]

Vulnerability Information and Detection:

Multiple Windows SMB Remote Code Execution Vulnerabilities:

Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.

To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

[Table: CVE entries for the MS17-010 vulnerabilities (image not reproduced)]

MS17-010 SMB RCE Detection Using "Metasploit":

It is advised that any cyber security researcher or pentester scan for this vulnerability with Metasploit during an internal (client-side) network penetration test.

This module uses an information disclosure to determine whether MS17-010 has been patched. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is STATUS_INSUFF_SERVER_RESOURCES, the machine does not have the MS17-010 patch. If the patch is missing, the module also checks for an existing DoublePulsar (ring 0 shellcode/malware) infection. The module does not require valid SMB credentials in default server configurations: it can log on as the user "\" and connect to IPC$. Because it only inspects a status code and never sends the corrupting packets, it is safe to run against production hosts, unlike the exploit modules.

Module Name

auxiliary/scanner/smb/smb_ms17_010

Module Options

To display the available options, load the module in the Metasploit console and run 'show options' or 'show advanced':

[Screenshot: output of 'show options' for auxiliary/scanner/smb/smb_ms17_010]

If you want to ensure your patching efforts have been truly effective, or to understand the impact of exploitation, you can test your exposure with several Metasploit modules. The table maps each leaked exploit name to the Microsoft bulletin it targets and the module that checks or exploits it:

Exploit name | Bulletin | Metasploit module
EternalBlue | MS17-010 | auxiliary/scanner/smb/smb_ms17_010
EmeraldThread | MS10-061 | exploit/windows/smb/psexec
EternalChampion | MS17-010 | auxiliary/scanner/smb/smb_ms17_010
EskimoRoll | MS14-068 / CVE-2014-6324 | auxiliary/admin/kerberos/ms14_068_kerberos_checksum
EternalRomance | MS17-010 | auxiliary/scanner/smb/smb_ms17_010
EducatedScholar | MS09-050 | auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh, auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff, exploit/windows/smb/ms09_050_smb2_negotiate_func_index
EternalSynergy | MS17-010 | auxiliary/scanner/smb/smb_ms17_010
EclipsedWing | MS08-067 | auxiliary/scanner/smb/ms08_067_check, exploit/windows/smb/ms08_067_netapi

For in-depth information about this module and the reverse engineering behind the DoublePulsar check, see:

https://zerosum0x0.blogspot.in/2017/04/doublepulsar-initial-smb-backdoor-ring.html

Ransomware Origin:

The encryption component used by the WannaCry ransomware surfaced earlier. This can be inferred because a few antivirus engines had detected the hash of this ransomware before. According to my analysis on Virustotal.com, Baidu and CrowdStrike Falcon (ML) have detected this ransomware with their old hash databases.

Example:

SHA256:

4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982

[Screenshot: VirusTotal results for the sample]

Baidu detected the ransomware using a hash database dated 3 May 2017.

CrowdStrike Falcon (ML) detected the ransomware using a hash database dated 30 January 2017.

These results can be confirmed with other hashes as well; a few of them are detected by these hash databases.

By looking at this data we can speculate that a trial run was carried out by the attackers earlier. Most likely it was detected by Baidu, as their database is the closest to the actual attack time frame. This can also be interpreted as a very high possibility that the attackers are from China, but a clearer picture can only be formed after looking at all the data from that initial test attack. Until then we have no idea of the origin and intent of the attackers.

The malicious hashes (MD5) for the WannaCry ransomware are as follows:

5bef35496fcbdbe841c82f4d1ab8b7c2

775a0631fb8229b2aa3d7621427085ad

7bf2b57f2a205768755c07f238fb32cc

7f7ccaa16fb15eb1c7399d422f8363e8

8495400f199ac77853c53b5a3f278f3e

84c82835a5d21bbcf75a61706d8ab549

86721e64ffbd69aa6944b9672bcabb6d

8dd63adb68ef053e044a5a2f46e0d2cd

b0ad5902366f860f85b892867e5b1e87

d6114ba5f10ad67a4131ab72531f02da

db349b97c37d22f5ea1d1841e3c89eb4

e372d07207b4da75b3434584cd9f3450

f529f4556a5126bba499c26d67892240
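The hashes above are only useful if something actually compares them against disk. The following added example (not code from the original post) sweeps a directory tree for the two indicators this page gives: known MD5s and the appended extension on encrypted files. Assumptions: WannaCry's components are PE files, so only .exe and .dll files are hashed to keep the sweep fast; the path in the usage line stands in for a suspect volume or a mounted disk image. Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example, not part of the original post.
# Sweep a directory tree for WannaCry indicators: known MD5s and encrypted files.

$WannaCryMd5 = @(
    '5bef35496fcbdbe841c82f4d1ab8b7c2', '775a0631fb8229b2aa3d7621427085ad',
    '7bf2b57f2a205768755c07f238fb32cc', '7f7ccaa16fb15eb1c7399d422f8363e8',
    '8495400f199ac77853c53b5a3f278f3e', '84c82835a5d21bbcf75a61706d8ab549',
    '86721e64ffbd69aa6944b9672bcabb6d', '8dd63adb68ef053e044a5a2f46e0d2cd',
    'b0ad5902366f860f85b892867e5b1e87', 'd6114ba5f10ad67a4131ab72531f02da',
    'db349b97c37d22f5ea1d1841e3c89eb4', 'e372d07207b4da75b3434584cd9f3450',
    'f529f4556a5126bba499c26d67892240'
)

function Find-WannaCryArtifacts {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$KnownMd5 = $WannaCryMd5
    )
    # Case-insensitive set: Get-FileHash returns upper-case hex, the IOC list is lower-case.
    $iocs = New-Object 'System.Collections.Generic.HashSet[string]' ([StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $KnownMd5) { [void]$iocs.Add($h) }

    $hits = New-Object 'System.Collections.Generic.List[object]'

    # 1. Hash candidate PE files (assumption: .exe/.dll only) and compare with the IOC set.
    $peFiles = Get-ChildItem -Path $Path -Recurse -File -Force -Include *.exe,*.dll -ErrorAction SilentlyContinue
    foreach ($file in $peFiles) {
        $hash = Get-FileHash -Path $file.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
        if ($hash -and $iocs.Contains($hash.Hash)) {
            $hits.Add([pscustomobject]@{ Indicator = 'KnownHash'; Path = $file.FullName; Detail = $hash.Hash.ToLower() })
        }
    }

    # 2. Encrypted files: WannaCry appends .WNCRY (earlier samples used .WCRY).
    #    LastWriteTime on these files gives the encryption time for the incident timeline.
    $encrypted = Get-ChildItem -Path $Path -Recurse -File -Force -Include *.WNCRY,*.WCRY -ErrorAction SilentlyContinue
    foreach ($file in $encrypted) {
        $hits.Add([pscustomobject]@{ Indicator = 'EncryptedFile'; Path = $file.FullName; Detail = $file.LastWriteTime })
    }

    return $hits
}

# Usage (path is an assumption): run elevated so hidden and system locations are readable.
# Find-WannaCryArtifacts -Path 'D:\' | Format-Table -AutoSize
```

The hash match only catches the thirteen samples listed; the kill-switch-less variants and any repacked copies have different hashes, so treat the encrypted-file indicator and the kill-switch lookups as the primary signals and the hash list as confirmation.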

Prevention Methods:

  1. Apply the Windows update for MS17-010 (including the out-of-band update for Windows XP, Windows 8 and Windows Server 2003).
  2. Disable the outdated SMBv1 protocol.
  3. Add a rule on your router or firewall to block incoming SMB traffic on TCP port 445.
  4. Enable Windows Defender Antivirus to detect this ransomware. (It identifies the ransomware as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update.)
  5. Use Office 365 Advanced Threat Protection, which can block dangerous email threats, such as emails carrying ransomware, using its machine-learning capability.
  6. Use free antivirus products such as 360 Total Security by Qihoo, Bitdefender, Avira etc.
  7. Monitor your network with Windows Defender Advanced Threat Protection.
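Steps 1 to 3 above can be applied and verified from an elevated PowerShell session. The following added example (not code from the original post) does that on Windows 8 / Server 2012 and later, where the Smb and NetSecurity cmdlets exist. The KB numbers are a subset of those in the MS17-010 bulletin for common OS versions (assumption: add the entries for the builds in your estate), and the firewall rule is scoped to the Public profile on the assumption that file sharing is still needed on the Domain profile.

```powershell
# Added example, not part of the original post.
# Verify MS17-010, disable SMBv1 and block inbound SMB on a Windows host.
#Requires -RunAsAdministrator

# 1. Check whether one of the MS17-010 updates is installed.
#    Caveat: a later cumulative update supersedes these KBs, so on Windows 10 or on a
#    host patched later Get-HotFix may list none of them although the host is fixed.
#    Treat "not found" as "verify with a network check", not as "vulnerable".
$Ms17010Kbs = @(
    'KB4012598',   # Windows XP / Windows 8 / Server 2003 (out-of-band, May 2017)
    'KB4012212',   # Windows 7 / Server 2008 R2 security-only update
    'KB4012215',   # Windows 7 / Server 2008 R2 monthly rollup
    'KB4012213',   # Windows 8.1 / Server 2012 R2 security-only update
    'KB4012216',   # Windows 8.1 / Server 2012 R2 monthly rollup
    'KB4013429'    # Windows 10 1607 / Server 2016 cumulative update
)

function Test-Ms17010Hotfix {
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) {
        Write-Host "MS17-010 update present: $($installed.HotFixID -join ', ')"
        return $true
    }
    Write-Warning 'No MS17-010 KB found. Confirm with a newer cumulative update or a network scan (e.g. the Metasploit smb_ms17_010 module).'
    return $false
}

# 2. Turn SMBv1 off on the server side and remove the component so the client side
#    cannot use it either (the feature removal needs a reboot to take effect).
function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
}

# 3. Block inbound SMB (TCP 445, plus 139 for NetBIOS session service) on the Public
#    profile. Widen to Private/Domain on hosts that do not serve files at all.
function Block-InboundSmb {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry)' `
        -Direction Inbound -Protocol TCP -LocalPort 445,139 `
        -Action Block -Profile Public -Enabled True | Out-Null
    Get-NetFirewallRule -DisplayName 'Block inbound SMB (WannaCry)' |
        Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
}

Test-Ms17010Hotfix
Disable-Smb1
Block-InboundSmb
```

The host-level firewall rule does not replace the perimeter rule in step 3: WannaCry spread inside networks from host to host, so the internal SMB exposure of unpatched machines is what the scanner module in the detection section should be pointed at after these changes.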