On Friday, May 12, 2017, several countries reported that their critical infrastructure had been hit – and in certain cases badly affected – by a new strain of ransomware. As of May 16, 2017, there are still about 50 newly infected entities (unique IPs) per minute, with a total of around 370,000 unique IPs worldwide [1].

This malware, called WannaCry, WannaCrypt or Wcy 2.0, was novel: not only did it embed a ransomware payload to hold the victims’ files hostage, but it also had a worm component that let it spread from system to system at an alarming rate by exploiting CVE-2017-0144, a Windows SMB Remote Code Execution Vulnerability.

[Wana Decrypt0r screenshot]

The unusual number of languages – more than 25 different languages – in which the malware displayed its message indicates that the hackers planned to reach as many machines as possible.

Buried in the code is a kill-switch: the attackers seem to have assumed that the malware could get out of hand, so they included a way to stop its propagation. This is done by attempting to resolve an improbable name; in the event of a successful resolution, the malware does not attempt to replicate to other systems; however, the ransomware function remains active and the user’s files are encrypted.

Technical analysis

As with many other ransomware families, the initial WannaCry attack is delivered through a zip file attached to an email [2]. The unsuspecting user opens the archive and accesses the file within. This executes the initial stage of the infection.

This initial dropper [H1] establishes a connection to the TOR network to retrieve a few files, including a second executable [H2], which is the real malware. Alongside this executable are a password-protected zip file (password: WNcry@2ol7) and an encrypted DLL.

The very first step is to attempt to resolve [D1] ([D2] has been observed too). If a response is received, the malware does not attempt to spread and jumps directly to the encryption part.

To spread to other systems, it gets the IP address associated with each interface and attempts to make a connection to neighbors. Upon success, it uses an exploit, called either ETERNAL BLUE or DOUBLE PULSAR, against vulnerability CVE-2017-0144 to replicate to a vulnerable system.

To avoid infecting an already infected system, a mutex (Global\\MsWinZonesCacheCounterMutexW) is created. If this mutex is present, the malware will immediately exit. Otherwise, it installs some TOR components from [D3] to get its additional pieces, and the process restarts.

After the propagation phase, the malware starts encrypting all “document”-type files. After a file is encrypted, the original file is overwritten with random content to prevent any direct recovery.

Finally, the splash screen “inviting” the user to pay the ransom is displayed. The malware is also installed in the startup items.

Detection

Monitoring for outbound DNS requests for [D1] or [D2] provides a way to detect when a system is in the early stages of the compromise. Additionally, the malware resolves a number of “.onion” names to get its files, which could also point to the presence of an infected host within the network.

Lastly, upon propagation, [D3] is accessed to download the TOR tools, which can also help identify compromised systems by either looking at the DNS requests or at the certificates returned by the servers.
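
The DNS checks described in this section can be run over resolver logs, as in this added example (not part of the original analysis). The log format, the client addresses and the `.onion` name are constructed for illustration; the kill-switch and TOR download domains are the ones listed on this page, kept defanged in the source and refanged only in memory.

```python
from collections import defaultdict

# Indicators as listed on this page, stored defanged.
INDICATORS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com": "kill-switch",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com": "kill-switch",
    "dist.torproject[.]org": "tor-download",
}

def normalize(name):
    """Refang, lowercase and drop the trailing root dot of a DNS name."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")

EXACT = {normalize(d): label for d, label in INDICATORS.items()}

def classify(qname):
    """Return the indicator class for a queried name, or None."""
    q = normalize(qname)
    if q in EXACT:
        return EXACT[q]
    if q.endswith(".onion"):  # any .onion lookup leaking to the resolver
        return "onion"
    return None

def scan(lines):
    """Map client IP -> sorted indicator classes seen in its queries.

    Assumed (hypothetical) format: '<timestamp> <client_ip> <qtype> <qname>'.
    Lines that do not have four fields are skipped.
    """
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        client, qname = parts[1], parts[3]
        label = classify(qname)
        if label:
            hits[client].add(label)
    return {client: sorted(labels) for client, labels in hits.items()}

# Constructed sample log lines, not real traffic.
SAMPLE = [
    "2017-05-12T09:14:02Z 10.0.4.17 A WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.",
    "2017-05-12T09:14:05Z 10.0.4.17 A dist.torproject.org",
    "2017-05-12T09:14:09Z 10.0.4.17 A exampleexampleexam.onion",
    "2017-05-12T09:15:00Z 10.0.4.22 A www.example.com",
    "2017-05-12T09:15:03Z 10.0.7.3 AAAA dist.torproject.org.",
    "truncated line",
]
```

A host that shows only `tor-download` is a weak signal, since legitimate TOR installations contact the same server; a host that shows it together with `kill-switch` or `onion` deserves immediate attention.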

Prevention

The main prevention step is to patch CVE-2017-0144 by applying the relevant update as mentioned in [3]. This will close the vulnerability and prevent the malware from spreading from a compromised host to accessible servers.

Given the extent of the issue, Microsoft also released patches for the (theoretically) deprecated Windows XP, as that OS is still seen in various industries, such as healthcare.

Systems that can’t be patched should be confined to their own network segment, with conservative network filtering applied to limit the network sources to only what business operations need.

Remediation

Currently, except for some cases with Windows XP SP1 and SP2, it is not possible to decrypt the files held hostage.

We recommend against paying the ransom, as A) there is no guarantee that the files will be decrypted after you pay the ransom, and B) this may result in monetary transfers to countries under financial embargo. There is also the possibility that these funds are used to sponsor terrorism.

Kill switch

The kill switch was meant to prevent the malware from getting out of hand, but it was too obvious: as soon as the domain was registered by Malware Tech, the spread slowed. It is likely that future versions will either check that the resolution points to a predetermined record, or that the content downloaded from the site matches a certain value.

It is also a safe bet that at some point, the authors will include a delay between propagation and encryption to lower the chance of being discovered.

Hashes

[H1] SHA256 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

[H2] SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Domains

[D1] www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

[D2] www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

[D3] dist.torproject[.]org