Tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus, the group that was responsible for the destructive attacks on Sony Pictures and the theft of US$81 million from the Bangladesh Central Bank. Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign. Our analysis only allows us to attribute these attacks to the Lazarus group. The technical details do not enable us to attribute the motivations of the attacks to a specific nation state or individuals.

Prior to the global outbreak on May 12, an earlier version of WannaCry (Ransom.Wannacry) was used in a small number of targeted attacks in February, March, and April. This earlier version was almost identical to the version used in May 2017, with the only difference the method of propagation. Analysis of these early WannaCry attacks by Symantec’s Security Response team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry. These earlier versions of WannaCry used stolen credentials to spread across infected networks, rather than leveraging the leaked Eternal Blue exploit that caused WannaCry to spread quickly across the globe starting on May 12.

Summary of links

Following the first WannaCry attack in February, three pieces of malware linked to Lazarus were discovered on the victim’s network: Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks.

Trojan.Alphanc, which was used to spread WannaCry in the March and April attacks, is a modified version of Backdoor.Duuzer, which has previously been linked to Lazarus.

Trojan.Bravonc used the same IP addresses for command and control as Backdoor.Duuzer and Backdoor.Destover, both of which have been linked to Lazarus.

Backdoor.Bravonc has similar code obfuscation as WannaCry and Infostealer.Fakepude (which has been linked to Lazarus).

There is shared code between WannaCry and Backdoor.Contopee, which has previously been linked to Lazarus.

February attack

The first evidence Symantec has seen of WannaCry being used in the wild was February 10, 2017, when a single organization was compromised. Within two minutes of the initial infection, more than 100 computers in the organization were infected.

The attackers left behind several tools on the victim’s network that provided substantial evidence into how WannaCry spread. Two files, mks.exe and hptasks.exe (see Appendix C: Indicators of Compromise), were found on one affected computer. The file mks.exe is a variant of Mimikatz (Hacktool.Mimikatz), a password-dumping tool that is widely used in targeted attacks. The latter file, hptasks.exe, was used to then copy and execute WannaCry on other network computers using the passwords stolen by mks.exe.

The spread of WannaCry by hptasks.exe was a two-stage process. In stage one, when run, hptasks can be passed a target list of IP addresses as an argument. When given this command, hptasks reads previously stolen credentials from a file called cg.wry and uses them to connect to every computer in the set of IP address ranges. All connection attempts are logged into the log.dat file. If a successful connection is made to a remote computer, and there is no file with a .res extension in either the Admin$, or C$\Windows folders, then hptasks.exe will copy the files listed in Table 2 onto the remote computer.

File name Remote locations Type cg.wry \\%s\Admin$\, \\%s\C$\Windows\ where %s the remote system Configuration details r2.wry \\%s\Admin$\, \\%s\C$\Windows\ where %s the remote system Message to the user with instructions on how to pay t1.wry \\%s\Admin$\, \\%s\C$\Windows\ where %s the remote system Message to the user, for example "Most of your files are encrypted..." taskmsgr.exe \\%s\Admin$\, \\%s\C$\Windows\ where %s the remote system Application for displaying the messages in t1.wry and t2.wry taskschs.exe \\%s\Admin$\, \\%s\C$\Windows\ where %s the remote system WannaCry encryption application

Table 1. Files copied by hptasks.exe onto target computers

After hptasks.exe executes WannaCry on the remote computer, the second stage begins. hptasks can pass several arguments to the WannaCry installation on the remote computer, including a new set of IP addresses. If WannaCry is run with these IP addresses as arguments, it does not encrypt the files on the local computer. Instead, it connects to the IP addresses passed, accesses the Admin$ and C$ share on those computers using the credentials embedded in the resource section in a file called c.wry, and then remotely encrypts those files.

In addition to hptasks.exe and mks.exe, five other pieces of malware were discovered on a second computer on the victim’s network. Three of these tools are linked to Lazarus. Two were variants of Destover (Backdoor.Destover) a tool used in the Sony Pictures attacks. The third was Trojan.Volgmer, malware that has previously been used by Lazarus in attacks against South Korean targets.

March and April attacks

Beginning on March 27, at least five organizations were infected with a new sample of WannaCry. There does not appear to have been a pattern to those targeted, with the organizations spanning a range of sectors and geographies. These attacks revealed further evidence of links between those behind WannaCry and the Lazarus Group.

Two different backdoors were used to deploy WannaCry in these attacks: Trojan.Alphanc and Trojan.Bravonc. Alphanc was used to drop WannaCry onto computers belonging to at least two of the known victims, with a slightly modified version of the malware deployed to each victim.

Alphanc shares a significant amount of code with Backdoor.Duuzer, a sub-family of the Destover wiping tool used in the Sony attacks (see Appendix B: Shared Code). In fact, Symantec investigators believe Alphanc is an evolution of Duuzer. Duuzer has also previously been linked to the activity of Backdoor.Joanap and Trojan.Volgmer, which have both been previously linked to Lazarus.

Symantec researchers were able to establish a detailed timeline of the activity of Alphanc on one of the victim’s systems, from the time it got on the system to when WannaCry was deployed.

Timeline of Alphanc activity

Alphanc was deployed on the target computer as armsvc.exe and minutes later copied itself to a new name, javaupdate.exe. The sample executed from this location:

cmd.exe /c "copy c:\Users\Administrator\AppData\armsvc.exe c:\windows\system32\javaupdate.exe > C:\Users\REDACTED\AppData\Local\Temp\NK15DA.tmp" 2>&1

Minutes later, mks.exe, the same credential dumper used in the February WannaCry attacks, was created and executed. There was no activity for three days, until the attackers returned and deployed a version of RAR and created a password-protected archive. Moments later a network scanner called g.exe ran. This performed a DNS lookup for all IP addresses in the IP address range selected by the attackers, probably to determine computers of interest. A two-day gap in activity followed before the attackers returned to profile the local network. Examples of commands used include:

cmd.exe /c "net view > C:\Users\REDACTED\AppData\Local\Temp\NK2301.tmp" 2>&1

cmd.exe /c "net view /domain > C:\Users\REDACTED\AppData\Local\Temp\NK6C42.tmp" 2>&1

cmd.exe /c "time /t > C:\Users\REDACTED\AppData\Local\Temp\NKC74F.tmp" 2>&1

Then, the file taskhcst.exec was created by javaupdate.exe. This was the WannaCry ransomware. The .exec extension is renamed to .exe, as illustrated blow. This was likely a safety check so that the attacker would not mistakenly execute the file prematurely.

cmd.exe /c "ren C:\Windows\taskhcst.exec taskhcst.exe > C:\Users\REDACTED\AppData\Local\Temp\NK833D.tmp" 2>&1

Approximately 45 minutes later, the attacker copied the javaupdate.exe backdoor to a remote computer. A file called bcremote.exe was then also copied to this computer; this was the same tool that was called hptasks.exe in the February attack, and was used to spread WannaCry across the network. The configuration file for this file was then copied, and finally WannaCry itself was copied over:

cmd.exe /c "net use \\REDACTED\ipc$ REDACTED /u:REDACTED > C:\Users\REDACTED\AppData\Local\Temp\NK2E.tmp" 2>&1

cmd.exe /c "copy c:\windows\system32\javaupdate.exe \\REDACTED\c$\windows\javaupdate.exe > C:\Users\REDACTEDAppData\Local\Temp\NK3E49.tmp" 2>&1

cmd.exe /c "copy c:\windows\beremote.exe \\REDACTED\c$\windows\ > C:\Users\REDACTED\AppData\Local\Temp\NK4DD5.tmp" 2>&1

cmd.exe /c "copy c:\windows\c.wry \\REDACTED\c$\windows\ > C:\Users\REDACTED\AppData\Local\Temp\NK7228.tmp" 2>&1

cmd.exe /c "copy c:\windows\taskh*.exe \\REDACTED\c$\windows\ > C:\Users\REDACTED\AppData\Local\Temp\NK7DCF.tmp" 2>&1

The same process took place on a second server on the network, and when the bcremote.exe command was executed, WannaCry was spread across the network.

Trojan.Bravonc

Fewer details are available about the operation of Trojan.Bravonc, but it was used to drop WannaCry onto the computers of at least two other victims, and displays some fairly definitive links to the Lazarus group.

It connects to a command and control (C&C) server at the IP address 87.101.243.252, which is the same IP address used by a sample of Destover, a known Lazarus tool. This IP address was also referenced in Blue Coat’s From Seoul To Sony report.

Duuzer has also been observed using this IP address as a C&C server. Bravonc and a variant of Destover also share cryptographic related code (See Appendix B: Shared Code). In addition, Bravonc’s method of spreading (over SMB using hardcoded credentials), was the same technique used by Joanap, another Lazarus-linked tool.

May attacks: WannaCry goes global

On May 12, a new version of WannaCry was released which incorporated the leaked “EternalBlue” exploit that used two known vulnerabilities in Windows (CVE-2017-0144 and CVE-2017-0145) to spread the ransomware to unpatched computers on the victim’s network and also to other vulnerable computers connected to the internet.

The incorporation of EternalBlue transformed WannaCry from a dangerous threat that could only be used in a limited number of targeted attacks to one of the most virulent strains of malware seen in recent years. It caused widespread disruption, both to organizations infected and to organizations forced to take computers offline for software updates. The discovery and triggering of a kill switch by security blog MalwareTech halted its spread and limited the damage.

The earlier versions of WannaCry and the one used in the May 12 attacks are largely the same, with some minor changes, chiefly the incorporation of the EternalBlue exploit. The passwords used to encrypt the Zip files embedded in the WannaCry dropper are similar across both versions ("wcry@123", "wcry@2016", and "WNcry@2ol7") indicating that the author of both versions is likely the same group.

The small number of Bitcoin wallets used by first version of WannaCry, and its limited spread, indicates that this was not a tool that was shared across cyber crime groups. This provides further evidence that both versions of WannaCry were operated by a single group.

WannaCry links to Lazarus

Aside from commonalities in the tools used to spread WannaCry, there are also a number of links between WannaCry itself and Lazarus. The ransomware shares some code with Backdoor.Contopee, malware that has previously been linked to Lazarus. One variant of Contopee uses a custom SSL implementation, with an identical cipher suite, which is also used by WannaCry. The cipher suite in both samples has the same set of 75 different ciphers to choose from (as opposed to OpenSSL where there are over 300).

In addition, WannaCry uses similar code obfuscation to Infostealer.Fakepude, malware that has previously been linked to Lazarus; and Trojan.Alphanc, malware that was used to spread WannaCry in the March and April attacks and which has been linked to Lazarus (see above).

Fortuitous leak turned WannaCry into global threat

The discovery of a small number of earlier WannaCry attacks has provided compelling evidence of a link to the Lazarus group. These earlier attacks involved significant use of tools, code, and infrastructures previously associated with the Lazarus group, while the means of propagation through backdoors and stolen credentials is consistent with earlier Lazarus attacks. The leak of the EternalBlue exploit was what allowed the attackers to turn WannaCry into a far more potent threat than it would have been had they still been relying on their own tools, since it bypassed many of the steps the attackers previously had to take, removing both the need to steal credentials and copy it from computer to computer.

Thanks to Symantec’s Network Protection Research Labs for their contribution to this research.

Appendix A: WannaCry and Lazarus shared network infrastructure

There are a number of crossovers seen in the C&C servers used in the WannaCry campaigns and by other known Lazarus tools. For example, during the attacks against Sony, a malware family called Backdoor.Destover was deployed. Later variants of Backdoor.Destover were seen to use the IP address 87.101.243.252 for command and control. The Trojan.Bravonc sample discovered dropping WannaCry also connects to this IP address. Other shared network infrastructure is listed below:

C&C Used by Comments 87.101.243.252 Trojan.Bravonc, Backdoor.Duuzer Backdoor.Destover 84.92.36.96 Trojan.Alphanc Also used by a backdoor program which shares an additional C&C with Lazarus-linked Backdoor.Cuprox 184.74.243.67 Trojan.Alphanc Also seen used by entaskloader.exe which drops a network scanning tool used in March attacks 203.69.210.247 Trojan.Alphanc 196.45.177.52 Backdoor.Cuprox Also seen used by a backdoor program dropped by a document called “discussion_QuadrigaCX.doc”

Table 2. Infrastructure shared by WannaCry and other Lazarus tools

Appendix B: Shared Code

Shared network code between Trojan.Alphanc and Backdoor.Duuzer

Trojan.Alphanc and Backdoor.Duuzer use similar code to generate the buffer being sent out after connection to the C&C server is established. This code is part of what could be referred to as a "Fake SSL" handshake. This is similar in concept to the code identified by Google, but different in implementation. Both samples generate a random number, and use that number to lookup a table for additional data to send. That table is identical across both samples. In addition, both samples will prepend the same value, 0x16030100, to the start of the buffer sent to the C&C server.

Figure 1. Backdoor.Duuzer sample with the hash fa6ee9e969df5ca4524daa77c172a1a7

Figure 2. Backdoor Alphanc sample with the hash E8C6ACC1EB7256DB728C0F3FED5D23D7

Common strings between Trojan.Alphanc and Backdoor.Duuzer

The following table demonstrates the common strings between Trojan.Alphanc and Backdoor.Duuzer.



Figure 3. Common strings between Trojan.Alphanc and Backdoor.Duuzer

Cryptographic number related routines between Backdoor.Bravonc and Backdoor.Destover



Figure 4. Trojan.Bravonc sample with the hash 55dd9b0af2a263d215cb4fd48f16231a

Figure 5. Destover variant with the hash 0f246a13178841f8b324ca54696f592b

Shared function identified by Neel Mehta

On May 15, Google researcher Neel Mehta tweeted the following:

The first hash, 9c7c7149387a1c79679a87dd1ba755bc, is a Ransom.WannaCry variant and ac21c8ad899727137c4b94458d7aa8d8 is a variant of Backdoor.Contopee, a backdoor used in attacks against several banks. The samples referenced in the tweet contain shared code. This shared code is part of a custom SSL implementation, using an identical cipher suite. It could be described as "fake ssl". Each cipher specifies an option for key exchange, authentication, bulk encryption, MAC. The Contopee sample and WannaCry sample have almost identical pieces of code that reference an identical cipher suite. The cipher suite in both samples has the same 75 different ciphers to choose from (as opposed to OpenSSL where there are over 300).

Appendix C: Indicators of Compromise

MD5 SHA256 File name 21307227ECE129B1E12797ECC2C9B6D9 8A4D2BAA8CF519C7A9B91F414A0A9D8BA2B9E96D21D9E77DA7B34ED849830A36 mks.exe 6F0338AF379659A5155B3D2A4F1A1E92 CA8DC152DC93EC526E505CF2A173A635562FFBF55507E3980F7DC6D508F0F258 hptasks.exe 0489978ffa3b864ede646d0470500336 2A99BCB5D21588E0A43F56AADA4E2F386791E0F757126B2773D943D7CBF47195 ENTASKLOADER.EXE. Creates forti.exe a1ffca7ba257b4eca7fe7d1e78bac623 3C86FC0A93299A0D0843C7D7FF1A137A9E799F8F2858D3D30F964E3C12C28C9E forti.exe f27cf59b00dacdd266ad7894a1df0894 92b0f4517fb22535d262a7f17d19f7c21820a011bfe1f72a2ec9fbffbdc7e3e0 javaupdate.exe, creates g.exe a1ffca7ba257b4eca7fe7d1e78bac623 3C86FC0A93299A0D0843C7D7FF1A137A9E799F8F2858D3D30F964E3C12C28C9E g.exe 511778c279b76cac40d5d695c56db4f5 91146EE63782A2061701DB3229320C161352EE2BC4059CCC3123A33114774D66 svchost.exe, Creates lsasvs.exe f774c0588da59a944abc78d5910be407 A7EA1852D7E73EF91EFB5EC9E26B4C482CA642D7BC2BDB6F36AB72B2691BA05A lsasvs.exe, Creates 50793105.exe 8386379a88a7c9893a62a67ea3073742 7F8166589023CD62AE55A59F5FCA60705090D17562B7F526359A3753EB74EA2F 50793105.exe, Creates taskhcst.exe 3bc855bfadfea71a445080ba72b26c1c 043E0D0D8B8CDA56851F5B853F244F677BD1FD50F869075EF7BA1110771F70C2 taskhcst.exe, WannaCry F27CF59B00DACDD266AD7894A1DF0894 92B0F4517FB22535D262A7F17D19F7C21820A011BFE1F72A2EC9FBFFBDC7E3E0 armsvc.exe, javaupdate.exe E8C6ACC1EB7256DB728C0F3FED5D23D7 524F8F0F8C31A89DF46A77C7A30AF5D2A1DC7525B08BFAFBED98748C3D8A3F1C jusched.exe 1D4EC831292B611F1FF8983EBD1DB5D4 41E9D6C3374FD0E78853E945B567F9309446084E05FD013805C70A6A8205CD70 msinj32.exe D0CE651A344979C8CD11B8019F8E4D7E 436195BD6786BAAE8980BDFED1D7D7DBCCCB7D5085E79EBDCC43E22D8BAE08A8 goyqsvc.dll 9A5FA5C5F3915B2297A1C379BE9979F0 9F177A6FB4EA5AF876EF8A0BF954E37544917D9AABA04680A29303F24CA5C72C exldcmgmt.dll 86759CE27D0FE0B203AAA19D4390A416 AE8E9FF2DC0EC82B6BAE7C4D978E3FEAC93353CB3CD903E15873D31E30749150 oledbg32.dll FCF3702E52AE32C995A36F7516C662B7 FC079CEFA19378A0F186E3E3BF90BDEA19AB717B61A88BF20A70D357BF1DB6B8 bitssvcs.dll e117406e3c14ab8e98b27c3697aea0b6 2BA20E39FF90E36086044D02329D43A8F7AE6A7663EB1198B91A95EA556CF563 00bebc12.exe

For additional information from Symantec regarding the WannaCry virus, visit our dedicated WannaCry Ransomware page.