WannaCry/WannaCrypt Ransomware Summary

Published: 2017-05-15
Last Updated: 2017-05-15 22:30:53 UTC
by Johannes Ullrich (Version: 4)
4 comment(s)

Update: New Kill Switch Confirmed

kill switch: ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com

 

Sources:

https://virustotal.com/en/file/b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06/analysis/

https://www.hybrid-analysis.com/sample/b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06?environmentId=100


Update: 

After a consensus among the handlers we are moving infocon back to green. We will continue to monitor and update this situation as it evolves. Please keep the reports and observations flowing in! We will leave the diaries on WannaCry up for another few hours, then move back to regular posts.

If you have not seen it, Dr J put together an excellent presentation (https://isc.sans.edu/presentations/WannaCry.ppt) summarizing this situation, and we have a Slack DShield channel (Slack) that you can join for the real-time chatter.

@packetalien "Handler on Duty"


 

The ransomware was first noticed on Friday and spread very quickly through many large organizations worldwide [verge]. Unlike prior ransomware, this sample used the SMBv1 “ETERNALBLUE” exploit to spread. “ETERNALBLUE” became public about a month ago, when it was published as part of the Shadow Brokers archive of NSA hacking tools [shadow].

A month prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March Patch Tuesday release. The patch was released for Windows Vista, Windows Server 2008 and later versions of Windows as part of MS17-010 in March [MS17-010]. In response to the rapid spread of WannaCry, on Friday Microsoft released a patch for older versions of Windows, going back to Windows XP and Windows Server 2003 [msft].

At the time of the initial WannaCry outbreak, we also noticed a significant increase in scanning for port 445 [port445], most likely caused by infected systems scanning for more victims. It is not clear how the infection started. There are some reports of e-mails with the malware as an attachment seeding infected networks, but at this point no actual samples have been made public. It is possible that the worm entered corporate networks via vulnerable hosts that had port 445 exposed to the internet. The WannaCry malware itself does not have an e-mail component.

The malware will first check if it can reach a specific website at http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

It will also check whether a specific registry key is present. It will not run if either the registry key is present or the website is reachable. The domain has been registered and a web server set up by a security researcher, which significantly reduced the impact of WannaCry. Over the weekend, reports indicated that new versions of the worm were spreading that use slightly different “kill switches”, but all current versions check a website and check for registry keys. Rendition Infosec released a "Tearst0pper" tool that sets the registry entries, which will also reduce the risk of infection [tearst0pper].

The malware creates a 2048-bit RSA key pair on the infected system. The private key is encrypted using a public key that is included with the malware. For each file, a new random AES key is generated; this AES key is then encrypted using the user's public RSA key. To decrypt the files, the user's private key must first be decrypted, which requires the malware author's private key. Unlike some other ransomware, no network communication is needed to generate these keys [pastebin]. The password “WNcry@2ol7” is not used to encrypt files; it is only used by the malware to decrypt some of its own components [endgame].
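
The key hierarchy in the paragraph above, as an added Go example (not code from the diary or from the malware): an author key pair whose public half ships with the sample, a fresh 2048-bit victim pair whose private half is wrapped under the author's public key, and a random AES key per file wrapped under the victim's public key. The page does not name the RSA padding, the AES mode, or how a private key larger than one RSA block is wrapped; this example's choices of RSA-OAEP with SHA-256, AES-128-GCM and 190-byte chunking are assumptions, as are the file name and contents in samplePlaintext. demo also tries an unrelated private key to show that the victim key, and with it every file, stays locked without the author's key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// samplePlaintext is constructed sample data standing in for a victim's file.
const samplePlaintext = "Q3-budget.xlsx: constructed sample contents"
const oaepLimit = 190 // largest RSA-OAEP/SHA-256 message under a 2048-bit key
// encryptedFile is what lands on disk per file: wrapped AES key, GCM nonce, ciphertext.
type encryptedFile struct{ wrappedKey, nonce, ciphertext []byte }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func aeadFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // a 16-byte key cannot fail here
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// infect models the victim side: a fresh 2048-bit RSA pair is generated, its private half
// is wrapped under the author's public key in 190-byte RSA-OAEP chunks, and the plaintext
// private key is dropped. Only victimPub and wrappedPriv remain on the host. Chunking is
// this example's simplification; the page does not say how the original fits the key blob.
func infect(authorPub *rsa.PublicKey) (victimPub *rsa.PublicKey, wrappedPriv [][]byte) {
	victim, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	der := x509.MarshalPKCS1PrivateKey(victim) // about 1.2 KB, i.e. several RSA blocks
	for start := 0; start < len(der); start += oaepLimit {
		end := start + oaepLimit
		if end > len(der) {
			end = len(der)
		}
		c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, authorPub, der[start:end], nil)
		must(err)
		wrappedPriv = append(wrappedPriv, c)
	}
	return &victim.PublicKey, wrappedPriv
}

// encryptFile draws a fresh random AES-128 key per file and wraps it under the victim's public key.
func encryptFile(victimPub *rsa.PublicKey, plaintext []byte) *encryptedFile {
	buf := make([]byte, 16+12) // 16-byte AES key followed by a 12-byte GCM nonce
	_, err := rand.Read(buf)
	must(err)
	fileKey, nonce := buf[:16], buf[16:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, victimPub, fileKey, nil)
	must(err)
	return &encryptedFile{wrapped, nonce, aeadFor(fileKey).Seal(nil, nonce, plaintext, nil)}
}

// recoverVictimKey is the step only the holder of the author's private key can perform;
// any other key fails with rsa.ErrDecryption on the first chunk.
func recoverVictimKey(authorPriv *rsa.PrivateKey, wrappedPriv [][]byte) (*rsa.PrivateKey, error) {
	var der []byte
	for _, c := range wrappedPriv {
		p, err := rsa.DecryptOAEP(sha256.New(), nil, authorPriv, c, nil)
		if err != nil {
			return nil, err
		}
		der = append(der, p...)
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// demo runs the chain end to end: the file comes back only through the author's private key,
// and wrongKeyErr records that an unrelated RSA key cannot unwrap the victim's key.
func demo() (recovered []byte, wrongKeyErr error) {
	author, err := rsa.GenerateKey(rand.Reader, 2048) // private half never leaves the author
	must(err)
	victimPub, wrappedPriv := infect(&author.PublicKey)
	ef := encryptFile(victimPub, []byte(samplePlaintext))
	other, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for anyone who is not the author
	must(err)
	_, wrongKeyErr = recoverVictimKey(other, wrappedPriv)
	victimPriv, err := recoverVictimKey(author, wrappedPriv)
	must(err)
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, victimPriv, ef.wrappedKey, nil)
	must(err)
	recovered, err = aeadFor(fileKey).Open(nil, ef.nonce, ef.ciphertext, nil)
	must(err)
	return recovered, wrongKeyErr
}

func main() {
	got, wrongErr := demo()
	fmt.Printf("unrelated private key: %v\nauthor private key recovers: %q\n", wrongErr, got)
}
```

What this makes concrete is where the secret sits: the victim's private key exists in plaintext only for the moment it is generated, what stays on disk is its RSA-wrapped copy, and every per-file AES key is wrapped under the matching public key. Nothing in that chain needs a network round trip, and nothing left on the host unwraps without the author's private key.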

Encrypted files use the extension .wncry. To decrypt the files, the user is asked to pay $300, which increases to $600 after a few days. The ransomware threatens to delete all files after a week.

In addition to encrypting files, the malware also installs the DOUBLEPULSAR backdoor, which could be used to compromise the system further. The malware also installs Tor to facilitate communication with the ransomware author.

New variants have been reported over the weekend with slight changes to the kill switch domain and registry keys.

We expect to reduce the Infocon back to green on Monday.

What Can You do to prevent Infection?

  • Apply MS17-010 to Windows Vista and later (Windows Server 2008 and later)
  • Apply Friday’s patch to Windows XP or Windows Server 2003.
  • Verify correct patch application
  • Make sure the “kill switch” domain and website are reachable from your network without a proxy. If not, set up an internal DNS sinkhole that resolves the domain to an internal web server. Do not block access to the website.
  • Deploy the registry key inoculation [tearst0pper]
  • Disable SMBv1 [msftsmbv1]
  • Make sure systems are running up to date anti-malware
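
The kill-switch decision described above and the sinkhole outcomes it implies, as an added Go example (not code from the diary, from the malware or from Tearst0pper): the probe sends one HTTP GET carrying only the Host and Cache-Control headers that the comments below report seeing, treats any HTTP response as "reachable, abort", and treats NXDOMAIN, a refused connection or a timeout as "unreachable, keep running". The httptest server stands in for the internal web server the sinkholed name should point at and logs each probing client; the resolver map stands in for internal DNS; the scenario names, the timeout and the log format are this example's constructs.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

const killSwitchDomain = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

// resolver stands in for the DNS view an infected host has (name -> ip:port; the port is
// only there because the sinkhole servers in this example listen on ephemeral ports).
type resolver map[string]string

// probeKillSwitch models the malware's decision: one HTTP GET to the kill-switch name.
// Any HTTP response at all counts as "reachable" and the malware aborts; NXDOMAIN, a
// refused connection or a timeout count as "unreachable" and it keeps running. The request
// carries only the Host and Cache-Control headers reported in the comments, no User-Agent.
func probeKillSwitch(domain string, dns resolver, timeout time.Duration) (aborts bool, why string) {
	addr, ok := dns[domain]
	if !ok {
		return false, "NXDOMAIN: malware continues"
	}
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return false, "connect failed: malware continues"
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	fmt.Fprintf(conn, "GET / HTTP/1.1\r\nHost: %s\r\nCache-Control: no-cache\r\n\r\n", domain)
	status, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil || !strings.HasPrefix(status, "HTTP/") {
		return false, "no HTTP answer: malware continues"
	}
	return true, "got " + strings.TrimSpace(status) + ": malware aborts"
}

// sinkholeServer is the internal web server the sinkholed name must point at. It answers
// every request (status and body are irrelevant to the malware) and logs who asked, so
// the log doubles as a list of hosts on which the probe ran.
type sinkholeServer struct {
	*httptest.Server
	mu   sync.Mutex
	hits []string
}

func newSinkholeServer() *sinkholeServer {
	s := &sinkholeServer{}
	s.Server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s.mu.Lock()
		s.hits = append(s.hits, r.RemoteAddr+" requested http://"+r.Host+r.URL.Path)
		s.mu.Unlock()
		fmt.Fprintln(w, "sinkhole")
	}))
	return s
}

// closedPort returns a loopback address nothing listens on: a sinkhole that resolves the
// name but points it at a host without a web server, which does not stop the malware.
func closedPort() string {
	l, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	addr := l.Addr().String()
	l.Close()
	return addr
}

// runScenarios returns, per sinkhole setup, whether the malware would abort, plus the log.
func runScenarios() (map[string]bool, []string) {
	srv := newSinkholeServer()
	defer srv.Close()
	cases := map[string]resolver{
		"sinkhole to internal web server":        {killSwitchDomain: strings.TrimPrefix(srv.URL, "http://")},
		"sinkhole to address with no web server": {killSwitchDomain: closedPort()},
		"domain blocked (NXDOMAIN)":              {},
	}
	results := map[string]bool{}
	for name, dns := range cases {
		aborts, why := probeKillSwitch(killSwitchDomain, dns, 2*time.Second)
		fmt.Printf("%-42s %s\n", name, why)
		results[name] = aborts
	}
	srv.mu.Lock()
	defer srv.mu.Unlock()
	return results, append([]string(nil), srv.hits...)
}

func main() {
	_, hits := runScenarios()
	fmt.Println("sinkhole log:", hits)
}
```

The second scenario is the one that bites: a sinkhole that resolves the name to an address with no web server behind it, or a filter that blocks the HTTP request, looks exactly like a blocked domain to the probe, so the worm proceeds. The sinkhole server's log lists the source address of every probe, which is the triage list for telling real infections from false positives.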

Indicators of Compromise:

https://www.us-cert.gov/ncas/alerts/TA17-132A

PowerPoint for Presentations to Management

https://isc.sans.edu/presentations/WannaCry.ppt

Friday SANS Webcast with technical details

https://www.sans.org/webcasts/special-webcast-wannacry-ransomeware-threat-105160

References:

[verge] https://www.theverge.com/2017/5/14/15637888/authorities-wannacry-ransomware-attack-spread-150-countries

[shadow] https://github.com/misterch0c/shadowbroker

[ms17-010] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

[msft] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks

[port445] https://isc.sans.edu/port.html?port=445

[pastebin] https://pastebin.com/aaW2Rfb6

[tearst0pper] https://www.renditioninfosec.com/2017/05/wanacry-because-your-organization-is-slow-to-patch-stop-the-tears-with-tearst0pper/

[msftsmbv1] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

[sans] https://www.sans.org/webcasts/special-webcast-wannacry-ransomeware-threat-105160

[endgame] https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute


Comments

What is the user agent for the GET to the kill switch domain?
There is no User-Agent header.
The only headers I saw were Host and Cache-Control.
Thank you for this clear summary Johannes, much appreciated.

For the networks that use a proxy, it’s important to ensure that the internal IP behind the kill switch domain sends back an actual answer to the malware as mentioned here: https://blog.nviso.be/2017/05/15/wcry-ransomware-additional-analysis/
Important: if you, or your ISP, implements a DNS sinkhole without redirecting to a http server, or your antivirus blocks http access to such a domain, then the kill switch will be rendered useless and WannaCry will NOT abort!

Personally I was cut off by my ISP (xs4all.nl) last weekend, simply because I visited a webpage (using Firefox on Android) that contained a clickable link to the kill switch domain (I didn't click it), and Firefox decided to prefetch DNS and probably download content because of the following default Firefox settings (in about:config):
1) network.dns.disablePrefetch = false
2) network.prefetch-next = true
This was not a big problem for me because I had other means to connect to the Internet, and the connection was restored pretty quickly.

However, my ISP confirmed that I was disconnected simply because of the DNS request to www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. This means that any PC that had started the WannaCry malware would not have been able to contact the kill switch domain, and hence the malware would not have aborted!

So it may be wise to have your DNS server resolve the currently known and any new kill switch domains to an internal http server you set up specifically for this purpose. By examining the logs on the http server you can see which clients visited that server (combined with the originating IP address). In that way you will probably be able to distinguish between actual infections and false positives, and take appropriate action if necessary.

Erik van Straten
