On Friday, May 12, 2017, a global ransomware campaign began targeting computers around the world with a ransomware variant called WannaCrypt malware (alternatively known as WCry, WannaCry or WanaCrypt0r), hitting dozens of organizations across the globe. Among the victims are universities in China, Russia’s Ministry of Internal Affairs, the National Health Service in the UK, and enterprises including Federal Express, the Spanish telecommunication company Telefonica, the French car manufacturer Renault, and more.
Radware’s ERT research team is conducting ongoing research into this evolving malware pandemic. This report outlines how the malware works and presents Radware’s analysis.
How Does WannaCry Operate?
This attack spreads by exploiting recently disclosed vulnerabilities in Microsoft’s SMB network file sharing protocol (CVE-2017-0144). MS17-010, a Microsoft security update issued on March 14, 2017, addressed these issues and patched the remote code execution vulnerabilities. The current ransomware campaign targets computers that have not been updated.
What are FuzzBunch, DoublePulsar and EternalBlue?
In April 2017, a group named Shadow Brokers leaked several exploitation tools, including FuzzBunch. The FuzzBunch framework contained remote exploits for Windows such as EternalBlue and DoublePulsar.
DoublePulsar, the SMB implant from the Shadow Brokers dump, is a backdoor that can be used to distribute malware, send spam, or launch attacks. EternalBlue is a remote code execution exploit for Microsoft’s Server Message Block (SMB) protocol. Attackers are also using the EternalBlue vulnerability to gain unauthorized access and propagate WannaCrypt to other computers on the network.
It appears the attackers are using FuzzBunch or Metasploit (a similar framework) modules to launch these attacks. The exploits, payloads and scanners needed to launch an attack against computers with exposed SMB services are all available on a GitHub page.
Figure 1: MS17-010 ports to Metasploit.
What Does the Malware Do?
WannaCry features several stages of execution: propagation, encryption and TOR communication. WannaCry is innovative in that it only needs to gain access to a network once and then spreads automatically to additional endpoints, whereas other ransomware campaigns have to target as many machines as possible directly.
WannaCry scans for computers with port 445 open and leverages EternalBlue to gain access and deploy the WannaCrypt malware onto the machine (using the DoublePulsar backdoor as a loader). From that moment, the worm scans for nearby machines it can target in the same way and begins to move laterally within the network, transferring the malicious payload to more and more endpoints.
As with other known ransomware families (Locky, CryptoWall, etc.), the encryption phase is executed first, before any outbound communication.
The TOR communication is not necessarily done over HTTP and is not a prerequisite for any of the other stages. The TOR client is embedded within the ransomware, so no outbound download is needed to obtain it. TOR is used only to share the encryption keys with the C2 server.
Figure 2: WannaCrypt ransom note.
After dropping the first executable and checking the kill-switch domain, WannaCrypt drops another executable that scans IP addresses and attempts to connect to those devices via the SMB vulnerability on port 445/TCP. If another vulnerable device is found on the network, WannaCrypt connects to it and transfers the malicious payload to that device as well.
Command and Control Servers
The remediation cost (the ransom) was $300 per infected machine, to be paid in Bitcoin. Three days after the infection, the ransom increases to $600. When the clock expires after seven days, the victim loses the ability to pay the ransom and decrypt their files. The files on the infected computers are encrypted using a custom AES-128 in CBC mode. At the moment there are no confirmed reports of victims receiving a key for decryption after making a payment. Ransomware campaigns normally use personalized Bitcoin wallets to identify who has paid the ransom. In the case of WannaCrypt, it is believed the only way to let the author know that you have paid is by sending the extortionist your transaction ID through their “Contact Us” section.
Figure 3: Filetypes that WannaCrypt targets for encryption.
Upon infection, WannaCrypt executes a file that sends an HTTP GET request to a hardcoded domain. This is a kill switch: if the request for the domain succeeds, WannaCrypt exits without deploying; if the request fails, it continues to infect devices on the network. When the campaign began on Friday, a security researcher, @MalwareTechBlog, noticed the kill-switch domain was unregistered. He promptly registered the domain and directed the requests to a sinkhole, effectively preventing this variant from spreading further. Kill-switch domains identified so far (defanged):
- ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (@msuiche)
- iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (@MalwareTechBlog)
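As an added illustration of the two behaviours described above (the kill-switch lookup and the fan-out to port 445), here is a small Python detection routine run over constructed log lines; it is not Radware’s code, and the log layout and SCAN_THRESHOLD are assumptions made for the example.

```python
import re
from collections import defaultdict

# Kill-switch domains from the advisory, with the defanged "[.]" restored so they match log data.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}
# Assumed threshold: one source reaching this many distinct peers on 445/TCP looks like worm scanning.
SCAN_THRESHOLD = 5

# Assumed log layouts (constructed for this example, not a real vendor format):
#   "<time> tcp <src_ip> -> <dst_ip>:<dst_port>"   one connection attempt
#   "<time> http <src_ip> GET <host>"               one outbound web request
CONN_RE = re.compile(r"^\S+ (tcp|udp) (\S+) -> (\S+):(\d+)$")
HTTP_RE = re.compile(r"^\S+ http (\S+) GET (\S+)$")

def analyse(lines):
    """Return (kill_switch_hosts, scanning_hosts): sources that fetched a kill-switch
    domain (the dropper ran there, sinkholed or not) and sources that fanned out to
    SCAN_THRESHOLD or more distinct peers on 445/TCP, the lateral-movement pattern."""
    kill_switch_hosts = set()
    peers_by_src = defaultdict(set)
    for line in lines:
        m = HTTP_RE.match(line.strip())
        if m:
            src, host = m.groups()
            if host.lower().rstrip(".") in KILL_SWITCH_DOMAINS:
                kill_switch_hosts.add(src)
            continue
        m = CONN_RE.match(line.strip())
        if m and m.group(1) == "tcp" and m.group(4) == "445":
            peers_by_src[m.group(2)].add(m.group(3))
    scanning_hosts = {s for s, peers in peers_by_src.items() if len(peers) >= SCAN_THRESHOLD}
    return kill_switch_hosts, scanning_hosts

# Constructed sample: 10.0.0.5 runs the dropper and sweeps the subnet; 10.0.0.7 only
# talks to two file servers; 10.0.0.9 browses normally.
SAMPLE_LOG = [
    "12:00:01 http 10.0.0.5 GET iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "12:00:02 tcp 10.0.0.5 -> 10.0.0.10:445",
    "12:00:02 tcp 10.0.0.5 -> 10.0.0.11:445",
    "12:00:02 tcp 10.0.0.5 -> 10.0.0.12:445",
    "12:00:03 tcp 10.0.0.5 -> 10.0.0.13:445",
    "12:00:03 tcp 10.0.0.5 -> 10.0.0.14:445",
    "12:00:04 tcp 10.0.0.7 -> 10.0.0.20:445",
    "12:00:05 tcp 10.0.0.7 -> 10.0.0.21:445",
    "12:00:06 http 10.0.0.9 GET www.example.com",
]
```

Calling analyse(SAMPLE_LOG) flags 10.0.0.5 on both counts; a successful sinkhole reply stops the spread but the lookup itself still tells you which host executed the dropper.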
What’s Expected Next?
Extortion is not new to humanity, and cyberspace is fertile ground for it to prosper. The frequency of ransom attacks doubled over the past year, and 2016 was the year in which it became the primary motivation for cyber-attacks, particularly in Europe. In 2016, 49% of organizations reported having suffered either a ransomware infection or a DDoS threat for ransom.
It is very likely that as the malware spreads, hackers will customize it and more permutations will appear, as happened with the Mirai botnet after its source code went public in the autumn of 2016. Four WannaCry variations have been observed on VirusTotal so far.
7 Steps for Prevention
- Install Microsoft MS17-010 security updates.
- Segment networks / VLANs with an IPS between them that can generate signatures in real time.
- Make sure to apply patches.
- Direct SMB and Terminal Services external communications should be forbidden or securely configured and monitored.
- Consider blocking port 445 for external communication.
- Disable Tor communications to and from your organization.
- Consider zero-day protection / sandboxing solutions.
Installing Microsoft MS17-010 Security Updates
Users should immediately patch their computers with Microsoft’s MS17-010 security update, which includes the fix for this vulnerability. The vulnerability is so severe that Microsoft has even pushed an update for Windows XP for the first time since 2014. Users who cannot apply the update should disable SMBv1 so that it no longer accepts direct connections: open Windows Features and uncheck SMB 1.0/CIFS File Sharing Support (see Figure 4).
Under Attack and in Need of Expert Emergency Assistance? Radware Can Help.
Radware offers a service to help respond to security emergencies, neutralize the risk and better safeguard operations before irreparable damage occurs. If you’re under a DDoS attack or facing a malware outbreak and need emergency assistance, contact us with the code "Red Button".