Contributors to this in-depth research analysis include Erika Noerenberg, Andrew Costis, and Nathanial Quist—all members of the LogRhythm Labs research group.
Summary
Ransomware that has been publicly named “WannaCry,” “WCry” or “WanaCrypt0r” (based on strings in the binary and encrypted files) has spread to at least 74 countries as of Friday 12 May 2017, reportedly targeting Russia initially, and spreading to telecommunications, shipping, car manufacturers, universities and health care industries, among others. The malware encrypts user files, demanding a fee of either $300 or $600 worth of bitcoins to an address specified in the instructions displayed after infection.
The WannaCry ransomware is composed of multiple components. An initial dropper contains the encrypter as an embedded resource; the encrypter component contains a decryption application (“Wana Decrypt0r 2.0”), a password-protected zip containing a copy of Tor, and several individual files with configuration information and encryption keys. It is not conclusively known as of this report what vector was used for the initial infection. There was speculation that a weaponized PDF was circulated in a phishing campaign, but analysts have not confirmed this conjecture, and the supposed PDF sample obtained by LogRhythm analysts was not functional.
WannaCry Analysis
Multiple samples of the WannaCry dropper have been identified by researchers; although they share similar functionality, the samples differ slightly. The dropper sample, encrypter, and decrypter analyzed in this report have the following SHA256 hash values:
Dropper | 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c |
Encrypter | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa |
Decrypter | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
The authors did not appear to be concerned with thwarting analysis, as the samples analyzed have contained little if any obfuscation, anti-debugging, or VM-aware code. However, the malware makes use of an exploit developed by NSA analysts which was patched by Microsoft 14 March 2017 (MS17-010, see https://technet.microsoft.com/en-us/library/security/ms17-010.aspx for details), although there are many unpatched systems still vulnerable. Applying this patch will mitigate the spread of WannaCry, but will not prevent infection.
The exploit used, named EternalBlue, exploits a vulnerability in the Server Message Block (SMB) protocol which allows the malware to spread to all unpatched Windows systems from XP to 2016 on a network that have this protocol enabled. This vulnerability allows remote code execution over SMB v1. WannaCry utilizes this exploit by crafting a custom SMB session request with hard-coded values based on the target system. Notably, after the first SMB packet sent to the victim’s IP address, the malware sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5. A LogRhythm Network Monitoring (NetMon) query rule to detect this traffic is included at the end of this report.
Click images to expand
Figure 1: Sample SMB Packet
When the dropper is executed, it first attempts to make a connection to the domain http://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com and exits if the connection is successful. This domain was previously unregistered, causing this connection to fail. On the afternoon of May 12; however, this domain was registered and sinkholed by researcher MalwareTech, effectively acting as a “killswitch” for many systems, and thereby slowing the rate of infection. However, the method by which the malware opens the connection does not affect systems connecting through a proxy server, leaving those systems still vulnerable.
If the connection fails, the dropper attempts to create a service named “mssecsvc2.0” with the DisplayName “Microsoft Security Center (2.0) Service”. This can be observed in the System event log as event ID 7036, indicating that the service has started.
The System event log will also display event ID 7036 indicating that the service has started.
Figure 2: Event ID 7036
The dropper then extracts the encrypter binary from its resource R/1831, writes it to the hardcoded filename %WinDir%\tasksche.exe, and then executes it.
When executed, the encrypter checks to see if the mutex “MsWinZonesCacheCounterMutexA0” exists, and will not proceed if present. Notably, the malware does not then create this mutex, suggesting that it is checking for the presence of other software on the system, as seen in the figure below:
Figure 3: Encrypter Checks to See if the Mutex Exists
The encrypter binary also contains a password-protected zip file (password: WNcry@2ol7) containing the following files:
- A directory named “msg” containing Rich Text Format files with the extension .wnry. These files are the “Readme” file used by the @[email protected] decrypter program in each of the following languages:
bulgarian | english | italian | romanian |
chinese (simplified) | filipino | japanese | russian |
chinese (traditional) | finnish | korean | slovak |
croatian | french | latvian | spanish |
czech | german | norwegian | swedish |
danish | greek | polish | turkish |
dutch | indonesian | portuguese | vietnamese |
The English and Spanish translations (at least) of the decryption message appear to be machine-translated, as there are grammatical mistakes that would not be expected from native speakers.
- b.wnry, a bitmap file displaying instructions for decryption
- c.wnry, containing the following addresses:
- gx7ekbenv2riucmf.onion
- 57g7spgrzlojinas.onion
- xxlvbrloxvriy2c5.onion
- 76jdd2ir2embyv47.onion
- cwwnhwhlz52maqm7.onion
- https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
- r.wnry, additional decryption instructions used by the decrypter tool, in English
- s.wnry, a zip file containing the Tor software executable
- t.wnry, encrypted using the WANACRY! encryption format, where “WANACRY!” is the file header
- taskdl.exe, (hash 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79), file deletion tool
- taskse.exe, (hash 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d), enumerates Remote Desktop Protocol (RDP) sessions and executes the malware on each session
- u.wnry (hash b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25), “@[email protected]” decrypter file
After dropping these files to its working directory, the malware attempts to change the attributes of all the files to “hidden” and grant full access to all files in the current directory and any directories below. It does this by executing “attrib +h .”, followed by “icacls . /grant Everyone:F /T /C /Q”.
Figure 4: Execution of “attrib +h .” Followed by “icacls_GrantEv”
WannaCry then proceeds to encrypt files on the system, searching for the following file extensions, which are hard-coded in the binary:
.docx | .ppam | .sti | .vcd | .3gp | .sch | .myd | .wb2 |
.docb | .potx | .sldx | .jpeg | .mp4 | .dch | .frm | .slk |
.docm | .potm | .sldm | .jpg | .mov | .dip | .odb | .dif |
.dot | .pst | .sldm | .bmp | .avi | .pl | .dbf | .stc |
.dotm | .ost | .vdi | .png | .asf | .vb | .db | .sxc |
.dotx | .msg | .vmdk | .gif | .mpeg | .vbs | .mdb | .ots |
.xls | .eml | .vmx | .raw | .vob | .ps1 | .accdb | .ods |
.xlsm | .vsd | .aes | .tif | .wmv | .cmd | .sqlitedb | .max |
.xlsb | .vsdx | .ARC | .tiff | .fla | .js | .sqlite3 | .3ds |
.xlw | .txt | .PAQ | .nef | .swf | .asm | .asc | .uot |
.xlt | .csv | .bz2 | .psd | .wav | .h | .lay6 | .stw |
.xlm | .rtf | .tbk | .ai | .mp3 | .pas | .lay | .sxw |
.xlc | .123 | .bak | .svg | .sh | .cpp | .mml | .ott |
.xltx | .wks | .tar | .djvu | .class | .c | .sxm | .odt |
.xltm | .wk1 | .tgz | .m4u | .jar | .cs | .otg | .pem |
.ppt | .gz | .m3u | .java | .suo | .odg | .p12 | |
.pptx | .dwg | .7z | .mid | .rb | .sln | .uop | .csr |
.pptm | .onetoc2 | .rar | .wma | .asp | .ldf | .std | .crt |
.pot | .snt | .zip | .flv | .php | .mdf | .sxd | .key |
.pps | .hwp | .backup | .3g2 | .jsp | .ibd | .otp | .pfx |
.ppsm | .602 | .iso | .mkv | .brd | .myi | .odp | .der |
.ppsx | .sxi |
In addition, a registry key is written to “HKLM\SOFTWARE\Wow6432Node\WanaCrypt0r\wd” that adds a key to reference the location from which WannaCry was originally executed.
The WannaCry encrypter launches the embedded decrypter binary “@[email protected],” which displays two timers and instructions for sending the ransom in the configured language of the infected system. The instructions demand a payment of $300 worth of bitcoins to a specified address. The following addresses are hardcoded in the binary, although only the first was observed to be used by the analyzed sample:
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
- 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Figure 5: Addresses Hardcoded in Binary
The following is a screenshot of the “Wana Decrypt0r 2.0” program:
Figure 6: Screenshot of Wana Decrypt0r 2.0 Program
The malware also displays the following bitmap image contained in “b.wnry” on the desktop, in case the “Wana Decrypt0r” program failed to execute:
Figure 7: Bitmap Image Contained in “b.wnry” Displayed on Desktop
If the ransom is not paid before the first timer expires, the ransom price doubles. After the second timer expires, the malware readme states that the files will be unrecoverable. Once the files are encrypted, they are unrecoverable without the decryption key. The malware uses the Microsoft Enhanced RSA and AES Cryptographic Provider libraries to perform the encryption.
After the files are encrypted, the decrypter program attempts to delete any Windows Shadow Copies via this command:
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog –quiet
WannaCry Mitigation
If a system becomes infected with the WannaCry ransomware, it is best to try to restore files from backup rather than paying the ransom, as there is no guarantee that payment will lead to successful decryption.
In order to prevent infection and the spread of this malware across the network, all Windows systems should be up to date on current patches and antivirus signatures. Additionally, blocking inbound connections to SMB ports (139 and 445) will prevent the spread of the malware to systems still vulnerable to the patched exploit.
For further guidance, refer to the following Microsoft blog article which references an emergency patch that was issued for customers who are running unsupported operating systems: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
LogRhythm Signatures
WannaCry_Command Arguments
Figure 8: WannaCry_Command Arguments
WannaCry_Initial Callout
Figure 9: WannaCry_Initial Callout
WannaCry_RegistryKeyCreation
Figure 10: WannaCry_RegistryKeyCreation
WannaCry_Tor-EncryptorFile
Figure 11: WannaCry_Tor-EncryptorFile
NetMon Query Rules
The following signatures can identify the initial WannaCry dropper SMB exploit. These signatures may generate false positives in some network environments.
Indicators of Compromise
SHA256 Hash Values
AI Engine Rules (For LogRhythm Customers)
In our ongoing effort to analyze and respond to the WannaCry malware outbreak, we’ve created a set of exported rules for our customers. Following are step-by-step instructions for importing the rules into your LogRhythm environment.
AI Engine Rule Import Procedure
Open the LogRhythm Console.
Navigate to the AI Engine Tab via Deployment Manager > AI Engine Tab.
Figure 12: AI Engine Tab
Select the pull-down menu “Actions,” and then select “Import.”
Figure 13: Pull-Down Menu > Actions > Import
Select the .airx (AI Rules File Format) files you wish to import, and select “Open.”
Figure 14: Import .airx Files
Upon a successful import, you will be presented with the following pop-up window:
Figure 15: Confirmation
It is possible that an error will appear stating that the KB version is out of date with the AI Engine Rules selected for import. If this occurs, upgrade your KB to the latest version, and perform this procedure again.