Network Security & Cryptography (NSC) Lab

Department of Information Technology
Indian Institute of Information Technology, Allahabad.


WannaCry Ransomware Attack

The cyberworld is currently facing the boldest and most widespread ransomware attack it has seen so far. This ransomware, known by various names such as WannaCry or WannaCrypt, uses the EternalBlue exploit developed by the National Security Agency (NSA) of the USA. The exploit code was stolen from the NSA by a group known as the Shadow Brokers in 2016, who then posted it publicly on 14 April[1]. According to the NY Times, this cyberattack has crippled more than 200,000 computers in more than 150 countries[2]. At the time of writing this article, new variants of this ransomware have already been reported[3].



WannaCry Ransomware: Tested on Isolated Machine at NSC Lab, IIITA

Sources:

1. https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html

2. https://www.nytimes.com/2017/05/12/world/europe/international-cyberattack-ransomware.html

3. https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e

What is ransomware?

Ransomware is malware that prevents you from accessing your computer system normally until you pay a ransom. How it works differs from one infection to another.

While simple ransomware locks your system's files, which can be unlocked by a person with some technical knowledge, more advanced ransomware encrypts your data and decrypts it only after you pay the ransom.

How does WannaCry ransomware spread?

The initial infection vector reported is a link in an email, or a similar link in a PDF, that retrieves an .hta file; the .hta file retrieves a payload, which finally retrieves the malware that gets installed on your system.

It spreads itself over the LAN as well as the Internet by exploiting the EternalBlue vulnerability in the Server Message Block (SMB) protocol in Microsoft Windows[4]. Specifically, an attacker achieves remote code execution by crafting a special message (the exploit) and sending it to an SMBv1 server. The remote code execution vulnerability in the SMBv1 server then causes it to retrieve the WannaCry ransomware, which finally gets installed on the target system.

Once a system is infected, WannaCry creates multiple threads that scan for vulnerable machines on the local network and the Internet by generating random IP addresses, and the infection then spreads further to the vulnerable systems discovered[5].

Observations while Testing WannaCry Ransomware in NSC Lab, IIITA

File size of the WannaCry ransomware is 3.4MB (3514368 bytes).

WannaCry writes itself into a folder with a random name under the ProgramData folder with the filename tasksche.exe, or into the C:\Windows\ folder with the filenames mssecsvc.exe and tasksche.exe.

Examples

C:\ProgramData\lygekvkj256\tasksche.exe
C:\ProgramData\pepauehfflzjjtl340\tasksche.exe
C:\ProgramData\utehtftufqpkr106\tasksche.exe
c:\programdata\yeznwdibwunjq522\tasksche.exe
C:\ProgramData\uvlozcijuhd698\tasksche.exe
C:\ProgramData\pjnkzipwuf715\tasksche.exe
C:\ProgramData\qjrtialad472\tasksche.exe
c:\programdata\cpmliyxlejnh908\tasksche.exe

IP Addresses WannaCry communicates with[5.1]

197.231.221.221:9001
128.31.0.39:9191 (observed in NSC Lab, IIITA)
149.202.160.69:9001
46.101.166.19:9090
91.121.65.179:9001
2.3.69.209:9001
146.0.32.144:9001
50.7.161.218:9001
217.79.179.177:9001
213.61.66.116:9003
212.47.232.237:9001
81.30.158.223:9001
79.172.193.32:443
38.229.72.16:443 (observed in NSC Lab, IIITA)

Files that were created by WannaCry

@Please_Read_Me@.txt
@WanaDecryptor@.exe
@WanaDecryptor@.exe.lnk
Please Read Me!.txt (Older variant)
C:\WINDOWS\tasksche.exe
C:\WINDOWS\qeriuwjhrf
131181494299235.bat
176641494574290.bat
217201494590800.bat
[0-9]{15}.bat #regex
!WannaDecryptor!.exe.lnk
00000000.pky
00000000.eky
00000000.res
C:\WINDOWS\system32\taskdl.exe
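The file names and paths listed above are the artifacts the lab observed; the following script turns them into a simple host check. It is an added example, not a script from the NSC Lab write-up: the search roots, the output columns and the 3514368-byte size check (the file size given above) are this example's own choices, and it assumes PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not part of the NSC Lab article): look for the WannaCry file
# artifacts listed in the article on the local host. Run from an elevated
# PowerShell prompt so that ProgramData and the Windows folder are readable.
param(
    # Assumption: these three roots cover the locations named in the article.
    [string[]]$Roots = @("$env:ProgramData", "$env:SystemRoot", "$env:USERPROFILE")
)

# Exact file names the article attributes to WannaCry.
$KnownNames = @(
    'tasksche.exe', 'mssecsvc.exe', 'taskdl.exe', 'qeriuwjhrf',
    '@Please_Read_Me@.txt', '@WanaDecryptor@.exe', '@WanaDecryptor@.exe.lnk',
    'Please Read Me!.txt', '!WannaDecryptor!.exe.lnk',
    '00000000.pky', '00000000.eky', '00000000.res'
)

# The article's regex for the dropped batch files: 15 digits followed by .bat
$BatPattern = '^[0-9]{15}\.bat$'

# Size of the sample tested in the lab (3514368 bytes); a matching size on
# tasksche.exe or mssecsvc.exe strengthens the indication.
$SampleSize = 3514368

$hits = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($KnownNames -contains $_.Name) -or ($_.Name -match $BatPattern) } |
        ForEach-Object {
            $isFile = -not $_.PSIsContainer
            [PSCustomObject]@{
                Path      = $_.FullName
                Size      = if ($isFile) { $_.Length } else { $null }
                SizeMatch = $isFile -and ($_.Length -eq $SampleSize)
                SHA256    = if ($isFile) {
                                (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                            } else { $null }
            }
        }
}

if ($hits) {
    Write-Warning "Files matching the WannaCry artifacts listed in the article were found:"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No files matching the listed WannaCry artifacts were found."
}
```

Save it as, for example, Find-WannaCryArtifacts.ps1 and run it as administrator. A hit only means a file with one of the listed names exists; the SHA256 column is there so the file can be compared against a known sample hash before any cleanup is attempted.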

Sources:

4. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

5. https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/

5.1. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

Cure that stopped the infection spread temporarily

An accidental 'kill switch' mechanism was found that stops the ransomware from spreading further[6]:

An infected system tries to connect to a domain name (composed of nonsensical text) embedded in the malware code. If there is a response, the malware stops spreading to other systems on the LAN. If there is no response, or if the domain does not exist, the infection continues to spread.

This cure is temporary, since the attacker can modify the 'kill switch' domain name or remove this mechanism from the ransomware code completely, resulting in unending infection of vulnerable systems. WannaCry 2.0, which has no kill switch, has now been released to infect vulnerable systems.

WannaCry ransomware is not proxy-aware, i.e. it needs an open, un-proxied connection to the Internet for the kill switch to stop the infection from spreading further. If the network connects to the Internet through a proxy, the kill switch won't be activated and the ransomware will spread and infect the other vulnerable systems in the network[7].

At the time of writing this article, newer variants of WannaCry embedded with different domain names have already been reported[8].

Sources:

6. https://twitter.com/MalwareTechBlog/status/863187104716685312

7. https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware

8. https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e

Operating Systems that are vulnerable

All operating systems other than Windows 10 (including Windows XP, Vista, 7, 8, 8.1, etc.) are vulnerable to the WannaCry ransomware attack.

Computers with Windows 10 installed are NOT vulnerable[9].

During testing at NSC Lab IIITA, we opened the WannaCry malware with Wine on Linux and it encrypted all the user data on Linux as well.

Source:

9. https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Measures to be taken

If your system is infected, your data will be encrypted and you may or may not recover it after paying the ransom.

Otherwise, the following measures should be taken:

Patches to be installed

Microsoft already released the patch for this vulnerability back in March this year.

It is important to note that a security patch has also been released for the unsupported Windows XP.

To install these patches, you can either use the Windows Update feature in Microsoft Windows

OR

download the respective patches from the Microsoft MS17-010 bulletin links below and install them:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598 [for XP]

Disabling SMBv1 Server

This is recommended only if a vulnerable SMBv1 server is installed on your system. Disabling SMB on your system has many negative side effects, so it should be a temporary measure to stop the infection from spreading, taken if you need to keep accessing your system.

SMB can be disabled through Windows PowerShell with administrator privileges or through the Windows Registry. The steps for disabling it, and the SMB services that will be affected once it is disabled, are listed in the link below:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

Alternatively, you can follow our guide to disable and enable SMB using PowerShell:

Search for PowerShell in Windows, right-click it and open it as administrator. Then, to disable/enable SMB, follow the screenshots in the following document: Disable or Enable SMB PDF
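For readers who prefer commands to screenshots, the following script is an added example (not the lab's PDF guide) that disables the SMBv1 server from an elevated PowerShell session. It uses the two methods documented in the Microsoft article linked above: the Set-SmbServerConfiguration cmdlet where the SmbShare module exists (Windows 8 / Server 2012 and later) and the LanmanServer registry value on older versions (Windows 7, Vista, Server 2008); the version detection by cmdlet presence is this example's own choice.

```powershell
# Added example (not from the NSC Lab article): disable the SMBv1 server.
# Must be run from a PowerShell prompt opened as administrator.

if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later: the SmbShare module is available.
    $before = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Write-Output "SMBv1 enabled before: $before"

    # -Force suppresses the confirmation prompt; takes effect immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    $after = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Write-Output "SMBv1 enabled after:  $after"
} else {
    # Windows 7 / Vista / Server 2008 (R2): no SmbShare module, so set the
    # LanmanServer registry value described in the same Microsoft article.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
    Write-Output "SMB1 registry value set to 0 under $key; reboot for it to take effect."
}

# To re-enable SMBv1 later (the article notes that disabling SMB has side effects):
#   Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force        # Windows 8 / 2012 and later
#   Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 1 -Force  # Windows 7 / Vista / 2008, then reboot
```

On the registry path the change only applies after a restart, so the "after" state cannot be read back in the same session; on the cmdlet path Get-SmbServerConfiguration confirms the new value immediately.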

Other Preventive measures

The easiest and best way to protect your data is to back it up onto offline storage such as an external hard drive or pen drive. Once the backup is taken, please disconnect the storage from your system.

If your system is infected, the first thing to do is to isolate it from the network. Report the incident to law enforcement authorities.

The most common way for malware to get installed on a system is through compromised emails and websites with malicious redirecting adverts.

Further, you should avoid visiting websites that claim to provide free pirated content. Such websites are established sources of malware, delivered through adverts and other embedded mechanisms.

Additionally, you should not click on hyperlinks that are unrecognisable or suspicious.

Naive solution to protect your files from getting encrypted

At NSC Lab, IIITA we tested the WannaCry ransomware for the files it encrypts and found that files with unknown extensions are not encrypted. The list of file extensions handled by WannaCrypt is available at "http://bgr.com/2017/05/15/wanna-cry-ransomware-virus-windows-wannacry-explainer"

Considering the above, zip all the files of the system and change the file extension. The backup will then be available on the same system storage, and WannaCry will not affect/encrypt that backup if it is accidentally installed on your system.

To take the backup of your data, do the following:

  1. Make a .zip or .rar file of your data. For example, backup.rar.
  2. Now open the command prompt and browse to the location of the backup taken in step 1 using the cd command.
  3. Using the copy command, make a copy of your backup file as a new file with an unknown extension. For example, in the above case: copy backup.rar backup.clis

The copy of backup with unknown file extension will be created in the same folder as the original backup file.

You can still open the backup file with the unknown extension by using the 'Open with' feature and browsing to the application you use for opening .rar or .zip files.

However, for availability reasons it is suggested to keep the backup on other machines as well.
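The three steps above can be done in one PowerShell script, with a hash check added so that the copy under the unknown extension is verified before the original archive is relied on. This is an added example, not the lab's procedure: the source folder, the backup location and the ".clis" extension are illustrative choices, and it assumes PowerShell 5.0 or later for Compress-Archive.

```powershell
# Added example (not from the NSC Lab article): archive a folder, keep a copy
# of the archive under an extension the ransomware does not target, and verify
# the copy against the original with SHA256.
param(
    # Assumptions: which folder to back up, where to write the .zip and which
    # unknown extension to use for the protected copy.
    [string]$Source      = "$env:USERPROFILE\Documents",
    [string]$Destination = "$env:USERPROFILE\backup.zip",
    [string]$SafeExt     = ".clis"
)

# Step 1: make the archive (equivalent of creating backup.rar / backup.zip).
Compress-Archive -Path $Source -DestinationPath $Destination -Force

# Step 3: copy it to the same folder under the unknown extension
# (equivalent of: copy backup.rar backup.clis).
$safeCopy = [IO.Path]::ChangeExtension($Destination, $SafeExt)
Copy-Item -Path $Destination -Destination $safeCopy -Force

# Verify that the protected copy is byte-for-byte the same as the archive.
$origHash = (Get-FileHash -Path $Destination -Algorithm SHA256).Hash
$copyHash = (Get-FileHash -Path $safeCopy    -Algorithm SHA256).Hash
if ($origHash -ne $copyHash) {
    throw "Protected copy $safeCopy does not match $Destination"
}
Write-Output "Protected backup copy written and verified: $safeCopy"

# To restore later, copy it back to a .zip name and expand it, for example:
#   Copy-Item $safeCopy "$env:USERPROFILE\restored.zip"
#   Expand-Archive -Path "$env:USERPROFILE\restored.zip" -DestinationPath "$env:USERPROFILE\restored"
```

The original .zip is left in place because the article's step 3 copies rather than renames; if it is later encrypted, the .clis copy is the one to restore from.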

Technical Information about WannaCry Ransomware

SMB Exploit code variant: https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb

WannaCry DLL Operations(Cryptography Involved): https://pastebin.com/aaW2Rfb6

WannaCry Functionality: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/

WannaCry Network Behaviour, Worm behavior, File decryption, Bitcoin Activity, etc: https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/

Malware Sample: hxxps://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE

Much more technical: https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

Other Related Links:

CERT-In Alert: http://www.cyberswachhtakendra.gov.in/alerts/wannacry_ransomware.html

Prevention of WannaCry Ransomware Threat - Session by CERT-In: https://www.youtube.com/watch?v=cuS69fT6caA

US-CERT: https://www.us-cert.gov/ncas/alerts/TA17-132A


More images of WannaCry Ransomware Testing from NSC Lab, IIITA:

Check Payment Screen

Changed Desktop BG Screen

Encrypted File as WCRY



Analyzed and tested by MTech Students of Cyber Law and Information Security at NSC Lab, IIIT-Allahabad on 14/05/2017

This article is published by the team of MTech students of CLIS, IIITA