WannaCry Overview 2018-06-20T12:54:45+00:00

WanaCrypt0r 2.0

WanaCrypt0r 2.0 is a new variant of the WannaCry/WCry ransomware which encrypts files and renames them with the extension .WNCRY or .WCRY.


On Friday 12th May 2017, reports began to emerge of extensive ransomware infections across a number of organisations, including Telefonica, the NHS, Chinese universities, the Russian Interior Ministry, Deutsche Bahn and other organisations all over the world. Early analysis identified the ransomware as the WanaCrypt0r 2.0 variant. This variant was first detected in the wild several weeks earlier, but there was only a limited number of infections. Early analysis showed that the ransomware spreads through an exploit called ETERNALBLUE, an alleged NSA exploit that was leaked in April 2017 by a group called The Shadow Brokers.


The exploit works by accessing a remote machine via the SMBv1 protocol. Microsoft patched this vulnerability in March 2017 (MS17-010), but it appears that the patch has not been widely installed. The ransomware is also believed to leverage open RDP connections to propagate across a network.

A scan on Shodan for both port 445 and port 3389 has returned shocking results: over 1,500,000 machines have port 445 exposed and over 1,790,000 machines have port 3389 open.


How does WanaCrypt0r work?

After a computer has been infected with the ransomware installer, it extracts an embedded, password-protected zip file into the same folder. The tool extracts localised versions of the ransom notes into the msg folder. The following languages are currently supported:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese.

WanaDecrypt0r then downloads a Tor client and extracts its contents into the TaskData folder. The Tor client is needed to communicate with the known command and control servers:

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

The tool changes file permissions to grant Everyone full control of the files in the affected folders and subfolders. Database and mail server services are stopped so that database and mailbox files can be encrypted as well. WanaDecrypt0r then starts to encrypt files on the system with the following extensions:

.der, .pfx, .key, .crt, .csr, .pem, .odt, .ott, .sxw, .stw, .uot, .max, .ods, .ots, .sxc, .stc, .dif, .slk, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mkv, .flv, .wma, .mid, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .hwp, .snt, .onetoc2, .dwg, .pdf, .wks, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

After a file has been successfully encrypted, the extension .WNCRY or .WCRY is appended to its name. The tool also deletes the volume shadow copies, disables Windows startup recovery and clears the Windows Server Backup history.

The following lock screen is displayed. It contains instructions on how to pay the ransom, in any of the languages listed above.

Figure 6 – WanaCrypt0r Lock Screen

The ransomware connects to the C2 server to check whether a payment has been made. The Bitcoin addresses, however, are hardcoded, so how the attackers distinguish between victims who have paid and those who have not is unknown. The ransomware also changes the desktop wallpaper to the following:

Figure 7 – WanaCrypt0r Desktop Background

How to prevent WanaCrypt0r ransomware?

It is imperative to ensure that the latest Windows security updates are installed. At the very minimum, install the security update for Microsoft Windows SMB Server described in Microsoft’s Security Bulletin MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. Microsoft has also released a patch for Windows Server 2003 SP2, Windows XP SP2, Windows XP Embedded and Windows 8: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

It is also advised to disable SMBv1, as it is not needed on modern Windows versions. Also ensure that TCP ports 139, 445 and 3389 are not exposed to the Internet.

Ransomware “Kill Switch”

The security researcher known as “MalwareTech” discovered that the self-spreading ransomware performs a pre-infection check against the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the domain was unregistered, the ransomware would go on to encrypt files; if the domain was registered, the encryption would not proceed. The researcher registered the domain to track infections, and it was subsequently discovered that the domain’s registration had triggered a worldwide kill switch for the ransomware’s self-spreading feature. Please note that this domain should not be blocked, as doing so negates the kill switch.

However, it is expected that a new self-spreading version will appear in the near future, using a different domain or a different kill-switch mechanism.
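Because the kill-switch domain must stay resolvable, the useful defensive signal is not a block but a lookup: a host that resolved that domain has already executed the worm, even if the registered domain stopped it from spreading, and should be isolated and patched. The following script is an added example, not part of the original advisory, that sweeps resolver logs for that query and for the Tor bundle host listed under Network Communication. The log format ("<timestamp> <client_ip> <query_name>") and the sample lines are constructed for the demonstration.

```python
"""Flag hosts whose DNS queries show the WannaCry kill-switch check or the
Tor bundle download.  Added example; the log format is a constructed one:
"<timestamp> <client_ip> <query_name>".
"""
import re
from collections import defaultdict

# Kill-switch domain named in the advisory.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
# Host part of the Tor bundle URL listed under Network Communication.
TOR_DIST_HOST = "dist.torproject.org"

# Constructed sample resolver log for offline demonstration.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.4.21 www.example.com
2017-05-12T10:01:07Z 10.0.4.37 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:09Z 10.0.4.37 dist.torproject.org
2017-05-12T10:02:15Z 10.0.4.21 updates.example.net
2017-05-12T10:02:40Z 10.0.4.52 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def normalise_qname(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()


def classify(qname: str):
    """Map a query name to an indicator type, or None if it is not one."""
    name = normalise_qname(qname)
    if name == KILL_SWITCH_DOMAIN:
        return "kill-switch-check"
    if name == TOR_DIST_HOST:
        return "tor-download"
    return None


def scan_dns_log(text: str) -> dict:
    """Return {client_ip: sorted indicator types} for every flagged client."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        _ts, client, qname = m.groups()
        kind = classify(qname)
        if kind is not None:
            hits[client].add(kind)
    return {ip: sorted(kinds) for ip, kinds in hits.items()}


def prioritise(hits: dict) -> list:
    """Order flagged hosts: both indicators first (the worm ran and the Tor
    client was fetched, so encryption has likely started), then hosts that
    only performed the kill-switch check."""
    return sorted(hits, key=lambda ip: (-len(hits[ip]), ip))


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for ip in prioritise(found):
        print(f"{ip}: {', '.join(found[ip])}")
```

A query for dist.torproject.org on its own is a weak signal, since legitimate users download Tor Browser from the same host; it is the combination with the kill-switch lookup that makes a host worth triaging first.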

Indicators of Compromise

Hashes:

SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Associated files:

[Installed_Folder]\00000000.eky

[Installed_Folder]\00000000.pky

[Installed_Folder]\00000000.res

[Installed_Folder]\@WanaDecryptor@.exe

[Installed_Folder]\@WanaDecryptor@.exe.lnk

[Installed_Folder]\b.wnry

[Installed_Folder]\c.wnry

[Installed_Folder]\f.wnry

[Installed_Folder]\msg\

[Installed_Folder]\msg\m_bulgarian.wnry

[Installed_Folder]\msg\m_chinese (simplified).wnry

[Installed_Folder]\msg\m_chinese (traditional).wnry

[Installed_Folder]\msg\m_croatian.wnry

[Installed_Folder]\msg\m_czech.wnry

[Installed_Folder]\msg\m_danish.wnry

[Installed_Folder]\msg\m_dutch.wnry

[Installed_Folder]\msg\m_english.wnry

[Installed_Folder]\msg\m_filipino.wnry

[Installed_Folder]\msg\m_finnish.wnry

[Installed_Folder]\msg\m_french.wnry

[Installed_Folder]\msg\m_german.wnry

[Installed_Folder]\msg\m_greek.wnry

[Installed_Folder]\msg\m_indonesian.wnry

[Installed_Folder]\msg\m_italian.wnry

[Installed_Folder]\msg\m_japanese.wnry

[Installed_Folder]\msg\m_korean.wnry

[Installed_Folder]\msg\m_latvian.wnry

[Installed_Folder]\msg\m_norwegian.wnry

[Installed_Folder]\msg\m_polish.wnry


[Installed_Folder]\msg\m_portuguese.wnry

[Installed_Folder]\msg\m_romanian.wnry

[Installed_Folder]\msg\m_russian.wnry

[Installed_Folder]\msg\m_slovak.wnry

[Installed_Folder]\msg\m_spanish.wnry

[Installed_Folder]\msg\m_swedish.wnry

[Installed_Folder]\msg\m_turkish.wnry

[Installed_Folder]\msg\m_vietnamese.wnry

[Installed_Folder]\r.wnry

[Installed_Folder]\s.wnry

[Installed_Folder]\t.wnry

[Installed_Folder]\TaskData\

[Installed_Folder]\TaskData\Data\

[Installed_Folder]\TaskData\Data\Tor\

[Installed_Folder]\TaskData\Tor\

[Installed_Folder]\TaskData\Tor\libeay32.dll

[Installed_Folder]\TaskData\Tor\libevent-2-0-5.dll

[Installed_Folder]\TaskData\Tor\libevent_core-2-0-5.dll

[Installed_Folder]\TaskData\Tor\libevent_extra-2-0-5.dll

[Installed_Folder]\TaskData\Tor\libgcc_s_sjlj-1.dll

[Installed_Folder]\TaskData\Tor\libssp-0.dll

[Installed_Folder]\TaskData\Tor\ssleay32.dll

[Installed_Folder]\TaskData\Tor\taskhsvc.exe

[Installed_Folder]\TaskData\Tor\tor.exe

[Installed_Folder]\TaskData\Tor\zlib1.dll

[Installed_Folder]\taskdl.exe

[Installed_Folder]\taskse.exe

[Installed_Folder]\u.wnry

[Installed_Folder]\wcry.exe

Registry Entries

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random]  “[Installed_Folder]\tasksche.exe”

HKCU\Software\WanaCrypt0r\

HKCU\Software\WanaCrypt0r\wd       [Installed_Folder]

HKCU\Control Panel\Desktop\Wallpaper        “[Installed_Folder]\Desktop\@WanaDecryptor@.bmp”

Network Communication

gx7ekbenv2riucmf.onion

57g7spgrzlojinas.onion

xxlvbrloxvriy2c5.onion

76jdd2ir2embyv47.onion

cwwnhwhlz52maqm7.onion

https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

Encrypted File Extensions

.WCRY

.WNCRY
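The behaviour described under "How does WanaCrypt0r work?" and the file and extension indicators listed above can be turned into a read-only sweep of a suspect machine's drives. The script below is an added example, not from the original advisory: it walks a directory tree looking for the dropped component file names, the localised m_<language>.wnry ransom notes, files renamed with the .WNCRY or .WCRY extension, and executables whose SHA256 matches the hash given above. The sample tree it builds is constructed from placeholder files so that it runs offline; no real malware is involved.

```python
"""Read-only sweep of a directory tree for the on-disk WannaCry artefacts
listed in the advisory.  Added example; the sample tree is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 listed under Indicators of Compromise.
IOC_SHA256 = {
    "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
}

# File names from the "Associated files" and registry entries (case-folded).
IOC_FILENAMES = {
    "00000000.eky", "00000000.pky", "00000000.res",
    "@wanadecryptor@.exe", "@wanadecryptor@.exe.lnk",
    "b.wnry", "c.wnry", "f.wnry", "r.wnry", "s.wnry", "t.wnry", "u.wnry",
    "taskdl.exe", "taskse.exe", "tasksche.exe", "taskhsvc.exe", "wcry.exe",
}

ENCRYPTED_SUFFIXES = (".wncry", ".wcry")
NOTE_PREFIX, NOTE_SUFFIX = "m_", ".wnry"


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root) -> dict:
    """Walk `root` and return matches grouped by indicator type.
    Paths are reported relative to `root` with forward slashes."""
    root = Path(root)
    findings = {"known_files": [], "ransom_notes": [],
                "encrypted_files": [], "hash_matches": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            lname = name.lower()
            if lname in IOC_FILENAMES:
                findings["known_files"].append(rel)
            if lname.endswith(ENCRYPTED_SUFFIXES):
                findings["encrypted_files"].append(rel)
            elif lname.startswith(NOTE_PREFIX) and lname.endswith(NOTE_SUFFIX):
                findings["ransom_notes"].append(rel)
            # Hashing every file is expensive; only executables are checked.
            if lname.endswith((".exe", ".dll")) and sha256_of(path) in IOC_SHA256:
                findings["hash_matches"].append(rel)
    return {kind: sorted(paths) for kind, paths in findings.items()}


def build_sample_tree() -> Path:
    """Constructed directory mimicking the layout described in the advisory.
    The contents are placeholders, not the malware's real files."""
    root = Path(tempfile.mkdtemp(prefix="wcry_sweep_demo_"))
    (root / "msg").mkdir()
    (root / "Documents").mkdir()
    (root / "@WanaDecryptor@.exe").write_bytes(b"placeholder, not the real binary")
    (root / "msg" / "m_english.wnry").write_text("ransom note placeholder")
    (root / "Documents" / "budget.xlsx.WNCRY").write_bytes(b"\x00" * 32)
    (root / "Documents" / "notes.txt").write_text("untouched file")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for kind, paths in sweep(demo_root).items():
        print(f"{kind}: {paths}")
```

Run it against a mounted image or a mapped drive rather than a live, still-encrypting host, and treat a hit in known_files or ransom_notes as confirmation of the infection regardless of whether the hash matches, since the hash covers only the one sample listed above.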

Frequently Asked Questions

How might WannaCry get into my organisation?

The most common and easiest way for WannaCry to get in is through an email that entices people into clicking on links. These will take people to compromised sites that push malware onto their machines. Users should be reminded not to click on links from unknown sources.

What makes WannaCry so dangerous?

WannaCry is a particularly pervasive and prevalent form of ransomware. As well as encrypting files on the system of the user who clicked on the email, it spreads by taking advantage of unpatched operating system vulnerabilities and moving from computer to computer. This worm-like nature means it can propagate quickly and easily to many other systems.

What should I do to stop my organisation from being affected?

Ensure that all your systems are patched and the latest security updates are installed. Additionally, disable SMBv1 and ensure that ports TCP 139, 445 and 3389 are not exposed to the Internet.

What should I do if I have been hit by WannaCry ransomware?

If you have been hit by the WannaCry ransomware attack, we recommend that you read our guidance on responding to infection incidents and recovering from such attacks: Steps to take if your business gets hacked and WannaCry recovery.

Contact Nettitude’s 24×7 Incident Response helpline (option 3) to get hands-on support in recovering from WannaCry and preventing future variants of ransomware from hitting your environment.

Call us on 212-335-2285.