MyCERT Advisories, Alerts and Summaries for the year 2017
MA-663.052017: MyCERT Advisory – Technical Detail: WannaCry Ransomware
Date first published: 23/5/2017
First Revision: 6/6/2017
MyCERT has received reports of an outbreak of ransomware called WannaCry. This ransomware is also referenced online under various names such as WCry, WanaCryptor, WannaCrypt or Wana Decryptor. Ransomware is a type of malware that infects a computing platform and restricts users’ access until a ransom is paid to unlock it.
It exploits a vulnerability in Windows, known as EternalBlue, for which Microsoft released a patch on 14 March 2017 (MS17-010). The exploit, “Eternal Blue”, was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, who claimed to have stolen the data from the Equation cyber espionage group.
The vulnerability is in the Windows Server Message Block (SMB) service. Further details are as follows:
• Files on an infected computer are encrypted, and the owner cannot access them until a ransom of $300 worth of Bitcoin is paid.
• The original files are deleted after they are encrypted by the ransomware.
• The worm component contained in WannaCry causes it to self-propagate and infect other vulnerable computers within the same network.
• Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored.
3.0 Affected Product
Unpatched Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, Windows 2016.
4.0 Technical Description
Once a user’s machine has been infected, it shows a popup message as its ransom note, with instructions on how to pay and decrypt. The ransom note supports multiple languages, and the user has 7 days to pay before the encrypted files are lost. The ransomware demands USD $300, paid in Bitcoin, to decrypt the files. If the ransom is not paid, it doubles to USD $600, and the encrypted files are deleted once the 7 days have elapsed.
Figure 1: The main ransom note dialog.
Figure 2: A text file dropped by the ransomware (Source: http://www.cyberswachhtakendra.gov.in)
Several known WannaCry binaries have spread around the world, most of them with the same behaviour. The following is a list of known MD5 hashes:
The following is basic data about the specific WannaCry ransomware binary:
The following are known Bitcoin addresses belonging to the author of the WannaCry ransomware:
File System Indicators
The following are some of the known file extensions that are searched for and encrypted by the WannaCry ransomware:
Figure 3: WannaCry stores all its main files in a randomly named folder in the %ALLUSERSPROFILE% directory.
Some of the dropped files are not malicious in themselves, but they are still used as part of the campaign. Below is the full list of files (with their MD5 hashes) dropped once the ransomware infects a user’s machine:
The following registry keys are known to be created as part of its persistence:
A temporary registry key that is later deleted by the malware itself:
The following domain names over the TOR network are known to be used by the malware during infection and while scanning IP ranges for vulnerable machines:
The WannaCry ransomware uses AES 128-bit in CBC mode to encrypt victim files, while the AES key itself is encrypted using RSA-2048. The following diagram shows the workflow of WannaCry’s cryptography:
Figure 4: The encryption process from a cryptographic perspective.
Each generated key is stored as 00000000.pky. Every user file is encrypted with a random AES 128-bit key. Those keys are encrypted with an RSA 2048-bit public key generated earlier, which is paired with its RSA 2048-bit private key.
That generated RSA 2048-bit private key is in turn encrypted with the RSA master public key. On the other hand, only the malware author holds the RSA master private key needed to decrypt it.
Once encryption is complete, the encrypted files carry the “.WNRY” file extension. The original files are deleted.
Figure 5: Example of an encrypted file with the “.wnry” file extension.
There is no general tool for easily decrypting files that have already been encrypted. However, several researchers have released tools that attempt to decrypt the files, among them wanakey, wanakiwi, wanafork and several others. These tools try to retrieve the prime numbers from the computer’s memory. They are not perfect, as the following conditions must be met in order to decrypt the files successfully:
1. The user must not restart or shut down the machine after the infection.
2. The user must act fast, as the prime number may be overwritten in the computer’s memory. Success depends on how quickly the tool is run against the encrypted files, since delays may cause the prime number to be overwritten in memory.
3. The decryption tool only works on 32-bit Windows and does not work on 64-bit Windows.
4. Not all variants can be decrypted successfully.
Figure 6: wanakiwi.exe decrypting files with a prime number found in memory.
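As an added illustration of why conditions 1 and 2 above matter (constructed for this advisory, not code from the advisory or from the wanakey/wanakiwi/wanafork authors): with one of the two RSA primes still in memory, the victim-side private key can be rebuilt from the public key alone and the per-file key unwrapped; once that prime is overwritten, the same computation is impossible without the author's master private key. The toy key size, the textbook RSA wrapping of a bare 128-bit key in place of the real AES-128 key, and the prime_from_memory input are assumptions.

```python
import random
import secrets
# Constructed illustration (not wanakiwi's code): a toy RSA pair stands in for the
# victim's generated key pair; prime_from_memory is the prime the decryptors scan for.
def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if is_probable_prime(cand):
            return cand

def make_keypair(bits: int = 512):
    """Victim-side RSA pair (toy size; WannaCry uses 2048-bit), e = 65537."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            return (p * q, e), (p, q)

def recover_private_exponent(n: int, e: int, prime_from_memory: int) -> int:
    """The decryptor's step: one prime plus the public key yields d."""
    q, rem = divmod(n, prime_from_memory)
    if rem != 0 or not is_probable_prime(q):
        raise ValueError("candidate prime does not divide the modulus")
    return pow(e, -1, (prime_from_memory - 1) * (q - 1))

def demo() -> bool:
    (n, e), (p, _q) = make_keypair()
    file_key = secrets.randbits(128)        # stands in for the per-file AES-128 key
    wrapped = pow(file_key, e, n)           # textbook RSA wrap, no padding
    d = recover_private_exponent(n, e, p)   # only possible while p is still in memory
    return pow(wrapped, d, n) == file_key
```

If the prime handed to recover_private_exponent is wrong (overwritten memory), the divisibility check fails and no key is produced, which is the failure mode the tools' authors warn about.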
5.0 Recovery of Deleted Files from Infected Machines
Users may now recover the original files from infected machines after WannaCry encrypts them, using file recovery software. This software is not a decryptor. Recovery is possible because WannaCry has a serious programming flaw that allows users to recover files without needing the private key to decrypt them.
Our analysis and testing confirmed that files can be recovered from the following folders:
1. C:\Windows\TEMP\    Located on the system drive
2. X:\$RECYCLE\        Located on a non-system drive; hidden attribute
These two directories act as temporary folders before the encryption process takes place. Although the file extensions inside those folders end with .WNCRYPT, the content is still intact, as in the original files. Only the filename cannot be recovered at this point, even though the file itself is. Users may rename the files once they are recovered.
All files can be recovered using free tools available on the internet, such as Recuva and Undelete, which have been tested by MyCERT and proven able to recover files on infected machines.
Users need to download the tool and scan the above folders to recover the files.
Users may download the tools, which are available for free, at:
Figure 7: Example of recovered files located at F:\$RECYCLE\.
Figure 8: Using Piriform Recuva to recover files located in the C:\Windows\Temp\ folder.
The tools are unable to recover files on removable drives, such as thumb drives.
For End Users:
• Users of this product are advised to review and patch the vulnerability described in MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
• Microsoft patches for unsupported versions such as Windows XP, Vista, Server 2003 and Server 2008 can be found here:
• Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing.
• Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline;
• Maintain up-to-date anti-virus software;
• Keep operating system and software up-to-date regularly with the latest patches;
• Do not follow unsolicited web links in email;
• Be extra careful when opening email attachments;
• Follow best and safe practices when browsing the web.
For System Administrators:
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Block all SMB (445/tcp) traffic.
• A Snort rule for ETERNALBLUE was released by Cisco as part of the "registered" rule set. Check SIDs 41978, 42329-42332 and 42340.
• Emerging Threats has an IDS rule that catches the ransomware activity (ID: 2024218).
• As a preventive measure, a Yara signature can be useful to prevent future infections in the enterprise, as well as to protect its customers by stopping the malware from spreading in the first place. The following rule can be applied on IDS/IPS:
Generally, MyCERT advises users of this software to stay updated with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 AM - 18:00 PM MYT