
MyCERT Advisories, Alerts and Summaries for the year 2017

MA-663.052017: MyCERT Advisory – Technical Detail: WannaCry Ransomware

Date first published: 23/5/2017
First Revision: 6/6/2017


1.0 Introduction
MyCERT has received reports of an outbreak of ransomware called WannaCry. This ransomware is also referenced online under various names such as WCry, WanaCryptor, WannaCrypt or Wana Decryptor. Ransomware is a type of malware that infects a computing platform and restricts users' access until a ransom is paid to unlock it.

It exploits a vulnerability in Windows for which Microsoft released a patch on 14 March 2017 (MS17-010). The exploit, "EternalBlue", was released online in April in the latest of a series of leaks by a group known as the Shadow Brokers, which claimed to have stolen the data from the Equation cyber espionage group.

The vulnerability lies in the Windows Server Message Block (SMB) service; details are given below:


2.0 Impact
• Files on an infected computer are encrypted, and the owner cannot access them until a ransom of $300 worth of Bitcoin is paid.
• The original files are deleted after they are encrypted by the ransomware.
• The worm component in WannaCry makes it self-propagate and infect other vulnerable computers within the same network.
• Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored.

3.0 Affected Product
Unpatched Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, Windows 2016.


4.0 Technical Description
Once a user's machine has been infected, it shows a popup message as its ransom note, with instructions on how to pay and decrypt. The ransom note supports multiple languages, and the user has 7 days to pay before the encrypted files are lost. The ransomware demands USD 300 to decrypt the files, paid in Bitcoin. If the ransom is not paid within 7 days, it doubles to USD 600 until the encrypted files are deleted.


 
Figure 1: The main ransom note dialog.



Figure 2: A text file dropped by the ransomware (Source: http://www.cyberswachhtakendra.gov.in)


Several known WannaCry binaries have spread around the world, most of them with the same behaviour. The following is a list of their known MD5 hashes:

• 4fef5e34143e646dbf9907c4374276f5
• 5bef35496fcbdbe841c82f4d1ab8b7c2
• 775a0631fb8229b2aa3d7621427085ad
• 7bf2b57f2a205768755c07f238fb32cc
• 7f7ccaa16fb15eb1c7399d422f8363e8
• 8495400f199ac77853c53b5a3f278f3e
• 84c82835a5d21bbcf75a61706d8ab549
• 86721e64ffbd69aa6944b9672bcabb6d
• 8dd63adb68ef053e044a5a2f46e0d2cd
• b0ad5902366f860f85b892867e5b1e87
• d6114ba5f10ad67a4131ab72531f02da
• db349b97c37d22f5ea1d1841e3c89eb4
• e372d07207b4da75b3434584cd9f3450
• f529f4556a5126bba499c26d67892240


General Information
The following is basic data about the specific WannaCry ransomware binary analysed:

Type    Hash                                                                       Description
MD5     84c82835a5d21bbcf75a61706d8ab549                                           Main binary
SHA1    5ff465afaabcbf0150d1a3ab2c2e74f3a4426467                                   Main binary
ssdeep  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB  Main binary
.text   920e964050a1a5dd60dd00083fd541a2                                           Section
.rdata  2c42611802d585e6eed68595876d1a15                                           Section
.data   83506e37bd8b50cacabd480f8eb3849b                                           Section
.rsrc   f99ce7dc94308f0a149a19e022e4c316                                           Section


Bitcoin Wallet
The following are known Bitcoin addresses belonging to the author of the WannaCry ransomware:
• 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
• 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
• 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

File System Indicators
The following are some of the known file extensions that WannaCry searches for and encrypts:


Figure 3: WannaCry stores all its main files in a randomly named folder under the %ALLUSERSPROFILE% directory.

Some of the dropped files are not malicious in themselves, but they are still used as part of the campaign. Below is the full list of files (and their MD5 hashes) dropped once it infects a user's machine:
  • %AllUsersProfile%\taskdl.exe
  • %AllUsersProfile%\taskse.exe 
  • %AllUsersProfile%\b.wnry
  • %AllUsersProfile%\c.wnry 
  • %AllUsersProfile%\r.wnry 
  • %AllUsersProfile%\s.wnry 
  • %AllUsersProfile%\t.wnry 
  • %AllUsersProfile%\u.wnry 
  • %AllUsersProfile%\00000000.pky 
  • %AllUsersProfile%\00000000.eky 
  • %AllUsersProfile%\00000000.res 
  • %AllUsersProfile%\@WanaDecryptor@.exe
  • %AllUsersProfile%\msg\m_bulgarian.wnry
  • %AllUsersProfile%\msg\m_chinese (simplified).wnry
  • %AllUsersProfile%\msg\m_chinese (traditional).wnry
  • %AllUsersProfile%\msg\m_croatian.wnry 
  • %AllUsersProfile%\msg\m_czech.wnry 
  • %AllUsersProfile%\msg\m_danish.wnry 
  • %AllUsersProfile%\msg\m_dutch.wnry 
  • %AllUsersProfile%\msg\m_english.wnry
  • %AllUsersProfile%\msg\m_filipino.wnry 
  • %AllUsersProfile%\msg\m_finnish.wnry 
  • %AllUsersProfile%\msg\m_french.wnry 
  • %AllUsersProfile%\msg\m_german.wnry 
  • %AllUsersProfile%\msg\m_greek.wnry 
  • %AllUsersProfile%\msg\m_indonesian.wnry
  • %AllUsersProfile%\msg\m_italian.wnry 
  • %AllUsersProfile%\msg\m_japanese.wnry
  • %AllUsersProfile%\msg\m_korean.wnry 
  • %AllUsersProfile%\msg\m_latvian.wnry
  • %AllUsersProfile%\msg\m_norwegian.wnry
  • %AllUsersProfile%\msg\m_polish.wnry 
  • %AllUsersProfile%\msg\m_portuguese.wnry
  • %AllUsersProfile%\msg\m_romanian.wnry
  • %AllUsersProfile%\msg\m_russian.wnry 
  • %AllUsersProfile%\msg\m_slovak.wnry
  • %AllUsersProfile%\msg\m_spanish.wnry
  • %AllUsersProfile%\msg\m_swedish.wnry
  • %AllUsersProfile%\msg\m_turkish.wnry
  • %AllUsersProfile%\msg\m_vietnamese.wnry
  • %AllUsersProfile%\@Please_Read_Me@.txt
  • %AllUsersProfile%\TaskData\Tor\libeay32.dll
  • %AllUsersProfile%\TaskData\Tor\libevent-2-0-5.dll
  • %AllUsersProfile%\TaskData\Tor\libevent_core-2-0-5.dll
  • %AllUsersProfile%\TaskData\Tor\libevent_extra-2-0-5.dll
  • %AllUsersProfile%\TaskData\Tor\libgcc_s_sjlj-1.dll
  • %AllUsersProfile%\TaskData\Tor\libssp-0.dll
  • %AllUsersProfile%\TaskData\Tor\ssleay32.dll
  • %AllUsersProfile%\TaskData\Tor\tor.exe 
  • %AllUsersProfile%\TaskData\Tor\zlib1.dll
  • %AllUsersProfile%\TaskData\Tor\taskhsvc.exe
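As an added example (not part of the advisory, and not code from MyCERT or any of the named tools), the following Python script turns the file-system indicators above into a sweep of a profile directory: it flags the dropped file names from the list, the Tor components only when they sit under TaskData\Tor (a bare tor.exe elsewhere is a legitimate install), and any file carrying the .wnry or .wncrypt extension. The sample directory tree it scans is constructed inline; point `find_wannacry_artifacts` at %AllUsersProfile% on a real host.

```python
from pathlib import Path
import tempfile

# Dropped-file names taken from the advisory's list, relative to %AllUsersProfile%
# (lower-cased; the malware may place them in a randomly named subfolder).
KNOWN_DROPPED = {
    "taskdl.exe", "taskse.exe", "tasksche.exe", "@wanadecryptor@.exe",
    "@please_read_me@.txt", "b.wnry", "c.wnry", "r.wnry", "s.wnry", "t.wnry",
    "u.wnry", "00000000.pky", "00000000.eky", "00000000.res",
    "taskdata/tor/tor.exe", "taskdata/tor/taskhsvc.exe",
}
# Extensions named in the advisory: .wnry (dropped components and encrypted files)
# and .wncrypt (pre-encryption copies left in temporary folders).
SUSPECT_EXTENSIONS = (".wnry", ".wncrypt")


def is_wannacry_artifact(rel_posix):
    """Match a profile-relative path against the known dropped files and extensions."""
    rel = rel_posix.lower()
    if rel in KNOWN_DROPPED or any(rel.endswith("/" + k) for k in KNOWN_DROPPED):
        return True
    return rel.endswith(SUSPECT_EXTENSIONS)


def find_wannacry_artifacts(profile_dir):
    """Walk a directory tree and return the sorted profile-relative paths that match."""
    root = Path(profile_dir)
    hits = []
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if is_wannacry_artifact(rel):
                hits.append(rel)
    return sorted(hits)


def build_sample_profile():
    """Constructed sample tree standing in for %AllUsersProfile% on an infected host."""
    root = Path(tempfile.mkdtemp(prefix="wannacry_demo_"))
    for rel in ("taskdl.exe", "msg/m_english.wnry", "TaskData/Tor/tor.exe",
                "report.docx.wnry", "notes.txt", "other/tor.exe"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")
    return str(root)


if __name__ == "__main__":
    for hit in find_wannacry_artifacts(build_sample_profile()):
        print("suspect:", hit)
```

The extension match will also flag the malware's own message files (m_*.wnry), which is intentional: on a clean machine none of these names should exist under the profile directory at all.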

Registry Activity
The following registry key is known to be written as part of its persistence:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
=C:\Users\tasksche.exe

A temporary registry value that the malware itself later deletes:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe


Network Indicators
The following .onion domain names are known to be used by the malware over the Tor network during infection and while it scans IP ranges for vulnerable machines:
• gx7ekbenv2riucmf.onion
• 57g7spgrzlojinas.onion
• xxlvbrloxvriy2c5.onion
• 76jdd2ir2embyv47.onion
• cwwnhwhlz52maqm7.onion

The malware also checks whether a certain domain name exists and is online. This feature has become known as its "kill switch": under that condition it prevents the malware from executing on a vulnerable machine. The following is that domain name:


Encryption
The WannaCry ransomware uses AES 128-bit in CBC mode to encrypt victim files, while the AES key itself is encrypted using RSA-2048. The following diagram shows the workflow of WannaCry's cryptography:
 
Figure 4: The encryption process from a cryptographic perspective.


Every generated key is stored as 00000000.pky. Every user file is encrypted with a random AES 128-bit key, and each of those keys is encrypted with the RSA 2048-bit public key generated earlier, which is paired with an RSA 2048-bit private key.

That generated RSA 2048-bit private key is in turn encrypted with the RSA master public key; only the malware author holds the RSA master private key needed to decrypt it.
Once all file encryption is done, each encrypted file carries the ".WNRY" file extension and the original file is deleted.
 

Figure 5: Example of an encrypted file with the ".wnry" file extension.


Decryption
There is no general tool for easily decrypting files that have already been encrypted. However, several researchers have released tools that attempt to decrypt the files: wanakey, wanakiwi, wanafork and several others. These tools try to retrieve the prime number from the computer's memory. They are not perfect, as the following conditions must hold in order to successfully decrypt the files:

1. The user must not restart or shut down the machine after the infection.
2. The user must act fast, as the prime number may be overwritten in the computer's memory. Success depends on how quickly the tool is run; delays may cause the prime number to be overwritten.
3. The decryption tool works only on 32-bit Windows and does not work on 64-bit Windows.
4. Not all variants can be successfully decrypted.
 

Figure 6: wanakiwi.exe decrypting files with a prime number found in memory.
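To make the "prime number from memory" idea concrete, here is an added Python example written for this advisory; it is not code from wanakiwi, wanakey or any other tool named above. It models what those tools do: scan a memory buffer for a value that divides the RSA modulus, then rebuild the private exponent from that single prime using the textbook relation d = e^-1 mod (p-1)(q-1). The buffer and the 30-bit primes are constructed here for illustration; the real tools search the process memory of the ransomware for the 1024-bit primes of an RSA-2048 key, which is why a reboot (condition 1) or memory reuse (condition 2) defeats them.

```python
# Constructed toy key: two known 30-bit primes, far smaller than the
# 1024-bit primes of the RSA-2048 key that WannaCry actually generates.
TOY_P = 1000000007
TOY_Q = 998244353
TOY_N = TOY_P * TOY_Q
TOY_E = 65537


def recover_private_exponent(n, e, p):
    """Rebuild the RSA private exponent d from the public key (n, e) and one prime p.

    Knowing either prime is enough: q = n / p gives the other factor, phi(n)
    follows, and d is the modular inverse of e modulo phi(n).
    """
    if p <= 1 or n % p != 0:
        raise ValueError("p is not a factor of n")
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return d, q


def scan_memory_for_factor(memory, n, width):
    """Slide a window of `width` bytes over the buffer; return (value, offset) of the
    first little-endian integer that is a non-trivial divisor of n, or (None, None)."""
    for offset in range(len(memory) - width + 1):
        candidate = int.from_bytes(memory[offset:offset + width], "little")
        if 1 < candidate < n and n % candidate == 0:
            return candidate, offset
    return None, None


def build_fake_memory():
    """Constructed stand-in for a memory dump: filler bytes with TOY_P embedded at offset 64."""
    filler = bytes([0xAA, 0x55]) * 32
    return filler + TOY_P.to_bytes(4, "little") + filler


def demo():
    """Recover the key from the fake dump and check that it decrypts a test value."""
    mem = build_fake_memory()
    p, _offset = scan_memory_for_factor(mem, TOY_N, 4)
    d, _q = recover_private_exponent(TOY_N, TOY_E, p)
    message = 42
    return pow(pow(message, TOY_E, TOY_N), d, TOY_N) == message


if __name__ == "__main__":
    print("round trip ok:", demo())
```

In the real case `width` would be 128 bytes (a 1024-bit prime) and the modulus would come from the victim's 00000000.pky; the divisibility test is what lets the scan reject the overwhelming majority of candidate windows without any further knowledge of memory layout.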


5.0 Recovery of Deleted Files from Infected Machines

Users may now recover the original files from infected machines after WannaCry has encrypted them, using file recovery software. This software is not a decryptor. Recovery is possible because WannaCry has a serious programming flaw that lets users recover files without needing the private key to decrypt them.

Our analysis and testing confirmed that files can be recovered from the following folders:

No.  Path               Remark
1.   C:\Windows\TEMP\   Located on the system drive
2.   X:\$RECYCLE\       Located on a non-system drive; hidden attribute
Note: 'X' is the drive letter of your non-system drive.


Those two directories act as temporary folders before the encryption process takes place. Although the files inside them end with the .WNCRYPT extension, their content is still intact and identical to the original files. Only the filename cannot be recovered at this point, even though the file itself is; users may rename the files once they are recovered.

All files can be recovered using free tools available on the internet, such as Recuva and Undelete, which MyCERT has tested and found able to recover files on infected machines.
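Because only the filename is lost, the recovered .WNCRYPT files can usually be given back a sensible extension by looking at their leading bytes. The following Python helper is an added example for this advisory (not MyCERT's or Recuva's code): it sniffs a small table of common file signatures, proposes a new name for each recognised .WNCRYPT file, and applies the renames only when asked. The sample folder and its contents are constructed inline; run `plan_renames` on the recovered C:\Windows\TEMP\ or X:\$RECYCLE\ copies in practice.

```python
import os
import tempfile

# Constructed lookup of common file signatures (magic bytes) -> extension to restore.
SIGNATURES = (
    (b"%PDF-", ".pdf"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF8", ".gif"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", ".doc"),  # legacy OLE2 Office container
    (b"PK\x03\x04", ".zip"),  # also docx/xlsx/pptx; .zip is the safe generic choice
)
RECOVERED_SUFFIX = ".wncrypt"


def guess_extension(path):
    """Return the extension implied by the file's leading bytes, or None if unknown."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, ext in SIGNATURES:
        if head.startswith(magic):
            return ext
    return None


def plan_renames(folder, apply=False):
    """Map each recognised .WNCRYPT file to a restored name; rename on disk if apply=True."""
    planned = {}
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(RECOVERED_SUFFIX):
            continue
        ext = guess_extension(os.path.join(folder, name))
        if ext is None:
            continue  # unknown content: leave it for manual inspection
        new_name = name[:-len(RECOVERED_SUFFIX)] + ext
        planned[name] = new_name
        if apply:
            os.rename(os.path.join(folder, name), os.path.join(folder, new_name))
    return planned


def build_recovered_sample():
    """Constructed stand-in for a folder of files recovered from $RECYCLE."""
    folder = tempfile.mkdtemp(prefix="recovered_")
    samples = {
        "a.WNCRYPT": b"%PDF-1.4\n%constructed sample\n",
        "b.WNCRYPT": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "c.WNCRYPT": b"no recognisable header",
        "unrelated.txt": b"not a recovered file",
    }
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    return folder


if __name__ == "__main__":
    sample = build_recovered_sample()
    for old, new in plan_renames(sample).items():
        print(f"{old} -> {new}")
```

The dry run (the default) prints the proposed mapping so the user can check it before anything is renamed; files whose header is not recognised are left untouched rather than guessed.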

Users need to download the tool and scan the above folders to recover the files.


Users may download the tools, which are available for free, at:
1. Recuva 

2. FreeUndelete  



Figure 7: Example of recovered files located at F:\$RECYCLE\.
 


Figure 8: Using Piriform Recuva to recover files from the C:\Windows\Temp\ folder.


The tools are unable to recover files on removable drives, such as thumb drives.



6.0 Recommendations

For End Users:

• Users of this product are advised to review and patch the vulnerability described in MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

• The Microsoft patch for unsupported versions such as Windows XP, Vista, Server 2003 and Server 2008 can be found here:

• Disable SMBv1 on all systems and use SMBv2 or SMBv3 after appropriate testing.
• Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite recovery. Ideally, this data should be kept on a separate device, and backups should be stored offline.
• Maintain up-to-date anti-virus software.
• Keep the operating system and software up to date with the latest patches.
• Do not follow unsolicited web links in email.
• Be extra careful when opening email attachments.
• Follow safe practices when browsing the web.


For System Administrators:

• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Block all SMB (445/tcp) traffic.
• A Snort rule for ETERNALBLUE was released by Cisco as part of the "registered" rule set. Check for SIDs 41978, 42329-42332 and 42340.
• Emerging Threats has an IDS rule that catches the ransomware activity (ID: 2024218).
• As a preventive measure, a Yara signature can help prevent future infections in the enterprise, as well as stop customers from spreading the malware in the first place. The following rule can be applied on IDS/IPS:





Generally, MyCERT advises users of this software to keep up with the latest security announcements from the vendor and to follow best-practice security policies when deciding which updates to apply.


For further enquiries, please contact MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442 
Mobile: +60 19 2665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 AM - 18:00 PM MYT
Cyber999 Mobile Apps: IOS Users or Android Users


7.0 References