The WannaCry ransomware outbreak shook the world when it occurred in May 2017.
This slide deck looks at the attack, how it was carried out, and its success rate. It also attempts to figure out who was likely to have been behind this devastating cyber attack.
For more information on this outbreak, take a look at these additional resources:
What you need to know about the WannaCry Ransomware: https://www.symantec.com/connect/blogs/wannacry-3
WannaCry: Ransomware attacks show strong links to Lazarus group: https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
Can files locked by WannaCry be decrypted: A technical analysis: https://medium.com/threat-intel/wannacry-ransomware-decryption-821c7e3f0a2b
Before we talk about WannaCry, let’s talk a little about context: In August 2003, the Blaster worm infected 16 million machines in 24 hours
In 2008, the infamous Conficker worm infected 15 million in a day
And then WannaCry infected around 300,000, which is a tiny number in relative terms. So, why did it make such a splash?
Because of this. This is what you would see when you started your computer if it was infected with WannaCry. Quantity or prevalence isn’t as important as impact: WannaCry would trash your machine whereas Conficker and Blaster both did nothing.
WannaCry affected huge companies like FedEx, the National Health Service in the UK, and the train system in Germany, among many others.
Chart shows attempts to exploit the MS17-010 vulnerability that was used to spread WannaCry
Countries with good internet access that were using unpatched machines were most heavily affected by WannaCry
Left is the infected machine
Right is the victim
SRV.SYS/SRVNET.SYS is the SMB service on the victim machine
The vulnerability itself is a straightforward buffer overflow: the buffer is too small, and the exploit code overflows it and gains control
The exploit portion is what is known as EternalBlue from the ShadowBrokers dump
It sets up just a small piece of code that then opens a listening backdoor channel within the SMB process
It simply listens, accepts any file sent to it, and then loads and executes that file. ShadowBrokers called this backdoor DoublePulsar
Note that the exploit is delivered via SMB1, but the backdoor channel happens over SMB2. So, there was some confusion about whether the exploit happened via SMB1 or SMB2; it is both. Blocking either one prevents the whole chain from working. Many organizations therefore disable SMB1: even if you use SMB in your environment, it is highly unlikely you are using SMB1, so it can safely be blocked.
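Before disabling SMB1 it helps to know whether anything still speaks it. As an added example (not part of the original slides), here is a small Python classifier that tells SMB1, SMB2 and encrypted SMB3 messages apart by the protocol magic at the start of each port-445 message and reports which hosts sent SMB1; the traffic samples are constructed, not real captures.

```python
import struct

# Protocol identifiers at the start of every SMB message (after the 4-byte
# NetBIOS Session Service header used on TCP port 445).
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB3_TRANSFORM_MAGIC = b"\xfdSMB"  # encrypted SMB 3.x payload, command not visible

SMB1_COMMANDS = {0x72: "NEGOTIATE", 0x73: "SESSION_SETUP_ANDX", 0x75: "TREE_CONNECT_ANDX",
                 0x25: "TRANSACTION", 0x32: "TRANSACTION2", 0xA0: "NT_TRANSACT"}
SMB2_COMMANDS = {0: "NEGOTIATE", 1: "SESSION_SETUP", 3: "TREE_CONNECT", 5: "CREATE",
                 8: "READ", 9: "WRITE"}

def parse_smb_version(packet):
    """Classify one raw port-445 message as (version, command_name)."""
    body = packet[4:]  # skip NetBIOS session header: 1-byte type + 3-byte length
    if body.startswith(SMB1_MAGIC) and len(body) >= 5:
        cmd = body[4]  # SMB1 header: 1-byte command right after the magic
        return ("SMB1", SMB1_COMMANDS.get(cmd, "0x%02x" % cmd))
    if body.startswith(SMB2_MAGIC) and len(body) >= 14:
        # SMB2 header: magic(4) StructureSize(2) CreditCharge(2) Status(4) Command(2)
        cmd = struct.unpack_from("<H", body, 12)[0]
        return ("SMB2", SMB2_COMMANDS.get(cmd, "0x%04x" % cmd))
    if body.startswith(SMB3_TRANSFORM_MAGIC):
        return ("SMB3-encrypted", None)
    return ("unknown", None)

def smb1_talkers(flows):
    """Hosts that sent any SMB1 message; an empty list means SMB1 can be disabled safely."""
    return sorted({src for src, pkt in flows if parse_smb_version(pkt)[0] == "SMB1"})

def nbss(smb):
    """Wrap an SMB message in a NetBIOS Session Service header."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

# Constructed sample traffic (source host, raw message), not a real capture.
SAMPLE_FLOWS = [
    ("10.0.0.5", nbss(SMB1_MAGIC + bytes([0x72]) + b"\x00" * 27)),                      # SMB1 Negotiate
    ("10.0.0.7", nbss(SMB2_MAGIC + struct.pack("<HHIH", 64, 0, 0, 0) + b"\x00" * 50)),  # SMB2 Negotiate
    ("10.0.0.7", nbss(SMB2_MAGIC + struct.pack("<HHIH", 64, 0, 0, 5) + b"\x00" * 50)),  # SMB2 Create
    ("10.0.0.9", nbss(SMB3_TRANSFORM_MAGIC + b"\x00" * 48)),                             # encrypted SMB3
]

if __name__ == "__main__":
    for src, pkt in SAMPLE_FLOWS:
        print(src, *parse_smb_version(pkt))
    print("still speaking SMB1:", smb1_talkers(SAMPLE_FLOWS))
```

On real traffic, feed the function the TCP payloads of port-445 sessions from a capture; any host in the SMB1 list needs attention before the protocol is turned off.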
The file that is transferred over is a DLL
It has a single function in it, PlayGame, which basically extracts an embedded file inside called W/101 and saves and executes it as mssecsvc.exe
Inside that file is another embedded file in a resource called R
Now the R resource is also extracted and, within the R resource, like Russian dolls, is a password-protected ZIP file. That password-protected ZIP file is extracted to the drive with the password Wncry@2ol7
Note that this is not the password to decrypt your files, as some people mistakenly thought. This is the password that is used internally by the threat to decrypt the password-protected ZIP it carries inside of itself
Listed above are the files contained inside the ZIP
The files inside the ZIP also kill certain processes that often hold files open, which would otherwise disrupt WannaCry’s encryption process
They also delete volume shadow copies. This is typical of ransomware because Windows by default keeps shadow (or backup) copies of your files and, if the ransomware doesn’t do this, you can actually easily restore your files.
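Both behaviours (killing file-locking processes and removing shadow copies) are visible in process-creation telemetry and are worth alerting on together. As an added example that is not part of the original slides, here is a Python triage pass over constructed process-creation events; the command strings it looks for (vssadmin, wmic shadowcopy, wbadmin, bcdedit, taskkill) are common ransomware tooling assumed here, not quoted from the slides.

```python
import re

# Indicator patterns (assumed, typical ransomware preparation commands).
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no", re.I)),
    ("forced_process_kill", re.compile(r"\btaskkill(\.exe)?\b.*(/f\b|/im\b)", re.I)),
]

def evaluate(event):
    """Return the de-duplicated list of rule names an event's command line matches."""
    cmd = event.get("cmdline", "")
    hits = []
    for name, pattern in RULES:
        if pattern.search(cmd) and name not in hits:
            hits.append(name)
    return hits

def triage(events):
    """Group hits per host and grade them: backups removed plus forced kills is the ransomware pattern."""
    by_host = {}
    for ev in events:
        for rule in evaluate(ev):
            by_host.setdefault(ev["host"], set()).add(rule)
    verdicts = {}
    for host, rules in by_host.items():
        if "shadow_copy_deletion" in rules and "forced_process_kill" in rules:
            verdicts[host] = "likely ransomware: shadow copies removed and file-locking processes killed"
        elif "shadow_copy_deletion" in rules or "backup_catalog_deletion" in rules:
            verdicts[host] = "review: backup or shadow copies removed"
        else:
            verdicts[host] = "low: " + ", ".join(sorted(rules))
    return verdicts

# Constructed sample events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"host": "ws01", "cmdline": "taskkill.exe /f /im sqlwriter.exe"},
    {"host": "ws01", "cmdline": "taskkill.exe /f /im mysqld.exe"},
    {"host": "ws02", "cmdline": "taskkill /f /im notepad.exe"},          # admin noise, low severity
    {"host": "ws03", "cmdline": "vssadmin list shadows"},                # benign, no hit
    {"host": "ws03", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, "->", verdict)
```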
Languages are: Bulgarian, Chinese (Simplified & Traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese
WannaCry generates a unique encryption key for each file
It uses that to encrypt the files using AES-128
Then, it encrypts all of those keys together using RSA-2048
The attacker has generated a public and private key pair. Now, people who aren’t familiar with PKI sometimes get scared when they start hearing about public and private keys, but a simple rule to remember is that the public key encrypts and the private key decrypts. The public key can only be used for encryption, and you need the private key if you want to decrypt.
So, the final key on your machine is then encrypted by the attacker’s public key
So now all your files are encrypted
So, how does decryption work?
The single small master key blob of data on your machine is sent to the attacker and the attacker uses their private key to decrypt it and send you back your key. This happens over Tor via a bunch of domains.
Once you have your decrypted key, you can decrypt all the individual keys and those keys then can decrypt each of your files
Are there any weaknesses? Well, unfortunately, the math here is secure. The attackers behind WannaCry are using Windows-supplied Crypto APIs rather than rolling their own crypto schemes. However, there are some potential weaknesses.
The first is that, often, when keys are generated, a copy of them is made in memory to do your work. And sometimes those copies in memory don’t get wiped properly. So, if you can recover such a copy, you can use it to then decrypt your files.
In the case of WannaCry, we see this happen on XP, but unfortunately it doesn’t infect XP via SMB, so this is useless for the vast majority of those affected. In a lab setting, it seems sometimes you may also see this in Win7 and 2008, but we have been unable to reproduce this at all in any real world environment. In the real world, these memory buffers get overwritten, so it isn’t possible. You may have seen a tool that tries to do this. You have nothing to lose if you want to try it, but it is unlikely to work.
However, WannaCry did do something weird when encrypting files
For removable drives, desktop, and My Documents, WannaCry would encrypt in place
But for all other areas on the drive, it would first copy over the file, encrypt it, and then delete the original.
As many of you probably know, when you delete a file it can often remain behind in slack space. The directory entry recording that the file exists is removed, but the actual file data remains on disk.
So, using any well known undelete disk recovery tool, you can recover many of these files.
A security researcher found a killswitch for WannaCry relatively early in its campaign. If the researcher had not found this killswitch, WannaCry would have caused a lot more trouble than it did.
In the original version (which was the one that infected the majority of machines), WannaCry calls a dropped executable to generate the unique bitcoin addresses, but that dropped executable hasn’t been created yet, so it doesn’t work.
13 hours later, you can see the attacker moves the creation of the dropped executable before the code to call it, fixing his bug. However, this fix was too late in most cases.
Interestingly, at the deadline, the attackers sent out a last plea for payment
Backups – the problem is even those who believe they have a good restoration plan in place often aren’t prepared for a situation like WannaCry. Make sure your restoration plans work in adverse situations.
Perimeter – In the real world, it is rare that your firewall is your perimeter, whether it is laptops coming in and out, vendor networks connected to yours, or things like cloud services. The perimeter today is an ambiguous thing, so don’t just think because something is blocked on your firewall you are safe.
Cloud – services like Dropbox have local file integration, so, even though your data is in the cloud, you have a file on your local machine that looks local, and the data in there will get encrypted
This means your files on the cloud also get encrypted
Finally, security policies, procedures and continuity planning work. For those organizations that got hit but had good processes in place, we saw them recover quickly and easily.