WannaCry ransomware outbreak - what you need to know

1Copyright © 2017 Symantec Corporation
WannaCry:
The computer
worm that
disrupted the
world

August 11, 2003
Blaster
16 million

Conficker
15 million
November 21, 2008

WannaCry
300,000
May 12, 2017

JANUARY 16
US-CERT issues
advisory on new SMB
vulnerability.
FEBRUARY 10
First infection of
WannaCry in the wild.
Tools associated with
Lazarus group found
on infected
computers.
MARCH 14
Microsoft releases
patch for CVE-
2017-0144.
MAY 10
CVE-2017-0144 exploit is added to
Exploit.DB.
APRIL 14
Shadow Brokers
releases
EternalBlue
exploit code.
MAY 12
New wave of WannaCry attacks begin. This campaign
uses EternalBlue exploit to spread.
MAY 13
A new version of WannaCry surfaces.
MARCH 27
Second wave of
attacks. Backdoors
used in campaign
share code and
infrastructure with
Lazarus tools.
MAY 17
Notice displayed on infected computers claiming
files will be decrypted if ransom is paid.
APRIL 24
Symantec releases
IPS sig to block
exploit attempts.
MAY 12
Microsoft releases CVE-2017-0144 patch for Windows XP.
MAY 12
Kill switch domain #1 is sinkholed.
MAY 14
Kill switch domain #2 is sinkholed.
MAY 12
Symantec observes increased attempts to exploit CVE-
2017-0144.
MAYJAN FEB MAR APR
WannaCry Ransomware
Timeline 2017
A timeline of key events in the WannaCry ransomware attacks

WannaCry Distribution
Initial surge after WannaCry
is released into wild. Drops
over the weekend but
resurgence when people
return to work.
0
20,000
40,000
60,000
80,000
100,000
120,000

WannaCry - Distribution

Wannacry Spreading
Spreads via
MS17-010
(EternalBlue)
*No Email vector*
Enumerates All Network Adapters1
Generates list of all IP addresses within subnet
• IP address + subnet mask
• 192.168.0.1 + 255.255.255.0 => 192.168.0.1 –
192.168.0.255
• 192.168.0.1 + 255.255.0.0 => 192.168.0.1 –
192.168.255.255
2
Generates random IP addresses
• Uses CryptGenRandom() so truly pseudorandom
• Generates up to 128
• If one has port 445 open, then generates IPs a.b.c.1 –
a.b.c.d.255
3

WannaCry – MS17-010 Exploit
SRV.SYS / SRVNET.SYS
10010011
10001101
00101010
10101010
10101010
10101010
10101000
11101010
00100111
01011011
01010111
10101011
01000111
00001010
10100101
01010101
01010101
01010101
01010101
00010101
10010011
10001101
00101010
10101010
10101010
10101010
10101000
11101010
00100111
01011011
01010111
10101011
01000111
00001010
10100101
01010101
01010101
01010101
01010101
00010101
10010011
10001101
00101010
10101010
10101010
10101010
10101000
11101010
00100111
01011011
01010111
10101011
01000111
00001010
10100101
01010101
01010101
01010101
01010101
00010101
10010011
10001101
00101010
10101010
10101010
10101010
10101000
11101010
00100111
01011011
01010111
10101011
01000111
00001010
10100101
01010101
01010101
01010101
01010101
00010101
10010011
10001101
00101010
10101010
10101010
10101010
10101000
11101010
00100111
01011011
01010111
10101011
01000111
00001010
10100101
01010101
01010101
01010101
01010101
00010101
negotiate_proto_request
session_setup_andx_request
tree_connect_andx_request
peeknamedpipe_request
SMB1

Resource
WannaCry - Install
PlayGame()
W/101
.DLL
Execute
Resource
R
mssecsvc.exe
C:Windowsmssecsvc.exe

Wannacry Install
R resource copied to
• C:WINDOWStasksche.exe
• C:WINDOWSqeriuwjhrf tasksche.exe
• C:Intel[random]tasksche.exe
• %PROGRAMDATA%[Random Characters][3 digit number]tasksche.exe
1
Creates mutexes
• GlobalMsWinZonesCacheCounterMutexA0
• GlobalWINDOWS_TASKOSHT_MUTEX0
• GlobalWINDOWS_TASKCST_MUTEX
2
Creates registry keys
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunMicrosoft
Update Task Scheduler
• HKEY_LOCAL_MACHINESOFTWAREWannaCryptorwd
• HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun[random]
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices[random]
3

PASSWORD
PROTECTED
XIA.ZIP
WannaCry - Install
Resource
R
mssecsvc.ex
e
Resource
PlayGame()
W/101
.DLL
Wncry@2ol7

WannaCry – Install (XIA)
o msg - folder containing ransomware messages in 28 different languages
o Data - folder containing Tor installation originating from s.wnry
o c.wnry - configuration file with Tor domains
o b.wnry - Background image of ransom note
o r.wnry - @Please_Read_Me@.txt notes
o t.wnry - encryption routine (DLL)
o u.wnry - @WanaDecryptor@.exe executable that displays payment UI
o taskse.exe - starts @WanaDecryptor@.exe
o taskdl.exe - deletes temporary files created during encryption process
o Kills mysqld.exe, sqlwriter.exe, sqlserver.exe, MSExchange*, Microsoft.Exchange.*
o Deletes volume shadow files

WannaCry – Encryption
Begins encrypting files if they match a large list of extensions
o Includes removable drives
o Includes shared folders/drives
o Includes files in the cloud with local folder integration
Uses AES-128 and RSA-2048, highly secure encryption
implementation

AES-128 AES-128 AES-128
RSA-2048
Public Key Private KeyRSA-2048
WannaCry - Encryption

WannaCry - Decryption
AES-128 AES-128 AES-128
RSA-2048
Public Key Private KeyRSA-2048 gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2i r2embyv47.onion
cwwnhwhlz52maqm7.onion

WannaCry - Weaknesses
AES-128 AES-128 AES-128
RSA-2048
Public Key Private KeyRSA-2048 RSA-2048

WannaCry - Weaknesses
o Removable drives
o Desktop
o My Documents

WannaCry Killswitch
• Explicit proxy users should create DNS
entry for killswitch domain
• Set up webserver to respond
• Best practice for all is to create internal
sinkhole to prevent future exposure
CREATING AN INTERNAL SINKHOLE
TIP
o Attempts to reach an unregistered
site and if it succeeds, exits
o Likely used to evade sandboxing
o Researchers sinkholed domain,
preventing further infections
o Multiple hex edited samples with
different killswitch domains

WannaCry Payment
o Calls
“@WanaDecryptor@.exe
fi” to contact Tor servers for
unique Bitcoin address
o Fails because exe is not
yet created
o Bug is fixed 13 hours after
original release but fix is
too late

WannaCry - Payment
o Without unique Bitcoin address defaults to 3 hardcoded
values
o 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
o 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
o 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
o Demands $300, doubles after 3 days
o After 7 days claims files will be lost
o Files are not deleted or modified after 7 days
o Have made approximately $135,000

WannaCry - Attribution
o Two weak links
o Code similarity in code that historically has only been seen in Lazarus tools
o Lazarus tools have been found on machines just prior to WannaCry
o Lazarus was responsible for:
o Sony wiping attacks
o South Korean wiping attacks
o Bangladesh bank heist ($81m was stolen)
o Polish bank attacks
o US government has claimed North Korea responsible for Sony attacks
o South Korea government has claimed North Korea responsible for South Korean wiping
attacks
o Even if this can be attributed to Lazarus, that does not mean it is a state operation

o Evidence points to Lazarus, the group responsible for:
o Sony wiping attacks
o South Korean wiping attacks
o Bangladesh $81m bank heist
o Polish banking attacks
o Links include
o Known Lazarus tools observed installing earlier WannaCry versions
o Shared infrastructure
o Code similarity between WannaCry and Lazarus tools
WannaCry Attribution

Links Lazarus tools WannaCry
Network Infrastructure
(Hard)
• Destover: 87.101.243.252
• Cruprox: 196.45.177.52
• Trojan.Bravonc: 87.101.243.252
• Trojan.Branvonc installs WannaCry
• Lazarus dropper connects to 184.74.243.67 and
196.45.177.52
• Trojan.Alphanc connects to 184.74.243.67
Infiltration (Hard)
• Backdoor.Duuzer
• W32.Brambul
• Trojan.Alphanc (Duuzer evolved) was seen installing
WannaCry 1.0
• Trojan.Bravonc was also seen installing WannaCry 1.0
• W32.Brambul and shared network infrastructure as above
Shared code
(Medium to Weak => Hard)
• Contopee 'FakeSSL’
• Duuzer network code
• Duuzer strings
• Brambul
• Obfuscated code
• WannaCry 'FakeSSL’
• Trojan.Alphanc network code
• Trojan.Alphanc strings
• Bravonc (evolved Brambul)
• Obfuscated code
Tool co-occurence
(Medium to Weak)
• Volgmer, Brambul
• Volgmer and Brambul both found in a WannaCry victim on
the same machine
• Alphanc (Duuzer evolved) present on multiple machines
with WannaCry
Techniques (Weak) • Joanap use of hardcoded credentials to spread
over SMB
• Trojan.Bravonc use of hard coded credentials to spread
over SMB
WannaCry Attribution

WannaCry - Mitigations
o Allow killswitch domain or setup DNS and webserver sinkhole
o Create mutexes, registry entries, and ACL’d files
o Patch
o Security products
- Validate against MS17-010
o Network segmentation
o Disable SMBv1
o Block 445 at perimeter (internally if possible as well)

WannaCry – Lessons Learned
o We are still bad at patching
o OEM equipment
o Legal/certification reasons
o Rogue devices
o We are still bad at performing backups
o Prepare for when the restoration server and dependencies are down
o There is no such thing as your perimeter
o Blocking port 445 at your firewall is not the same as at your perimeter
o Cloud applications are not in the cloud, but inside your perimeter
o Security policies and procedures and continuity planning works

30Copyright © 2017 Symantec Corporation 30Copyright © 2017 Symantec Corporation
Thank You.
@threatintel
https://www.symantec.com/connect/symantec-blogs/sr
Medium.com/threatintel

WannaCry ransomware outbreak - what you need to know

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to WannaCry ransomware outbreak - what you need to know

Similar to WannaCry ransomware outbreak - what you need to know (20)

More from Symantec Security Response

More from Symantec Security Response (9)

Recently uploaded

Recently uploaded (20)

WannaCry ransomware outbreak - what you need to know

Editor's Notes