Under Attack? Contact Us Start a Free Demo

WannaCry Ransomware Explained

Summary:

WannaCry is a ransomware worm that exploits SMB V1 vulnerability (CVE-2017-0144) and caused a worldwide cyberattack by encrypting data and demanding ransom payments in Bitcoins from computers running Microsoft Windows. In May 2017, WannaCry made headlines when it infected the National Health Service (NHS) and other organizations across the globe, including government institutions in China, Russia, the United States, and most of Europe. The WannaCry worm has been referred to as a "study in preventable catastrophes" because Microsoft issued a patch two months before it became known worldwide in 2017. Many of these systems remain vulnerable today as hundreds of thousands of systems were not updated in time.

WannaCry is effective against computers with Microsoft Windows that do not have a security patch (patch "MS17-010"). As a result of the NSA's discovery of EternalBlue, WannaCry exploits the vulnerability in Microsoft Windows. The NSA developed it as a means of enabling surveillance. The unpatched vulnerability in Microsoft Windows allows WannaCry code to spread quickly on computers that have not applied the security update. Once the vulnerability has been exploited, the ransomware installs encryption software remotely on the affected computers. By identifying and using file-sharing arrangements on a computer, WannaCry can infect additional computers within the same network. Upon encrypting files, WannaCry demands a ransom in the form of Bitcoin ($300-$600 per computer affected). During April 2017, a group called The Shadow Brokers allegedly leaked the EternalBlue and DoublePulsar exploits for WannaCry which enables hackers to later gain further access to infected systems through a "backdoor."

How it works?

There are several components to WannaCry. The primary delivery program contains other programs, including encryption and decryption DLLs. The WannaCry infection searches for dozens of specific file types, including Microsoft Office files, pictures, videos, and sounds. Afterward, it encrypts the files with a digital key that needs to be delivered externally to decrypt them.

Port 445 of the SMB v1 protocol is used to connect two networks. Through Wireshark, the REMnux machine can intercept all network communications and act as a DNS and HTTP server. With the help of Fake DNS and HTTP Daemon utilities, REMnux enabled DNS and HTTP services. WannaCry performed system-level actions on the infected Windows 7 SP1 machine with the IP address 192.168.180.130. Using the SysAnalyzer tool, we observed and reported the steps that WannaCry took while running the system. Using SysAnalyzer, users can inspect system attributes such as running processes, open ports, loaded DLLs, registry key changes, runtime file modifications, scheduled tasks, mutual exclusion objects, and network connections before and during, and after malware execution. Additionally, SysAnalyzer is capable of scanning memory dumps for specific regular expressions. SysAnalyzer was configured to apply a 120 s delay between system snapshots before executing the WannaCry sample on the infected machine, allowing inspection of all system attribute changes.

WannaCry Ransomware IOCs

WannaCry IOCs

 

Worm component

MD5

db349b97c37d22f5ea1d1841e3c89eb4

SHA1

e889544a85af8b0d0da705105dee7c97fe26

SHA256

24d004a104d4d54034dbcc2a4b19a11f39008a575aa614ea04703480b1022c

File type

PE32 executable (GUI) Intel 80386,for MS Windows

 

Encryption component

MD5

84c82835a5d21bbcf75a61706d8ab549

SHA1

5465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

File type

PE32 executable (GUI) Intel 80386,for MS Windows

Worm component DLLs

Library

Imports

Description

ws2 32.dll

13

Windows Socket 2.0 32-bit DLL

iphlpapi.dll

2

IP Helper API

wininet.dll

3

Internet Extensions for Win32

kernel32.dll

32

Windows NT Base API Client DLL

advapi32.dll

11

Advanced Windows 32 Base API

msvcp60.dll

2

Windows NT C++ Runtime Library DLL

msvcrt.dll

28

Windows NT CRT DLL

Encryption component DLLs

Library

Imports

Description

kernel32.dll

54

Windows NT Base API Client DLL

advapi32.dll

10

Advanced Windows 32 Base API

user32.dll

1

Multi-User Windows User API Client DLL

msvcrt.dll

49

Windows NT CRT DLL

The worm component invokes iphlpapi.dll to retrieve the infected computer's network configuration settings. Encryption components typically invoke kernel32.dll and msvcrt.dll. These two malicious libraries may have implemented the main encryption functionality. To confirm this, it was necessary to examine the imported functions of the libraries. The most suspicious functions identified among them are shown in below table:

Encryption component functions

Function

Location

Function

Location

GetCurrentThread

0xa53a

GetComputerNameW

0xd8b2

GetStartupInfoA

0xa97a

CreateServiceA

0xdc2a

StartServiceCtrDispatcherA

0xa6f6

OpenServiceA

0xdc62

RegisterServiceCtrDispatcherA

0xa6d8

StartServiceA

0xdc52

CreateServiceA

0xa688

CryptReleaseContext

0xdc14

StartServiceA

0xa662

RegCreateKeyW

0xdc04

CryptGenRandom

0xa650

fopen

0xdcd4

CryptAcquireContextA

0xa638

fread

0xdccc

OpenServiceA

0xa714

fwrite

0xdcc2

GetAdaptersInfo

0xa792

fclose

0xdcb8

InternetOpenUrlA

0xa7c8

CreateFileA

0xd922

OpenMutexA

0xda84

 

ReadFile

0xd964

The WannaCry malware uses Microsoft's cryptographic, file management, and runtime file APIs. Random symmetric and asymmetric cryptographic keys are generated and managed by the crypto API library.

Initial Interaction: Using the Internet Open Url function, the worm component attempts to connect to the following domain upon start up.

A kill-switch domain is the one referred to above. Consequently, the worm component will not run if the domain is active. When developing a defense system, the kill-switch domain may be utilized as a detection technique.

Persistence Mechanism: If the worm component fails to establish a connection with the kill-switch domain, the worm component attempts to create a mssecsvs2.0 process with the Display Name “Microsoft Security Center (2.0) Service”. Process Hacker displays a 4016 PID, indicating that the service has been launched. The WannaCry worm extracts the hardcoded R resource binary and copies it to the "C:/Windows/taskche.exe" directory path. A resource called R contains the WannaCry encryption component's binary. The executable is then run with the following parameters in the command line: "C:/Windows/taskche.exe/i." As a next step, the worm attempts to replace the original "C:/Windows/taskche.exe" file with "C:/Windows/qeriuwjhrf." This procedure is followed to ensure multiple infections and avoid any issues with the tasksche.exe process.

Lastly, WannaCry creates an entry in the Windows registry to ensure it runs every time the computer is restarted. The new entry contains a string (for example, "midtxzggq900"), a unique identifier generated by using the computer name. Infected machines copy themselves to a folder with a randomly generated name once thetasksche.exe runs. A memory persistence attempt is made by adding itself to the AutoRun feature.

Impact

WannaCry was a four-day attack, but the damage caused was significant. There were infected systems in over 150 countries, resulting in a $100,000 payout for the attackers - however, the lost productivity and deleted files are estimated to have cost billions. According to an op-ed in The Washington Post by then-Homeland Security Advisor Tom Bossert in May 2017, the United States, Japan, New Zealand, and Canada have all claimed that North Korea and its government were responsible for the attack known as the Lazarus Group.

While WannaCry has not resurfaced in the years, there have been waves of resurgence. In 2018, Boeing experienced a high-profile incident. The incident ultimately resulted in more panic than damage, but the aircraft manufacturer's productivity was affected.

There has been a recent resurgence of WannaCry infections. Several reports indicate that WannaCry ransomware was the top family used in the Americas in January, with 1,240 detections. In addition, the latest variants of the exploits being used by hackers no longer feature a kill-switch URL.

Mitigation

  • Install the latest version of Windows OS and antivirus software.
  • Make regular backups of your files on an external hard drive.
  • Make sure that file history is enabled or that system protection is enabled. File history must be enabled on your Windows 10 or Windows 8.1 device, and a driver must be configured for file history.
  • OneDrive can be used by consumers or businesses.
  • Do not click on malicious attachments, spam emails, or phishing emails.
  • SmartScreen protection can be obtained by using Microsoft Edge. As a result, you will be protected from websites that are known to host exploits and socially-engineered attacks such as phishing and malware downloads.
  • Ensure that your Office programs do not load macros.
  • Remote Desktop should be disabled whenever possible.
  • Password-protected, two-step authentication is recommended.

How to Defend Your Network from Ransomware Attacks?

Cyber security threats and Zero-day vulnerabilities are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, rootkits, file-less malware, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss knife for forensic investigators in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.


Disclaimer

The page's content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content "as is" or "modified" shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).

Author image
Dulles, Virginia Website
Morgan is an experienced and certified cyber security specialist with expertise in security operations, threat detection and response, forensic investigations, threat intelligence, and threat hunting.
Author image
About Inno Eroraha
Dulles, Virginia Website
Inno Eroraha is the Founder & Chief Strategist of NetSecurity Corporation, a cybersecurity products and services company based in Dulles, VA. NetSecurity is the developer of ThreatResponder Platform.
You've successfully subscribed to NetSecurity Blog
Great! Next, complete checkout for full access to NetSecurity Blog
Welcome back! You've successfully signed in.
Unable to sign you in. Please try again.
Success! Your account is fully activated, you now have access to all content.
Error! Stripe checkout failed.
Success! Your billing info is updated.
Error! Billing info update failed.