A4 Black Friday: Massive Ransomware Attack Leveraging on Wannacry Hit Systems Worldwide
WannaCry ransomware hit Windows computers worldwide
A massive malicious ransomware-based attack made the headlines on Friday, first targeting UK hospitals and Spanish banks before rapidly spreading worldwide. The news was promptly confirmed by the Spanish Telco companies Telefónica, one of the numerous victims of the ransomware attack. The newspaper El Pais also reported the massive attack, while experts at Telefónica confirmed the systems in its intranet had been infected, adding that the situation was under control. The fixed and mobile telephone services provided by Telefónica were not been affected by the ransomware-based attack.
The Spanish CERT issued an alert warning the organizations and confirmed that the malware was rapidly spreading.
Become a certified reverse engineer!
The ransomware, dubbed WannaCry (aka Wcry, WanaCrypt, WannaCrypt), targeted many other companies in Spain and across the world, including Vodafone, FedEx, and other critical infrastructure.
El Reg reported that 6 NHS health trusts in the UK were taken out by the malware. According to Prime Minister Theresa May, the ransomware "has crippled" UK hospitals, the Government representative also confirmed that the situation was monitored by the intelligence agency GCHQ.
The NHS faced serious problems due to the antiquated nature of its IT infrastructure that still includes a large number of systems running Windows XP systems.
"Computers were locked in Aintree, Blackpool, Broomfield Hospital in Essex, Colchester General Hospital, all hospital systems in Derbyshire, Great Yarmouth, East and North Hertfordshire, James Paget Hospital in Norfolk, Lanarkshire, and Leicester." Reported El Reg.
Figure 1 - A computer infected by the WannaCry ransomware
Experts from the security firm Avast detected more than 75,000 attacks in 99 countries, most of the infections were observed in Russia, Ukraine, and Taiwan.
A real-time map of the infections is available at the following address:
https://intel.malwaretech.com/botnet/wcrypt/?t=5m&bid=all
Figure 2 - Real Time Infections Map
Source Arstechnica
A Ransomware that leverages the NSA EternalBlue and DoublePulsar exploits
The WannaCry ransomware exploits the two NSA exploits EternalBlue and DoublePulsar to infect computers and propagate the threat to any another connected Windows systems on the same network.
Researchers from Kaspersky Lab have confirmed that the WannaCry" attack is initiated through an SMBv2 remote code execution in Microsoft Windows.
"It is important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the "EternalBlue" exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn't really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak," reported the analysis from Kaspersky
Experts highlighted the network warm capabilities that allow the malicious code to spread rapidly.
"The special criticality of this campaign is caused by exploiting the vulnerability described in bulletin MS17-010 using EternalBlue / DoublePulsar, which can infect other connected Windows systems on the same network that are not properly updated. Infection of a single computer can end up compromising the entire corporate network." states the security alert issued by the Spanish CERT.
"The ransomware, a variant of WannaCry, infects the machine by encrypting all its files and, using the vulnerability mentioned in the previous paragraph that allows the execution of remote commands through Samba (SMB) and is distributed to other Windows machines in That same network."
The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system; it is installed by leveraging the ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that could trigger an RCE in older versions of Windows (Windows XP to Server 2008 R2).
The WannaCry ransomware spreads via SMB, it encrypts the files on the infected machines and charges $300 or $600 in Bitcoin to restore them.
The ransomware can encrypt a wide variety of documents on the infected machines, it also attacks documents stored on any attached storage, and snatches any keys for remote desktop access. The malware deletes volume snapshots and disables system repair tools to make impossible recovery files.
Experts observed the malware determine the victim's language to display a ransom demand in the correct language
Security experts at CISCO Talos team have published a detailed analysis on the WannaCry ransomware.
Below the complete infection process described in the analysis published by the experts at the Talos team:
"An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked. Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet. When the malware successfully connects to a machine, a connection is initiated, and data is transferred. We believe this network traffic is an exploit payload. It has been widely reported this is exploiting recently disclosed vulnerabilities addressed by Microsoft in bulletinMS17-010. We currently don't have a complete understanding of the SMB traffic, and exactly what conditions need to be present for it to spread using this method." states the analysis.
"The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as 'C:/', 'D:/' etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory 'Tor/' into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe."
Experts that want to analyze the WannaCry ransomware can find samples on the following GitHub repository:
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
the page includes useful information such as the addresses of Bitcoin wallets for the malware.
The ransomware directs victims to a page with displaying a QR code at btcfrog, which links to attacker main bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.
Figure 3 - Payment Page displays QR code
Below Key findings of the threat:
- Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
- Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
- Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
- Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: Malwarebytes)
- Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: Malwarebytes). This domain has been sinkholed, stopping the spread of the worm.
A decrypted sample of the WannaCry ransomware is available here:
https://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE
The Kill Switch
A few hours after the massive attacks security experts started their analysis of the malicious code after a reverse engineering of the samples of the malware available in the wild. The good news emerged from the first investigation is that malware researchers have discovered a kill switch in the ransomware code, a condition that could halt the execution of the code when matched.
Figure 4 - Kevin Beaumont Tweet about the kill switch
The UK experts at MalwareTechBlog have registered the domain after they made a reverse engineering of the code.
The Kill Switch domain is iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; the domain was sinkholed by law enforcement. To a server in California, and the admins of the infected systems reaching out to the dot-com will be notified, we are told. "IP addresses from our sinkhole have been sent to FBI.
Figure 5 - Kill Switch domain
Below the messages displayed when a machine tries to connect it:
"IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon," said the researcher. The InfoSec body admitted they registered the domain first, then realized it was a kill switch. Still, job done."
Experts from CISCO Talos group made an interesting analysis of the WannaCry ransomware.
"WannaCry does not appear to only be leveraging the ETERNALBLUE modules associated with this attack framework; it is simply scanning accessible servers for the presence of the DOUBLEPULSAR backdoor. In cases where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality available and uses it to infect the system with WannaCry." reads the analysis from Talos. " In cases where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet."
Microsoft has published a security advisory for the threat and an emergency patch for Windows XP.
The IT giant released emergency security patches for Windows Server 2003 (SP2 x64 / x86); Windows XP (SP2 x64, SP3 x86); Windows XP Embedded (SP3, x86); as well as the 32-bit and 64-bit versions of Windows 8.
Conclusions
The following aspects of the massive ransomware attack must be carefully considered:
- This attack demonstrates the risks related to the militarization of the cyberspace. Malware, exploits code and hacking tools developed by intelligence agencies and governments could be very dangerous when out of control.
- The success of the malware is due to the wrong security posture of the victims that have no awareness of the threat, and that did not apply security patches released by Microsoft.
- Modern critical infrastructure is not resilient to cyber-attacks.
References
http://securityaffairs.co/wordpress/59072/cyber-crime/wannacry-ransomware-kill-switch.html
http://securityaffairs.co/wordpress/59057/cyber-crime/massive-attack-wannacry-ransomware.html
http://tecnologia.elpais.com/tecnologia/2017/05/12/actualidad/1494585889_857386.html
Become a certified reverse engineer!
https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- A4 Black Friday: Massive Ransomware Attack Leveraging on Wannacry Hit Systems Worldwide
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Android malware worm auto-spreads via WhatsApp messages
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis