WannaCry / Wcry / WannaCrypt Ransomware
A large-scale cyber attack (WannaCry ransomware) that began on May 13th has already infected over 230,000 computers in 150 countries, demanding ransom payments in 28 languages – these numbers continue to grow and given the patch for the vulnerability being exploited is only two months old, we are likely to see these numbers increase.
The perpetrators of the attack are not yet known, however, the origins are. The infection vector was made “wormable” or self-spreading, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers. Wormable vulnerabilities are the bane of a security administrator’s existence since they don’t require user interaction to infect a machine. Years ago as I was just deploying a couple hundred Intrusion Prevention devices, Conficker began spreading around the world and at the time was the largest and fastest spreading malware the security community had observed. IPSs won’t be saving the day this time. I’ll address what can help save the day shortly; first, let’s dig to what is known about the ##WannaCry.
WannaCry Ransomware: The Facts
- As is the case with Ransomware, a demand of $300 is made (payable via Bitcoin) that doubles to $600, if not paid within 3 days. Progressively harsher, the infection threatens to delete the files it has encrypted, if the payment is not made within a week.
- The infection takes advantage of a known vulnerability within Microsoft windows, for which critical patch MS-17-010 was issued on March 14.
- The persistent NSA backdoor, DOUBLEPULSAR, is also being used to spread the infection: https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor. When the malware detects the presence of the DOUBLEPULSAR backdoor it simply uses that vector to infect the host machine.
- Each infection generates a new RSA-2048 keypair.
- The public key is exported as blob and saved to 00000000.pky.
- The private key is encrypted with the ransomware public key and saved as 00000000.eky.
- Each file is encrypted using AES-128-CBC, with a unique AES key per file.
- Each AES key is generated CryptGenRandom.
- The AES key is encrypted using the infection specific RSA keypair.
The RSA public key used to encrypt the infection-specific RSA private key is embedded inside the DLL and owned by the ransomware authors.
- https://haxx.in/key1.bin (the ransomware pubkey, used to encrypt the users private key)
- https://haxx.in/key2.bin (the dll decryption privkey) the CryptImportKey() rsa key blob dumped from the DLL by blasty.
https://pastebin.com/aaW2Rfb6 even more in depth RE information by cyg_x1!!
Indicators of WannaCry Ransomware Compromise
As observed by security researchers at Talos, there are several signs that a machine has been infected, on top of the message (above) that is displayed onscreen.
Source: Talos – http://blog.talosintelligence.com/2017/05/wannacry.html?m=1
Command and Control IPs
Observed hash values
List of file names encrypted by WannaCry ransomware:
.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc,
What can organizations do?
Patch your windows machines. There is little excuse for not having a robust patch process in place, but in the real world of infosec we know there is no shortage of challenges that keep us from that ideal state of being 100% patched at all times.
Lock down access on endpoints. As we have discussed before, controlling local administrator access greatly reduces the threat surface, providing less chance of falling victim to Ransomware and insider threats.
Identify and protect sensitive data proactively. Wannacry throws a pretty wide net looking for sensitive information that it can encrypt. Get ahead of Ransomware threats by identifying your sensitive data and taking measures to protect it by having a data classification policy in place.
Restrict access to networked resources by switching to resource-based groups provisioning. Resource-based group implementation of least privileged access across unstructured data further reduces the exposure of sensitive data to both human and automated threats.