What you need to know about the WannaCry Ransomware

What you need to know about the WannaCry Ransomware

WannaCry / Wcry / WannaCrypt Ransomware

A large-scale cyber attack (WannaCry ransomware) that began on May 13th has already infected over 230,000 computers in 150 countries, demanding ransom payments in 28 languages – these numbers continue to grow and given the patch for the vulnerability being exploited is only two months old, we are likely to see these numbers increase.

The perpetrators of the attack are not yet known, however, the origins are. The infection vector was made “wormable” or self-spreading, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers. Wormable vulnerabilities are the bane of a security administrator’s existence since they don’t require user interaction to infect a machine. Years ago as I was just deploying a couple hundred Intrusion Prevention devices, Conficker began spreading around the world and at the time was the largest and fastest spreading malware the security community had observed. IPSs won’t be saving the day this time. I’ll address what can help save the day shortly; first, let’s dig to what is known about the ##WannaCry.

WannaCry Ransomware: The Facts

  • As is the case with Ransomware, a demand of $300 is made (payable via Bitcoin) that doubles to $600, if not paid within 3 days. Progressively harsher, the infection threatens to delete the files it has encrypted, if the payment is not made within a week.
  • The infection takes advantage of a known vulnerability within Microsoft windows, for which critical patch MS-17-010 was issued on March 14.
  • The persistent NSA backdoor, DOUBLEPULSAR, is also being used to spread the infection: https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor. When the malware detects the presence of the DOUBLEPULSAR backdoor it simply uses that vector to infect the host machine.

Wannacry ransomware demands for bitcoin payment

Cryptography Details

  • Each infection generates a new RSA-2048 keypair.
  • The public key is exported as blob and saved to 00000000.pky.
  • The private key is encrypted with the ransomware public key and saved as 00000000.eky.
  • Each file is encrypted using AES-128-CBC, with a unique AES key per file.
  • Each AES key is generated CryptGenRandom.
  • The AES key is encrypted using the infection specific RSA keypair.

The RSA public key used to encrypt the infection-specific RSA private key is embedded inside the DLL and owned by the ransomware authors.

  • https://haxx.in/key1.bin (the ransomware pubkey, used to encrypt the users private key)
  • https://haxx.in/key2.bin (the dll decryption privkey) the CryptImportKey() rsa key blob dumped from the DLL by blasty.

https://pastebin.com/aaW2Rfb6 even more in depth RE information by cyg_x1!!

Indicators of WannaCry Ransomware Compromise

As observed by security researchers at Talos, there are several signs that a machine has been infected, on top of the message (above) that is displayed onscreen.

Source: Talos – http://blog.talosintelligence.com/2017/05/wannacry.html?m=1

File names

d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa b.wnry
055c7760512c98c8d51e4427227fe2a7ea3b34ee63178fe78631fa8aa6d15622 c.wnry
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c r.wnry
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b s.wnry
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 taskdl.exe
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d taskse.exe
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6 t.wnry
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 u.wnry

Command and Control IPs


Observed hash values


List of file names encrypted by WannaCry ransomware:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc,

What can organizations do?

Patch your windows machines. There is little excuse for not having a robust patch process in place, but in the real world of infosec we know there is no shortage of challenges that keep us from that ideal state of being 100% patched at all times.

Lock down access on endpoints. As we have discussed before, controlling local administrator access greatly reduces the threat surface, providing less chance of falling victim to Ransomware and insider threats.

Identify and protect sensitive data proactively. Wannacry throws a pretty wide net looking for sensitive information that it can encrypt. Get ahead of Ransomware threats by identifying your sensitive data and taking measures to protect it by having a data classification policy in place.

Restrict access to networked resources by switching to resource-based groups provisioning. Resource-based group implementation of least privileged access across unstructured data further reduces the exposure of sensitive data to both human and automated threats.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Start a Free Stealthbits Trial!

No risk. No obligation.