What you need to know about the WannaCry Ransomware

WannaCry / Wcry / WannaCrypt Ransomware

A large-scale cyber attack (WannaCry ransomware) that began on May 13th has already infected over 230,000 computers in 150 countries, demanding ransom payments in 28 languages – these numbers continue to grow and given the patch for the vulnerability being exploited is only two months old, we are likely to see these numbers increase.

The perpetrators of the attack are not yet known, however, the origins are. The infection vector was made “wormable” or self-spreading, by exploiting a piece of NSA code known as “Eternal Blue” that was released last month by a group known as the Shadow Brokers. Wormable vulnerabilities are the bane of a security administrator’s existence since they don’t require user interaction to infect a machine. Years ago as I was just deploying a couple hundred Intrusion Prevention devices, Conficker began spreading around the world and at the time was the largest and fastest spreading malware the security community had observed. IPSs won’t be saving the day this time. I’ll address what can help save the day shortly; first, let’s dig to what is known about the ##WannaCry.

WannaCry Ransomware: The Facts

• As is the case with Ransomware, a demand of $300 is made (payable via Bitcoin) that doubles to $600, if not paid within 3 days. Progressively harsher, the infection threatens to delete the files it has encrypted, if the payment is not made within a week.
• The infection takes advantage of a known vulnerability within Microsoft windows, for which critical patch MS-17-010 was issued on March 14.
• The persistent NSA backdoor, DOUBLEPULSAR, is also being used to spread the infection: https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor. When the malware detects the presence of the DOUBLEPULSAR backdoor it simply uses that vector to infect the host machine.

Cryptography Details

• Each infection generates a new RSA-2048 keypair.
• The public key is exported as blob and saved to 00000000.pky.
• The private key is encrypted with the ransomware public key and saved as 00000000.eky.
• Each file is encrypted using AES-128-CBC, with a unique AES key per file.
• Each AES key is generated CryptGenRandom.
• The AES key is encrypted using the infection specific RSA keypair.

The RSA public key used to encrypt the infection-specific RSA private key is embedded inside the DLL and owned by the ransomware authors.

• https://haxx.in/key1.bin (the ransomware pubkey, used to encrypt the users private key)
• https://haxx.in/key2.bin (the dll decryption privkey) the CryptImportKey() rsa key blob dumped from the DLL by blasty.

https://pastebin.com/aaW2Rfb6 even more in depth RE information by cyg_x1!!

Indicators of WannaCry Ransomware Compromise

As observed by security researchers at Talos, there are several signs that a machine has been infected, on top of the message (above) that is displayed onscreen.

Source: Talos – http://blog.talosintelligence.com/2017/05/wannacry.html?m=1

File names

d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa b.wnry

055c7760512c98c8d51e4427227fe2a7ea3b34ee63178fe78631fa8aa6d15622 c.wnry

402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c r.wnry

e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b s.wnry

4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 taskdl.exe

2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d taskse.exe

97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6 t.wnry

b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 u.wnry

Command and Control IPs

188[.]166[.]23[.]127:443

193[.]23[.]244[.]244:443

2[.]3[.]69[.]209:9001

146[.]0[.]32[.]144:9001

50[.]7[.]161[.]218:9001

217.79.179[.]77

128.31.0[.]39

213.61.66[.]116

212.47.232[.]237

81.30.158[.]223

79.172.193[.]32

89.45.235[.]21

38.229.72[.]16

188.138.33[.]220

Observed hash values

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9

09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa

0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894

428f22a9afd2797ede7c0583d34a052c32693cbb55f567a60298587b6e675c6f

5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6

62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1

72af12d8139a80f317e851a60027fdf208871ed334c12637f49d819ab4b033dd

85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186

a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b

a93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3

b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c

eb47cd6a937221411bb8daf35900a9897fb234160087089a064066a65f42bcd4

24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e

7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545

a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b

fb0b6044347e972e21b6c376e37e1115dab494a2c6b9fb28b92b1e45b45d0ebc

9588f2ef06b7e1c8509f32d8eddfa18041a9cc15b1c90d6da484a39f8dcdf967

b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c

4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982

09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa

List of file names encrypted by WannaCry ransomware:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc,

What can organizations do?

Patch your windows machines. There is little excuse for not having a robust patch process in place, but in the real world of infosec we know there is no shortage of challenges that keep us from that ideal state of being 100% patched at all times.

Lock down access on endpoints. As we have discussed before, controlling local administrator access greatly reduces the threat surface, providing less chance of falling victim to Ransomware and insider threats.

Identify and protect sensitive data proactively. Wannacry throws a pretty wide net looking for sensitive information that it can encrypt. Get ahead of Ransomware threats by identifying your sensitive data and taking measures to protect it by having a data classification policy in place.

Restrict access to networked resources by switching to resource-based groups provisioning. Resource-based group implementation of least privileged access across unstructured data further reduces the exposure of sensitive data to both human and automated threats.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Name

Email*