Industry Insights with Adam Meyers

Ransomware

Inside the WannaCry Ransomware Outbreak An Insider's View of the Attack: How it was Created, Implemented and Rapidly Spread Worldwide
Inside the WannaCry Ransomware Outbreak

An insider's view of the attack: How it was created, implemented and rapidly spread worldwide

Wanna (also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r) ransomware exploded onto the ransomware scene on May 12, 2017, with a mass campaign impacting organizations in many countries. This second variant of the ransomware has been leveraging the EternalBlue (MS-17010) vulnerability, released by the Shadow Brokers actors, in order to spread over victim networks via the Windows file sharing protocol, Server Message Block (SMB), following an initial infection.

"Observed ransom demands have been either $300 or $600 USD worth of Bitcoin (BTC) and the decryption software shows one of three possible Bitcoin wallet addresses..." 

CrowdStrike Falcon Prevent offers protection for this variant through two types of coverage. Falcon Prevent has a Machine Learning layer (at the "Moderate Level") and a Behavioral IOA layer ("Suspicious Process"). To ensure this ransomware is prevented, the Prevention Policies must be enabled. For additional details on how to configure CrowdStrike Falcon Prevent to stop Wanna ransomware and its variants, please visit the blog, "CrowdStrike Falcon Prevents WannaCry Ransomware."

Wanna ransomware targets 177 file types for encryption. Victim files are appended with .wncry.

Unlike other ransomware families, Wanna continues to encrypt victim files following any name changes, and any new files created following infection. A ransom note is displayed on the victim machine, which is completed using text from a library of Rich Text Format (RTF) files, in multiple languages and chosen based on machine location. A similar text based ransom note named @Please_Read_Me@.txt is added to each folder containing encrypted victim files.

Observed ransom demands have been either $300 or $600 USD worth of Bitcoin (BTC) and the decryption software shows one of the following three possible Bitcoin wallet addresses:

  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 3AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Wanna contains a resource name XIA, which is a password-protected ZIP archive file using the password WNcry@2ol7. This contains the following additional resource files:

  • b.wnry
  • c.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • taskdl.exe
  • taskse.exe
  • u.wnry

Executing the main module directly drops files and folders into the directory in which it was run and causes further processes to be launched from those folders. However, executing the main module with the command line argument /i installs the malware as a service named uebdpwbdm529. When installed as a service, files and folders are installed to C:ProgramDatauebdpwbdm529. The service is started when the user logs on and executes the file C:ProgramDatauebdpwbdm529tasksche.exe.

In order to utilize the SMB shadow broker exploitation capability, a process named winsecsvc.exe is installed in the Wanna directory. From current samples of Wanna, the file winsecsv.exe performs a check to the domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, which has now been sinkholed by an unknown entity. Should the victim machine make a successful connection to this domain, the process will not perform SMB exploitation. However, if the domain is not reachable, the process tasksche.exe will be launched with the /i parameter to initialize the service installation. If the service is created successfully, Wanna will perform its usual file encryption operations as well as seek to exploit vulnerable SMB shares. The registration of the domain has disabled the SMB exploitation capability.

The resource file named s.wnry is another ZIP file that contains a folder called TaskData. This contains a TOR bundle to communicate with the command-and-control (C2) servers, which is required for the victim to make the ransom payment. At present, observed C2s are:

  • gx7ekbenv2riucmf[.]onion
  • 57g7spgrzlojinas[.]onion
  • xxlvbrloxvriy2c5[.]onion
  • 76jdd2ir2embyv47[.]onion
  • cwwnhwhlz52maqm7[.]onion

A file named 00000000.pky contains an RSA 2048-bit key, and file encryption is performed using the Microsoft Cryptographic Service Provider with a mix of AES with randomly generated 128-bit key and RSA, which occurs regardless of the network's connectivity status.

RSA Modulus:

0x3daf5cc1317b0ef2a9859f054b11e8deb3b9a3911c31a72022ced1d82139ac 0177eda0c3f7e5c2d29abc0cbe899fba5e2a66d7871e401e7e998d88f9c5ae14 03e65aa461f5e7dd90349f628de02ea60a02bed4128afab5420b7060d20196bf 2b76c34d661a75860c29bb87891315ae333b5ca5b3b4bf2dc15d96c7da3c5ad9 66fd74dc68ccc271b5edbd4b1219b9d9427fdf16f86748eea78f4fa8ae39db7b 71399fb03abce42d915666b5674d3d5a03e8fe37635e39158fc2cd05dd4a7189 64f66c6c06a15eaa74f03b17b19fd1eec920b1585098b6e4ed59ce629b65a6c1 244f82a0c53c26020461ca4a6aa3a395a8f834575a2de9d8e7fc313c76c84a03 b3

Exponent: 0x10001

CrowdStrike Intelligence will continue to monitor the development of this ransomware and continue to provide more in-depth technical analysis.

Watch a video to learn more: How To Stop WannaCry Ransomware with CrowdStrike Falcon Endpoint Protection.

Click here for more information on subscribing to Falcon Intelligence and to learn more about how Falcon prevents ransomware attacks.



About the Author

Adam Meyers

Adam Meyers

Vice President, Intelligence

Meyers is a recognized expert in the security and intelligence communities. With more than 15 years of experience in the security space, Meyers has extensive experience building and leading intelligence practices in both the public and private sector. He is a founding employee and VP of Intelligence at CrowdStrike Inc., a global provider of security technology and services focused on identifying advanced threats and targeted attacks. A sought-after thought-leader, Meyers conducts speaking engagements and training classes around the world on the topics of threat intelligence, reverse engineering, and data breach investigations. Prior to joining CrowdStrike, Meyers was the Director of Cyber Security Intelligence at SRA International. During his tenure, he provided technical expertise and strategic guidance for both commercial sector customers, as well as civilian, military, and intelligence customers.




Around the Network