This Is Why We Can’t Have Nice Things
Nation-state level exploitation tools are now in the hands of everyday cyber-criminals (thanks again Russia and Snowden!). Now the world as a whole is dealing with one of the largest ransomware attacks to date, with infections ranging from the NHS in the UK, financial institutions, the transportation sector, and universities around the world. As of today we’re over the hundred thousand infections mark.
Infection Maps and GoogleDork:
I’ve seen a few media outlets (both from within the industry and outside of it) that are heaping criticism onto the NSA for even making the exploit kits in the first place versus getting those exploits published and patched. To which I would say, what the hell do you think an intelligence organization does? Do you think the CIA taps our enemies on the shoulder every time they find a new collection technique? No. So don’t fault the NSA, USG, or anyone else except the criminals themselves and the Russians for dropping this onto the open web.
That being said, this kit was built in such an aggressive manner that even I’m kind of surprised. Previous major ransomware attacks like CryptoWall or LOCKY utilized pretty standard attack vectors and post-exploitation techniques. While effective in their own right, WANACRY has taken it a step further with the addition of the released ShadowBrokers toolkit being used to power a worm that significantly enhances the infection rate.
WANACRY makes use of the recently released ETERNALBLUE exploit (MS17-010), which exploits SMB v1 using specially crafted packets (packet capture from SANS testing can be found here). Exploits are just used to gain access though; it’s the implant or payload that starts getting things done on the machine, and in this case the authors make further use of the ShadowBrokers dump by using the DOUBLEPULSAR backdoor implant.
There’s plenty of information already on the web about both of these tools so I won’t go super in-depth about them right now. I’m looking at doing a post next week that takes a deeper technical look at the worm itself and its inner workings. So you’ll get the technical meat in a few days. I’ll also include a quick mitigation guide at the bottom of this post.
For reference, here is a recently analyzed sample:
Taking a closer look we can see your standard malware fare here:
- It utilizes “reg.exe” to alter the value of HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN to maintain persistence.
- It will query the machine version, timezone, volume sizes, and user names on the system, using function calls such as GetUserNameA.
- Reads from HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE in order to check language settings. Useful when you want to display your ransom note in the correct language!
- You can also tell something is fishy when you take a look at the entropy in the file sections:
On the cryptography side of the house we learn a few things as well:
- Each infection will generate its own RSA 2048-bit keypairs.
- The resulting public key is exported and saved to a file called “00000000.pky“.
- The private key of the pair is encrypted using WANACRY’s public key and is stored as “00000000.eky“.
- The files themselves are encrypted using AES-128-CBC, with a unique AES key per file.
- WANACRY’s public key can be found here: https://haxx.in/key1.bin (clicking this will download the .bin file)
During the malware’s scan of the system, it will look to encrypt the following file types:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
Interestingly enough, however, it will also skip over some items if certain strings are detected. This functionality exists because either encrypting that object would be pointless or doing so might destabilize the system.
- “Temporary Internet Files”
- “This folder protects against ransomware. Modifying it will reduce protection”
- “\Local Settings\Temp”
- “\Program Files (x86)”
- “\Program Files”
- @Please_Read_Me@.txt (native WANACRY file)
- @WanaDecryptor@.exe.lnk (native WANACRY file)
- @WanaDecryptor@.bmp (native WANACRY file)
It will also skip anything with the following extensions:
**Credit to herulume and cyg_x11 for extracting those from the binary!!**
Ransom Addresses and C2 Infrastructure
Three Bitcoin addresses are hard coded into the binary:
The samples collected so far also utilize TOR to connect to their C2 infrastructure. C2 servers identified so far are listed as:
If you haven’t patched your machine in a while, PATCH THE DAMN THING!! Microsoft has had updates for the ETERNALBLUE exploit for a hot minute now, and if you haven’t updated yet then you’re seriously slacking as an administrator. If you have unpatched machines, get them off the network until they can be updated with the current patches.
Disable SMB v1. Also, if you have public-facing SMB, you should be blocking inbound traffic on ports 139 and 445.
Luke Jennings from @countercept also developed a quick python script that can remotely detect and remove the DOUBLEPULSAR backdoor. It can be found here.
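The mitigation steps above, as an added PowerShell example that is not code from the original post: it reports and disables SMBv1, adds an inbound block for TCP 139/445, and checks whether an MS17-010 update is installed. It assumes Windows 8.1 / Server 2012 R2 or later, an elevated session, and that you replace KB_PLACEHOLDER with the MS17-010 KB ID for the host's OS build (the post lists no KB numbers).

```powershell
# Added example (not from the original post): audit and harden a Windows host against
# the SMBv1 vector WANACRY's worm component exploits. Assumes Windows 8.1 / Server 2012 R2
# or later (SmbShare, DISM and NetSecurity modules) and an elevated session.
# Run with -WhatIf first to preview every change.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# 1. Report whether the SMBv1 server protocol is still enabled.
$smb = Get-SmbServerConfiguration
Write-Host "SMB1 server protocol enabled: $($smb.EnableSMB1Protocol)"

# 2. Disable SMBv1 on the server side and remove the optional feature entirely.
if ($smb.EnableSMB1Protocol -and $PSCmdlet.ShouldProcess('SMB server', 'Disable SMB1')) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled' -and
    $PSCmdlet.ShouldProcess('SMB1Protocol feature', 'Disable optional feature')) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# 3. Block inbound NetBIOS/SMB (TCP 139 and 445). -Profile Public covers hosts
# exposed to untrusted networks; drop it to block on every profile.
$ruleName = 'Block inbound SMB 139/445 (WANACRY mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) -and
    $PSCmdlet.ShouldProcess('Windows Firewall', "Create rule '$ruleName'")) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -Action Block -Profile Public | Out-Null
}

# 4. Check for the MS17-010 update. KB numbers differ per OS build and are not given
# in this post, so replace KB_PLACEHOLDER with the ID listed for this host's OS.
$kbs = @('KB_PLACEHOLDER')
$installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
if ($installed) { Write-Host "MS17-010 update present: $($installed.HotFixID -join ', ')" }
else { Write-Warning 'No MS17-010 update found: isolate this host until it is patched.' }
```

Disabling the SMB1Protocol feature takes effect after a reboot, so schedule one once the rule and server setting are in place.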
By design, the ransomware would check if the domain http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up. If it is, it will exit. If not, it continues to run as normal. This was intended as a kill-switch that the authors could activate to cease the spread of the malware. That domain has now been bought up and sinkholed, thus stopping the spread of this specific variant of WANACRY. Credit to @MalwareTechBlog for the research and quick action!
This doesn’t mean we won’t see this thing again, however. It just means this specific strain will no longer continue to spread. Expect the authors and copycats alike to simply alter the binary to remove this check and attempt to spread this thing further.
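A read-only host triage for the artifacts this post names (the 00000000.pky/.eky key files, the @Please_Read_Me@ and @WanaDecryptor@ files, the HKLM Run key used for persistence, and a cached lookup of the kill-switch domain), as an added PowerShell example that is not from the original post. The search roots and the use of Get-DnsClientCache (Windows 8 / Server 2012 or later) are assumptions.

```powershell
# Added example (not from the original post): read-only triage of a Windows host for the
# WANACRY artifacts this post names. Assumes Windows 8 / Server 2012 or later for
# Get-DnsClientCache; the $roots search paths are an assumption, widen them as needed.
$killSwitch = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
$artifacts  = @('00000000.pky', '00000000.eky', '@Please_Read_Me@.txt',
                '@WanaDecryptor@.exe.lnk', '@WanaDecryptor@.bmp')
$roots      = @("$env:SystemDrive\Users", $env:ProgramData, "$env:SystemRoot\Temp")
$findings   = New-Object System.Collections.Generic.List[string]

# 1. The binary resolves the kill-switch domain before deciding whether to run, so a
# cached lookup means the worm executed here even if the sinkhole made it exit.
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue |
       Where-Object { $_.Entry -eq $killSwitch -or $_.Name -eq $killSwitch }
if ($dns) { $findings.Add("DNS cache holds kill-switch domain $killSwitch") }

# 2. Per-infection key files and ransom-note files dropped by the encryptor.
foreach ($root in ($roots | Where-Object { Test-Path $_ })) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $artifacts -contains $_.Name } |
        ForEach-Object { $findings.Add("Artifact on disk: $($_.FullName)") }
}

# 3. Persistence is written to the HKLM Run key via reg.exe. The value name is not
# given in this post, so list every entry for the analyst to review.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { Write-Host ("Run entry '{0}' -> {1}" -f $_.Name, $_.Value) }
}

if ($findings.Count -eq 0) { Write-Host 'No WANACRY artifacts found on this host.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```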