Published on May 19th, 2017 | by Vatsal Desai

Looking back at WannaCry

The ransomware widely known as ‘WannaCry’ made headlines last week after its global spread, most visibly by shutting down healthcare systems across the United Kingdom. Our researchers have taken a look at the malware and share their analysis here, along with tips for avoiding infection.

The works:

WannaCry/WannaCrypt/WCry propagates over SMBv1 using the EternalBlue exploit for the remote code execution vulnerability patched in MS17-010 (CVE-2017-0144). Before it does anything else, the dropper performs a sandbox check that doubles as a kill-switch: it attempts to resolve and connect to a hard-coded domain that was unregistered when the sample was built (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com). Analysis sandboxes commonly answer every DNS query, so a successful response is taken to mean "sandbox" and the sample exits without propagating or encrypting. If the request fails, the worm service is installed, propagation starts and the encryption payload is dropped.

Encryption is limited to a fixed list of file types, selected by extension. Each file is encrypted with its own AES key; those keys are wrapped with a per-victim RSA public key, and the matching per-victim private key is itself encrypted with an RSA public key embedded in the sample before the plaintext copy in memory is destroyed. The private key is therefore never transferred to a C2 server; the Tor C2 channel is used for the ransom-payment exchange, not for key escrow. In parallel, the worm scans the local network and random Internet addresses for other hosts exposing SMBv1 on TCP 445. On each new target the EternalBlue exploit plants the DoublePulsar kernel backdoor and uses it to load the WannaCry payload. DoublePulsar lives only in kernel memory and does not survive a reboot, so it acts as the loader rather than as a persistence mechanism.

The vector used for the initial compromise remains unclear. Propagation, however, required nothing more than an unpatched host exposing SMBv1 on a public IP address; once that first victim was compromised it scanned and infected other systems on the internal network, where Internet exposure is no longer needed.

WannaCry demands $300 in Bitcoin as the initial ransom and raises it to $600 after three days (the ransom note also threatens to make the files unrecoverable after seven days); payment is to be sent to one of the following wallets:

  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Various WannaCry samples are known to communicate with the following Tor-based C2 servers (the decryptor component bundles its own Tor client for this):

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

The failures:

The sandbox check turned into a kill-switch as soon as the hard-coded domain was registered, on May 12, by a researcher who spotted it in the sample. From that point the domain resolved for any host with unfiltered DNS and direct outbound HTTP, so those variants concluded they were running in a sandbox and exited, including on public-facing servers. Two caveats: the check does not use the system proxy settings, so hosts that can only reach the Internet through a proxy still failed the lookup and were encrypted; and within days variants with different kill-switch domains, and samples with the check patched out, were circulating.

In our testing, WannaCry failed to propagate over Windows HomeGroup shares on unpatched client systems, so home users may be less exposed than enterprise networks, provided TCP 445 on the home machine is not reachable from the Internet.

The pointers:

Microsoft patched the vulnerability on March 14, 2017 (MS17-010), two months before the outbreak; every host infected over SMB was therefore at least two months behind on patching. Out-of-band patches for the unsupported Windows XP, Windows 8 and Windows Server 2003 followed on May 12.
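The two conditions that made a host a propagation target, MS17-010 missing and SMBv1 enabled, can be audited from the host itself. The following is an added example and not part of SS8's analysis; it assumes an elevated PowerShell session on Windows 7 SP1 / Server 2008 R2 or later, the KB identifiers are those listed in the MS17-010 bulletin, and the function names are ours.

```powershell
# Added example: audit a Windows host for the two conditions WannaCry needed
# (MS17-010 missing, SMBv1 enabled) and optionally disable SMBv1.
# Assumes an elevated session on Windows 7 SP1 / Server 2008 R2 or later.

# KB identifiers that carried the MS17-010 fix on March 14, 2017 (from the bulletin).
# Caveat: later monthly rollups supersede these, so a host patched through a
# newer rollup can be protected and still show none of these IDs. Treat a miss
# as "verify", not "vulnerable": compare srv.sys against the bulletin's file table.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                'KB4012214', 'KB4012217', 'KB4012598', 'KB4012606',
                'KB4013198', 'KB4013429')

function Test-Ms17010 {
    $installed = (Get-HotFix).HotFixID
    $hits = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $ver = if ($srv) { $srv.VersionInfo.FileVersion } else { 'srv.sys not found' }
    [pscustomobject]@{
        Ms17010KbPresent = ($hits.Count -gt 0)
        MatchedKbs       = ($hits -join ', ')
        SrvSysVersion    = $ver
    }
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: SMB1 is controlled by a registry value that is absent
    # by default, and absent means enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v -or $v.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        # The registry change takes effect once the Server service restarts.
    }
}

$patch = Test-Ms17010
$smb1  = Get-Smb1Enabled
$patch | Format-List
"SMBv1 enabled: $smb1"

# Whether TCP 445 is reachable from the Internet is a perimeter question the
# host cannot answer for itself; confirm it from outside or from firewall/NAT policy.
if ($smb1) {
    Disable-Smb1
    "SMBv1 disabled; restart the Server service or reboot for it to take effect."
}
```

Disabling SMBv1 closes the transport EternalBlue needs even where the patch is missing, but it is not a substitute for MS17-010: the same bulletin covers other SMB flaws, and SMBv1 can be re-enabled by any administrator.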

Data backup and versioning would have removed any need to pay, yet 44.67 Bitcoins, or $80,942 worth of transactions, had been sent to the above-mentioned wallets as of 2:00 PM on May 17, 2017. Note that the backup has to be offline or otherwise out of reach of the infected host: WannaCry deletes Volume Shadow Copies before encrypting, so local snapshots are not a recovery path.

Enterprises have been allowing Tor, which has no legitimate business use on most corporate networks and should be blocked at egress. Blocking it would not have stopped the SMB propagation, but it severs the ransomware's C2 channel and the payment workflow that depends on it.

IOCs (IPs and domains) associated with the malware were published as early as Friday May 12, yet enterprises kept getting infected through the very same indicators over the weekend. IR playbooks need a standing process for ingesting published IOCs and sweeping logs against them within hours, not days.
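What acting on those IOCs looks like in practice, as an added example that is not part of SS8's analysis: a PowerShell sweep over two constructed log samples, a DNS query log and a firewall connection log. It flags every client that queried the kill-switch domain described above, which is a reliable sign the dropper executed on that client whether or not it then exited, and it flags hosts fanning out to many peers on TCP 445, the propagation behaviour, which goes beyond the published IOC lists and also catches variants whose domains have not been shared yet. The log layouts, addresses and function names are assumptions; the kill-switch domain is the one registered on May 12.

```powershell
# Added example: sweep constructed DNS and firewall logs for WannaCry activity.
# The kill-switch domain is the one registered on May 12, 2017; the log layouts
# and the addresses below are assumptions made for this example.

$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

# Constructed DNS log: date, time, client, record type, query name, response code.
$DnsLog = @'
2017-05-12 08:41:03 10.0.4.17 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12 09:02:11 10.0.5.88 A wsus.corp.example NOERROR
2017-05-13 14:20:45 10.0.7.3 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-13 14:20:46 10.0.7.3 A wsus.corp.example NOERROR
'@ -split '\r?\n'

# Constructed firewall log: date, time, source, destination, destination port, action.
$FwLog = @'
2017-05-12 08:41:20 10.0.4.17 10.0.4.1 445 allow
2017-05-12 08:41:20 10.0.4.17 10.0.4.2 445 allow
2017-05-12 08:41:21 10.0.4.17 10.0.4.3 445 allow
2017-05-12 08:41:21 10.0.4.17 10.0.4.4 445 allow
2017-05-12 08:41:22 10.0.4.17 10.0.4.5 445 allow
2017-05-12 08:41:22 10.0.4.17 198.51.100.23 445 deny
2017-05-12 08:50:00 10.0.5.88 10.0.4.200 445 allow
2017-05-12 08:51:00 10.0.5.88 10.0.4.200 445 allow
'@ -split '\r?\n'

function Find-KillSwitchQueries {
    param([string[]]$Lines, [string]$Domain = $KillSwitchDomain)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 6 -or $f[4] -ne $Domain) { continue }
        # A query for this name means the dropper ran on the client. NOERROR
        # (possible only after the registration) means it exited; any other
        # answer means it went on to propagate and encrypt. Isolate either way.
        $verdict = if ($f[5] -eq 'NOERROR') { 'dropper ran, exited' } else { 'dropper ran, likely encrypting' }
        [pscustomobject]@{
            Time    = "$($f[0]) $($f[1])"
            Client  = $f[2]
            Rcode   = $f[5]
            Verdict = $verdict
        }
    }
}

function Find-SmbFanOut {
    param([string[]]$Lines, [int]$Threshold = 5)
    $peers = @{}
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 6 -or $f[4] -ne '445') { continue }
        if (-not $peers.ContainsKey($f[2])) {
            $peers[$f[2]] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$peers[$f[2]].Add($f[3])
    }
    # One client opening SMB to many distinct hosts across the sample is the
    # scanning behaviour; it needs no published IOC and survives domain changes.
    foreach ($src in $peers.Keys) {
        if ($peers[$src].Count -ge $Threshold) {
            [pscustomobject]@{ Source = $src; DistinctSmbPeers = $peers[$src].Count }
        }
    }
}

Find-KillSwitchQueries -Lines $DnsLog | Format-Table -AutoSize
Find-SmbFanOut -Lines $FwLog | Format-Table -AutoSize
```

On the sample data the first function reports 10.0.4.17 (queried before the domain existed, so it carried on) and 10.0.7.3 (resolved, so it exited), and the second reports only 10.0.4.17, which touched six distinct peers on 445. The Tor C2 names are deliberately not matched against the DNS log: the bundled Tor client resolves .onion names inside the Tor circuit, so they never reach the enterprise resolver, which is why blocking Tor egress matters more than a DNS watchlist for that part of the infrastructure.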

Vatsal is a Threat Researcher at SS8. He believes that security is a time-based control — it is only a matter of time before someone breaks into the network, the goal is to improve the control time to surpass the value of the asset under protection.
