Over the last few days the WannaCry ransomware outbreak has created mayhem: organizations worldwide were hit by ransomware that spread quickly, primarily via a self-propagating worm mechanism. It exploited vulnerable versions of Windows, even though patches had been available for two months. Most organizations could have avoided this situation by running a supported version of Windows and patching quickly enough. Here we recap where things stand with this threat and share a few details from our analysis.
The initial infection vector that kicked everything off is still murky. There has been some indication of low-volume email seeding campaigns containing URL links that lead to the initial malware being downloaded. We have not been able to independently confirm this, but it remains a possibility. One thing is clear: we have not seen any large-scale email campaigns distributing the malware to date, although that could change at any time.
Regardless of the initial infection vector, the malware quickly spreads across networks:
The main launcher has a curious feature: before it does anything else, it checks connectivity to a certain domain. If that domain resolves, the binary exits and does nothing further. This has been dubbed the killswitch. The killswitch domains found so far (listed below) have been registered by security researchers, see here and here. This has had the effect of hampering the spread of the malware. Hint: don't block these domains.
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
If the killswitch domain does not resolve, the launcher then checks its command line argument count. If there are fewer than two arguments, it creates a new service with the display name "Microsoft Security Center (2.0) Service" and the service name "mssecsvc2.0".
Next, the WannaCry ransomware is extracted from the resource section and dropped to C:\Windows, and a new process is spawned from C:\WINDOWS\tasksche.exe.
If there are two or more command line arguments, it instead opens the malware service "mssecsvc2.0", changes the service configuration with "SERVICE_CONFIG_FAILURE_ACTIONS", and starts the service, which runs the propagation function using the SMB exploit.
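The service and process names above are the host-side artifacts a defender can alert on. The script below is an added example (not part of the original post or any Trustwave tooling): it parses constructed Windows-event-style lines (Event ID 7045 service install, Event ID 4688 process creation) and flags the service name, display name and dropped tasksche.exe path named in the analysis. The image path for the launcher in the sample is a placeholder, since the post names only the service.

```python
import re

# Constructed sample log lines (not real telemetry) shaped like Windows events:
# 7045 = "A service was installed", 4688 = "A new process has been created".
# The launcher ImagePath for WS01 is a placeholder; the page names only the service.
SAMPLE_EVENTS = """\
EventID=7045 Host=WS01 ServiceName=mssecsvc2.0 DisplayName="Microsoft Security Center (2.0) Service" ImagePath="C:\\WINDOWS\\placeholder_launcher.exe"
EventID=7045 Host=WS02 ServiceName=Spooler DisplayName="Print Spooler" ImagePath="C:\\Windows\\System32\\spoolsv.exe"
EventID=4688 Host=WS03 NewProcessName="C:\\WINDOWS\\tasksche.exe" ParentProcessName="C:\\WINDOWS\\placeholder_launcher.exe"
EventID=4688 Host=WS04 NewProcessName="C:\\Windows\\System32\\notepad.exe" ParentProcessName="C:\\Windows\\explorer.exe"
"""

# Indicators taken from the analysis above (compared case-insensitively).
SERVICE_NAME = "mssecsvc2.0"
DISPLAY_NAME = "microsoft security center (2.0) service"
DROPPED_EXE = "c:\\windows\\tasksche.exe"

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def check_event(ev):
    """Return a reason string if the event matches a WannaCry indicator, else None."""
    if ev.get("EventID") == "7045":
        if ev.get("ServiceName", "").lower() == SERVICE_NAME:
            return "service install: name " + SERVICE_NAME
        if ev.get("DisplayName", "").lower() == DISPLAY_NAME:
            return "service install: display name matches"
    if ev.get("EventID") == "4688":
        if ev.get("NewProcessName", "").lower() == DROPPED_EXE:
            return "process start: " + DROPPED_EXE
    return None


def scan_events(text):
    """Run every non-empty line through check_event; return (host, reason) hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reason = check_event(ev)
        if reason:
            hits.append((ev.get("Host", "?"), reason))
    return hits


if __name__ == "__main__":
    for host, reason in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```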
Next, one thread is started for scanning local IPs and 128 threads for scanning public IPs:
For local IPs, it gathers the host's IP addresses using the GetAdaptersInfo() API, then scans each target IP for MS17-010 and transfers the payload if the target is vulnerable:
For public IP addresses, the malware generates target IP addresses using the CryptGenRandom() API by default, otherwise it falls back to the rand() function. The randomly generated first octet of the IP address cannot equal 127 or be >= 224. The second, third and fourth octets are also randomly generated. It then checks whether port 445 of the target IP is open.
If port 445 is found open, it scans the entire /24 range of that address, creating a thread for each target IP and attempting to exploit it.
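The scanning behaviour described above, many random public targets plus a full /24 sweep once a host answers on 445, gives a clear network-side detection signal: a single internal source fanning out to many distinct addresses on port 445 within a short window. This added example (not part of the original post or Trustwave's products) runs that check over constructed firewall connection lines; the thresholds and window are assumptions to tune per environment.

```python
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 60     # assumed tuning values, not from the analysis
MAX_DISTINCT_DST = 20   # distinct IPs on 445 per source inside one window
MAX_HOSTS_PER_24 = 16   # distinct hosts inside a single /24 per source


def build_sample_log():
    """Constructed firewall lines 'ts src dst dport' (not real traffic)."""
    lines = []
    for i in range(30):       # infected host: random-looking public targets
        lines.append(f"{100 + i} 10.0.5.7 {60 + i}.{i * 7}.{i * 5}.{i * 3} 445")
    for i in range(1, 26):    # same host then sweeps one /24 (TEST-NET-2)
        lines.append(f"{130 + i} 10.0.5.7 198.51.100.{i} 445")
    for i in range(3):        # benign host talking to two file servers
        lines.append(f"{100 + i * 30} 10.0.5.8 10.0.5.{20 + i % 2} 445")
    return lines


def parse(lines):
    """Return per-source lists of (ts, dst) for port 445 only, sorted by time."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = line.split()
        if dport == "445":
            per_src[src].append((int(ts), ipaddress.ip_address(dst)))
    for events in per_src.values():
        events.sort()
    return per_src


def detect_scanners(lines):
    """Flag sources whose 445 fan-out in any WINDOW_SECONDS window is excessive."""
    findings = {}
    for src, events in parse(lines).items():
        reasons = set()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1                      # slide the window forward
            window = [dst for _, dst in events[start:end + 1]]
            if len(set(window)) >= MAX_DISTINCT_DST:
                reasons.add("fan-out")
            per_24 = defaultdict(set)
            for dst in window:
                per_24[ipaddress.ip_network(f"{dst}/24", strict=False)].add(dst)
            if any(len(hosts) >= MAX_HOSTS_PER_24 for hosts in per_24.values()):
                reasons.add("slash24-sweep")
        if reasons:
            findings[src] = sorted(reasons)
    return findings
```

Running `detect_scanners(build_sample_log())` reports only the constructed infected host, with both the fan-out and the /24 sweep reasons.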
We unpacked the PE file manually, which showed several layers. Any tool that dumps the resource (.rsrc) section of a PE file can be used. In this case, we used an internal tool.
The file "R-1831" is the PE file embedded in the launcher.
Running "R-1831" through the .rsrc dumper, we can see that it contains the following files:
"XIA-2058" is actually a password-protected zip file. PW: 'WNcry@2ol7'. When extracted, it contains the following:
The R-1831 file drops an encrypted DLL called "t.wnry". Once the DLL is decrypted, the WannaCry ransomware itself is run.
The "b.wnry" file is a BMP image used as the ransom note desktop wallpaper.
The "c.wnry" file holds a list of TOR sites (*.onion).
The "r.wnry" file contains a plain-text "readme" ransom note.
The msg folder holds ransom note messages in different languages.
The file "s.wnry" is another ZIP file that contains Tor-related binaries, which are later used for C2 beaconing:
The actual ransomware component itself is not all that remarkable. It does what ransomware does: it encrypts a wide range of files and demands a ransom, to be paid in bitcoins, in a most insistent way. Here is a list of some of the files it encrypts.
What we have seen to date is likely only the beginning. Expect new variants of this threat to emerge quickly. These are likely to have different killswitch domains or no killswitch domain at all. Note that even if you have patched your systems, you may still be affected by the WannaCry ransomware itself if it is spread via email or the web in the future. However, if you are up to date with patches and have taken some of the mitigation steps below, the impact and spread should be well contained.
Trustwave customers will find active protection against this campaign in many of our security offerings including:
Finally, if you find yourself or your organization infected, our Trustwave Incident Response team is happy to help you. You can visit https://www.trustwave.com/en-us/company/about-us/spiderlabs/ for more information or call our 24hr Incident Response Hotline: +1 (866) 659-9097 and select "Option 5".