In the middle of May we witnessed an event that could have been described as an ordinary ransomware attack, yet it turned out to have an extraordinary impact: we're talking about WannaCry.
In a few hours this ransomware infected thousands of computers and knocked out several infrastructures before it was contained. Let's analyze what happened and why this attack was unusual for its kind and, in some respects, even disturbing.
A chronology of events
The MalwareHunterTeam, GData and Malwarebytes research groups had observed the malware Trojan.Encoder.11432 (also known as WannaCry, WannaCryptor, WanaCrypt0r, WCrypt, Wana Decrypt0r, WCRY and WNCRY) a few weeks before the actual attack, without seeing the kind of distribution or activity that would suggest an imminent attack. Dr.Web added Wanna Decryptor 1.0 to its virus database on March 27.
The attack then started on Friday, May 12, with the first signals recorded in the morning, when the Spanish ISP Telefonica warned its clients to power off their computers because of an ongoing attack. The ransomware claimed thousands of victims all around the world: the New York Times published an interactive map showing how the main infection areas evolved in the hours following the attack.
The next day two unexpected things happened: Microsoft released a patch for operating systems such as XP and Server 2003, which had been EOL (End Of Life) for years, and a researcher managed, almost by accident, to contain the attack by exploiting a weakness in the design of the ransomware itself.
The attack went on for the whole weekend but found fewer and fewer systems to hit as people started to patch. New versions of WannaCry and other copy-cat ransomware were found on Monday, May 15.
Attacks continued in the following days, and infections are still being recorded. Hundreds of thousands of Windows systems (more than 400,000 as of May 17) have been hit in 150 countries, with well-known victims such as the British health service (NHS), Telefonica, FedEx, the universities of Montreal, Shandong and Milano-Bicocca, Renault, Hitachi, Petrobras, several hospitals, the Russian and German railways, and other public administrations.
At least 336 people paid the ransom, for a total of 50.5 Bitcoin, that is, almost 112,000 euros.
The structure of the ransomware
WannaCry is ransomware, i.e. malware that encrypts the data on a computer and demands a ransom in virtual currency in exchange for the decryption key needed to unlock it.
This type of malware is not new: the first documented case dates back to 1989 with "PC Cyborg", but it was only by the end of 2013 that it came to be recognized as one of the most dangerous and widespread threats.
WannaCry leverages two exploits (i.e. code that takes advantage of vulnerabilities to carry out an attack) that were stolen from the NSA by a group of hackers called the Shadow Brokers and then released together with other exploits, most of them aimed at the Microsoft Windows operating system.
The first exploit used is EternalBlue (first detected by the French researcher Kaffeine). It scans the network for any Windows computer that exposes port 445 (TCP, the port used for SMB/CIFS) and exploits a vulnerability in the SMBv1 protocol (Server Message Block), the protocol that provides connectivity to network resources such as printers and shares.
After locating a vulnerable server, the worm gains access to the system, copies itself there and runs. It first tries to contact a specific Internet domain: if it succeeds, it leaves the data alone but stays active, keeps contacting the domain and goes on spreading to other computers on the Internet and on internal networks. SMB is a protocol that is usually deployed without much caution in business environments because of how widely it is used, so the ransomware spreads very easily.
If the worm can't contact the test domain, it extracts a password-protected ZIP file in the folder where it resides and runs the ransomware component, which encrypts the data on the target machine.
The payload, i.e. the ransomware code that encrypts files, is downloaded and executed with DoublePulsar, the second NSA exploit used. DoublePulsar is a backdoor that allows any payload to be injected onto a computer by working directly in the kernel at Ring 0, the most privileged level, at the core of the operating system. In April a wave of DoublePulsar infections was recorded, with 30,000 infections identified by Below0Day, which also released a tool to check whether the backdoor is present on your system.
Files with the most common extensions are encrypted: documents, images, audio and video files, Office files, archives, databases, code, scripts and also virtual machine files such as .vmx and .vmdk (VMware) and .iso and .raw images. The .WNCRY extension is appended to the encrypted files, and the @[email protected] and @[email protected] files are dropped into every folder that contains encrypted files.
The malware then deletes the VSS copies (Volume Snapshot Service), disables every restore point and wipes the Windows Server Backup history, so that no pre-encryption version of the files can be restored.
Lastly, the WanaDecrypt0r 2.0 screen is shown, with the instructions for paying the $300 ransom.
An accidental hero
We explained in the previous section that the worm bases its behaviour on whether or not it can contact a test domain. A researcher known on Twitter as MalwareTech explained, in a post titled "How to Accidentally Stop a Global Cyber Attacks", how he discovered this behaviour while examining the ransomware's code, and registered such domains so that the malware could reach them and, as explained, would not encrypt any files.
MalwareTech is an accidental (?) hero who slowed down the infection rate, giving users time to become aware of the attack and start patching their systems, and thus averting a scenario that, given the malware's spreading capacity and its propagation vector (EternalBlue), could have had a catastrophic outcome.
Many sites talked about a "kill switch" in the ransomware, but it's worth noting that this is actually a countermeasure, a trivial and insecure one, used by the malware itself to determine whether it is running in a real operating system or in a sandbox or virtual machine: in the latter case it doesn't encrypt any data, so as not to draw the attention of the researchers who run the sandbox/VM (i.e. a special area isolated from the rest of the world where the behaviour of samples can be analyzed), and thus go unnoticed and avoid being dissected in search of a remedy.
This domain-based check tells the malware that it is in a real OS if it can't contact the domain (which is not registered and is randomly generated: one of the domains used is iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com); if instead it is running in a sandbox, it receives an artificial reply crafted by the sandbox itself, because of the way sandboxes behave: all incoming and outgoing traffic is allowed and analyzed. The same technique has been used by the Locky and Bart ransomware too.
MalwareTech's great idea was simply to register the domain, a $10, five-minute operation.
WannaCry's developers have since released new versions of the malware without this "kill switch".
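A defender can turn the same domain check around: any host that looks up the kill-switch domain has run the worm component, even though it did not encrypt anything, and is still scanning for SMB. The following is an added example, not code from the article or from MalwareTech; it runs over constructed DNS query lines in a hypothetical "timestamp client qtype qname" format, using the domain quoted above.

```python
import re
from collections import defaultdict

# Kill-switch domain quoted in the article (the one MalwareTech registered).
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed sample resolver log; the line format is hypothetical, chosen for
# this example and not that of any real DNS product.
SAMPLE_DNS_LOG = """\
2017-05-12T09:41:03Z 10.0.12.7 A www.example.com
2017-05-12T09:41:05Z 10.0.12.7 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T09:41:06Z 10.0.44.21 A update.example.net
2017-05-12T09:41:09Z 10.0.44.21 A IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T09:42:11Z 10.0.12.7 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def normalize_qname(qname):
    # DNS names are case-insensitive and may be logged with a trailing dot.
    return qname.rstrip(".").lower()


def find_kill_switch_lookups(log_text):
    """Return {client_ip: [timestamps]} for every query to a kill-switch domain.

    A hit means the worm ran on that host and reached the check: the host did
    not encrypt its files (the domain resolves), but it is still running the
    SMB scanner and should be isolated and patched.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        if normalize_qname(m.group("qname")) in KILL_SWITCH_DOMAINS:
            hits[m.group("client")].append(m.group("ts"))
    return dict(hits)


if __name__ == "__main__":
    for client, times in sorted(find_kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```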
Attack mitigation and data restore
In March Microsoft had released the cumulative update MS17-010, which contained a patch for the SMBv1 vulnerability used to gain access to systems; Windows 10, which updates automatically, came through the attack unharmed, as did every system that had been patched with MS17-010.
The day after the attack, May 13, Microsoft released a patch for Windows XP, 8 and Server 2003, which weren't covered by MS17-010 (8 is considered obsolete, as the update to 8.1 or 10 is considered mandatory), thus fixing the vulnerability on all Windows operating systems. To understand the scale and the exceptional nature of the attack, it's worth knowing that Windows XP and Server 2003 hadn't received a single update since May 2014, when Microsoft's extended support for them ended.
Microsoft itself had recommended in 2015 that SMBv1 be disabled in favour of later versions of the protocol.
Below0Day had also recently urged users to disable the protocol on Server 2003 and XP, or to update, as can still be read on the website it created to check whether DoublePulsar is on your computer. Nobody suspected back then that the exploit could be used to deliver a ransomware payload.
In some cases the prime numbers of the key used to encrypt the data are still present in RAM, provided the computer hasn't been rebooted: in that case the files can be restored with WanaKiwi, a tool available at this address.
The private keys needed to build a decryption tool haven't been released yet, so WanaKiwi is the only available way to decrypt files. However, we suggest keeping all the encrypted files, as a decryption tool might become available sooner or later.
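Why one prime left in memory is enough to recover the files, as an added example that is not WanaKiwi's code: the RSA key that wraps the per-file keys has modulus n = p * q, so a single prime factor p read from RAM gives q = n / p and therefore the private exponent. The parameters are constructed and toy-sized (real keys are 2048-bit), and the wrapped "file key" stands in for a per-file AES key.

```python
from math import gcd

# Toy RSA parameters, constructed for this example (real keys are 2048-bit).
P = 104729
Q = 104723
E = 65537


def make_keypair(p, q, e=E):
    """Return (public (n, e), private d) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), pow(e, -1, phi)


def recover_private_exponent(n, e, p):
    """Rebuild d from the public key and ONE prime factor p.

    This is the step a memory-based recovery relies on: the article notes the
    primes may still be in RAM until the machine is rebooted, and once p is
    known the second factor is just n // p.
    """
    if n % p != 0:
        raise ValueError("p is not a factor of n: not this key's prime")
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(n, d, c):
    return pow(c, d, n)


def demo():
    """Wrap a tiny constructed 'file key', then unwrap it with the recovered d."""
    (n, e), d_real = make_keypair(P, Q)
    file_key = int.from_bytes(b"k3y!", "big")  # constructed sample, smaller than n
    wrapped = rsa_encrypt((n, e), file_key)
    d_recovered = recover_private_exponent(n, e, P)
    return d_recovered == d_real, rsa_decrypt(n, d_recovered, wrapped) == file_key


if __name__ == "__main__":
    print(demo())
```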
Aftermath and future scenarios
WannaCry proved to be particularly nasty because of its architecture and the way it operates. This ransomware includes two NSA exploits and can spread on its own by taking advantage of two known Windows vulnerabilities, including one in the SMB protocol, which is usually required for normal business operations.
Whereas ransomware was previously distributed almost exclusively through email attachments or phishing sites, and could therefore be avoided with proper user education, WannaCry has now paved the way for self-propagating malware that requires no user interaction at all.
The authors of the attack haven't been identified yet, nor has anyone claimed it; there is speculation that it was an operation by the Lazarus Group, allegedly backed by North Korea. Flashpoint researchers published a study based on a linguistic analysis of the ransom notes left by the ransomware: the study suggests that the authors have a good knowledge of English and a correct command of Chinese, since all the notes were machine-translated with Google Translate except the English and Chinese ones. The researchers wisely point out that one should not conclude from this that the authors are Chinese, or deduce their nationality from this analysis at all: after all, they might have included their mother tongue among the machine-translated ones.
The attack leveraged a vulnerability in SMBv1 that Microsoft knew about and had already patched; as stated above, in 2015 Microsoft explicitly urged users to disable the protocol.
The discovery of the "kill switch" slowed the attack down, and it turned out to be less destructive than it could have been; yet with a proper operating-system update policy and proper user education, WannaCry could have done even less damage.
Even though the WannaCry phenomenon has been stemmed, the Shadow Brokers have already released other exploits in addition to EternalBlue and DoublePulsar, and threaten to do so every month with "The ShadowBrokers Data Dump of the Month", for a monthly subscription fee.
Four researchers, Matthew Hickey (@HackerFantastic), @X0rz, Nicholas Weaver (@ncweaver) and Tim Strazzere (@timstrazz), launched a crowdfunding campaign on Patreon with the goal of raising $22,000 (the current value of the 100 ZCash, a Bitcoin-like cryptocurrency, asked by the Shadow Brokers) to obtain the monthly dump, so that it can be shared with vendors and used to develop countermeasures to the released exploits.