Source: AhnLab, Inc., download.ahnlab.com/global/brochure/WannaCryptor... (2017-06-05)

WannaCryptor Ransomware Analysis

In-depth analysis of Trojan/Win32.WannaCryptor

220, Pangyoyeok-ro, Bundang-gu, Seongnam-si, Gyeonggi-do, South Korea, 13493 | Tel: 031-722-8000 | Fax: 031-722-8901 | www.ahnlab.com

© AhnLab, Inc. All rights reserved.


WannaCryptor Ransomware Analysis Report


Contents

01. Overview

02. Routes of Infection

03. Attack Method of WannaCryptor

    1) Detailed analysis of operating process

    2) Symptoms of infection

    3) Method of file encryption and decryption

04. Countermeasures


01. Overview

The first attack by the WannaCryptor ransomware, also known as WannaCry and Wcrypt, was reported on May 12, 2017 in Spain and the UK, and it quickly spread worldwide.[1][2]

WannaCryptor was first discovered in February 2017. The newly discovered WannaCryptor was built on EternalBlue, a National Security Agency (NSA) exploit leaked by the Shadow Brokers in April 2017. EternalBlue exploits a vulnerability in the Server Message Block (SMB) protocol of Microsoft Windows, also known as MS17-010.[3] Microsoft released security updates that resolve the SMB vulnerability in March 2017, but the majority of users had not applied the patch, so their systems remained exposed.

On May 12, 2017, WannaCryptor began to spread worldwide, and as of May 17, 2017, more than 500 variants had been found, according to AhnLab Smart Defense (ASD), an AhnLab threat analysis system.

The samples of WannaCryptor analyzed in this report are listed in [Table 1].

No.  MD5                               File name     Size (bytes)  Features
1    DB349B97C37D22F5EA1D1841E3C89EB4  mssecsvc.exe  3,723,264     Dropper propagating via SMB vulnerability
2    84C82835A5D21BBCF75A61706D8AB549  tasksche.exe  3,514,368     File encryption

[Table 1] Samples of WannaCryptor

[1] http://www.bbc.com/news/technology-39901382

[2] http://varlamov.ru/2370148.html

[3] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx


02. Routes of Infection

Most ransomware infects users' computers by luring them into opening compromised email attachments or visiting malicious websites. WannaCryptor instead leveraged a Windows vulnerability (MS17-010, SMB Remote Code Execution Vulnerability) and rapidly infected vulnerable systems. WannaCryptor was able to spread so fast because a computer running an unpatched Windows version can become infected simply by being connected to the Internet, without any user action.

The Windows SMB vulnerabilities related to the WannaCryptor distribution are shown in [Table 2].

Windows SMB Remote Code Execution Vulnerability (CVE-2017-0143)

Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)

Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)

Windows SMB Remote Code Execution Vulnerability (CVE-2017-0146)

Windows SMB Information Disclosure Vulnerability (CVE-2017-0147)

Windows SMB Remote Code Execution Vulnerability (CVE-2017-0148)

[Table 2] SMB vulnerability related to the WannaCryptor distribution

The operating systems affected by the SMB vulnerabilities are shown in [Table 3]. Despite having the vulnerabilities, Windows 10 has not been targeted by WannaCryptor.

Windows XP/ Vista/ 7/ 8.1/ RT 8.1

Windows 10 (not targeted by WannaCryptor, despite having SMB vulnerabilities)

Windows Server 2003/ 2008 R2 SP1, SP2/ 2012 R2/ 2016

[Table 3] Operating systems affected by SMB vulnerabilities


03. Attack Method of WannaCryptor

1) Detailed analysis of operating process

The operating process of the WannaCryptor exploit is shown in [Figure 1].

[Figure 1] WannaCryptor operating process

(1-1) Accesses certain URLs

Once activated, WannaCryptor attempts to connect to the URLs shown in [Table 4]. Only when the connection fails does it continue executing the attack. Through this check, WannaCryptor tries to evade behavior-based anti-malware protection by confirming that the PC environment is real, not virtual. As of May 2017, new variants that attempt to connect to URLs other than those listed in [Table 4] were still being discovered.

- http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

- http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

[Table 4] URLs used by WannaCryptor


The code that checks the connection to the stated URL is shown in [Figure 2].

[Figure 2] Code to confirm connection to the URL

WannaCryptor registers itself as a service, which requires administrator privileges. This allows WannaCryptor to execute its malicious code automatically every time the system starts. The service name, mssecsvc2.0, is disguised as a Microsoft security service, and the service is started with the -m security argument. The service information is shown below in [Figure 3].

[Figure 3] Service properties registered by ransomware

(1-2) Exploits the SMB vulnerability against the victim's IP range and random IPs

When WannaCryptor starts running as a service, it exploits the SMB vulnerability in order to distribute itself. It scans the victim's IP range as well as randomly generated IP addresses, transmitting SMB packets to port 445. An excessive number of packets may be generated in this process, resulting in traffic overload.
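As an added example (not code from the AhnLab report), the following Python script shows how a defender could flag, in constructed log lines, the two network behaviours described in sections (1-1) and (1-2): a DNS lookup for one of the [Table 4] URLs, and a burst of connections from one source to many distinct hosts on port 445. The log format, the 60-second window and the five-target threshold are assumptions of this example.

```python
"""Added example (not AhnLab's code): flag WannaCryptor network behaviour in
log lines. The log format, time window and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Kill-switch URLs from [Table 4]; per the report, WannaCryptor continues
# only if the connection to them fails.
KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Assumed log format: "<ISO timestamp> <DNS|CONN> <src> -> <dst>[:<port>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>DNS|CONN) (?P<src>\S+) -> "
    r"(?P<dst>[^:\s]+)(?::(?P<port>\d+))?$"
)

# Constructed sample: 10.0.0.5 behaves like an infected host (kill-switch
# lookup, then 445/tcp to internal and random public addresses); 10.0.0.9
# behaves like a normal client talking to one file server and one web server.
SAMPLE_LOG = """\
2017-05-12T10:00:00 DNS 10.0.0.5 -> www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:00:01 CONN 10.0.0.5 -> 10.0.0.11:445
2017-05-12T10:00:01 CONN 10.0.0.5 -> 10.0.0.12:445
2017-05-12T10:00:02 CONN 10.0.0.5 -> 10.0.0.13:445
2017-05-12T10:00:02 CONN 10.0.0.5 -> 203.0.113.40:445
2017-05-12T10:00:03 CONN 10.0.0.5 -> 198.51.100.9:445
2017-05-12T10:00:03 CONN 10.0.0.5 -> 10.0.0.14:445
2017-05-12T10:00:04 CONN 10.0.0.5 -> 10.0.0.15:445
2017-05-12T10:00:04 CONN 10.0.0.5 -> 10.0.0.16:445
2017-05-12T10:01:00 CONN 10.0.0.9 -> 10.0.0.2:445
2017-05-12T10:01:30 CONN 10.0.0.9 -> 10.0.0.2:445
2017-05-12T10:02:00 CONN 10.0.0.9 -> 93.184.216.34:80
2017-05-12T10:02:10 DNS 10.0.0.9 -> www.example.com
"""


def parse_log(text):
    """Parse log lines into event dicts; lines in an unknown format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "kind": m["kind"],
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]) if m["port"] else None,
        })
    return events


def find_kill_switch_lookups(events):
    """Return (source, domain) for every DNS lookup of a [Table 4] domain."""
    return [(e["src"], e["dst"]) for e in events
            if e["kind"] == "DNS" and e["dst"].lower() in KILL_SWITCH_DOMAINS]


def find_smb_scanners(events, window_seconds=60, min_targets=5):
    """Return {source: max distinct 445/tcp targets within any window}
    for sources that reach at least min_targets distinct hosts."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "CONN" and e["port"] == 445:
            by_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        best = 0
        for i, (t0, _) in enumerate(conns):
            # distinct destinations within window_seconds of connection i
            targets = {d for t, d in conns[i:]
                       if (t - t0).total_seconds() <= window_seconds}
            best = max(best, len(targets))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(find_kill_switch_lookups(ev))
    print(find_smb_scanners(ev))
```

The kill-switch lookup is a useful early indicator that a sample has started on a host. Because the report notes that execution continues only when the connection fails, simply blocking these domains at the perimeter would remove the check rather than stop the malware; the lookups are better alerted on than blocked. The 445/tcp fan-out check is what distinguishes the scanning stage from a client's normal use of one or two file servers.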


(1-3) Infects systems via the SMB vulnerability

WannaCryptor uses the IP scanning process to find further target systems with the SMB vulnerability to which it sends the packets. As shown in [Figure 4], WannaCryptor generates data that carries the Remote Code Execution (RCE) payload in the header of the SMB packet, which exploits the SMB vulnerability. The shellcode is executed if the target's operating system is unpatched.

[Figure 4] RCE packet that exploits the SMB vulnerability

[Figure 5] shows the shellcode that is executed after exploitation.

[Figure 5] Shellcode executed after the SMB exploit

(1-4) Infects other systems

WannaCryptor runs on the newly infected system and then spreads through the SMB vulnerability again, which can infect further systems.

(2-1) Creates an additional malicious file

After the initial execution, WannaCryptor creates an additional malicious file in one of the system paths shown in [Table 5]. The system path used for file creation may differ depending on the targeted Windows version. [Random] is the name of the folder in which the new file is created; it is a unique value derived from the system information.


- C:\ProgramData\[Random]\tasksche.exe

- C:\Intel\[Random]\tasksche.exe

- C:\Windows\tasksche.exe

- C:\User\(Username)\AppData\Local\Temp\[Random]\tasksche.exe

[Table 5] Paths where malicious file is created

2) Symptoms of infection

The file that performs the malicious behavior is the additionally created file, tasksche.exe. The dropper executes this file in install mode with the /i argument. When the executable runs for the first time with the /i argument, it is registered as a service, as shown in [Figure 6]. The service name follows the name of the [Random] folder in which the executable files are stored.

[Figure 6] Service properties of tasksche.exe file


Once registered, tasksche.exe runs as a service and creates additional files in the same path, as shown in [Table 6], hiding them by setting the hidden attribute (attrib +h).

File name      File function
b.wnry         Image file that is set as the wallpaper after file encryption.
c.wnry         Configuration file for Tor (access URL, download URL).
f.wnry         List of sample files to decrypt.
r.wnry         readme.txt
s.wnry         ZIP-compressed file of the Tor module.
t.wnry         Encryption module, which is itself encrypted.
u.wnry         Identical copy of the @WanaDecryptor@.exe program that demands Bitcoin payment.
taskdl.exe     Internal program used by the encryption module.
taskse.exe     Internal program used by the encryption module.
00000000.pky   Public key file.
00000000.eky   Encrypted private key file.

[Table 6] List of files generated by tasksche.exe

[Figure 7] List of files generated by tasksche.exe (2)


Message files displayed as the ransom note in 28 languages are created in the msg folder, as shown in [Figure 8].

[Figure 8] List of ransom note files named after 28 languages

Files for the Tor network are created in the TaskData folder, as shown in [Figure 9]. The Tor network, which enables anonymous communication, is used to make tracking more difficult.

[Figure 9] Tor files created in the TaskData folder

WannaCryptor encrypts files on the infected system and appends .WNCRY to the extension. The targeted file extensions are shown in [Table 7].

.der .pfx .key .crt .csr
.p12 .pem .odt .ott .sxw
.stw .uot .3ds .max .3dm
.ods .ots .sxc .stc .dif
.slk .wb2 .odp .otp .sxd
.std .uop .odg .otg .sxm
.mml .lay .lay6 .asc .sqlite3
.sqllitedb .sql .accdb .mdb .db
.dbf .odb .frm .myd .myi
.ibd .mdf .ldf .sln .suo
.cs .c .cpp .pas .h
.asm .js .cmd .bat .ps1
.vbs .vb .pl .dip .dch
.sch .brd .jsp .php .asp
.rb .java .jar .class .sh
.mp3 .wav .swf .fla .wmv
.mpg .vob .mpeg .asf .avi
.mov .mp4 .3gp .mkv .3g2
.flv .wma .mid .m3u .m4u
.djvu .svg .ai .psd .nef
.tiff .tif .cgm .raw .gif
.png .bmp .jpg .jpeg .vcd
.iso .backup .zip .rar .7z
.gz .tgz .tar .bak .tbk
.bz2 .PAQ .ARC .aes .gpg
.vmx .vmdk .vdi .sldm .sldx
.sti .sxi .602 .hwp .snt
.onetoc2 .dwg .pdf .wk1 .wks
.123 .rtf .csv .txt .vsdx
.vsd .edb .eml .msg .ost
.pst .potm .potx .ppam .ppsx
.ppsm .pps .pot .pptm .pptx
.ppt .xltm .xltx .xlc .xlm
.xlt .xlw .xlsb .xlsm .xlsx
.xls .dotx .dotm .dot .docm
.docb .docx .doc

[Table 7] List of extensions targeted by WannaCryptor

Once files have been encrypted, WannaCryptor changes the system wallpaper, as shown in [Figure 10], to inform the user of the infection.


[Figure 10] Wallpaper changed by an encrypted file

Then the ransomware displays the ransom note, which demands $300 USD in Bitcoin to recover the encrypted files. The ransom note is shown in [Figure 11] and is available in 28 languages.

[Figure 11] WannaCryptor ransom note available in 28 languages

3) Method of file encryption and decryption

WannaCryptor uses tasksche.exe to decrypt t.wnry, the encryption module, and loads it into its own memory to perform the encryption. The encryption method is shown in [Figure 12].


[Figure 12] WannaCryptor encryption method

- A public key (A) is embedded in the t.wnry file, which tasksche.exe decrypts and executes.

- An RSA public/private key pair (B) is created before any file is encrypted. (A different key pair is created for each infected system.)

- The public key (B) is stored in the 00000000.pky file and is used every time a file is encrypted.

- The private key (B) is encrypted with the public key (A) and stored in the 00000000.eky file.

- Each file is encrypted with AES-128-CBC using a randomly generated AES key.

- WannaCryptor encrypts the file with the random AES key, and that AES key is in turn encrypted with the public key (B).

- The OriginalFileName.WNCRY file is generated by combining the encrypted AES key, the encrypted file data, the signature, and the file size.

The format of the encrypted file is shown in [Figure 13].


[Figure 13] Format of encrypted file such as t.wnry file

Encrypted files have a predefined structure, shown in [Table 8].

- WANACRY! Signature

- Encrypted AES Key Size

- Encrypted AES Key

- Key Size Length

- Source File Length

- Encrypted File Data

[Table 8] Structure of encrypted file
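As an added example (not code from the AhnLab report), the following Python parser reads the container structure of [Table 8] from a .WNCRY blob. Only the field order and the WANACRY! signature come from the report; the field widths, the little-endian encoding and the placeholder values in the constructed sample are assumptions of this example. The point for a responder is that the header can be parsed and sanity-checked without any key: the original file length is recoverable, while the encrypted AES key is opaque without private key (B), which itself is locked by the author's private key (A).

```python
"""Added example (not AhnLab's code): parse the .WNCRY container described in
Table 8 and sanity-check it. Field widths are this example's assumptions."""
import struct

SIGNATURE = b"WANACRY!"   # signature named in Table 8
AES_BLOCK = 16            # AES-128-CBC ciphertext is block-aligned


def _round_up_to_block(n):
    return (n + AES_BLOCK - 1) // AES_BLOCK * AES_BLOCK


def parse_wncry(blob):
    """Return the header fields of a .WNCRY blob, or raise ValueError.

    Assumed layout (widths and byte order are assumptions, not the report's):
      offset 0     8 bytes  signature "WANACRY!"
      offset 8     4 bytes  encrypted AES key size, little-endian
      offset 12    n bytes  AES key encrypted with public key (B)
      offset 12+n  4 bytes  "key size length" field (Table 8 names it but
                            does not describe it, so it is recorded as-is)
      offset 16+n  8 bytes  source file length, little-endian
      offset 24+n  rest     encrypted file data
    """
    if len(blob) < 12:
        raise ValueError("blob too short for signature and key size")
    sig, key_size = struct.unpack_from("<8sI", blob, 0)
    if sig != SIGNATURE:
        raise ValueError("WANACRY! signature not found")
    off = 12
    if key_size == 0 or len(blob) < off + key_size + 12:
        raise ValueError("header truncated: key or length fields missing")
    enc_key = blob[off:off + key_size]
    off += key_size
    key_size_length, source_length = struct.unpack_from("<IQ", blob, off)
    off += 12
    ciphertext = blob[off:]
    # Consistency check: CBC output is block-aligned and cannot be shorter
    # than the source rounded up to a block; a mismatch means the file was
    # truncated or is not what its header claims.
    plausible = (len(ciphertext) % AES_BLOCK == 0
                 and len(ciphertext) >= _round_up_to_block(source_length))
    return {
        "key_size": key_size,
        "encrypted_aes_key": enc_key,
        "key_size_length": key_size_length,
        "source_length": source_length,
        "ciphertext_length": len(ciphertext),
        "plausible": plausible,
    }


def build_sample(source_length, key_size=256):
    """Constructed sample for exercising the parser. No encryption is
    performed: the key and data bytes are placeholders."""
    pattern = bytes(range(256))
    enc_key = (pattern * (key_size // 256 + 1))[:key_size]   # placeholder
    ciphertext = b"\xAA" * _round_up_to_block(source_length)  # placeholder
    return (SIGNATURE
            + struct.pack("<I", key_size)
            + enc_key
            + struct.pack("<IQ", 4, source_length)   # 4: placeholder value
            + ciphertext)


if __name__ == "__main__":
    info = parse_wncry(build_sample(1000))
    print(info["source_length"], info["ciphertext_length"], info["plausible"])
```

Run over a directory of suspect files, `parse_wncry` separates genuine WannaCryptor containers from files that merely carry the .WNCRY extension, and the `plausible` flag picks out truncated or tampered containers before any recovery attempt is made.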

The format of the 00000000.eky file is shown in [Figure 14].


[Figure 14] Format of encrypted private key file

This key file stores the RSA private key (B) in encrypted form, without the first 4 bytes. Once the 00000000.eky file has been decrypted, the AES key stored in each encrypted file can be obtained, and that AES key can then be used to decrypt the file.

The decryption process for encrypted files is as follows:

(1) Use the author's private key (A) to obtain the private key (B) from the 00000000.eky file.

(2) Use the private key (B) to obtain the AES key stored in encrypted form in each file.

(3) Use the AES key to decrypt the original file contained in the encrypted file data, as shown in [Figure 14].

Currently, without the author's private key (A), it is not possible to recover files encrypted by WannaCryptor.


04. Countermeasures

AhnLab's solutions detect and remove WannaCryptor through the following functions.

1. V3 Products

- Detects and removes WannaCryptor (Alias: Trojan/Win32.WannaCryptor.xxxxxxxx)

- The V3 engine is kept up to date when Automatic Update is enabled.

- Performs real-time scanning.

- The latest MS Windows security patch must be applied.

2. AhnLab MDS

- Detects WannaCryptor behaviors (Suspicious/MDP.Behavior, Malware/MDP.Create).

- Uses the Execution Holding function via MDS agent to suspend execution of malware.

- Required to apply the latest MS Windows security patch.

3. AhnLab TrusLine / AhnLab EPS

- Prevents running of WannaCryptor in Lock Mode.

4. AhnLab Patch Management

- Applies the latest MS Windows security updates through centralized control.

- Provided security patches in March and May 2017 via AhnLab Patch Lab. (* Complete updates for closed network environments.)

- Provided security patch in March. (Application also completed in March.)

- Provided security patch in May. (Patches for Microsoft's non-supported OS: Windows XP/ 8, Windows Server 2003.)

- Required to restart the system to apply patches.

5. AhnLab TrusGuard / AhnLab TrusGuard IPX

- Prevents EternalBlue exploits and WannaCryptor behaviors.

For further details on WannaCryptor analysis, the latest trends, response guidelines, security guidelines for prevention, and more, visit the AhnLab Security Center or the AhnLab Security Emergency Response Center (ASEC) blog.

