Since Friday this week has been most eventful because of a malware – Wanacrypt, infecting thousands of computer networks in a jiffy. As speculated, it leveraged a very potent exploit that was made public by the Shadow Brokers. The name of the exploit is ETERNALBLUE, which was used by the Equation Group to exploit a large number of systems right untill Windows 10. List of Equation Group Exploits lists the exploits and their targets.
What do we know about Wanacrypt?
Wanacrypt, WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY – this malware is known by multiple names and targets all Microsoft Windows versions prior to Windows 10, if they are not patched with MS17-010. Microsoft yesterday released a patch – KB4012598, for the end of life – Windows XP, Windows 8 and Windows Server 2003 operating systems. As of today, there are three known variants on the internets, one of which does not spread properly. Comae.io lists the following information about the malware:
Name : 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd LastWriteTime : 5/14/2017 5:56:00 PM MD5 : D724D8CC6420F06E8A48752F0DA11C66 SHA2 : 07C44729E2C570B37DB695323249474831F5861D45318BF49CCF5D2F5C8EA1CD Length : 3723264 Name : 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c LastWriteTime : 5/13/2017 7:26:44 AM MD5 : DB349B97C37D22F5EA1D1841E3C89EB4 SHA2 : 24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C Length : 3723264 Name : 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf LastWriteTime : 5/14/2017 4:11:45 PM MD5 : D5DCD28612F4D6FFCA0CFEAEFD606BCF SHA2 : 32F24601153BE0885F11D62E0A8A2F0280A2034FC981D8184180C5D3B1B9E8CF Length : 3723264
This ransomware asks for amount between $300 to $600 USD in Bitcoins. It loops through every RDP session on they system to run the ransomware as that user, while installing the DOUBLEPULSAR backdoor. It also seems to corrupt shadow volumes to make recovery harder. The following Bitcoin addresses are hard-coded in Wanacrypt:
https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
There is a twitter bot – @actual_ransom, which is watching the above mentioned Bitcoin wallets and reports if any payments are made to it. As of now, the three bitcoin wallets have received 131 payments totaling $37,736.09 USD!
It has localization for a lot of languages. Their relative language files are – m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese.
The files that Wanacrypt looks to encrypt end with these extensions – .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der.
Each of these files are ecrypted using AES-128-ECB encryption, with a unique AES key per file, which is generated using a cryptographically secure pseudorandom number generator function that is included in Microsoft CryptoAPI – CryptGenRandom. The AES key is encrypted using this infection specific RSA keypair. Wanacry also a ZIP archive in it’s resources which is encrypted with the password “WNcry@2ol7”
On infection, a new RSA-2048 keypair is generated and the public key is exported as blob and saved to 00000000.pky. The private key is encrypted with the ransomware public key and saved as 00000000.eky.
Interestingly, there are kill-switches in the ransomware:
- www.ayy1maotjhsstasdfasdfasdfasdfasdfasdfasdf.com – Thanks @verovaleros!
The second kill-switch was introduced with the second variant. If either of the two domains are up, the ransomware simply quits and does not infect the host. If you create a dummy app with MsWinZonesCacheCounterMutexA, MsWinZonesCacheCounterMutexW or MsWinZonesCacheCounterMutexA0 as the mutex, the ransomware will fail to launch. The ransomware also drops a TOR browser in the TaskData folder to communicate with it’s C&C located at the following locations:
gx7ekbenv2riucmf.onion 57g7spgrzlojinas.onion xxlvbrloxvriy2c5.onion 76jdd2ir2embyv47.onion cwwnhwhlz52maqm7.onion
@gentilkiwi has already released a tool – wanadecrypt to decrypt your files encrypted by Wanacrypt malware if you have the RSA key! This can be obtained from the memory of a system that already is infected. He has now followed it up with wanakiwi, a tool based on wannakey, which helps you with an in-memory Wanacry key recovery. There is a drawback with this method that the machine should not have been rebooted and that it works only on Windows XP. Another recently released too – Telefónica WannaCry File Restorer helps recover files that have not yet been encrypted.
Personally, I think that this is a work of NSA, CIA or other such agencies, so that Microsoft is forced to release a patch for their exploit. They can’t afford having their potent exploit running amok in the wild with the general public. To make matters interesting, the code to delete files incase of the demand for ransom is not met is absent in the ransomware itself! The counter simply resets if the ransomware crashes. Who ever did this is banking on the fact that the security community will be able to develop a keygen for Wanacrypt.
How do you prevent a Wanacrypt infection?
Here are a few steps that I can think can help protect you:
- If you are on a end of life (Windows XP, Windows 2003, Windows 8, etc.) Windows version, install KB4012598.
- If you are on a supported (Windows 7, Windows 8.1, etc.) Windows version, install MS17-010.
All related patches are listed under KB4012212, KB4012213, KB4012214, KB4012215, KB4012216, KB4012217, KB4013429, KB4015217, KB4015438, KB4015549, KB4015550, KB4015551, KB4015552, KB4015553, KB4016635, KB4019215, KB4019216, KB4019264, KB4019472.
- Create an app with MsWinZonesCacheCounterMutexA or MsWinZonesCacheCounterMutexA0 mutexes. Use code by @N3mes1s or get it below:
$createdNew = $False; $mutex = New-Object -TypeName System.Threading.Mutex($true, "MsWinZonesCacheCounterMutexA0", [ref]$createdNew);
$createdNew = $False; $mutex = New-Object -TypeName System.Threading.Mutex($true, "MsWinZonesCacheCounterMutexW", [ref]$createdNew);
- Run the following as an administrator that disables the SMBv1 protocol:
dism /online /norestart /disable-feature /featurename:SMB1Protocol
OR with PowerShell
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
This will only run on Windows 8.1, Windows 8, Windows 7, Windows Server 2008 R2 and Windows Server 2008 SP2 systems.
- Install a good anti-malware, anti-virus as most of them now will have signatures detecting multiple Wanacrypt variants.
- Deny access external to TCP ports 135 and 445. If you use Windows firewall only, you can apply the following rules in an administrative prompt:
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135" netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"