Last week’s WannaCry ransomware outbreak made international waves, raising concerns across the globe about just how bad things might get and what other nefarious malware could be on the horizon. Fortunately, the damage wasn’t as bad as feared with the perpetrators reportedly collecting a mere $50k in ransom and the hack deemed amateur by several industry experts.
Getting far less attention was the technical side of the attack, but it’s important to understand how this infection managed to spread to more than 200,000 machines, according to reports. The VIPRE Labs team has extensively analyzed WannaCry in order to understand how it operates.
Initial Execution Phase
WannaCry (or Wannacrypt) is made up of two main components: a worm to spread the malware and the actual ransomware itself. On most parts of the ransomware, RSA-AES is the algorithm used by Wannacrypt for encryption and decryption.
The worm tries to connect to www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com which at the time of the analysis was already sinkholed.
If the site is down, the code will execute further; if the site was registered the execution is halted, effectively serving as a killswitch for WannaCry. It appears the authors put this mechanism in place perhaps as a testing mechanism.
The binary masquerades as a Microsoft executable:
If the targeted system is configured to access the internet via proxy, that does not protect it from WannaCry’s effects because the ransomware uses INTERNET_OPEN_TYPE_DIRECT as an access type parameter on standard InternetOpen API - the operating system will happily supply a valid connection:
This initial dropper code first creates a service called “mssecsvc2.0” with arguments
-m security which will attempt to exploit the EternalBlue SMB vulnerability in remote computers.
Next, the ransomware executable component – %programdata%\wxbloxtho009\tasksche.exe – is dropped, creating two threads for LAN and WAN infection agents. After than, the initial malware process exits.
Local Area Network Exploitation
This thread will scan 10 local IP addresses at once, checking to see if it can connect in port 445 (the standard Windows SMB file share port) of the target computer. Presumably the limitation on 10 concurrent connections is to reduce the risk of detection.
The generated IPs aren't completely random; it will skip the loopback address and will be less than 224.x.x.x.
If successful, it will launch the EternalBlue exploit, reportedly developed by the NSA.
If connection succeeds, it proceeds by negotiating to get the SMB tree ID. It then makes 5 attempts to send a packet based on the ETERNALBLUE (MS17-010) exploit.
The response that it expects from the target is a value of 0x51 found in the response data.
This means that the exploit was successful and the DoublePulsar payload can be sent.
At this time, installation of DoublePulsar is attempted and, if successful, will run the payload in the target computer. The payload is then encrypted using a simple XOR before sending it to the target.
The image below shows the shellcode being sent in a packet.
Here's a snip of the shellcode disassembly:
Wide Area Network Exploitation
WannaCry also attempts to spread beyond the LAN by randomly generating an IP address, which will presumably be on some remote network. Otherwise the WAN attack is similar to the LAN variant.
Encryption (Ransomware) Component
The downloader mentioned above downloads an encryptor component as well, which showed up as 8dd63adb68ef053e044a5a2f46e0d2cd in our sample. This file imports CryptoAPI from advapi32.dll, although we've seen some variation across samples on how this is handled.
Wannacrypt ransomware begins by making a file copy of itself as:
The random generated string is calculated based on the computer name. It attempts to run the dropped copy as a system service. If that fails, it executes the dropped copy of itself as a normal user process.
One notable aspect of WannaCry is that a computer can be immunized from infection: if a certain mutex object name exists, most of the ransomware behavior is disabled (it will still modify some registry entries and drop some files, but will not encrypt any files). Here are the mutexes that we have seen it looking for:
*Global means that it is a system wide object.
The encryption begins by extracting a zip archive from the encryptor's resource section called “CFG” (in some variants; others use different section names). This archive contains the following six files, all created in the same folder where the ransomware ran. The file contents vary somewhat across WannaCry variants, and some variants use the extension
.wnry instead of
.wry. Here's a typical file set:
- b.wnry - bitmap file. The desktop background image used.
- c.wnry - contains data such as onion sites, email, and some web sites.
- m.wry - (dropped in other variants instead of "msg" folder) - RTF file containing ransom information. Analyzed variant has this in english language.
- r.wnry - ransom payment information template
- s.wnry - zip file containing Tor program
- t.wnry - Contains decrypt key and the ransomware DLL
- u.wnry - the Wanna Decryptor executable file that shows the ransom notes window.
- a folder named "msg" that contains more .wnry files. These files are RTF files containing ransom information in many, many languages. Examples:
- m_chinese (simplified).wnry
- m_chinese (traditional).wnry
- ... and many more
- taskse.exe - program that runs the executable passed in its arguments
taskdl.exe - Finds files in the folder where this file is executed and deletes files with ".WNCRYT" extension name. It also does the same in the $RECYCLE (a.k.a. Recycle Bin) folder.
It attempts to set the folder where the WannaCrypt executable file is to be hidden by running this command line:
Then grants the Everyone group full access to the folder:
The file “t.wry” is processed first, starting with checking for “WANNACRY” (or "WANACRY!") in the header and then decrypting an RSA AES key blob and a Win32 PE DLL file into an allocated memory space.
Code execution is then passed to the only export function of the DLL, which contains the rest of the ransomware behavior.
The DLL portion of the process begins by making the following entry in the registry:
If that fails, the following entry is created instead:
We've seen other variants drop slightly different registry entries as well.
For persistence, either a scheduled job or registry entry will then be created. For Windows versions lower than Windows 10 or Server 2016, it will create a scheduled task.
Should that fail, or if running on Windows 10 or Server 2016, the following registry entry is generated:
WannaCry then begins processing the “c.wry” file, reading links contained within the file and other data for later use. Then, “u.wry” is copied as “!WannaDecryptor!.exe” in the same directory containing the WannaCry executable file. A batch file with a randomly-generated name is also created, consisting of all numbers, i.e. 12998149874967.bat. WannaCry writes code in that batch file which creates a shortcut (.lnk) that points to “!WannaDecryptor!.exe.”
Next, reading the contents of “r.wry,” which contains the notification template, WannaCry creates the file “!Please Read Me!.txt” containing an updated copy of the following template, including the data read previously from “c.wry”:
The file “00000000.pky” is created, containing a public key, as well as “00000000.eky,” which contains an encrypted, private key. These keys are used to encrypt the computer’s files, creating the Mutex:
All logical drives are searched, staring from the root directory with the following file extensions:
der, pfx, key, crt, csr, p12, pem, odt, ott, sxw, stw, uot, 3ds, max, 3dm, ods, ots, sxc, stc, dif, slk, wb2, odp, otp, sxd, std, uop, odg, otg, sxm, mml, lay, lay6, asc, sqlite3, sqlitedb, sql, mdb, db, dbf, odb, frm, myd, myi, ibd, mdf, ldf, sln, suo, cs, c, cpp, pas, h, js, vb, pl, dip, dch, sch, brd, jsp, php, asp, rb, java, jar, class, sh, mp3, wav, swf, fla, wmv, mpg, vob, mpeg, asf, avi, mov, mp4, 3gp, mkv, 3g2, flv, wma, mid, m3u, m4u, ai, psd, nef, tiff, tif, cgm, raw, gif, png, bmp, backup, zip, rar, 7z, gz, tgz, tar, bak, tbk, tar, bz2, PAQ, ARC, aes, gpg, vmx, vmdk, vdi, 602, hwp, edb, potm, potx, ppam, ppsx, ppsm, pps, pot, pptm, xltm, xltx, xlc, xlm, xlt, xlw, xlsb, xlsm, dotx, dotm, dot, docm, docb, jpg, jpeg, dwg, pdf, rtf, csv, txt, wk1, wks, 123, vsdx, vsd, eml, msg, ost, pst, pptx, ppt, xlsx, xls, docx, doc
Skipped files are those with complete pathnames containing any of these strings:
- \Program Files
- \Program Files (x86)
- \Local Settings\Temp
- This folder protects against ransomware. Modifying it will reduce protection
- Temporary Internet Files
The file encryption process starts at the desktop folder, using SHGetFolderPathW API.
It will then pass this target folder to its Directory Parsing Sub Function at sub_10002270, using the APIs FindFirstFileW, FindNextFileW and FindClose to locate its targeted files.
After parsing a folder is complete, the list of files in this folder has been generated in a buffer, which will be passed to its file infection function at sub_100018EO, using APIS such as CreateFileW, ReadFile and WriteFile to create the encrypted file. Initially, the string “WANNACRY” is written on the infected files.
File buffer encryption is done by sub_10006700, accepting six arguments. Stack is shown in the pink box below:
- Buffer for File Contents = 01B20020 (Yellow Box)
- Output Buffer for Encrypted Results = 01C30020
- Size of Buffer = 000053F0
- An integer Value = 00000001
- Filename Buffer = 01301ED0
- Stack Pointer, related to AES Encryption Requirements = 0012ED48 (Prepared by sample using Crypto APIs)
After calling sub_10006700 (AES Encryption) the buffer 01C30020 contains the encrypted bytes and will be written via the WriteFile API.
Then, MoveFileW will be called to replace its temporary file “.WCRYT” with “.WCRY.”
DeleteFileW will be called to delete the original file.
Next, the sample looks at the logical drives and uses the same functions to parse through the folders and files of the computer recursively.
Wannacry Ransomware Encrypted File Format
File Encryption Summary:
- Ransomware Executable imports its RSA private key from .data section to decrypt a Payload DLL to file “t.wry.”
- Payload DLL generates a new RSA key pair.
- New RSA public key is saved to “00000000.pky.”
- New RSA private key is encrypted by CryptEncrypt API by using Payload DLL's RSA public key from its .data section.
- Encrypted RSA private key is saved to “00000000.eky.”
- Payload DLL finds the target files and generates one AES key per file.
- Payload DLL uses NEW public RSA key from “00000000.pky” to encrypt AES key of target file and saves encrypted AES key to the target file.
- Payload DLL AES encrypts the target file and writes it to the new file with .WCRY extension.
- To decrypt the files, the WANNACRY decryptor looks for “00000000.dky” file, which contains the RSA private key from the malware authors.
- RSA private key from malware authors can be used to decrypt AES key per file, then decrypt each file using AES keys.
Encrypted files are renamed with a ".WCRY" (or .WNCRY) extension as shown below.
After encryption, the following executable is run to tell the user they've been encrypted:
That executable displays the following window:
Additionally, the desktop wallpaper is replaced by a bitmap file named “!WannaCryptor!.bmp,” as shown below:
The user notification component schedules "taskdl.exe" to run every 30s which re-starts the ransomware. On subsequent rounds, the ransomware is executed with the 'vs' parameter:
It executes Wanna Decryptor with the "vs" parameter:
This results in deleting shadow copies of the users' files, preventing restoration via that mechanism. This is accomplished by running the following command:
It also kills any local Exchange and known SQL processes:
This allows the ransomware to further encrypt PST files and local databases.
In many ways, WannaCry is like many other ransomware variants that we've seen in the wild. What was new here was the aggressive use of the EternalBlue vulnerability to spread laterally within an organization once a foothold was achieved—something we've seen in other kinds of malware, but not commonly in ransomware. It should serve as a lesson that this particular vulnerability was well known and had already been patched by Microsoft (for supported OSs, at least), but said patches were not deployed in all cases. Aside from this capability, the encryption functionality and other mechanisms within WannaCry were fairly typical and not terribly sophisticated; good-quality behavioral process detection such as that available in VIPRE was able to stop it in its tracks.
- Spreading/Worm component was based on sample db349b97c37d22f5ea1d1841e3c89eb4. Unknown source as of this moment.
- Wannacrypt Ransomware initial analysis based on sample f529f4556a5126bba499c26d67892240.
- More information added based on additional samples, including the dropped ransomware component from db349b97c37d22f5ea1d1841e3c89eb4
- EternalBlue is documented at https://en.wikipedia.org/wiki/EternalBlue
DoublePulsar is documented at https://en.wikipedia.org/wiki/DoublePulsar