WannaCryptor Ransomware Analysis


In-depth analysis of Trojan/Win32.WannaCryptor

220, Pangyoyeok-ro, Bundang-gu, Seongnam-si, Gyeonggi-do, South Korea, 13493
Tel: 031-722-8000 Fax: 031-722-8901 www.ahnlab.com
AhnLab, Inc. All rights reserved.

Contents
01. Overview ... 3
02. Routes of Infection ... 4
03. Attack Method of WannaCryptor ... 5
  1) Detailed analysis of operating process ... 5
  2) Symptoms of infection ... 8
  3) Method of file encryption and decryption ... 12
04. Countermeasures ... 16

01. Overview

The first attack by the WannaCryptor ransomware, also known as WannaCry and Wcrypt, was reported on May 12, 2017 in Spain and the UK, and it quickly spread worldwide. [1][2] WannaCryptor was first discovered in February 2017. The newly discovered WannaCryptor was created from EternalBlue, a National Security Agency (NSA) exploit leaked by the Shadow Brokers in April 2017. EternalBlue exploits a vulnerability in the Server Message Block (SMB) protocol of Microsoft Windows, also known as MS17-010. [3] Microsoft released security updates to resolve the SMB vulnerability in March 2017, but the majority of users did not apply the patch, leaving their systems exposed.

On May 12, 2017, WannaCryptor began to spread worldwide, and as of May 17, 2017, more than 500 variants had been found, according to AhnLab Smart Defense (ASD), an AhnLab threat analysis system. The samples of WannaCryptor analyzed in this report are listed in [Table 1].

No. | MD5 | File name | Size (bytes) | Features
1 | DB349B97C37D22F5EA1D1841E3C89EB4 | mssecsvc.exe | 3,723,264 | Dropper propagating via SMB vulnerability
2 | 84C82835A5D21BBCF75A61706D8AB549 | tasksche.exe | 3,514,368 | File encryption
[Table 1] Samples of WannaCryptor

[1] http://www.bbc.com/news/technology-39901382
[2] http://varlamov.ru/2370148.html
[3] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

02. Routes of Infection

Most ransomware infects a user's computer by leading the user to open a compromised email attachment or visit a malicious website. WannaCryptor instead leveraged the Windows vulnerability MS17-010 (SMB Remote Code Execution Vulnerability) and rapidly infected vulnerable systems. WannaCryptor was able to spread fast because a computer running an unpatched Windows version can become infected simply by being connected to the Internet, without any user action. The Windows SMB vulnerabilities related to the WannaCryptor distribution are shown in [Table 2].

- Windows SMB Remote Code Execution Vulnerability (CVE-2017-0143)
- Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)
- Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
- Windows SMB Remote Code Execution Vulnerability (CVE-2017-0146)
- Windows SMB Information Disclosure Vulnerability (CVE-2017-0147)
- Windows SMB Remote Code Execution Vulnerability (CVE-2017-0148)
[Table 2] SMB vulnerabilities related to the WannaCryptor distribution

Operating systems affected by the SMB vulnerabilities are shown in [Table 3]. Despite the vulnerabilities, Windows 10 has not been targeted by WannaCryptor.

- Windows XP / Vista / 7 / 8.1 / RT 8.1
- Windows 10 (not targeted by WannaCryptor, despite having SMB vulnerabilities)
- Windows Server 2003 / 2008 R2 SP1, SP2 / 2012 R2 / 2016
[Table 3] Operating systems affected by SMB vulnerabilities

03. Attack Method of WannaCryptor

1) Detailed analysis of operating process

The operating process of the WannaCryptor exploit is shown in [Figure 1].

[Figure 1] WannaCryptor operating process

(1-1) Accesses certain URLs
Once activated, WannaCryptor attempts to connect to the URLs shown in [Table 4]. Only when the connection fails does it continue execution of the attack. Through this action, WannaCryptor avoids behavior-based anti-malware protection by ensuring that the PC environment is real, not virtual. As of May 2017, new variants of the ransomware that attempt to connect to URLs other than those stated in [Table 4] are still being discovered.

- http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
[Table 4] URLs used by WannaCryptor

The execution code that checks the connection to the stated URL is shown in [Figure 2].

[Figure 2] Code to confirm connection to the URL

WannaCryptor registers itself as a service within the system using administrator privileges. This allows WannaCryptor to execute the malicious code automatically every time the system starts. The service name mssecsvc2.0 is disguised as a Microsoft security service, and the service is started with the -m security argument. The service information is shown below in [Figure 3].

[Figure 3] Service properties registered by ransomware

(1-2) Exploits SMB vulnerability targeting the victim's IP range and random IPs
When WannaCryptor starts running as a service, it exploits the SMB vulnerability in order to distribute itself. It scans the victim's IP range as well as randomly generated IPs, transmitting SMB packets over port 445. An excessive number of packets may be generated in this process, resulting in traffic overload.

(1-3) Infects systems via SMB vulnerabilities
WannaCryptor uses the IP scanning process to find more target systems with SMB vulnerabilities to send the packets to. As shown in [Figure 4], WannaCryptor generates data that includes Remote Code Execution (RCE) in the header of the SMB packet, which exploits the SMB vulnerability. The shellcode is activated if the target's operating system is unpatched.

[Figure 4] RCE packet that exploits SMB vulnerability

[Figure 5] shows the shellcode that is executed after exploitation.

[Figure 5] Shellcode executed after the SMB exploit

(1-4) Infects other systems
WannaCryptor runs on the initially infected system and then spreads through the SMB vulnerability again, infecting further systems.

(2-1) Creates additional malicious file
After the initial execution, WannaCryptor creates an additional malicious file in one of the system paths shown in [Table 5]. The system path used for file creation may differ depending on the targeted Windows version. [Random] is the name of the newly created folder, a unique value generated from system information.

- C:\ProgramData\[Random]\tasksche.exe
- C:\Intel\[Random]\tasksche.exe
- C:\Windows\tasksche.exe
- C:\User\(Username)\AppData\Local\Temp\[Random]\tasksche.exe
[Table 5] Paths where the malicious file is created

2) Symptoms of infection

The file that performs the malicious behavior is the additionally created file, tasksche.exe. This file is executed in install mode using the /i argument given by the dropper. When this executable file runs for the first time with the /i argument, it is registered as a service, as shown in [Figure 6]. The name of the service follows the name of the [Random] folder where the executable files are stored.

[Figure 6] Service properties of tasksche.exe file

Once registered, tasksche.exe runs as a service and creates additional files in the same path, as shown in [Table 6], hiding them with the attrib +h command.

File name | File function
b.wnry | Image file that is set as the wallpaper after file encryption.
c.wnry | Configuration file for Tor (access URL, download URL).
f.wnry | List of sample files to decrypt.
r.wnry | readme.txt
s.wnry | ZIP compressed file of the Tor module.
t.wnry | Encryption module, which is itself encrypted.
u.wnry | Identical to the @WanaDecryptor@.exe program that demands Bitcoin payment.
taskdl.exe | Internal program used by the encryption module.
taskse.exe | Internal program used by the encryption module.
00000000.pky | Public key file.
00000000.eky | Encrypted private key file.
[Table 6] List of files generated by tasksche.exe

[Figure 7] List of files generated by tasksche.exe (2)

Message files displayed as a ransom note in 28 languages are created in the msg folder, as shown in [Figure 8].

[Figure 8] List of ransom note files named after 28 languages

Files for the Tor network are created in the TaskData folder, as shown in [Figure 9]. The Tor network, which enables anonymous communication, is used to make tracking more difficult.

[Figure 9] Tor files created in TaskData folder

WannaCryptor encrypts files on the infected system and appends .wncry to the extension. The targeted file extensions are shown in [Table 7].

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqllitedb, .sql, .accdb, .mdb, .db, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf,
.sln, .suo, .cs, .c, .cpp, .pas, .h, .asm, .js, .cmd, .bat, .ps1, .vbs, .vb, .pl, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .rb, .java, .jar, .class, .sh,
.mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .ai, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso,
.backup, .zip, .rar, .7z, .gz, .tgz, .tar, .bak, .tbk, .bz2, .paq, .arc, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst,
.potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc
[Table 7] List of extensions targeted by WannaCryptor

After encrypting files, WannaCryptor changes the wallpaper of the system, as shown in [Figure 10], and informs the user of the infection.

[Figure 10] Wallpaper changed by an encrypted file

Then the ransomware displays the ransom note, which demands $300 USD in Bitcoin to recover the encrypted files. The ransom note is shown in [Figure 11] and is supported in 28 languages.

[Figure 11] WannaCryptor ransom note supported in 28 languages

3) Method of file encryption and decryption

WannaCryptor uses the tasksche.exe file to decrypt the t.wnry file, which is the encryption module, and loads it into its own memory for encryption. The encryption method is shown in [Figure 12].

[Figure 12] WannaCryptor encryption method

A public key (A) exists in the t.wnry file, which is decrypted and executed by the tasksche.exe file. An RSA public/private key pair (B) is created before files are encrypted. (A different key pair is created for each infected system.) The public key (B) is stored in the 00000000.pky file and is used every time a file is encrypted. The private key (B) is encrypted with the public key (A) and stored in the 00000000.eky file. Each file is encrypted using the AES-128-CBC method with a randomly generated AES key. WannaCryptor encrypts the file with this random AES key, and the random AES key is encrypted with the public key (B). The OriginalFileName.WNCRY file is generated by combining the encrypted AES key, the encrypted file data, the signature, and the file size. The format of the encrypted file is shown in [Figure 13].

[Figure 13] Format of encrypted file such as t.wnry file

Encrypted files have a predefined structure, shown in [Table 8].

- WANACRY! Signature
- Encrypted AES Key Size
- Encrypted AES Key
- Key Size Length
- Source File Length
- Encrypted File Data
[Table 8] Structure of encrypted file

The format of the 00000000.eky file is shown in [Figure 14].

[Figure 14] Format of encrypted private key file

This key file stores the encrypted RSA private key (B), without the first 4 bytes. The AES key stored in each encrypted file can be obtained after decrypting the 00000000.eky file, and the obtained AES key can then be used to decrypt the file. The decryption process for encrypted files is as follows:

(1) Use the private key (A) of the author to obtain the private key (B) from the 00000000.eky file.
(2) Use the private key (B) to decrypt the encrypted AES key in each file.
(3) Use the AES key to decrypt the original file contained in the encrypted file data, as shown in [Figure 14].

Currently, without the private key (A) of the author, it is not possible to recover files encrypted by WannaCryptor.
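A parser for the encrypted-file layout of [Table 8], written for triaging .WNCRY files during incident response and for locating the bytes that steps (2) and (3) above operate on, as an added example that is not part of the AhnLab report. The report gives no field widths; the widths used here (8-byte signature, 32-bit little-endian key-size and key-size-length fields, 64-bit little-endian source length) and the 256-byte encrypted AES key are assumptions, and the sample blob is constructed with dummy bytes rather than real ciphertext.

```python
import struct
from dataclasses import dataclass

SIGNATURE = b"WANACRY!"
HEAD = struct.Struct("<8sI")   # signature, encrypted AES key size   (widths assumed)
TAIL = struct.Struct("<IQ")    # key size length, source file length (widths assumed)
AES_BLOCK = 16                 # AES-128-CBC ciphertext is a whole number of blocks


class WncryFormatError(ValueError):
    """Raised when a blob does not follow the [Table 8] layout."""


@dataclass
class WncryHeader:
    enc_key_size: int      # bytes of RSA-encrypted AES key that follow the size field
    enc_aes_key: bytes     # needs private key (B) before the AES key can be recovered
    key_size_length: int   # "Key Size Length" field, kept verbatim
    source_length: int     # original plaintext length, readable without any key
    data_offset: int       # where Encrypted File Data starts inside the blob
    enc_data_length: int   # bytes of AES-CBC ciphertext


def parse_wncry(blob: bytes) -> WncryHeader:
    """Validate and split a .WNCRY blob into its fields; no decryption is attempted."""
    if len(blob) < HEAD.size:
        raise WncryFormatError("too short to hold the signature")
    sig, key_size = HEAD.unpack_from(blob, 0)
    if sig != SIGNATURE:
        raise WncryFormatError("missing WANACRY! signature")
    off = HEAD.size
    if key_size == 0 or len(blob) < off + key_size + TAIL.size:
        raise WncryFormatError("truncated or implausible encrypted key block")
    enc_key = blob[off:off + key_size]
    off += key_size
    key_size_length, source_length = TAIL.unpack_from(blob, off)
    off += TAIL.size
    enc_len = len(blob) - off
    if enc_len % AES_BLOCK:
        raise WncryFormatError("ciphertext is not a multiple of the AES block size")
    if source_length > enc_len:
        raise WncryFormatError("source length exceeds the ciphertext length")
    return WncryHeader(key_size, enc_key, key_size_length, source_length, off, enc_len)


def build_sample(source_length: int = 1000) -> bytes:
    """Constructed .WNCRY blob with dummy key and ciphertext bytes (no real crypto)."""
    enc_key = b"\xab" * 256                                  # stands in for the RSA-wrapped key
    padded = (source_length // AES_BLOCK + 1) * AES_BLOCK   # PKCS#7-style padding assumed
    enc_data = b"\xcd" * padded
    return HEAD.pack(SIGNATURE, len(enc_key)) + enc_key + TAIL.pack(4, source_length) + enc_data


if __name__ == "__main__":
    h = parse_wncry(build_sample())
    print(f"source length {h.source_length}, {h.enc_data_length} ciphertext bytes at offset {h.data_offset}")
```

The source length is the one useful fact recoverable without any key; everything past the header stays opaque until private key (A) yields private key (B).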

04. Countermeasures

AhnLab's solutions detect and remove WannaCryptor through the following functions.

1. V3 Products
- Detects and removes WannaCryptor (Alias: Trojan/Win32.WannaCryptor.xxxxxxxx)
- The V3 engine is kept up to date when Automatic Update is applied.
- Performs real-time scanning.
- The latest MS Windows security patch must be applied.

2. AhnLab MDS
- Detects WannaCryptor behaviors (Suspicious/MDP.Behavior, Malware/MDP.Create).
- Uses the Execution Holding function via the MDS agent to suspend execution of malware.
- The latest MS Windows security patch must be applied.

3. AhnLab TrusLine / AhnLab EPS
- Prevents WannaCryptor from running in Lock Mode.

4. AhnLab Patch Management
- Applies the latest MS Windows security updates through centralized control.
- Provided security patches in March and May 2017 via AhnLab Patch Lab. (* Complete updates for closed network environments.)
- Provided security patch in March. (Application also completed in March.)
- Provided security patch in May. (Patches for Microsoft's non-supported OS: Windows XP / 8, Windows Server 2003.)
- The system must be restarted to apply patches.

5. AhnLab TrusGuard / AhnLab TrusGuard IPX
- Prevents EternalBlue exploits and WannaCryptor behaviors.

For further details on WannaCryptor analysis, the latest trends, response guidelines, security guidelines for prevention, and more, visit the AhnLab Security Center or the AhnLab Security Emergency Response Center (ASEC) blog.