WannaCryptor Ransomware Analysis
In-depth analysis of Trojan/Win32.WannaCryptor

AhnLab, Inc.
220, Pangyoyeok-ro, Bundang-gu, Seongnam-si, Gyeonggi-do, South Korea, 13493
Tel: 031-722-8000  Fax: 031-722-8901  www.ahnlab.com
AhnLab, Inc. All rights reserved.
Contents
01. Overview
02. Routes of Infection
03. Attack Method of WannaCryptor
  1) Detailed analysis of operating process
  2) Symptoms of infection
  3) Method of file encryption and decryption
04. Countermeasures
01. Overview

The first attack by the WannaCryptor ransomware, also known as WannaCry and Wcrypt, was reported on May 12, 2017 in Spain and the UK [1][2], and it has quickly spread worldwide.

WannaCryptor was first discovered in February 2017. The newly discovered WannaCryptor was created from a strain of EternalBlue, a National Security Agency (NSA) exploit leaked by the Shadow Brokers in April 2017. This exploit toolkit, EternalBlue, exploits a vulnerability in the Server Message Block (SMB) protocol of Microsoft Windows, also known as MS17-010 [3]. Microsoft released security updates to resolve the SMB vulnerability in March 2017, but the majority of users did not apply the patch, leaving their systems exposed.

On May 12, 2017, WannaCryptor began to spread worldwide, and as of May 17, 2017, more than 500 variants had been found, according to AhnLab Smart Defense (ASD), an AhnLab threat analysis system. The samples of WannaCryptor analyzed in this report are listed in [Table 1].

No.  MD5                               File name     Size (bytes)  Features
1    DB349B97C37D22F5EA1D1841E3C89EB4  mssecsvc.exe  3,723,264     Dropper propagating via SMB vulnerability
2    84C82835A5D21BBCF75A61706D8AB549  tasksche.exe  3,514,368     File encryption
[Table 1] Samples of WannaCryptor

[1] http://www.bbc.com/news/technology-39901382
[2] http://varlamov.ru/2370148.html
[3] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
02. Routes of Infection

Most ransomware infects users' computers by leading them to open compromised email attachments or to visit malicious websites. WannaCryptor instead leveraged a Windows vulnerability (MS17-010, SMB Remote Code Execution Vulnerability) and rapidly infected vulnerable systems. WannaCryptor was able to spread fast because a computer running an unpatched Windows version can become infected simply by being connected to the Internet, without requiring any user action.

The Windows SMB vulnerabilities related to the WannaCryptor distribution are shown in [Table 2].

- Windows SMB Remote Code Execution Vulnerability (CVE-2017-0143)
- Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)
- Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
- Windows SMB Remote Code Execution Vulnerability (CVE-2017-0146)
- Windows SMB Information Disclosure Vulnerability (CVE-2017-0147)
- Windows SMB Remote Code Execution Vulnerability (CVE-2017-0148)
[Table 2] SMB vulnerabilities related to the WannaCryptor distribution

The operating systems affected by the SMB vulnerabilities are shown in [Table 3]. Despite the vulnerabilities, Windows 10 has not been targeted by WannaCryptor.

- Windows XP / Vista / 7 / 8.1 / RT 8.1
- Windows 10 (not targeted by WannaCryptor, despite having SMB vulnerabilities)
- Windows Server 2003 / 2008 R2 SP1, SP2 / 2012 R2 / 2016
[Table 3] Operating systems affected by SMB vulnerabilities
03. Attack Method of WannaCryptor

1) Detailed analysis of operating process

The operating process of the WannaCryptor exploit is shown in [Figure 1].

[Figure 1] WannaCryptor operating process

(1-1) Accesses certain URLs

Once activated, WannaCryptor attempts to connect to the URLs shown in [Table 4]. Only when the connection fails does it continue execution of the attack. Through this action, WannaCryptor evades behavior-based anti-malware protection by ensuring that the PC environment is real, not virtual. As of May 2017, new variants of the ransomware that attempt to connect to URLs other than those stated in [Table 4] are still being discovered.

- http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
- http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
[Table 4] URLs used by WannaCryptor
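Because the dropper's first action is a lookup of the [Table 4] hostnames, resolver logs are one of the earliest places an infection shows up. The following script is an added example and not code from the AhnLab report: it sweeps constructed resolver-log lines for the two kill-switch names and ranks each client by whether the lookup failed (the case in which, per the report, the dropper continues). The log line layout (`client=`, `query=`, `rcode=`) is an assumed, simplified format; adapt `LOG_RE` to the resolver actually in use.

```python
"""Spot WannaCryptor kill-switch lookups in resolver logs.

Added example; not code from the AhnLab report. The two domain names are the
[Table 4] URLs without the scheme. The log line layout (timestamp, client=,
query=, rcode=) is a constructed, simplified resolver-log format.
"""
import re
from collections import defaultdict

# Hostnames from the report's [Table 4], without the http:// scheme.
KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed log layout: one query per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+query=(?P<qname>\S+)\s+rcode=(?P<rcode>\w+)$"
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
2017-05-12T08:01:02Z client=10.0.0.5 query=www.example.com rcode=NOERROR
2017-05-12T08:01:07Z client=10.0.0.17 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NXDOMAIN
2017-05-12T08:01:09Z client=10.0.0.17 query=update.microsoft.com rcode=NOERROR
2017-05-12T08:02:30Z client=10.0.0.42 query=WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. rcode=NOERROR
2017-05-12T08:03:00Z client=10.0.0.5 query=www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NXDOMAIN
"""


def normalize_qname(qname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def find_kill_switch_lookups(log_text):
    """Return {client_ip: [(timestamp, domain, rcode), ...]} for every
    query that named one of the kill-switch domains."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the sweep
        qname = normalize_qname(m["qname"])
        if qname in KILL_SWITCH_DOMAINS:
            hits[m["client"]].append((m["ts"], qname, m["rcode"]))
    return dict(hits)


def triage(hits):
    """Rank each client. The report states the dropper continues only when its
    connection fails, so a failed lookup (non-NOERROR) is the urgent case. A
    successful lookup still means the dropper ran on that host; whether the
    HTTP connection then succeeded must be confirmed in proxy logs."""
    verdicts = {}
    for client, events in hits.items():
        failed = any(rcode != "NOERROR" for _, _, rcode in events)
        verdicts[client] = (
            "URGENT: lookup failed, payload likely continued" if failed
            else "INVESTIGATE: lookup resolved, confirm connection in proxy logs"
        )
    return verdicts


if __name__ == "__main__":
    for client, verdict in triage(find_kill_switch_lookups(SAMPLE_LOG)).items():
        print(client, verdict)
```

Either verdict means the dropper executed on that host; the difference only decides how quickly to isolate it. Hosts whose lookup resolved should still be checked for the service and file artifacts described later in this report.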
The execution code that checks the connection to the stated URL is shown in [Figure 2].

[Figure 2] Code to confirm connection to the URL

WannaCryptor registers itself as a service on the system using administrator privileges. This allows WannaCryptor to execute the malicious code automatically every time the system starts. The service name mssecsvc2.0 is disguised as a Microsoft service, and the service runs with the -m security argument. The service information is shown in [Figure 3].

[Figure 3] Service properties registered by ransomware

(1-2) Exploits the SMB vulnerability targeting the victim's IP range and random IPs

When WannaCryptor starts running as a service, it exploits the SMB vulnerability in order to distribute itself. It scans the victim's IP range as well as randomly generated IPs, transmitting SMB packets to port 445. An excessive number of packets may be generated in this process, resulting in traffic overload.
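The scanning behaviour described above has a recognisable network signature: one source opening connections to many distinct addresses on TCP/445 in a short time, including addresses outside the organisation's own ranges. The script below is an added example, not code from the AhnLab report, that applies a sliding-window fan-out count to constructed firewall-log lines. The line layout (`src=`, `dst=`, `dport=`, `action=`), the 60-second window, the 20-target threshold and the internal prefix `10.0.0.0/8` are all assumptions to be tuned against a real environment's baseline.

```python
"""Flag hosts fanning out to many TCP/445 destinations, the traffic pattern the
report describes for the WannaCryptor service (victim IP range plus random IPs).

Added example; not code from the AhnLab report. The log layout
"<ISO time> src=<ip> dst=<ip> dport=<port> action=<allow|deny>" is a constructed
firewall-log format; window, threshold and INTERNAL_NETS are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)   # assumption: sliding window length
THRESHOLD = 20                   # assumption: distinct 445 targets per window
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the org's own ranges


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for one constructed log line."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return (datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
            kv["src"], kv["dst"], int(kv["dport"]))


def find_smb_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Per source, count distinct port-445 destinations inside any sliding
    window. Return {src: {"max_distinct_445_targets": n, "external_targets": m}}
    for sources reaching the threshold; external_targets counts destinations
    outside INTERNAL_NETS, matching the report's random-IP scanning."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> number of events inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:   # evict events older than the window
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            external = {dst for _, dst in events if not is_internal(dst)}
            alerts[src] = {"max_distinct_445_targets": peak,
                           "external_targets": len(external)}
    return alerts


def build_sample_log():
    """Constructed sample: one host sweeps 15 internal and 15 external
    (RFC 5737 documentation range) addresses on 445 within 30 seconds;
    two other hosts show ordinary traffic."""
    base = datetime(2017, 5, 12, 9, 0, 0)
    lines = []
    for i in range(30):
        dst = f"10.0.1.{i + 1}" if i < 15 else f"198.51.100.{i - 14}"
        lines.append(f"{base + timedelta(seconds=i):%Y-%m-%dT%H:%M:%SZ} "
                     f"src=10.0.0.17 dst={dst} dport=445 action=deny")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.5 dst=10.0.0.200 dport=445 action=allow")
    lines.append(f"{base + timedelta(seconds=5):%Y-%m-%dT%H:%M:%SZ} src=10.0.0.5 dst=10.0.0.200 dport=445 action=allow")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.9 dst=203.0.113.10 dport=80 action=allow")
    return "\n".join(lines)


if __name__ == "__main__":
    print(find_smb_scanners(build_sample_log()))
```

Counting distinct destinations rather than raw packets keeps a busy file server, which talks to a few peers on 445 repeatedly, below the threshold, while a host that touches dozens of new addresses, and especially addresses outside the organisation's ranges, stands out.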
(1-3) Infects systems via SMB vulnerabilities

WannaCryptor uses the IP scanning process to find more target systems with the SMB vulnerability to send the packets to. As shown in [Figure 4], WannaCryptor generates data that includes Remote Code Execution (RCE) in the header of the SMB packet, which exploits the SMB vulnerability. The shellcode is activated if the target's operating system is unpatched.

[Figure 4] RCE packet that exploits the SMB vulnerability

[Figure 5] shows the shellcode that is executed after exploitation.

[Figure 5] Shellcode executed after the SMB exploit

(1-4) Infects other systems

WannaCryptor runs on the initially infected system and then spreads again through the SMB vulnerability, infecting other systems.

(2-1) Creates an additional malicious file

After the initial execution, WannaCryptor creates an additional malicious file in one of the system paths shown in [Table 5]. The system path used for file creation may differ depending on the targeted Windows version. [Random] is the folder name of the newly created file; it is a unique value generated by combining system information.
- C:\ProgramData\[Random]\tasksche.exe
- C:\Intel\[Random]\tasksche.exe
- C:\Windows\tasksche.exe
- C:\User\(Username)\AppData\Local\Temp\[Random]\tasksche.exe
[Table 5] Paths where the malicious file is created

2) Symptoms of infection

The file that performs the malicious behavior is the additionally created file, tasksche.exe. This file is executed in install mode using the /i argument given by the dropper. When this executable file runs for the first time with the /i argument, it is registered as a service, as shown in [Figure 6]. The name of the service follows the name of the [Random] folder where the executable files are stored.

[Figure 6] Service properties of the tasksche.exe file
Once registered, tasksche.exe runs as a service and creates additional files in the same path, as shown in [Table 6], hiding them by setting the hidden attribute (attrib +h).

File name      File function
b.wnry         Image file that is set as the wallpaper after file encryption.
c.wnry         Configuration file for Tor (access URL, download URL).
f.wnry         List of sample files to decrypt.
r.wnry         readme.txt
s.wnry         ZIP-compressed file of the Tor module.
t.wnry         Encryption module, which is itself encrypted.
u.wnry         Identical to the @WanaDecryptor@.exe program that demands Bitcoin payment.
taskdl.exe     Internal program used by the encryption module.
taskse.exe     Internal program used by the encryption module.
00000000.pky   Public key file.
00000000.eky   Encrypted private key file.
[Table 6] List of files generated by tasksche.exe

[Figure 7] List of files generated by tasksche.exe (2)
Message files displayed as the ransom note in 28 languages are created in the msg folder, as shown in [Figure 8].

[Figure 8] List of ransom note files named after 28 languages

Files for the Tor network are created in the TaskData folder, as shown in [Figure 9]. The Tor network, which enables anonymous communication, is used to make tracking more difficult.

[Figure 9] Tor files created in the TaskData folder

WannaCryptor encrypts files on the infected system and appends .WNCRY to the file extension. The targeted file extensions are shown in [Table 7].

.der .pfx .key .crt .csr .p12 .pem .odt .ott .sxw .stw .uot .3ds .max .3dm .ods .ots .sxc .stc .dif .slk .wb2 .odp .otp .sxd .std .uop .odg .otg .sxm .mml .lay .lay6 .asc .sqlite3 .sqllitedb .sql .accdb .mdb .db .dbf .odb .frm .myd .myi .ibd .mdf .ldf .sln .suo .cs .c .cpp .pas .h .asm .js .cmd .bat .ps1 .vbs .vb .pl .dip .dch .sch .brd .jsp .php .asp .rb .java .jar .class .sh .mp3 .wav .swf .fla .wmv .mpg .vob .mpeg .asf .avi .mov .mp4 .3gp .mkv .3g2 .flv .wma .mid .m3u .m4u .djvu .svg .ai .psd .nef .tiff .tif .cgm .raw .gif .png .bmp .jpg .jpeg .vcd .iso .backup .zip .rar .7z .gz .tgz .tar .bak .tbk .bz2 .paq .arc .aes .gpg .vmx .vmdk .vdi .sldm .sldx .sti .sxi .602 .hwp .snt .onetoc2 .dwg .pdf .wk1 .wks .123 .rtf .csv .txt .vsdx .vsd .edb .eml .msg .ost .pst .potm .potx .ppam .ppsx .ppsm .pps .pot .pptm .pptx .ppt .xltm .xltx .xlc .xlm .xlt .xlw .xlsb .xlsm .xlsx .xls .dotx .dotm .dot .docm .docb .docx .doc
[Table 7] List of extensions targeted by WannaCryptor

Once files have been encrypted, WannaCryptor changes the system wallpaper, as shown in [Figure 10], and informs the user of the infection.
[Figure 10] Wallpaper changed after file encryption

The ransomware then displays the ransom note, which demands $300 USD in Bitcoin to recover the encrypted files. The ransom note is shown in [Figure 11] and is available in 28 languages.

[Figure 11] WannaCryptor ransom note supported in 28 languages

3) Method of file encryption and decryption

WannaCryptor uses the tasksche.exe file to decrypt the t.wnry file, which is the encryption module, and loads it into its own memory to perform the encryption. The encryption method is shown in [Figure 12].
[Figure 12] WannaCryptor encryption method

A public key (A) is embedded in the t.wnry file, which is decrypted and executed by the tasksche.exe file.

An RSA public/private key pair is created before any file is encrypted (a different key pair is created for each infected system). The public key (B) is stored in the 00000000.pky file and is used every time a file is encrypted. The private key (B) is encrypted with the public key (A) and stored in the 00000000.eky file.

Each file is encrypted using AES-128-CBC with a randomly generated AES key. WannaCryptor encrypts the file with this random AES key, and the random AES key is then encrypted with the public key (B).

The OriginalFileName.WNCRY file is generated by combining the encrypted AES key, the encrypted file data, the signature, and the file size. The format of the encrypted file is shown in [Figure 13].
[Figure 13] Format of an encrypted file such as the t.wnry file

Encrypted files have a predefined structure, shown in [Table 8].

- WANACRY! Signature
- Encrypted AES Key Size
- Encrypted AES Key
- Key Size Length
- Source File Length
- Encrypted File Data
[Table 8] Structure of an encrypted file

The format of the 00000000.eky file is shown in [Figure 14].
[Figure 14] Format of the encrypted private key file

This key file stores the encrypted RSA private key (B), without the first 4 bytes. The AES key stored in each encrypted file can be obtained once the 00000000.eky file has been decrypted, and the obtained AES key can then be used to decrypt that file. The decryption process for encrypted files is as follows:

(1) Use the private key (A) of the author to obtain the private key (B) from the 00000000.eky file.
(2) Use the private key (B) to decrypt the encrypted AES key in each file.
(3) Use the AES key to decrypt the original file contained in the encrypted file data, as shown in [Figure 14].

Currently, without the private key (A) of the author, it is not possible to recover files encrypted by WannaCryptor.
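For an analyst triaging a suspected infection, the [Table 8] layout and the per-file AES-128-CBC scheme from 3) are enough to parse a .WNCRY container and judge whether it is internally consistent, even though, as stated above, the data cannot be decrypted without the author's private key (A). The following parser is an added example and not code from the AhnLab report. The report gives only the field order; the field widths used here (8-byte signature, 4-byte little-endian key size, the encrypted key, a 4-byte "key size length" field, an 8-byte little-endian source length, then the data) are assumptions, and the sample container is built from dummy bytes with no real encryption.

```python
"""Parse and sanity-check the .WNCRY container layout listed in [Table 8].

Added example; not code from the AhnLab report. Field widths are assumptions
(the report gives the field order only): 8-byte "WANACRY!" signature, 4-byte
little-endian encrypted-AES-key size, the encrypted key, 4-byte "key size
length" field, 8-byte little-endian source-file length, then encrypted data.
The sample container is constructed from dummy bytes; nothing here encrypts
or decrypts anything.
"""
import struct
from dataclasses import dataclass

SIGNATURE = b"WANACRY!"
AES_BLOCK = 16
HEADER = struct.Struct("<8sI")    # signature, encrypted AES key size (assumed widths)
TRAILER = struct.Struct("<IQ")    # key size length field, source file length (assumed widths)


@dataclass
class WncryFile:
    enc_key_size: int
    enc_key: bytes
    key_size_length: int
    source_len: int
    ciphertext: bytes


def parse_wncry(blob):
    """Split a container into its [Table 8] fields; raise ValueError if the
    bytes cannot be the described layout."""
    if len(blob) < HEADER.size:
        raise ValueError("too short to hold the signature and key size")
    sig, enc_key_size = HEADER.unpack_from(blob, 0)
    if sig != SIGNATURE:
        raise ValueError("WANACRY! signature missing")
    offset = HEADER.size
    if enc_key_size == 0 or len(blob) < offset + enc_key_size + TRAILER.size:
        raise ValueError("truncated: encrypted key block or trailer missing")
    enc_key = blob[offset:offset + enc_key_size]
    offset += enc_key_size
    key_size_length, source_len = TRAILER.unpack_from(blob, offset)
    offset += TRAILER.size
    return WncryFile(enc_key_size, enc_key, key_size_length, source_len, blob[offset:])


def check_consistency(f):
    """Findings that would make an analyst doubt the file is a normal
    WannaCryptor output; an empty list means it is consistent."""
    findings = []
    if len(f.ciphertext) % AES_BLOCK:
        # The report states files are encrypted with AES-128-CBC, whose output
        # is always a whole number of 16-byte blocks.
        findings.append("encrypted data is not a multiple of the AES block size")
    if len(f.ciphertext) < f.source_len:
        findings.append("encrypted data is shorter than the declared source file length")
    return findings


def build_sample(source_len, ciphertext, enc_key=b"\xAA" * 256, key_size_length=4):
    """Constructed container for exercising the parser. The key and data are
    dummy bytes; 256 bytes is an assumed size for an RSA-encrypted AES key."""
    return (HEADER.pack(SIGNATURE, len(enc_key)) + enc_key
            + TRAILER.pack(key_size_length, source_len) + ciphertext)


if __name__ == "__main__":
    sample = build_sample(source_len=1000, ciphertext=bytes(1008))
    parsed = parse_wncry(sample)
    print(parsed.enc_key_size, parsed.source_len, len(parsed.ciphertext),
          check_consistency(parsed))
```

The signature check alone is enough to sweep a file share for encrypted files regardless of extension, and the two consistency checks catch containers that were truncated or tampered with, which matters when deciding whether a backup or a recovered file is worth keeping for a possible future decryption.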
04. Countermeasures

AhnLab's solutions detect and remove WannaCryptor through the following functions.

1. V3 Products
- Detects and removes WannaCryptor (Alias: Trojan/Win32.WannaCryptor.xxxxxxxx).
- The V3 engine is kept up to date when Automatic Update is enabled.
- Performs real-time scanning.
- The latest MS Windows security patch must be applied.

2. AhnLab MDS
- Detects WannaCryptor behaviors (Suspicious/MDP.Behavior, Malware/MDP.Create).
- Uses the Execution Holding function via the MDS agent to suspend execution of the malware.
- The latest MS Windows security patch must be applied.

3. AhnLab TrusLine / AhnLab EPS
- Prevents WannaCryptor from running in Lock Mode.

4. AhnLab Patch Management
- Applies the latest MS Windows security updates through centralized control.
- Provided security patches in March and May 2017 via AhnLab Patch Lab. (* Complete updates for closed network environments.)
- Provided the security patch in March. (Application also completed in March.)
- Provided the security patch in May. (Patches for Microsoft's non-supported OS: Windows XP / 8, Windows Server 2003.)
- The system must be restarted to apply patches.

5. AhnLab TrusGuard / AhnLab TrusGuard IPX
- Prevents EternalBlue exploits and WannaCryptor behaviors.

For further details on WannaCryptor analysis, the latest trends, response guidelines, security guidelines for prevention, and more, visit the AhnLab Security Center or the AhnLab Security Emergency Response Center (ASEC) blog.