Pierluigi Paganini
May 13, 2017
It was a Black Friday for cyber security, organizations and critical infrastructure across at least 74 countries have been infected by the WannaCry ransomware worm, aka WanaCrypt, WannaCrypt or Wcry.
Experts from the security firm Avast detected more than 75,000 attacks in 99 countries, most of the infections were observed in Russia, Ukraine, and Taiwan.
A real-time map of the infection if available at the following address:
https://intel.malwaretech.com/botnet/wcrypt/?t=5m&bid=all
The massive ransomware attack was first observed targeting UK hospitals and Spanish banks, big companies like Telefónica, Vodafone, FedEx has some of their systems infected with the threat that also hit rail stations and universities.
The Spanish CERT issued an alert warning the organizations and confirming that the malware was rapidly spreading.
Source Arstechnica
The WannaCry exploits the NSA EternalBlue / DoublePulsar exploits to infect other connected Windows systems on the same network, the malware implements network warm capabilities that allow it to rapidly spread.
“The special criticality of this campaign is caused by exploiting the vulnerability described in bulletin MS17-010 using EternalBlue / DoublePulsar, which can infect other connected Windows systems on the same network that are not properly updated. Infection of a single computer can end up compromising the entire corporate network.” states the security alert issued by the CERT.
“The ransomware, a variant of WannaCry, infects the machine by encrypting all its files and, using the vulnerability mentioned in the previous paragraph that allows the execution of remote commands through Samba (SMB) and is distributed to other Windows machines in That same network.”
The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system, it is installed by leveraging the ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that could trigger an RCE in older versions of Windows (Windows XP to Server 2008 R2).
The WannaCry ransomware spreads via SMB, it encrypts the files on the infected machines and charges $300 or $600 in Bitcoin to restore them.
The good news is that malware researchers have discovered a kill switch in the ransomware code. The WannaCry ransomware checks for the existence of a particular domain in order to stop the infection.
https://twitter.com/GossiTheDog/status/863160534308454400
The domain was created today by a UK experts at MalwareTechBlog that made a reverse engineering of the code.
The Kill Switch domain is iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, the domain was sinkholed by law enforcement. to a server in California, and the admins of the infected systems reaching out to the dot-com will be notified, we’re told. “IP addresses from our sinkhole have been sent to FBI.
Below the messages displayed when a machine tries to connect it:
“IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organisations should get a notification soon,” said the researcher. The infosec bod admitted they registered the domain first, then realized it was a kill switch. Still, job done.”
Experts from CISCO Talos group made an interesting analysis of the WannaCry ransomware.
“WannaCry does not appear to be only be leveraging the ETERNALBLUE modules associated with this attack framework, it is simply scanning accessible servers for the presence of the DOUBLEPULSAR backdoor. In cases where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality available and uses it to infect the system with WannaCry.” reads the analysis from Talos.”In cases where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet.”
Below the complete infection process described in the analysis published by the experts at the Talos team:
“An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked. Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet. When the malware successfully connects to a machine, a connection is initiated and data is transferred. We believe this network traffic is an exploit payload. It has been widely reported this is exploiting recently disclosed vulnerabilities addressed by Microsoft in bulletin MS17-010. We currently don’t have a complete understanding of the SMB traffic, and exactly what conditions need to be present for it to spread using this method.” states the analysis.
“The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:/’, ‘D:/’ etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory ‘Tor/’ into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe.”
Malware samples are listed on GitHub, the page also included addresses of Bitcoin wallets for the malware. A decrypted sample of the WannaCry ransomware is available here:
https://twitter.com/laurilove/status/863072240123949059
Microsoft has published a security advisory for the threat and an emergency patch for Windows XP.
[adrotate banner=”9″]
(Security Affairs – WannaCry ransomware, cybercrime)
[adrotate banner=”13″]
