WannaCrypt ransomware worm targets out-of-date systems

Original authors: Karthik Selvaraj, Elia Florio, Andrea Lelli, Tanmay Ganacharya
  • Translation
On May 12, a technical article about the WannaCrypt ransomware appeared on the official Microsoft blog. Since this topic is still of concern to many, we have translated it for you. Read on below.



On May 12, 2017, we detected a new ransomware that spreads like a worm by leveraging previously patched vulnerabilities. On most computers security updates are installed automatically, but some users and enterprises delay installing them. Unfortunately, the ransomware, known as WannaCrypt, attacks computers that have not been patched against these vulnerabilities. While the attack continues, we remind users to install security update MS17-010 if they have not yet done so.

Microsoft's antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it unfolded, allowing Windows Defender Antivirus to deliver real-time protection. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.

In this blog post we present the results of our preliminary analysis of the attack. Please note that we are continuing to investigate this threat. The attack is still active, and the attackers may try to react to our defensive measures.

Attack vector


Ransomware does not usually spread quickly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, and WCRY) normally rely on social engineering and email as the primary attack vector, counting on the user to download and run the malware. In this unusual case, however, the ransomware authors used publicly available exploit code for the patched SMB vulnerability "EternalBlue" (CVE-2017-0145), which is triggered by sending a specially crafted packet to a target SMBv1 server. The vulnerability was fixed in security bulletin MS17-010, released on March 14, 2017.

WannaCrypt's spreading mechanism was borrowed from well-known public SMB exploits, which armed this ransomware with worm-like capabilities, creating an entry point on machines that were still unpatched even after the security update became available.

The exploit code used by WannaCrypt works only against unpatched Windows 7 and Windows Server 2008 systems (or earlier OS versions), so Windows 10 machines are not affected by this attack.

We have not found evidence of the exact initial entry vector used in this attack, but there are two highly probable scenarios that, in our opinion, explain how this ransomware spread:

  • Arrival through social-engineered emails designed to trick users into opening them, running the malware, and thereby activating the worm-spreading functionality with the SMB exploit.
  • Infection through the SMB exploit when an unpatched computer is reached from other infected machines.

Dropper


The malware takes the form of a dropper trojan consisting of two components:

  1. A component that attempts to exploit the SMB server vulnerability CVE-2017-0145 on other computers.
  2. The ransomware component known as WannaCrypt.

The dropper attempts to connect to the following domains using the InternetOpenUrlA() API function:

  • www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

If the connection to the domains succeeds, the dropper does not infect the system with the ransomware component and does not try to exploit the vulnerability to spread further; it simply stops executing. If the connection fails, however, the dropper proceeds to drop the ransomware component and creates a service on the system.

In other words, unlike in most other malware infections, IT administrators should NOT block access to these domains. Note that the malware is not proxy-aware, so a record in the local DNS may be required. This record does not need to point to a server on the Internet; it is enough that it resolves to any reachable server that accepts connections on TCP port 80.
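The kill-switch check above is easy to get wrong on a proxied corporate network: a browser may reach the domain through the proxy while the dropper, which does a direct lookup and a plain TCP connection, cannot. The script below is an added example (not code from the Microsoft post) that probes the domains exactly the way the dropper does and reports what the local DNS override resolves to. It assumes that a successful connection to any one of the listed domains is enough to stop the dropper (the post does not say whether one or both are tried); the resolver and probe are injectable so the logic can be exercised offline.

```python
"""Validate a WannaCrypt kill-switch sinkhole the way the dropper sees it.

Added example, not code from the Microsoft post.  The dropper calls
InternetOpenUrlA() on a kill-switch domain and exits if the request succeeds;
because it is not proxy-aware, what matters is a direct DNS lookup plus a TCP
connection to port 80 from the affected subnet.
"""
import socket

# Kill-switch domains named in the post (plain form so they can be resolved;
# connecting to them is what *stops* the malware).
KILLSWITCH_DOMAINS = (
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
)


def tcp80_reachable(host, timeout=3.0):
    """Resolve `host` and open a direct TCP connection to port 80, ignoring any
    system proxy settings, like a non-proxy-aware WinINet call would."""
    try:
        with socket.create_connection((host, 80), timeout=timeout):
            return True
    except OSError:
        return False


def dropper_would_proceed(domains=KILLSWITCH_DOMAINS, probe=tcp80_reachable):
    """Mirror the dropper's decision.  Assumption: a successful connection to
    any one of the domains is enough to stop it; only when every probe fails
    does it go on to drop the ransomware and start spreading."""
    return not any(probe(d) for d in domains)


def sinkhole_report(domains=KILLSWITCH_DOMAINS,
                    resolve=socket.gethostbyname, probe=tcp80_reachable):
    """For each domain return (resolved_ip, port80_open).  Run this from the
    network segments you are worried about: the resolved address may be an
    internal sinkhole, but it must accept TCP 80 or the kill switch is moot."""
    report = {}
    for d in domains:
        try:
            ip = resolve(d)
        except OSError:            # socket.gaierror is an OSError subclass
            report[d] = (None, False)
            continue
        report[d] = (ip, probe(d))
    return report


if __name__ == "__main__":
    for domain, (ip, ok) in sinkhole_report().items():
        print(f"{domain}: ip={ip} tcp80={'open' if ok else 'CLOSED'}")
    print("dropper would proceed:", dropper_would_proceed())
```

A result of "CLOSED" from a segment whose direct egress is firewalled means exactly what the dropper would see there, so that is where the local DNS record pointing at an internal server listening on TCP 80 is needed.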



The malware creates a service named mssecsvc2.0, whose role is to exploit the SMB vulnerability on other computers reachable from the infected system:

Service name: mssecsvc2.0
Service description: Microsoft Security Center (2.0) Service
Service parameters: "-m security"




WannaCrypt ransomware


The ransomware component is a dropper that contains a password-protected ZIP archive in its resource section. The document-encryption routine and the files in the ZIP archive contain supporting tools, a decryption tool, and the ransom message. In the samples we analyzed, the ZIP archive was protected with the password WNcry@2ol7.

When run, WannaCrypt creates the following registry entries:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = "<malware working directory>\tasksche.exe"
  • HKLM\SOFTWARE\WanaCrypt0r\wd = "<malware working directory>"

It changes the desktop wallpaper to a ransom message by modifying the following registry value:

  • HKCU\Control Panel\Desktop\Wallpaper: "<malware working directory>\@WanaDecryptor@.bmp"

It creates the following files in the malware's working directory:

  • 00000000.eky
  • 00000000.pky
  • 00000000.res
  • 274901494632976.bat
  • @Please_Read_Me@.txt
  • @WanaDecryptor@.bmp
  • @WanaDecryptor@.exe
  • b.wnry
  • c.wnry
  • f.wnry
  • m.vbs
  • msg\m_bulgarian.wnry
  • msg\m_chinese (simplified).wnry
  • msg\m_chinese (traditional).wnry
  • msg\m_croatian.wnry
  • msg\m_czech.wnry
  • msg\m_danish.wnry
  • msg\m_dutch.wnry
  • msg\m_english.wnry
  • msg\m_filipino.wnry
  • msg\m_finnish.wnry
  • msg\m_french.wnry
  • msg\m_german.wnry
  • msg\m_greek.wnry
  • msg\m_indonesian.wnry
  • msg\m_italian.wnry
  • msg\m_japanese.wnry
  • msg\m_korean.wnry
  • msg\m_latvian.wnry
  • msg\m_norwegian.wnry
  • msg\m_polish.wnry
  • msg\m_portuguese.wnry
  • msg\m_romanian.wnry
  • msg\m_russian.wnry
  • msg\m_slovak.wnry
  • msg\m_spanish.wnry
  • msg\m_swedish.wnry
  • msg\m_turkish.wnry
  • msg\m_vietnamese.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • TaskData\Tor\libeay32.dll
  • TaskData\Tor\libevent-2-0-5.dll
  • TaskData\Tor\libevent_core-2-0-5.dll
  • TaskData\Tor\libevent_extra-2-0-5.dll
  • TaskData\Tor\libgcc_s_sjlj-1.dll
  • TaskData\Tor\libssp-0.dll
  • TaskData\Tor\ssleay32.dll
  • TaskData\Tor\taskhsvc.exe
  • TaskData\Tor\tor.exe
  • TaskData\Tor\zlib1.dll
  • taskdl.exe
  • taskse.exe
  • u.wnry

WannaCrypt may also create the following files:

  • %SystemRoot%\tasksche.exe
  • %SystemDrive%\intel\<random directory name>\tasksche.exe
  • %ProgramData%\<random directory name>\tasksche.exe

The ransomware component sometimes also creates a service with a random name whose image path is: cmd.exe /c "<malware working directory>\tasksche.exe".

The component searches the entire computer for files with the following extensions:

.123, .jpeg, .rb, .602, .jpg, .rtf, .doc, .js, .sch, .3dm, .jsp, .sh, .3ds, .key, .sldm, .3g2, .lay, .sldm, .3gp, .lay6, .sldx, .7z, .ldf, .slk, .accdb, .m3u, .sln, .aes, .m4u, .snt, .ai, .max, .sql, .ARC, .mdb, .sqlite3, .asc, .mdf, .sqlitedb, .asf, .mid, .stc, .asm, .mkv, .std, .asp, .mml, .sti, .avi, .mov, .stw, .backup, .mp3, .suo, .bak, .mp4, .svg, .bat, .mpeg, .swf, .bmp, .mpg, .sxc, .brd, .msg, .sxd, .bz2, .myd, .sxi, .c, .myi, .sxm, .cgm, .nef, .sxw, .class, .odb, .tar, .cmd, .odg, .tbk, .cpp, .odp, .tgz, .crt, .ods, .tif, .cs, .odt, .tiff, .csr, .onetoc2, .txt, .csv, .ost, .uop, .db, .otg, .uot, .dbf, .otp, .vb, .dch, .ots, .vbs, .der, .ott, .vcd, .dif, .p12, .vdi, .dip, .PAQ, .vmdk, .djvu, .pas, .vmx, .docb, .pdf, .vob, .docm, .pem, .vsd, .docx, .pfx, .vsdx, .dot, .php, .wav, .dotm, .pl, .wb2, .dotx, .png, .wk1, .dwg, .pot, .wks, .edb, .potm, .wma, .eml, .potx, .wmv, .fla, .ppam, .xlc, .flv, .pps, .xlm, .frm, .ppsm, .xls, .gif, .ppsx, .xlsb, .gpg, .ppt, .xlsm, .gz, .pptm, .xlsx, .h, .pptx, .xlt, .hwp, .ps1, .xltm, .ibd, .psd, .xltx, .iso, .pst, .xlw, .jar, .rar, .zip, .java, .raw

WannaCrypt encrypts every file it finds and renames it by appending the .WNCRY extension. For example, the file picture.jpg is encrypted and renamed to picture.jpg.WNCRY.

It also drops a file named @Please_Read_Me@.txt in every folder that contains encrypted files. This file carries the same ransom message that is shown on the replaced desktop wallpaper (see screenshot below).

After encryption is complete, WannaCrypt deletes the volume shadow copies and disables recovery with the following command:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
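That command chain is one of the most reliable detection points for this family: vssadmin, wmic, bcdedit and wbadmin are rarely invoked with these exact arguments by anything benign. The following is an added example (not code from the Microsoft post) that runs a small rule set over process-creation records; the sample events are constructed, Sysmon-style records, and the host/PID values in them are made up. Because each child process the chain spawns gets its own event, the rules work both on the single cmd.exe command line and on the individual vssadmin.exe or bcdedit.exe processes.

```python
"""Detect the recovery-inhibition command chain WannaCrypt runs after encryption.

Added example, not code from the Microsoft post.  Rules are regexes over the
process command line, so both the single cmd.exe /c chain and the child
processes it spawns (vssadmin.exe, wmic.exe, bcdedit.exe, wbadmin.exe) match.
SAMPLE_EVENTS are constructed, Sysmon-style process-creation records.
"""
import re
from collections import defaultdict

# (rule name, pattern) -- the five commands from the chain in the post.
RECOVERY_TAMPER_RULES = [
    ("vss_delete",      re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadow",     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_boot",    re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcdedit_recov",   re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("wbadmin_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# Constructed sample: one infected workstation (the chain plus one child
# process), one backup server listing shadows, one admin enumerating BCD.
SAMPLE_EVENTS = [
    {"host": "WS-0042", "pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
                "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"host": "WS-0042", "pid": 4132, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin  delete shadows /all /quiet"},
    {"host": "SRV-BACKUP", "pid": 812, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "WS-0017", "pid": 2210, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},
]


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line, in rule order."""
    return [name for name, rx in RECOVERY_TAMPER_RULES if rx.search(cmdline)]


def triage(events):
    """One finding per event that matched at least one rule."""
    findings = []
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            findings.append({"host": ev["host"], "pid": ev["pid"],
                             "image": ev["image"], "rules": hits})
    return findings


def suspected_ransomware(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired: a single
    'vssadmin delete shadows' can be an admin, the whole chain is not."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].update(f["rules"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f["host"], f["pid"], f["image"], ",".join(f["rules"]))
    print("suspected ransomware hosts:", suspected_ransomware(found))
```

Feeding real Sysmon Event ID 1 or Security 4688 records only requires mapping their CommandLine, Image and Computer fields onto the dict keys used here.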

It then replaces the desktop background with an image carrying the following message:



It also launches an executable that displays a ransom demand of $300 in Bitcoin, along with a countdown timer:



The text is localized in the following languages: Bulgarian, Chinese (Simplified and Traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.

The ransomware also demonstrates its decryption capability by letting the user decrypt a few randomly chosen files free of charge. It then quickly reminds the user that the ransom must be paid to decrypt the remaining files.



Spreading capability


The worm attempts to infect unpatched Windows machines on the local network. At the same time, it performs a mass scan of Internet IP addresses to find and infect other vulnerable computers. This produces a large volume of SMB traffic from the infected host, which security experts may notice, as shown below.



The Internet scanning routine generates random octets that are assembled into an IPv4 address. The malware then attacks the computer at that address, attempting to exploit CVE-2017-0145. It does not target computers whose first IPv4 octet is 127 (loopback) or greater than 224 (multicast and reserved space), so as not to waste time on addresses that cannot be infected. Once a vulnerable machine is found and infected, it becomes the next source of infection for other machines. The infection cycle continues as unprotected computers are discovered.
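The traffic pattern this produces (one host opening TCP/445 connections to a very large number of distinct, mostly external, addresses within seconds) is what a network sensor can key on. The script below is an added example, not code from the Microsoft post: random_target() reproduces the target selection as the post describes it and is used only to build constructed sample traffic, and smb_fanout() is the detection, a sliding-window count of distinct SMB destinations per source. All hosts, timestamps and thresholds in it are made up.

```python
"""Spot a WannaCrypt-style SMB scanner from connection records.

Added example, not code from the Microsoft post.  random_target() reproduces
the target selection the post describes (random octets, first octet 127 or
above 224 skipped) and is used only to build constructed sample traffic;
smb_fanout() is the detection: a host that opens TCP/445 connections to many
distinct addresses inside a short window is behaving like the worm.
"""
import random
from collections import defaultdict

SMB_PORT = 445


def random_target(rng):
    """One candidate IPv4 address, following the post's rule for the first octet."""
    while True:
        a, b, c, d = (rng.randrange(256) for _ in range(4))
        if a == 127 or a > 224:        # loopback, multicast/reserved: skipped
            continue
        return f"{a}.{b}.{c}.{d}"


def sample_targets(n, seed=1):
    """n deterministic candidate targets, for inspection and testing."""
    rng = random.Random(seed)
    return [random_target(rng) for _ in range(n)]


def smb_fanout(flows, window_s=60.0, threshold=50):
    """flows: iterable of (timestamp_s, src_ip, dst_ip, dst_port).
    Returns {src_ip: peak number of distinct TCP/445 destinations seen in any
    window of `window_s` seconds} for sources whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        seen = defaultdict(int)        # dst -> connections inside the window
        distinct = peak = lo = 0
        for ts, dst in conns:
            seen[dst] += 1
            if seen[dst] == 1:
                distinct += 1
            while ts - conns[lo][0] > window_s:      # slide the window forward
                old = conns[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    distinct -= 1
                lo += 1
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def build_sample_flows(seed=7):
    """Constructed traffic: one infected workstation probing 120 random targets
    in 30 s, one workstation talking normally to three file servers over ten
    minutes, plus some HTTPS noise from the infected host that must not count."""
    rng = random.Random(seed)
    infected, normal = "10.0.5.23", "10.0.5.40"
    flows = []
    for i in range(120):
        flows.append((1000.0 + i * 0.25, infected, random_target(rng), SMB_PORT))
    servers = ["10.0.1.5", "10.0.1.6", "10.0.1.7"]
    for i in range(40):
        flows.append((1000.0 + i * 15.0, normal, servers[i % 3], SMB_PORT))
    for i in range(200):
        flows.append((1000.0 + i * 0.1, infected, "203.0.113.10", 443))
    rng.shuffle(flows)                 # records arrive unordered, as in real logs
    return flows


if __name__ == "__main__":
    for src, peak in smb_fanout(build_sample_flows()).items():
        print(f"ALERT {src}: {peak} distinct SMB targets within 60 s")
```

The threshold is deliberately generous: a file server or a vulnerability scanner can legitimately touch dozens of hosts on 445, but nothing benign reaches hundreds of distinct external addresses in half a minute.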

After successfully infecting a vulnerable computer, the malware executes kernel-level shellcode that appears to have been copied from the public backdoor known as DOUBLEPULSAR, with some modifications to drop and execute the ransomware payload on both 32-bit and 64-bit systems.



Protection against the WannaCrypt attack


To get the latest protection from Microsoft, upgrade to Windows 10. Keeping your computers up to date gives you the benefit of the latest features and proactive mitigations built into the most recent versions of Windows.

We recommend that customers who have not yet installed security update MS17-010 do so as soon as possible. Until you can apply the update, we recommend two possible workarounds that reduce the attack surface:

  • Disable SMBv1 by following the steps in Microsoft Knowledge Base Article 2696547 and the earlier recommendations.
  • Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445.

Windows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of update 1.243.297.0. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.

For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run and effectively preventing malware from executing.

Use Office 365 Advanced Threat Protection, which has machine-learning capabilities that block dangerous email attachments, including ransomware.

Monitor your networks with Windows Defender Advanced Threat Protection (ATP), which alerts security operations teams about suspicious activity. Download this playbook to see how Windows Defender ATP can help you detect, investigate, and eliminate ransomware from your network: Windows Defender Advanced Threat Protection, Ransomware response playbook.

Resources



Indicators of compromise


SHA1 hashes of the analyzed samples:

  • 51e4307093f8ca8854359c0ac882ddca427a813c
  • e889544aff85ffaf8b0d0da705105dee7c97fe26

Files created by the ransomware:

  • %SystemRoot%\mssecsvc.exe
  • %SystemRoot%\tasksche.exe
  • %SystemRoot%\qeriuwjhrf
  • b.wnry
  • c.wnry
  • f.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • u.wnry
  • taskdl.exe
  • taskse.exe
  • 00000000.eky
  • 00000000.res
  • 00000000.pky
  • @WanaDecryptor@.exe
  • @Please_Read_Me@.txt
  • m.vbs
  • @WanaDecryptor@.exe.lnk
  • @WanaDecryptor@.bmp
  • 274901494632976.bat
  • Files with the .wnry extension
  • Files with the .WNCRY extension

Registry keys created by the ransomware:

  • HKLM\SOFTWARE\WanaCrypt0r\wd
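The file, service and registry indicators above are most useful when checked together, since a single tasksche.exe could be a false positive while a random-named service wrapping it, plus the WanaCrypt0r\wd value, is not. The following is an added example, not code from the Microsoft post, that matches a host inventory against those indicators. The inventory is a plain dict so the logic can be checked offline; on a live host a collection step (hypothetical here, e.g. os.walk for files, sc query or Get-Service for services, and the registry for values) would fill it in. The environment-variable expansions, the two sample hosts and every path and name in them are constructed.

```python
"""Match a host inventory against the WannaCrypt indicators listed above.

Added example, not code from the Microsoft post.  The inventory is a plain
dict (files, services, registry values) so the matching can be checked
offline; SAMPLE_HOST and CLEAN_HOST are constructed, as are the ENV
expansions (assumed default install locations).
"""
import fnmatch

ENV = {"%SystemRoot%": r"C:\Windows", "%SystemDrive%": "C:",
       "%ProgramData%": r"C:\ProgramData"}

# File indicators from the post; '*' stands for the random directory names.
FILE_PATTERNS = [
    r"%SystemRoot%\mssecsvc.exe", r"%SystemRoot%\tasksche.exe",
    r"%SystemRoot%\qeriuwjhrf",
    r"%SystemDrive%\intel\*\tasksche.exe", r"%ProgramData%\*\tasksche.exe",
    r"*\@WanaDecryptor@.exe", r"*\@WanaDecryptor@.exe.lnk",
    r"*\@WanaDecryptor@.bmp", r"*\@Please_Read_Me@.txt",
    r"*\00000000.eky", r"*\00000000.pky", r"*\00000000.res",
    r"*\274901494632976.bat", r"*\m.vbs", r"*\taskdl.exe", r"*\taskse.exe",
    r"*.wnry", r"*.WNCRY",
]
SERVICE_NAMES = {"mssecsvc2.0"}
SERVICE_IMAGE_PATTERN = r'cmd.exe /c "*\tasksche.exe"'   # random-named service
RUN_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"

SAMPLE_HOST = {   # constructed: an infected workstation
    "files": [
        r"C:\Windows\mssecsvc.exe", r"C:\Windows\tasksche.exe",
        r"C:\ProgramData\hqkxwnrtvgip473\tasksche.exe",
        r"C:\ProgramData\hqkxwnrtvgip473\00000000.pky",
        r"C:\ProgramData\hqkxwnrtvgip473\c.wnry",
        r"C:\Users\alice\Documents\picture.jpg.WNCRY",
        r"C:\Users\alice\Documents\@Please_Read_Me@.txt",
        r"C:\Windows\System32\notepad.exe",
        r"C:\Users\alice\Documents\budget.xlsx",
    ],
    "services": [
        ("mssecsvc2.0", r"C:\Windows\mssecsvc.exe -m security"),
        ("fgrtpzml", r'cmd.exe /c "C:\ProgramData\hqkxwnrtvgip473\tasksche.exe"'),
        ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ],
    "registry": {
        r"HKLM\SOFTWARE\WanaCrypt0r\wd": r"C:\ProgramData\hqkxwnrtvgip473",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zxqvmkpr":
            r"C:\ProgramData\hqkxwnrtvgip473\tasksche.exe",
        r"HKCU\Control Panel\Desktop\Wallpaper":
            r"C:\ProgramData\hqkxwnrtvgip473\@WanaDecryptor@.bmp",
    },
}
CLEAN_HOST = {    # constructed: nothing to see
    "files": [r"C:\Windows\System32\notepad.exe", r"C:\Users\bob\report.docx"],
    "services": [("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs")],
    "registry": {r"HKCU\Control Panel\Desktop\Wallpaper":
                 r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"},
}


def _match(value, pattern):
    """Case-insensitive glob match after expanding the %...% variables."""
    for var, real in ENV.items():
        pattern = pattern.replace(var, real)
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def triage_host(inv):
    """Return the indicators found, grouped by category."""
    hits = {"files": [], "services": [], "registry": []}
    for path in inv["files"]:
        if any(_match(path, p) for p in FILE_PATTERNS):
            hits["files"].append(path)
    for name, image in inv["services"]:
        if name.lower() in SERVICE_NAMES or _match(image, SERVICE_IMAGE_PATTERN):
            hits["services"].append(name)
    for key, value in inv["registry"].items():
        k, v = key.lower(), value.lower()
        if k == r"hklm\software\wanacrypt0r\wd":
            hits["registry"].append(key)
        elif k == r"hkcu\control panel\desktop\wallpaper" and v.endswith(r"\@wanadecryptor@.bmp"):
            hits["registry"].append(key)
        elif k.startswith(RUN_KEY.lower()) and v.endswith(r"\tasksche.exe"):
            hits["registry"].append(key)
    return hits


def is_compromised(inv):
    return any(triage_host(inv).values())


if __name__ == "__main__":
    for label, host in (("sample", SAMPLE_HOST), ("clean", CLEAN_HOST)):
        print(label, "compromised:", is_compromised(host), triage_host(host))
```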

If you notice an inaccuracy in the translation, please report it via private message.
