{"id":1342,"date":"2017-05-16T11:08:03","date_gmt":"2017-05-16T11:08:03","guid":{"rendered":"https:\/\/www.varutra.com\/blog\/?p=1342"},"modified":"2022-12-02T16:27:43","modified_gmt":"2022-12-02T10:57:43","slug":"threat-advisory-report-on-ransomware-wannacry-critical-severity","status":"publish","type":"post","link":"https:\/\/www.varutra.com\/varutravrt3\/threat-advisory-report-on-ransomware-wannacry-critical-severity\/","title":{"rendered":"Threat Advisory Report on WannaCry Ransomware (Critical Severity)"},"content":{"rendered":"


\n\"WannaCry<\/a><\/p>\n

Here we will discuss Threat Advisory Report on WannaCry Ransomware (Critical Severity).<\/p>\n

1. Introduction
\n<\/strong><\/span><\/h3>\n


\n<\/strong><\/span>On Friday, May 12, countless organizations around the world began fending off attacks from a ransomware strain variously known as WannaCrypt, WanaDecrypt and Wanna.Cry.<\/p>\n

Security researchers found \u201cWannaCry\u201d or \u201cWannaDecryptor\u201d; a type of ransomware which spreads from system to system silently and remains invisible to users until it unveils itself and then warns users that all their files have been encrypted with a key known only to the attacker and that they will be locked out until they pay to an anonymous party using the cryptocurrency Bitcoin.<\/p>\n

Ransomware encrypts a victim\u2019s documents, images, music and other files unless the victim pays for a key to unlock them.<\/p>\n

Wana Decrypt0r triggered security alerts for ETERNALBLUE, an alleged NSA exploit. ETERNALBLUE works by exploiting a vulnerability in the SMBv1 protocol to get a foothold on vulnerable machines connected online. Microsoft patched the flaw in MS17-010, released in March, but there are high chances that all Windows PC owners have applied the security update.<\/p>\n

On Friday, at least 16 hospitals in the United Kingdom were forced to divert emergency patients after computer systems there were infected with Wanna. According to multiple stories in the British media, approximately 90 percent of care facilities in the U.K.\u2019s National Health Service are still using Windows XP \u2013 a 16-year-old operating system.<\/p>\n

 <\/p>\n

2. Attack Scenario<\/strong><\/span><\/h3>\n

The initial infection vector of WannaCrypt 2.0 is not confirmed. It is possible that the initial vector is spam with malicious attachments (.pdf, .hta, and macro embedded MS Office files) commonly used in other ransomware campaigns.<\/p>\n

Once WannaCry 2.0 achieves a foothold, the ransomware infects other machines by leveraging a remote command execution vulnerability of Server Message Block (SMB). It is confirmed to exploit at least one publicly disclosed SMB vulnerability – CVE 2017-0143 also referred to as “EternalBlue” – which was released by a group called ShadowBrokers in April 2017. Using arbitrary code execution privileges, the ransomware installs itself to the machine, then proceeds to encrypt a wide array of files.<\/p>\n

Files are encrypted with the .WNCRY file extension added to them. The ransomware also downloads and installs TOR, with all dependencies, onto the infected machine, and uses this service to reach out to one of at least six .onion domains. The ransomware drops a ransom note named @Please_Read_Me@.txt; it also adds a lock screen, named “WanaCrypt0r 2.0\u201d<\/p>\n

At the time of reporting, the malware was requesting $300 USD in BitCoins, though this amount was later increased to $600. The Bitcoin wallets associated with the activity had received approximately 500 ransom payments, estimated to be worth over $150,000.<\/p>\n

Additionally, reports indicate the ransomware may have increased its payment demands from $300 to $600, indicating the actors have some level of control over the demanded amount and are increasing the cost of decryption, likely due to the success of the malware.<\/p>\n

The ransomware uses a unique encryption key for each binary placed onto a computer, but since the ransomware uses asymmetric RSA encryption even having the encryption key will not allow for convenient decryption.<\/p>\n

Upon infection, the following files are created:<\/p>\n

%Temp%\\b.wnry<\/p>\n

%Temp%\\c.wnry<\/p>\n

%Temp%\\m.wnry<\/p>\n

%Temp%\\r.wnry<\/p>\n

%Temp%\\t.wnry<\/p>\n

%Temp%\\u.wnry<\/p>\n

%Temp%\\m.vbs<\/p>\n

%Temp%\\taskdl.exe<\/p>\n

C:\\ProgramData\\taskse.exe<\/p>\n

%Temp%\\[14 random digits].bat<\/p>\n

The file c.wry contains information needed by the malware to further the infection and communication with its Command and control server.<\/p>\n

wanna18@hotmail[.]com<\/a><\/p>\n

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94<\/p>\n

sqjolphimrr7jqw6[.]onion<\/p>\n

https:\/\/www.dropbox[.]com\/s\/deh8s52zazlyy94\/t.zip?dl=1<\/a><\/p>\n

win32-0.2.8.11.zip<\/p>\n

https:\/\/dist.torproject[.]org\/torbrowser\/6.5.1\/tor-win32-0.2.9.10.zip<\/a><\/p>\n

https:\/\/www.dropbox[.]com\/s\/c1gn29iy8erh1ks\/m.rar?dl=1<\/a><\/p>\n

Adding the following registry entry for persistence:<\/p>\n

HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run \/v “” \/t REG_SZ \/d<\/p>\n

“\\”C:\\Users\\\\AppData\\Local\\Temp\\tasksche.exe\\”” \/f<\/p>\n

It also drops the ransom file named @Please_Read_Me@.txt and the decryptor file named @WanaDecryptor@.exe, as shown below:<\/p>\n

WannaCrypt0r 2.0 uses TOR hidden services for command and control, dropping and installing a fully functional version of TOR with all necessary components onto an infected machine. The TOR service reaches out to one of a number of .onion domains, including:<\/p>\n