WannaCry
WannaCry
Type Internet worm, Ransomware
Creator Lazarus Group
Date Discovered 12-MAY-2017
Place of Origin North Korea
Source Language
Platform MS Windows
File Type(s) .exe
Infection Length 3,723,264 bytes
Reported Costs

WannyCry, also known as Wcrypt, WCRY, WannaCrypt, and Wana Decrypt0r 2.0, is ransomeware that has gained a great deal of media attention since 2017. It spreads primarily through a worm that takes advantage of a Windows remote desktop vulnerability. It propagated through EternalBlue, an exploit discovered by the United States National Security Agency (NSA) for older Windows systems. The ransomeware targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.

Though the ransomware is its most prominent feature, our wiki's focus is on self-replicating programs, so we will focus on the worm, touching the subject of the ransomware where it is relevant.

Behavior

The target system receives a connection on port 445, which SMB uses on the network. The worm on the attacking system checks for the presense of the "EternalBlue" vulnerability. It then checks for the DoublePulsar backdoor and if it is not there, it will install it. It then uses DoublePulsar to infect the system. The worm arrives on a system as the file mssecsvc.exe.

When the main function of the worm's executable is run, it attempts to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and exits if it finds the site. It is uncertain what this website does, though there is speculation it was a killswitch. The site itself has been turned into a "sinkhole" that resolves so the worm quits if it is run on any system. This function still works when connecting to a proxy.

It creates the following registry keys to run itself as a system service in next execution:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mssecsvc2.0
Type = "16"
Start = "2"
ErrorControl = "1"
ImagePath = {initial malware file path} -m security
DisplayName = Microsoft Security Center (2.0) Service
ObjectName = LocalSystem

If it was run with one or no arguments, it installs a service called mssecsvc2.0 with display name "Microsoft Security Center (2.0) Service". It starts that service, drops the ransomware binary located in the resources of the worm, and runs it. If it was run with two or more arguments (started as a service itself) it will run the worm function. It will first call a function named WSAStartup() which initializes networking. The next function it calls is CryptAcquireContext(), which initializes the crypto API so it can use a cryptographically-secure pseudo-random number generator. It calls a function that initializes two buffers used for storing the worm payload DLLs, one for a 32-bit x86 and another for the 64-bit. It copies the payload DLLs from the .data section of the worm executable and then copies the worm binary.

Wannacry then creates two threads. One thread scans hosts on the LAN. It uses GetAdaptersInfo() and gets a list of IP ranges on the local network, then creates an array of every IP in those ranges to scan. Wannacry's LAN scanning is multithreaded, and there is code to prevent scanning more than 10 IP addresses on the LAN at a time. It attempts to connect to port 445 and if it finds a system, attempts to exploit to the system using the EternalBlue exploit. The exploitation routine times out at 10 minutes.

It creates the other thread for internet scanning 128 times and it scans hosts on the wider Internet. The threads that scan the Internet generate a random IP address, using either the OS’s cryptographically secure pseudo-random number generator initialized earlier, or a weaker pseudo-random number generator if the CSPRNG failed to initialize. If connection to port 445 on that random IP address succeeds, the entire /24 range is scanned, and if port 445 is open, it attempts to exploit the system. These exploit attempts time out after an hour.

The exploitation thread tries several times to exploit, with two different sets of buffers used (possibly for different bit numbers). If it detects the presence of DoublePulsar after any exploitation attempt, it uses DoublePulsar to load the payload DLL.

Variants

By August of 2019, about 7,000 new variants appeared and over 10,000 variants of the ransomware existed by fall of 2019, however only a few of the actual worm has been documented. Wannacry.B appeared a few days after the original on 15-MAY-2017. Its function is virtually identical to the original and even has the same byte length.

Sophos Labs noted many of these bypassed the original's killswitch. Many also had an ineffective encryption routine, rendering them useless. Since Wannacry variant won't infect computers that have already been infected, they acted as a vaccine.

[[Eternalrocks]]] was allegedly similar to Wannacry and was predicted to have an even bigger impact.

Effects

Researchers at Sophos estimate WannaCry hijacked 200,000 systems in 150 countries. The first infections were largely in Southeast Asia. Russia received the largest number of attacks by far with over 70% of the attacks occuring there, followed by Ukraine and India, both with less than 5% each. WannaCry reportedly caused disruptions at banks, hospitals, telecommunications services, train stations, and other mission-critical organizations in multiple countries, including the UK, Spain, Germany, and Turkey.

Blackpool Victoria Hospital in the UK reportedly pleaded for patients to seek treatment only for life-threatening emergencies after Wcry crippled its network. It also caused Bart's Hospital in London to redirect ambulances. Spanish telecom Telefonica were also affected. Other Spanish organizations known to be disrupted include telecom Vodafone Espana, banks BBVA and Santander, and power company Iberdrola. Some train stations in Germany were attacked.

By the Tuesday after the worm appeared, three bitcoin wallets had received 253 payments totaling 41.78807332 BTC ($71,647.06 USD). A month later, the total was up to $140,000, though some errors were made that would make any conversion from cash to Bitcoin very difficult, as the transactions could easily be traced.

The worm was mostly contained when a researcher who uses the Twitter handle MalwareTech and works for security firm Kryptos Logic took control of a domain name that was hard-coded into the exploit. Often users could decrypt their systems without paying the ransom. The tools Wannakey and wanakiwi took advantage of weaknesses in the Microsoft Cryptographic Application Programming Interface that WannaCry and other Windows applications use to generate keys for encrypting and decrypting files.
n

Origin

The EternalBlue exploit was stolen from the US National Security Agency and leaked by a group called The Shadow Brokers at least a year prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life. These patches are imperative to an organization's cyber-security but many were not applied because of needing 24/7 operation, risking having applications that used to work break, inconvenience, or other reasons.

By June, the US National Security Agency strongly suspected the Democratic People's Republic of Korea of creating the worm and ransomware. Allegedly the agency found patterns in the techniqies and tactics that pointed to the DPRK's Reconnaissance General Bureau, their spy agency. It was suspected of being an attempt to raise revenue for the DPRK regime.

In December 2017, the United States, United Kingdom and Australia formally asserted that North Korea was behind the attack. In the next year, a criminal complaint was filed against North Korean computer programmer, Park Jin-Hyok (박진혁) who may have also been involved in the attacks on Sony for a film considered insulting to the leaders of North Korea. Park has yet to arrive in the US to face the charges.

Other Facts

Researchers drew comparions to much earlier worm outbreaks, particularly those from the 2000s. Similarities to Conficker and Slammer attacks were noted mostly because of their use of previously patched vulnerabilities that many organization did not fix. Though worms have become less frequent in favor of more targeted attacks, they still appear infrequently, with some antivirus vendors declaring "the return of the worm".

Sources

Zammis Clark. MalwareBytes, The worm that spreads WanaCrypt0r. 16-JUN-2021

Anthony Joe Melgarejo. Trend Micro, WORM_WCRY.A 08-JUN-2017

Byron Jon Gelera. Trend Micro, WORM_WCRY.B. 16-MAY-2017

Naked Security. Sophos, WannaCry: the ransomware worm that didn’t arrive on a phishing hook. 17-MAY-2021

-. -, WannaCry benefits from unlearned lessons of Slammer, Conficker. 14-MAY-2021

Dan Goodin. Ars Technica, An NSA-derived ransomware worm is shutting down computers worldwide. 12-MAY-2021

-. -, More people infected by recent WCry worm can unlock PCs without paying ransom. 19-MAY-2017

Ellen Nakashima. The Washington Post, The NSA has linked the WannaCry computer worm to North Korea. 14-JUN-2017

David Bisson. Tripwire, Over 12,000 WannaCry Variants Detected in the Wild. 19-SEP-2019

Hirokazu Murakami. Sans Whitepaper "Reverse Engineering of WannaCry Worm and Anti Exploit Snort Rules." 2021

Alex Scroxton. Computer Weekly, WannaCry variants accidentally protecting against WannaCry. 18-Sep-2019

Deepen Desai. Zscaler, WannaCry 2.0 ransomware attacks continue... 15-MAY-2017

Mehul Revankar. Tenable, WannaCry 2.0: Detect and Patch EternalRocks Vulnerabilities Now. 23-MAY-2017

Swati Khandelwal. Hacker News, WannaCry Kill-Switch(ed)? It's Not Over! WannaCry 2.0 Ransomware Arrives. 13-MAY-2017

BBC News, Cyber-attack: US and UK blame North Korea for WannaCry. 19-DEC-2017

UNITED STATES DISTRICT COURT for the Central District of California CRIMINAL COMPLAINT. 08-JUN-2018

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License