UPDATE 5/18/2017 10:40AM ET: A new tool was released from Adrien Guinet that can decrypt WannaCry impacted systems. This only works on Windows XP due to using proper cryptography libraries. In Windows XP, it's possible to search the wcry.exe memory and does not erase the prime numbers used to generate the key. Link here to download.

UPDATE 5/14/2017 11:38AM ET: A new variant with a different kill switch name was discovered this morning. The domain name goes to a different URL: ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com. This domain has already been registered and is sinkholed. It is advised to use internal DNS (as mentioned below) to point to an active/website internally that will always be available in the event the site is down or servers can't reach to this. Note that this is only a temporary solution and it is advised heavily that you patch your systems immediately with MS17-010. More analysis from initial discovery here.

UPDATE 5/13/2017 9:44AM ET: It's recommended to create a local DNS entry in your network for the domain name iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and point it to a HTTP website within your network that you control. This will ensure that in the event the sinkhole is DOS'd or taken offline, or if you have heavy egress filtering and don't allow HTTP communications, that you still ensure the website can be visited to shut the malicious software down.

UPDATE 5/13/2017 8:28AM ET: Microsoft, in an unexpected move, has released an emergency patch for it's non-supported and legacy operating systems. Windows Server 2003, Windows XP, Windows Vista, and Windows 8 which are end-of-life and no longer supported just received security patches. If you need the patches, visit the advisory here. Well done Microsoft.

UPDATE 5/12/2017 10:25PM ET: Due to taking over the domain name that was used as a kill switch (sinkholed) - this specific variant of WannaCrypt is effectively dead. There should be no more major infections due to this specific attack vector. It should be worth noting that the worm component of this Ransomware attack is highly customizable and is now out in the wild. You can expect Ransomware developers to incorporate these capabilities VERY quickly and initiate new campaigns starting as soon as next week. Companies are highly urged to patch MS17-010 immediately in order to reduce the likelihood of this ransomware-type technique causing substantial impact to your organization. Kudos out to MalwareTechBlog for initiating the sinkhole and kill switch. This action alone probably saved lives. For those that may not understand the technical terms, the WannaCry Ransomware when first launching would check a domain name specifically embedded in the code. This was used as a kill switch - which means if the domain existed, there was something that went wrong and the malware creators could kill the software from actually running. @MalwareTechBlog discovered this, and registered the domain and effectively shut down the ability for this specific strain of WannaCry from running. This action alone probably saved lives. Congrats to MalwareTechBlog for the heroic actions, and the quick response to shutting this down. It should be noted and a word of caution, now that this weaponized Ransomware is out there, more will follow.

The news broke today of a new variant of the WannaCry (also known as WannaCrypt, WCrypt, WanaCrypt0r, and WCRY) Ransomware variant. This variant is a fairly new strain of Ransomware that has now moved to a whole different level. The numbers keep rising, but there have been reports of WannaCry in over 99 countries and shutting down hospitals and government entities around the globe. The biggest outage thus far has been reported out of the UK's National Health Service (NHS) reporting that their hospital was taken offline and a number of life saving systems are not operational. Reports of surgery's being cancelled, and mass panic is currently being reported out of the NHS in London. Even Russia's interior ministry was reporting small-scale infections which is believes it now has contained.

Why this specific Ransomware has been more effective than its predecessors, is that it was recently updated with an exploit directly from the National Security Agency (NSA) arsenal (from 2013). On April 15th, 2017 a group known as the Shadow Brokers (attributed to Russian intelligence) leaked a large cache of weaponized exploits used by the "Equation Group" (attributed to the NSA). One particular exploit called EternalBlue was leaked within this dump and was used to target a substantial amount of newer Windows operating systems (all operating systems below Windows 10). Microsoft somehow got early warning notice (most likely from the NSA ahead of the dump), and fixed the vulnerability silently prior to the actual release occurring. This patch number was MS17-010 and was released back in March. This vulnerability allowed remote attackers to gain remote code execution on systems and fully compromise the computer with full administrative level rights (SYSTEM permissions).

Why this matters in the latest WannaCry release is that the developers of the Ransomware incorporated their code into a massive remote worm using the EternalBlue exploit that has the capability of ripping through systems at an alarming rate. Systems that have not applied MS17-010. In addition, WannaCry installs the NSA's backdoor called "DoublePulsar" which allows maintained access for attackers to gain further access to the systems. It should be noted that WannaCry is not a worm in itself, it uses a worm delivery system built on EternalBlue, and can be modified and easily used to add into other Ransomware variants.

Confirmed Command and Control infrastructure for WannaCry (credit):

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52ma.onion

While the vulnerability was critical in nature, and the industry urged companies to patch immediately, not every corporation, hospital, and computer system have the ability to be patched in such a short order. Hospitals for example have to go through a substantial amount of accreditation for patches in order to apply them to critical systems in their hospitals. The same goes for our energy sector, water treatment facilities, schools, and corporations across the globe. With this specific Ransomware going to a mass worm infection is literally going to be devastating to multiple industry verticals and impact hundreds of thousands of systems.

For those not familiar with Ransomware, this type of technique used by hackers has been on an upward trend for several years now. Ransomware works by first infecting a victims machine and then scanning the system, associated file shares, and authenticated servers in order to encrypt the files themselves. The files once encrypted are held for ransom and the victim is urged to pay a certain amount (varies based on variant) based on the volume of encrypted files. This is usually in a form of an online currency called Bitcoin. Once the victims pay the bitcoin, they may or may not get their encryption keys to decrypt the actual files themselves. It's up to the authors and the infrastructure to support decryption. This is a major problem for law enforcement due to the inability to substantially track where money is going due to the online currencies growth and popularity. We will continue to see a significant increase in Ransomware as we move forward.

How WannaCry Infects the System

  • WannaCry does not use any heavy sophistication methods for delivery. It first uses a password protected zip file, which has a document inside. (Note that this method isn't confirmed and is reported)
  • Once the document is opened, it downloads a second stage which is an unsigned executable. This executable contains the delivery method for infection, worm replication, and exploitation. (Again, this is reported but nog verified witu artifacts yet)
  • The malicious software beacons out to a domain hxxp://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com to check if the website is up, if it is, it will not execute. This has since been sinkholed and if the website is up, will not actually execute. This means you can either use DNS to redirect to a legitimate site to ensure it stays up, or keep it as is since it's been sinkholed and is currently up and running now. The malicious software should exit now upon checking as the kill switch is now active.
File Extensions Targeted

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

Ransom Amount

Reports of anywhere between $300 to $600

What you can do now to prevent WannaCry

  • You need to patch. Right now. MS17-010 needs to be applied and across your organization (amongst all other critical security patches).
  • For systems that cannot be patched, they should be moved into a network segment to reduce the impact to the rest of the organization.
  • The website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is checked upon software execution to see if it is up. If the website is up (which it is currently and is sinkholed), the malicious software does not execute, and turns itself off. This domain as since been sinkholed and should always remain up now. Know that this is a temporary fix and the domain will most likely switch quickly. (Thanks @_Nips_)
  • For the time being until patches can be applied, consider blocking all zip attachments that contain passwords.
  • This is a common problem, disallowing non-code signed executables from running would substantially reduce the effectiveness of a large percentage of Ransomware (known good). Using Microsoft's Device Guard and other application whitelisting solutions is heavily recommended. This practice does work folks.
  • For home users, update your systems immediately with Windows updates, and be cautious on where you download files from.

Implications of WannaCry

WannaCry is just the first. There will be many more, and soon to come.

Why this is being looked at from many in the information security community as a major game changer is how far reaching this specific exploit (MS17-010) will be. Simply put, if one user opens up this type of attachment, it could literally detonate and cripple all systems that aren't patched in an organization. We are starting to see the early stages of this type of attack with WannaCry, but it is highly expected to get much worse. Companies need to patch immediately, and most importantly, the healthcare industry needs to be substantially more proactive in patching in general, and isolating life saving systems. All of these could have been prevented with solid patch management practices.

The component that is most alarming in totality is the infection/worm component. Doing analysis of the binary, it is trivial to substitute your own payload (or Ransomware variant) to execute. This means that other Ransomware creators will be looking at this as a method to deploy their Ransomware payloads almost immediately. Expect new variants, expect them quickly, and expect them now.

Additional Information

For a full technical writeup on EternalBlue, visit our sister company TrustedSec for a breakdown of the exploit.

For an excellent technical analysis and writeup of WannaCry, follow this link here.

BSIDES Boston Keynote on Shadow Brokers and Equation Group here: https://www.youtube.com/watch?v=c_B4Hj_Kqhw

For Binary Defense Vision customers and MSS customers, WannaCry is already detected on multiple stages and actively being monitored by our 24/7 security operations center. Customers with the Vision platform, containment will remove the affected systems from the network immediately upon discovery.

David Kennedy

Written by David Kennedy