How WannaCry Ransomware Works

What is Ransomware?

Ransomware is a subset of malware in which the data on a victim's computer is locked, typically by encryption, and payment is demanded before the ransomed data is decrypted and access is returned to the victim.

What is WannaCrypt (WannaCry) Ransomware?

WannaCry (also called WannaCrypt, WanaCrypt0r or Wana Decrypt0r) is a ransomware worm that in May 2017 infected the National Health Service (NHS) in England and organisations across the globe, including government institutions in China, Russia, the US and most of Europe. India was among the countries worst affected by the attack. At NHS England the infection forced some hospitals to cancel patients' operations.
The attack used EternalBlue, an exploit for a vulnerability in Microsoft's SMBv1 file-sharing protocol that is believed to have been developed by the USA's National Security Agency. The exploit was published by a group calling itself the Shadow Brokers in April 2017, but Microsoft had already fixed the vulnerability in security bulletin MS17-010 on March 14, 2017, a month before the leak. The problem was systems that had not installed that update, together with unsupported versions such as Windows XP and Windows Server 2003, which received no fix until Microsoft issued an emergency out-of-band patch after the outbreak began. Windows XP was still widely used in Russia and India, which is one reason given for those countries being hit hard, although telemetry published afterwards showed that the great majority of successful infections were on unpatched Windows 7 systems; the exploit tends to crash Windows XP rather than infect it.

This threat arrives as a dropper Trojan that has two components:

·         A worm component that attempts to exploit the SMBv1 vulnerability CVE-2017-0145 on other computers
·         The ransomware component (tasksche.exe, described below)
Before doing anything else, the dropper tries to connect over HTTP (TCP 80) to a hard-coded "kill switch" domain. Different samples carry different domains; the ones observed are:
·         www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
·         www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
·         www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test

If the connection succeeds, the threat stops running: nothing is dropped, nothing is encrypted and no scanning takes place. Because of this, IT administrators should NOT block these domains at the firewall or web proxy; blocking them re-arms the malware. The check is not proxy-aware (it attempts a direct connection rather than using the system proxy settings), so on networks that only reach the Internet through a proxy a local DNS record may be required. That record does not need to point to the Internet; it can resolve to any reachable server that accepts connections on TCP 80. The check runs each time the dropper executes, so it stops the payload from running but does not remove the dropper from the host.
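The kill-switch check above, written as a small reachability test you can run from a segment of your own network. This is an added example for this article, not the malware's code or Microsoft's guidance; it mirrors the two steps the dropper is described as performing (system DNS lookup, then a direct TCP connection to port 80 with no proxy) and reports which step fails. The function names and the injectable `resolve`/`connect` parameters are choices made for this example so the logic can also be exercised offline. Only the two .com domains are included because `.test` is a reserved, unresolvable top-level domain.

```python
"""Would the WannaCry kill switch fire from this host?

Added example, not code from the malware or from Microsoft's write-up.
It mimics what the article says the dropper does first: resolve the domain
with the system resolver and open a plain TCP connection to port 80 without
consulting any proxy. If both succeed the dropper exits; if either fails it
goes on to drop the ransomware and spread.
"""
import socket

# Kill-switch domains listed in the article, defanging brackets removed.
KILL_SWITCH_DOMAINS = (
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
)


def _direct_connect(host: str, port: int, timeout: float) -> bool:
    """Open a raw TCP connection, bypassing any configured HTTP proxy."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def kill_switch_reachable(domain, resolve=socket.gethostbyname,
                          connect=_direct_connect, timeout=5.0):
    """Return a dict describing each step of the dropper's check.

    `resolve` and `connect` are injectable (an assumption of this example)
    so the logic can be tested offline; the defaults use the real system
    resolver and a direct TCP connect, as the non-proxy-aware dropper does.
    """
    result = {"domain": domain, "resolves_to": None, "tcp80_open": False}
    try:
        result["resolves_to"] = resolve(domain)
    except OSError:           # socket.gaierror is a subclass of OSError
        return result         # NXDOMAIN / no DNS: kill switch will NOT fire
    result["tcp80_open"] = connect(result["resolves_to"], 80, timeout)
    return result


def kill_switch_would_fire(domain, **kw) -> bool:
    """True only if the dropper's lookup and connect would both succeed."""
    r = kill_switch_reachable(domain, **kw)
    return r["resolves_to"] is not None and r["tcp80_open"]


if __name__ == "__main__":
    for d in KILL_SWITCH_DOMAINS:
        r = kill_switch_reachable(d)
        verdict = ("kill switch fires" if kill_switch_would_fire(d)
                   else "NOT reachable: the dropper would proceed")
        print(f"{d}: {r} -> {verdict}")
```

Run it from a workstation on each network segment. A result with `resolves_to` set but `tcp80_open` false usually means egress is proxy-only, which is exactly the situation where the article's local DNS record pointing at an internal web server is needed.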
The dropper then creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability on other computers reachable from the infected system:
Service Name: mssecsvc2.0
Service Description: (Microsoft Security Center (2.0) Service)
Service Parameters: “-m security”

This threat uses publicly available exploit code for the patched SMB vulnerability CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. The exploit code used is designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier) systems, so Windows 10 PCs are not affected by it. The vulnerability was fixed in security bulletin MS17-010, released on March 14, 2017, which addresses a group of SMBv1 issues (CVE-2017-0143 through CVE-2017-0148); disabling SMBv1 on hosts that do not need it removes this attack surface entirely.
When run, the ransomware component creates the following registry entries:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "<malware working directory>\tasksche.exe"
In subkey: HKLM\SOFTWARE\WanaCrypt0r
Sets value: "wd"
With data: "<malware working directory>"
It also modifies the following registry entry to change the desktop wallpaper:
In subkey: HKCU\Control Panel\Desktop
Sets value: "Wallpaper"
With data: "<malware working directory>\@WanaDecryptor@.bmp"
It creates the following files in the malware’s working directory:
·         00000000.eky
·         00000000.pky
·         00000000.res
·         274901494632976.bat
·         @Please_Read_Me@.txt
·         @WanaDecryptor@.bmp
·         @WanaDecryptor@.exe
·         b.wnry
·         c.wnry
·         f.wnry
·         m.vbs
·         msg\m_bulgarian.wnry
·         msg\m_chinese (simplified).wnry
·         msg\m_chinese (traditional).wnry
·         msg\m_croatian.wnry
·         msg\m_czech.wnry
·         msg\m_danish.wnry
·         msg\m_dutch.wnry
·         msg\m_english.wnry
·         msg\m_filipino.wnry
·         msg\m_finnish.wnry
·         msg\m_french.wnry
·         msg\m_german.wnry
·         msg\m_greek.wnry
·         msg\m_indonesian.wnry
·         msg\m_italian.wnry
·         msg\m_japanese.wnry
·         msg\m_korean.wnry
·         msg\m_latvian.wnry
·         msg\m_norwegian.wnry
·         msg\m_polish.wnry
·         msg\m_portuguese.wnry
·         msg\m_romanian.wnry
·         msg\m_russian.wnry
·         msg\m_slovak.wnry
·         msg\m_spanish.wnry
·         msg\m_swedish.wnry
·         msg\m_turkish.wnry
·         msg\m_vietnamese.wnry
·         r.wnry
·         s.wnry
·         t.wnry
·         TaskData\Tor\libeay32.dll
·         TaskData\Tor\libevent-2-0-5.dll
·         TaskData\Tor\libevent_core-2-0-5.dll
·         TaskData\Tor\libevent_extra-2-0-5.dll
·         TaskData\Tor\libgcc_s_sjlj-1.dll
·         TaskData\Tor\libssp-0.dll
·         TaskData\Tor\ssleay32.dll
·         TaskData\Tor\taskhsvc.exe
·         TaskData\Tor\tor.exe
·         TaskData\Tor\zlib1.dll
·         taskdl.exe
·         taskse.exe
·         u.wnry

It may also create the following files:

·         %SystemRoot%\tasksche.exe
·         %SystemDrive%\intel\<random directory name>\tasksche.exe
·         %ProgramData%\<random directory name>\tasksche.exe
It may create a randomly named service that has the following associated ImagePath:
"cmd.exe /c "<malware working directory>\tasksche.exe""
Encrypts files
This threat searches for and encrypts files with the following filename extensions:

It appends .WNCRY to the filename of encrypted files. For example:
·         file.docx is renamed to file.docx.WNCRY
·         file.pdf is renamed to file.pdf.WNCRY
This ransomware also creates the file @Please_Read_Me@.txt in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).
After completing the encryption process, the malware deletes the volume shadow copies, so the built-in Previous Versions feature cannot be used to recover the files. It then replaces the desktop background image with the following message:

It also runs an executable (@WanaDecryptor@.exe) that shows a ransom note demanding $300, payable in Bitcoin, together with countdown timers:

The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.
The ransomware also demonstrates its decryption capability by letting the user decrypt a few randomly chosen files free of charge. It then reminds the user to pay the ransom to decrypt all the remaining files.
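The service, registry and file artifacts listed above, and the .WNCRY / @Please_Read_Me@.txt traces from the encryption step, can be checked mechanically. The following is an added example for this article, not code from the malware or from Microsoft's write-up: it matches a snapshot of a host's services, registry values and file paths against the indicators given on this page. The three-list snapshot format, the function names and the sample data are assumptions made for the example; on a live Windows host you would fill the lists from Get-Service, Get-ItemProperty and Get-ChildItem (or winreg and os.walk) and pass them in.

```python
"""Match the WannaCry host artifacts described in this article against a
snapshot of services, registry values and file paths.

Added example, not code from the malware or from Microsoft's write-up.
The snapshot layout (three plain lists) is an assumption of this example.
"""
import re
from collections import defaultdict

# Indicators taken from the article, normalised to lower case for matching.
MALICIOUS_SERVICE = "mssecsvc2.0"
WANACRYPT_KEY = r"hklm\software\wanacrypt0r"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
WALLPAPER_VALUE = r"hkcu\control panel\desktop\wallpaper"
DROPPED_NAMES = {
    "tasksche.exe", "taskdl.exe", "taskse.exe", "@wanadecryptor@.exe",
    "@please_read_me@.txt", "@wanadecryptor@.bmp", "u.wnry", "t.wnry",
    "s.wnry", "r.wnry", "c.wnry", "b.wnry", "f.wnry", "m.vbs",
}
KEY_FILE_RE = re.compile(r"^[0-9a-f]{8}\.(eky|pky|res)$")   # 00000000.eky etc.
ENCRYPTED_RE = re.compile(r"\.wncry$")                       # appended suffix


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_wannacry_artifacts(services, registry, files):
    """Return {indicator_name: [evidence, ...]} for every indicator that hits.

    services: iterable of (name, command_line) tuples
    registry: iterable of (key, value_name, data) tuples
    files:    iterable of full paths
    """
    hits = defaultdict(list)

    for name, cmd in services:
        if name.lower() == MALICIOUS_SERVICE:
            hits["service_mssecsvc2.0"].append(f"{name} {cmd}")
        elif "tasksche.exe" in cmd.lower():            # randomly named service
            hits["service_runs_tasksche"].append(f"{name} {cmd}")

    for key, value, data in registry:
        k, v, d = key.lower(), value.lower(), str(data).lower()
        if k == WANACRYPT_KEY and v == "wd":
            hits["registry_wanacrypt0r_wd"].append(f"{key}\\{value} = {data}")
        elif k == RUN_KEY and d.endswith("tasksche.exe"):
            hits["run_key_tasksche"].append(f"{key}\\{value} = {data}")
        elif f"{k}\\{v}" == WALLPAPER_VALUE and d.endswith("@wanadecryptor@.bmp"):
            hits["wallpaper_replaced"].append(f"{key}\\{value} = {data}")

    encrypted = 0
    for path in files:
        base = _basename(path)
        if base in DROPPED_NAMES:
            hits["dropped_file"].append(path)
        elif KEY_FILE_RE.match(base):
            hits["key_material_file"].append(path)
        elif ENCRYPTED_RE.search(base):
            encrypted += 1
    if encrypted:
        hits["encrypted_files"].append(f"{encrypted} file(s) with .WNCRY suffix")

    return dict(hits)


# Constructed sample snapshot for demonstration only (not real telemetry).
SAMPLE_SERVICES = [
    ("mssecsvc2.0", r"C:\Windows\mssecsvc.exe -m security"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("xkjhsdfq", r'cmd.exe /c "C:\ProgramData\qwzxyk\tasksche.exe"'),
]
SAMPLE_REGISTRY = [
    (r"HKLM\SOFTWARE\WanaCrypt0r", "wd", r"C:\ProgramData\qwzxyk"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "qwzxyk",
     r"C:\ProgramData\qwzxyk\tasksche.exe"),
    (r"HKCU\Control Panel\Desktop", "Wallpaper",
     r"C:\ProgramData\qwzxyk\@WanaDecryptor@.bmp"),
]
SAMPLE_FILES = [
    r"C:\ProgramData\qwzxyk\00000000.eky",
    r"C:\ProgramData\qwzxyk\@Please_Read_Me@.txt",
    r"C:\Users\alice\Documents\budget.xlsx.WNCRY",
    r"C:\Users\alice\Documents\@Please_Read_Me@.txt",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for name, evidence in match_wannacry_artifacts(
            SAMPLE_SERVICES, SAMPLE_REGISTRY, SAMPLE_FILES).items():
        print(name)
        for e in evidence:
            print("   ", e)
```

The registry hits and the mssecsvc2.0 service are the strongest single indicators; a .WNCRY count on its own tells you encryption already ran and triage should move to isolating the host and checking the SMB fan-out described in the next section.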
Spreads to unpatched computers
To spread, this threat uses exploit code for the patched SMB vulnerability CVE-2017-0145, fixed in security bulletin MS17-010, released on March 14, 2017.
The exploit code used by this threat to spread to other computers was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier) systems. The exploit does not affect Windows 10 PCs.
The worm functionality attempts to infect unpatched Windows machines on the local network. At the same time it scans Internet IP addresses at scale to find and infect other vulnerable computers. The result is a large volume of outbound SMB (TCP 445) traffic to many distinct destinations from the infected host, which SecOps personnel can observe in firewall, NetFlow or IDS data.
The Internet scanning routine randomly generates four octets to form an IPv4 address and then attempts to exploit CVE-2017-0145 against it. The threat skips the address if the randomly generated first octet is 127 (the loopback range) or is equal to or greater than 224 (multicast and reserved ranges). Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines, and the infection cycle continues as the scanning routine discovers further unpatched computers.
When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that appears to have been copied from the public backdoor known as DOUBLEPULSAR, with adjustments to drop and execute the ransomware dropper payload on both x86 and x64 systems.
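The target-selection rule and the traffic pattern it produces, as an added example for this article (not WannaCry's own code and not from Microsoft's write-up). `random_scan_target()` reproduces only what the article states: four random octets, rejecting a first octet of 127 or 224 and above; the real routine's PRNG, thread count and timing are not given on this page and are not modelled. `smb_scanners()` is the network-side detection: given flow records, it flags sources that reach many distinct destinations on TCP/445 inside a short window. The flow-tuple format, threshold, function names and sample traffic are assumptions made for this example, and the sample traffic is constructed, not captured.

```python
"""Worm target selection as described in the article, and a detector for the
resulting SMB fan-out. Added example; not the malware's code.
"""
import random
from collections import defaultdict


def is_scan_target(first_octet: int) -> bool:
    """Article's rule: skip 127.x.x.x (loopback) and >= 224 (multicast/reserved)."""
    return first_octet != 127 and first_octet < 224


def random_scan_target(rng=random) -> str:
    """Draw four random octets until the first one passes the filter."""
    while True:
        octets = [rng.randrange(256) for _ in range(4)]
        if is_scan_target(octets[0]):
            return ".".join(map(str, octets))


# --- detection side -------------------------------------------------------

def smb_scanners(flows, window_s=60, threshold=50):
    """Return {src: peak_distinct_dst_count} for sources over the threshold.

    `flows` is an iterable of (timestamp_s, src_ip, dst_ip, dst_port) tuples
    (an assumed format; NetFlow or Zeek conn.log map onto it directly).
    Distinct TCP/445 destinations are counted per source inside a sliding
    window of `window_s` seconds; a file server talks to many clients but a
    client normally talks to very few servers, so a high count is the worm.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))

    offenders = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            distinct = len({d for _, d in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            offenders[src] = peak
    return offenders


def constructed_flows(seed=1):
    """Constructed sample traffic (not real captures): one infected host
    fanning out to random targets on 445, a benign client talking to one
    file server, and some unrelated HTTP noise."""
    rng = random.Random(seed)
    flows = []
    for i in range(120):                      # infected: 120 targets in 60 s
        flows.append((i * 0.5, "10.0.0.23", random_scan_target(rng), 445))
    for i in range(40):                       # benign: a single file server
        flows.append((i * 2.0, "10.0.0.7", "10.0.0.2", 445))
    for i in range(10):                       # HTTP, ignored by the detector
        flows.append((i * 1.0, "10.0.0.9", random_scan_target(rng), 80))
    return flows


if __name__ == "__main__":
    print("sample targets:", [random_scan_target() for _ in range(5)])
    print("SMB scanners:", smb_scanners(constructed_flows()))
```

Tune `threshold` and `window_s` to your environment; in most networks any workstation opening more than a few dozen distinct TCP/445 destinations per minute is either a scanner or this worm, and blocking outbound 445 at the perimeter stops the Internet-facing half of the spread regardless.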

SHA1s used in this analysis: 
·         51e4307093f8ca8854359c0ac882ddca427a813c
·         5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
·         bd44d0ab543bf814d93b719c24e90d8dd7111234
·         87420a2791d18dad3f18be436045280a4cc16fc4
·         e889544aff85ffaf8b0d0da705105dee7c97fe26

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
