The Who, What, Where, When, and Why of WCry
Security professionals from across the world have been writing up commentaries of the recent WCry ransomware. The below breaks this down in under 600 words.
While the current actors behind WCry are unknown, it is the second iteration of ransomware known as WanaCrypt0r, which was spotted in February 2017 (Blog.avast.com, 2017), asking victims to pay 0.1 Bitcoins for their files to be decrypted (Hern and Gibbs, 2017). This ransomware is possible due to a vulnerability that was disclosed publicly by a group known as ‘The Shadow Brokers’, who stated it was a known vulnerability that the National Security Agency in the United States had been aware of for some time. They referred to the vulnerability that allowed the ransomware to spread as “ETERNALBLUE”, an SMBv2 exploit (Hunt, 2017). While the Shadow Brokers released this vulnerability, it is unlikely that they are connected to the ransomware; it is more probable that it is the work of an opportunistic hacking group.
A patch has existed since March 14th 2017 for the ETERNALBLUE vulnerability, labelled MS17-010 by Microsoft.
WCry is also referred to as WannaCry and Wana Decrypt0r (Patel, 2017). It is a piece of ransomware that propagates from infected machines after scanning over TCP port 445 (Server Message Block/SMB). Before leveraging ETERNALBLUE for the initial exploitation, WCry first scans accessible hosts for the presence of DOUBLEPULSAR, a persistent backdoor. If it does not find the backdoor it uses the ETERNALBLUE SMB vulnerability. This causes the worm-like activity as it spreads from host to host (Chiu, 2017). At the moment one of the confirmed initial infection vectors for the ransomware is the use of the ETERNALBLUE exploit directly against hosts which have SMB exposed to the internet (Fox-IT International blog, 2017).
Soon after analysing the ransomware, the author of malwaretech.com discovered that it routinely tried to communicate with the pseudo-random web domain ‘iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com’. Soon after realising this he registered the domain as a sinkhole.
“Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered.” – malwaretech.com
Once the domain was registered it was discovered that if the ransomware could communicate with the host name it would exit, but until the name was registered it continued to execute (Hunt, 2017). This is referred to as a kill-switch domain. However, a simple change to the ransomware code would allow this to be circumvented and for it to continue to propagate.
Some of the largest organisations affected include Telefonica in Spain, the National Health Service in the UK, and FedEx in the US (Chiu, 2017). After registering the above domain it was possible to view the hosts that attempted to communicate with the server.
The author of malwaretech.com has set up a live feed of this data: https://intel.malwaretech.com/WannaCrypt.html.
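Sinkhole telemetry of the kind that live feed is built from can be reproduced by a defender on their own DNS resolver logs. The following Python is an added example, not code from the original post or from malwaretech.com; it assumes constructed BIND-style query-log lines, parses them, and reports each source host that queried the kill-switch domain together with its first-seen time and query count.

```python
import re
from datetime import datetime

# The kill-switch domain named in the write-up above.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample of BIND-style query-log lines (not real sinkhole data).
SAMPLE_QUERY_LOG = """\
12-May-2017 07:24:01.120 client 203.0.113.10#51234: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (198.51.100.1)
12-May-2017 07:24:02.551 client 203.0.113.10#51240: query: www.example.org IN A + (198.51.100.1)
12-May-2017 07:25:17.003 client 203.0.113.44#40112: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (198.51.100.1)
12-May-2017 07:31:09.777 client 203.0.113.10#51301: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (198.51.100.1)
12-May-2017 07:40:55.200 client 198.51.100.7#33333: query: update.example.net IN AAAA + (198.51.100.1)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)

def parse_line(line):
    """Return (timestamp, source_ip, qname) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    # Normalise: DNS names are case-insensitive and may carry a trailing dot.
    qname = m.group("qname").rstrip(".").lower()
    return ts, m.group("src"), qname

def kill_switch_hits(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each source IP that queried the kill-switch domain to
    (first_seen, query_count); a hit suggests the host executed the sample."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, qname = parsed
        if qname != domain:
            continue
        first, count = hits.get(src, (ts, 0))
        hits[src] = (min(first, ts), count + 1)
    return hits

if __name__ == "__main__":
    for src, (first, count) in kill_switch_hits(SAMPLE_QUERY_LOG).items():
        print(f"{src}: first seen {first:%Y-%m-%d %H:%M:%S}, {count} queries")
```

A host appearing in this output resolved the kill-switch name and so is worth isolating and checking for the MS17-010 patch, whether or not the query succeeded.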
Analysts began seeing scans against honeypots at around 05:00 on May the 12th 2017, with Cisco Umbrella researchers observing requests starting at 07:24 UTC (Chiu, 2017).
While the exact motive of the WCry attack is unknown, ransomware as a whole is a profitable venture. The ransom is $300, with 3 days to pay before it doubles to $600. Finally, after seven days the files are deleted (Hunt, 2017). The ransom note also states “We will have free events for users who are so poor that they cannot pay in 6 months”. The ransomware references three bitcoin addresses; their balances as of 14:00 on 13/05/2017 were:
- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 – 4.44680459 BTC ≈ $7707.56
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw – 5.80461565 BTC ≈ $10061.02
- 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn – 3.09654389 BTC ≈ $5367.18