The Who, What, Where, When, and Why of WCry

WCry infects the University of Milano-Bicocca
WCry at The University of Milano-Bicocca | Photo Credit @dodicin

Security professionals from across the world have been writing up commentaries of the recent WCry ransomware. The below breaks this down in under 600 words.

The Who

While the current actors behind WCry are unknown it is the second iteration of ransomware known as WanaCrypt0r that was spotted in February 2017 (Blog.avast.com, 2017), asking victims to pay 0.1 Bitcoins for their files to be de-crypted (Hern and Gibbs, 2017). This ransomware is possible due to a vulnerability that was disclosed publicly by a group known as ‘The Shadow Brokers’ that stated it was a known vulnerability that the National Security Agency in the United states were aware of for some time. They referred to the vulnerability that allowed the ransomware to spread as “ETERNALBLUE“, an SMBv2 exploit (Hunt, 2017). While the Shadow Brokers released this vulnerability it is unlikely that they are connected to the ransomware and instead it is more probable that it is connected to an opportunistic hacking group. 

A patch has existed since March 14th 2017 for the ETERNALBLUE vulnerability, labelled MS17-010 by Microsoft.

The What

WCry also referred to as WannaCry and Wana Decrypt0r (Patel, 2017). Its a piece of ransomware that propagates from infected machines after scanning over TCP port 445 (Server Message Block/SMB). Before leveraging ETERNALBLUE for the initial exploitation WCry first scans accessible hosts for the presence of DOUBLEPULSAR, a persistent backdoor. If it does not spot the backdoor it will use the ETERNALBLUE SMB vulnerability. This causes the worm like activity as it spreads from host to host (Chiu, 2017). At the moment one of the confirmed initial infection vectors for the ransomware is the usage of the ETERNALBLUE exploit directly on hosts which have SMB directly exposed to the internet (Fox-IT International blog, 2017).

The author of malwaretech.com soon after analyzing the ransomware discovered that the ransomware routinely tried to communicate with the sudo-random web domain: ‘iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com’. Soon after realizing this he registered the domain as a sink hole.

“Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which i promptly registered.” – malwaretech.com

After this website was registered it was then discovered that if the ransomware could communicate with the host name it would exit but until the name was registered it continued to execute (Hunt, 2017). This is referred to as a Kill Switch domain. That being the case however a simple change to the ransomware code would allow this to be circumvented and for it to continue to propagate.

The Where

New York Times heat map (Pearce, 2017)

Some of the largest organisations effected include Telefonica in Spain, the National Health Service in the UK, and FedEx in the US (Chiu, 2017). After registering the above URL it was possible to view the hosts that attempted to communicate with the server.

The author of malwaretech.com has set up a live feed of this data:  https://intel.malwaretech.com/WannaCrypt.html.

The When

Analysts began seeing scans against honeypots at around 05:00 on May the 12th 2017, with Cisco Umbrella researchers observing requests starting at 07:24 UTC (Chiu, 2017).

Cisco Umbrella – (Malwaretech.com, 2017)

The Why

While the exact motive of the WCry attack is unknown ransomware as a whole is a profitable venture. The ransom is $300 with 3 days to pay before it doubles to $600. Finally after seven days the files are deleted (Hunt, 2017). It also states on the ransom note “We will have free events for users who are so poor that they cannot pay in 6 months”. There is reference to three bitcoin addresses in the ransomware (14:00 on 13/05/2017).

  1. 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 – 4.44680459 BTC ≈ $7707.56
  2. 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw – 5.80461565 BTC ≈ $10061.02
  3. 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn –  3.09654389 BTC ≈ $5367.18
References
Blog.avast.com. (2017). Ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far, today. [online] Available at: https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today [Accessed 13 May 2017]. Chiu, A. (2017). Player 3 Has Entered the Game: Say Hello to 'WannaCry'. [online] Blog.talosintelligence.com. Available at: http://blog.talosintelligence.com/2017/05/wannacry.html [Accessed 13 May 2017]. Fox-IT International blog. (2017). Massive outbreak of ransomware variant infects large amounts of computers around the world. [online] Available at: https://blog.fox-it.com/2017/05/12/massive-outbreak-of-ransomware-variant-infects-large-amounts-of-computers-around-the-world/ [Accessed 13 May 2017]. Hern, A. and Gibbs, S. (2017). What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS?. [online] the Guardian. Available at: https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20 [Accessed 13 May 2017]. Hunt, T. (2017). Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware. [online] Troy Hunt. Available at: https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/ [Accessed 13 May 2017]. Malwaretech.com. (2017). How to Accidentally Stop a Global Cyber Attacks | MalwareTech. [online] Available at: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html [Accessed 13 May 2017]. Patel, A. (2017). WCry: Knowns And Unknowns. [online] News from the Lab. Available at: https://labsblog.f-secure.com/2017/05/13/wcry-knowns-and-unknowns/ [Accessed 13 May 2017]. Pearce, J. (2017). Animated Map of How Tens of Thousands of Computers Were Infected With Ransomware. [online] Nytimes.com. Available at: https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html [Accessed 13 May 2017].

    James Stevenson

    Im a Cyber Security enthusiast that loves all things to do with technology. I'm specifically interested in cyber security and ethical hacking.

    You may also like...