All Windows versions before Windows 10 are vulnerable to the WannaCry (also known as WannaCrypt, WanaCrypt0r, WCrypt or WCRY) ransomware if not patched for MS17-010.
The ransom is between $300 and $600; the malware contains code to delete files, so the threat is not an empty one.
The worm loops through every RDP session on a system to run the ransomware as that user; it also installs the DOUBLEPULSAR backdoor and corrupts shadow volumes to make recovery harder.
If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com in the b9318a66 version) is up, the virus exits instead of infecting the host. The domains have been sink-holed, stopping the spread of the ransomware worm.
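Because the sinkholed domain acts as a kill switch, a DNS lookup of either name tells a defender that the sample ran on that host, and whether the lookup succeeded separates hosts where the sample should have exited from hosts where the check failed and encryption presumably proceeded. The triage script below is an added example, not part of the original write-up; the log format (timestamp, client IP, query name, response code) and the log lines are constructed.

```python
import re

# The two kill-switch domains named in the write-up: the original sample's
# and the one used by the b9318a66 variant.
KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
}

# Constructed log format for this example: "<timestamp> <client-ip> <qname> <rcode>".
# Adapt the regex to the resolver's real log format before using it.
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

RESOLVED = "resolved"      # sinkhole answered: the sample should have exited
UNRESOLVED = "unresolved"  # lookup failed: kill switch missed, encryption likely ran

def classify_hosts(log_lines):
    """Map each client that queried a kill-switch domain to a verdict.

    An NXDOMAIN/SERVFAIL (or a blocked resolver) means the sample could not
    reach the sinkhole, which is the case that needs urgent response, so an
    unresolved lookup is never overwritten by a later successful one."""
    verdicts = {}
    for line in log_lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # malformed line; skip it rather than abort the whole run
        _ts, client, qname, rcode = match.groups()
        if qname.lower().rstrip(".") not in KILL_SWITCH_DOMAINS:
            continue
        verdict = RESOLVED if rcode.upper() == "NOERROR" else UNRESOLVED
        if verdicts.get(client) != UNRESOLVED:
            verdicts[client] = verdict
    return verdicts

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2017-05-12T10:01:02Z 10.0.0.5 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR",
    "2017-05-12T10:01:03Z 10.0.0.7 ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com NXDOMAIN",
    "2017-05-12T10:01:04Z 10.0.0.9 example.com NOERROR",
    "2017-05-12T10:01:05Z 10.0.0.7 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR",
    "malformed",
]

if __name__ == "__main__":
    for host, verdict in sorted(classify_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {verdict}")
```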
It uses the ETERNALBLUE exploit for the MS17-010 vulnerability to propagate; the exploit was developed by the Equation Group (closely tied to the NSA) and leaked by the Shadow Brokers.
The binary blob in the PE is encrypted with the password WNcry@2ol7; you can use 7z to extract the files:
$ 7z x wannacry.exe -pWNcry@2ol7 > /dev/null
The archive contains the following files:
b.wnry c17170262312f3be7027bc2ca825bf0c
c.wnry ae08f79a0d800b82fcbe1b43cdbdbefc
r.wnry 3e0020fc529b1c2a061016dd2469ba96
t.wnry 5dcaac857e695a65f5c3ef1441a73a8f
taskdl.exe 4fef5e34143e646dbf9907c4374276f5
taskse.exe 8495400f199ac77853c53b5a3f278f3e
u.wnry 7bf2b57f2a205768755c07f238fb32cc
m_bulgarian.wnry 95673b0f968c0f55b32204361940d184
m_chinese (simplified).wnry 0252d45ca21c8e43c9742285c48e91ad
m_chinese (traditional).wnry 2efc3690d67cd073a9406a25005f7cea
m_croatian.wnry 17194003fa70ce477326ce2f6deeb270
m_czech.wnry 537efeecdfa94cc421e58fd82a58ba9e
m_danish.wnry 2c5a3b81d5c4715b7bea01033367fcb5
m_dutch.wnry 7a8d499407c6a647c03c4471a67eaad7
m_english.wnry fe68c2dc0d2419b38f44d83f2fcf232e
m_filipino.wnry 08b9e69b57e4c9b966664f8e1c27ab09
m_finnish.wnry 35c2f97eea8819b1caebd23fee732d8f
m_german.wnry 3d59bbb5553fe03a89f817819540f469
m_greek.wnry fb4e8718fea95bb7479727fde80cb424
m_indonesian.wnry 3788f91c694dfc48e12417ce93356b0f
m_italian.wnry 30a200f78498990095b36f574b6e8690
m_japanese.wnry b77e1221f7ecd0b5d696cb66cda1609e
m_korean.wnry 6735cb43fe44832b061eeb3f5956b099
m_latvian.wnry c33afb4ecc04ee1bcc6975bea49abe40
m_norwegian.wnry ff70cc7c00951084175d12128ce02399
m_polish.wnry e79d7f2833a9c2e2553c7fe04a1b63f4
m_portuguese.wnry fa948f7d8dfb21ceddd6794f2d56b44f
m_romanian.wnry 313e0ececd24f4fa1504118a11bc7986
m_russian.wnry 452615db2336d60af7e2057481e4cab5
m_slovak.wnry c911aba4ab1da6c28cf86338ab2ab6cc
m_spanish.wnry 8d61648d34cba8ae9d1e2a219019add1
m_swedish.wnry c7a19984eb9f37198652eaf2fd1ee25c
m_turkish.wnry 531ba6b1a5460fc9446946f91cc8c94b
m_vietnamese.wnry 8419be28a0dcec3f55823620922b00fa
The contents are as follows:
- b.wnry – Ransom desktop wallpaper.
- c.wnry – Configuration file containing C2 server addresses, Bitcoin wallet, etc.
- r.wnry – Ransom note.
- s.wnry – ZIP archive containing the Tor client.
- t.wnry – The encryption part of the ransomware, encrypted using a WannaCry-specific format; can be decrypted using the private key embedded inside the ransomware executable.
- u.wnry – Decrypter executable.
- taskdl.exe – Deletes all temporary files created during encryption.
- taskse.exe – Runs a given program in all user sessions.
- msg directory – Language files.
Cryptography
- Each infection generates a new RSA-2048 key-pair.
- The public key is exported as a blob and saved to 00000000.pky.
- The private key is encrypted with the ransomware public key and saved as 00000000.eky.
- Each file is encrypted using AES-128-CBC, with a unique AES key per file.
- The AES key is encrypted using the infection-specific RSA key-pair.
The malware first tries to open 00000000.dky; if it is available, it imports the key into a CryptoAPI object. Presumably this would be the decryption key from the ransomware authors.
If it cannot open the *.dky file, it generates a new 2048-bit RSA key pair. The public key is exported as a blob and saved to 00000000.pky. The private key is exported as a blob and encrypted with the ransomware public key before being saved to 00000000.eky.
The RSA public key used to encrypt the user's RSA key pair is embedded inside the DLL. The AES-128 key generated for each file is derived from CryptGenRandom, which is cryptographically secure and is not known to have any weakness.
The AES keys are encrypted using the user's public key in *.pky. To decrypt, the user's private key is needed, which is itself encrypted using a public key owned by the ransomware authors.
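The 00000000.pky file is what CryptoAPI's CryptExportKey produces for the PUBLICKEYBLOB type: an 8-byte BLOBHEADER, a 12-byte RSAPUBKEY structure ("RSA1" magic, bit length, public exponent) and the modulus in little-endian byte order. The parser below is an added example, not code from the write-up, for pulling the per-infection modulus and exponent out of such a blob during triage; the key it is exercised on is a constructed 64-bit toy key, whereas a real .pky carries a 2048-bit modulus (20 header bytes plus 256 modulus bytes).

```python
import struct

# Field values from the Microsoft CryptoAPI key-blob layout (BLOBHEADER + RSAPUBKEY).
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352  # the bytes "RSA1" read as a little-endian DWORD
HEADER_LEN = 8 + 12      # BLOBHEADER (8 bytes) + RSAPUBKEY (12 bytes)

def build_publickeyblob(modulus: int, exponent: int, bitlen: int) -> bytes:
    """Serialise an RSA public key the way CryptExportKey(PUBLICKEYBLOB) does.
    Included only so the parser can be exercised offline on a constructed key."""
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, exponent)
    return header + rsapubkey + modulus.to_bytes(bitlen // 8, "little")

def parse_publickeyblob(blob: bytes) -> dict:
    """Return {'bitlen', 'exponent', 'modulus'} from a PUBLICKEYBLOB such as
    WannaCry's 00000000.pky; raise ValueError for anything else (including a
    PRIVATEKEYBLOB, whose type byte is 0x07 and whose magic is 'RSA2')."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, version, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PUBLICKEYBLOB or version != CUR_BLOB_VERSION:
        raise ValueError(f"not a v2 PUBLICKEYBLOB (bType={btype:#x}, bVersion={version})")
    if alg != CALG_RSA_KEYX:
        raise ValueError(f"unexpected aiKeyAlg {alg:#x}")
    magic, bitlen, exponent = struct.unpack_from("<III", blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError("missing RSA1 magic")
    if bitlen % 8 or len(blob) != HEADER_LEN + bitlen // 8:
        raise ValueError(f"blob length does not match bitlen {bitlen}")
    modulus = int.from_bytes(blob[HEADER_LEN:], "little")
    if modulus.bit_length() != bitlen:
        raise ValueError("modulus does not fill the advertised bit length")
    return {"bitlen": bitlen, "exponent": exponent, "modulus": modulus}

def is_publickeyblob(blob: bytes) -> bool:
    """Convenience check when walking a directory of recovered .pky/.eky files."""
    try:
        parse_publickeyblob(blob)
        return True
    except ValueError:
        return False

# Constructed toy key (64-bit modulus); a real 00000000.pky carries 2048 bits.
TOY_BLOB = build_publickeyblob(0xDEADBEEFCAFEF00D, 65537, 64)
```

The .eky file is the matching PRIVATEKEYBLOB encrypted under the authors' public key, so this parser will reject it until a valid 00000000.dky has been used to decrypt it.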
Command Centers
There are five Tor .onion addresses hardcoded in the malware:
- gx7ekbenv2riucmf.onion
- 57g7spgrzlojinas.onion
- xxlvbrloxvriy2c5.onion
- 76jdd2ir2embyv47.onion
- cwwnhwhlz52maqm7.onion
The malware does not use HTTP to communicate with the C2 servers; it uses a custom protocol.
Bitcoin addresses
There are three addresses hardcoded into the malware:
- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
- 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Variants
- 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
- 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
- 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
- ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06
Links
- Microsoft Security Bulletin MS17-010
- Say Hello to ‘WannaCry’
- Customer Guidance for WannaCrypt attacks
- Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool
- How to accidentally stop a global cyber attack
- Public MalwareTech botnet tracker
- Malware samples: 1, 2 and 3
- Protecting customers and evaluating risk
- YARA rules
- New variants detected
- The largest ransom-ware infection in History