WannaCry Ransomware Spreads Across the Globe, Makes Organizations Wanna Cry About Microsoft Vulnerability – Security Intelligence (blog)
On Friday, May 12, 2017, the world was alarmed to discover that cybercrime had achieved a new record. In a widespread ransomware attack that hit organizations in more than 100 countries within the span of 48 hours, the operators of malware known as WannaCry/WanaCrypt0r 2.0 are believed to have caused the biggest attack of its kind ever recorded.
Perhaps more than anything else, this ransomware onslaught is a resounding reminder of security basics, especially when it comes to Microsoft product patching. Those who applied the critical Microsoft Windows patches released in March were protected against this attack. Another basic protection is the possession of current, offline backups of data. For ransomware attacks like this one, having a viable backup will enable a successful incident response, leaving attackers high and dry and unable to collect money for their evil doings.
What is WannaCry?
WannaCry, WanaCrypt, or Wcry for short, is ransomware that works like other malware of its type, with a few intricacies that highlight the sophistication of its operators.
First, the malware uses exploits that were supposedly leaked by a group that calls itself “ShadowBrokers.” The result of leaking exploits very often gives rise to malicious actors who use them for their nefarious purposes – which is what happened in this case.
Second, the malware uses strong, asymmetric encryption, employing the RSA 2048-bit cipher to encrypt files. Using this method is considered relatively slow when compared to symmetric encryption, but it is very strong and virtually impossible to break.
Third, the malware’s architecture is modular; a feature known to be used in legitimate software, but also in complex malware projects like banking Trojans. Most ransomware is not modular, but rather simplistic, and carries out its tasks without any modularity. What this means is that the authors behind Wcry are more likely to be a group of people, more than just one developer, and even possibly one of the organized cybercrime gangs that distribute malware like Dridex and Locky.
Bottom line, we are not dealing with amateurs. This widespread attack is of high severity, and although the vulnerability being exploited by the attackers should have been patched a while back, many organizations have been hit and the count keeps rising.
Basic Technical Details
The Wcry outbreak started showing up on May 12, 2017, but in reality, it relies on a number of elements that have been around for a while, and even gave a sneak preview a week ago when it showed up in Trojan.Win32.CryptoFF attacks in Peru.
One of the ways by which WCry mass-spreads to unsuspecting users is through indiscriminate email spam. The messages may use common ploys such as fake invoices, delivery notices, or some alarming note urging the recipient to open a .zip file attached to the message. When the recipient launches the file, the Wcry infection deployment begins.
Worming Through SMB
Wcry’s propagation method includes port scanning of potential hosts over TCP port 445, which is where the Server Message Block (SMB) network communications protocol takes place. Wcry targets this application-layer protocol to help it spread like a worm. SMB is designed to enable access to shared directories, files, printers, and serial ports, among other resources.
To find its way into new endpoints and networks, the Wcry malware leverages two SMB-exploitation modes borrowed from the ShadowBrokers exploit leak. It starts by trying to get through using an existing backdoor called DoublePulsar. If that backdoor does not exist, it launches a new exploit on the target using what’s known as EternalBlue.
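The worm-like behaviour described above (one host opening TCP 445 to many neighbours in a short time, then spraying external addresses) is what a network-monitoring team would look for in flow or firewall logs. The following is an added example, not code from the article or from IBM X-Force: it runs two simple detections over a constructed set of connection records, flagging a source that reaches at least ten distinct hosts on port 445 within a one-minute window, and listing any internal host that talks SMB to an address outside RFC 1918 space. The log format, the threshold and the sample addresses are assumptions for the illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of connection-log lines: "timestamp src_ip dst_ip dst_port".
# These records are made up for illustration and are not data from the article.
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.5.17 10.0.5.20 445
2017-05-12T10:00:02 10.0.5.17 10.0.5.21 445
2017-05-12T10:00:02 10.0.5.17 10.0.5.22 445
2017-05-12T10:00:03 10.0.5.17 10.0.5.23 445
2017-05-12T10:00:03 10.0.5.17 10.0.5.24 445
2017-05-12T10:00:04 10.0.5.17 10.0.5.25 445
2017-05-12T10:00:05 10.0.5.17 10.0.5.26 445
2017-05-12T10:00:05 10.0.5.17 10.0.5.27 445
2017-05-12T10:00:06 10.0.5.17 10.0.5.28 445
2017-05-12T10:00:06 10.0.5.17 10.0.5.29 445
2017-05-12T10:00:07 10.0.5.17 10.0.5.30 445
2017-05-12T10:00:07 10.0.5.17 198.51.100.8 445
2017-05-12T10:00:10 10.0.5.40 10.0.5.2 445
2017-05-12T10:00:11 10.0.5.40 10.0.5.2 445
2017-05-12T10:00:12 10.0.5.40 10.0.5.3 445
2017-05-12T10:01:00 10.0.5.41 10.0.5.2 80
"""

# Address ranges treated as "internal" (RFC 1918); anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (timestamp, src, dst, dst_port) tuples from the simple log format."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)


def find_smb_scanners(text, window=timedelta(minutes=1), threshold=10, port=445):
    """Return {src: distinct_destinations} for every source that contacts at least
    `threshold` distinct hosts on the SMB port inside any sliding `window`."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        if dport == port:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


def external_smb_targets(text, port=445):
    """Return {src: {external_dst, ...}} for internal hosts that open SMB connections
    to non-RFC 1918 addresses; outbound SMB to the Internet is almost never legitimate."""
    out = defaultdict(set)
    for _, src, dst, dport in parse_flows(text):
        if dport == port and is_internal(src) and not is_internal(dst):
            out[src].add(dst)
    return dict(out)


if __name__ == "__main__":
    print("SMB scanners:", find_smb_scanners(SAMPLE_FLOWS))
    print("External SMB targets:", external_smb_targets(SAMPLE_FLOWS))
```

In the sample, 10.0.5.17 touches twelve distinct hosts on port 445 within seven seconds and one of them is external, so both detections fire on it; 10.0.5.40 talks to two file servers and is left alone. Thresholds need tuning against a baseline, since vulnerability scanners and backup servers legitimately open many SMB sessions.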
Knocking on the DoublePulsar Backdoor
A backdoor dubbed “DoublePulsar” is a previously known, persistent backdoor that can infect endpoints to provide unauthorized access to its operators. This kernel-mode payload does not “do” much, but it is the basis of other exploits. It enables a remote attacker to send malware into the target endpoint, and execute it without the owner’s knowledge or permission.
DoublePulsar’s ability to open the backdoor and inject arbitrary DLLs into the user-mode process zones relies on exploitation of the SMB protocol. It was allegedly an NSA tool that was leaked by ShadowBrokers in April 2017, and by the time it was out for about two weeks, DoublePulsar was already found on over 36,000 infected endpoints across the globe.
Gloomy Malcode: EternalBlue and WannaCry
EternalBlue is yet another part of the same exploitation framework that includes DoublePulsar. Within the Wcry attack context, it is an exploit designed to scan servers for the presence of DoublePulsar, and if none is found, it is used as the initial exploit to compromise the system and install the Wcry ransomware.
The malware scans the local area network, then starts spraying seemingly random external IPs with the exploit code.
Once it is in, the Wcry ransomware drops and launches a Tor client on the infected machine to anonymize its communications with the attacker’s servers. Ransomware variants like the CTB-Locker, aka Critroni, made this trend popular among ransomware operators starting in 2014. Overall, using Tor helps the criminals hide their attack infrastructure, and prevent the interception of encryption keys or Bitcoin payment confirmations that the victim’s endpoint would send.
The malware fetches and drops a number of different executable files on the infected endpoint. Each of those carries out a different function. The essential part is the encryption of the victim’s data, which is carried out by a file called tasksche.exe.
The encryption encompasses 160 different file extensions to make sure that all the data is hijacked. WCry appends the .wcry/.wncry extension to the files it encrypts.
To make sure that the user can’t access previous copies, the malware deletes all shadow copies from the endpoint by using WMIC.exe, vssadmin.exe and cmd.exe. This action is considered common for ransomware codes.
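Because shadow-copy deletion is common to so many ransomware families, it is one of the most reliable host-based signals a detection team can write. The following is an added example, not code from the article or from IBM: it runs a small rule set over constructed process-creation events (a simplified Sysmon-style record of timestamp, host, parent image, image and command line) and raises an alert whenever a command line invokes vssadmin or WMIC to delete Volume Shadow Copies, while leaving harmless uses such as `vssadmin list shadows` alone. The event format, host names and the C:\Users\bob path are assumptions; tasksche.exe is the dropper name given in the article.

```python
import ntpath
import re

# Constructed sample events in the form "timestamp|host|parent_image|image|command_line".
# Made-up data for illustration; not telemetry from the article.
SAMPLE_EVENTS = r"""
2017-05-12T09:58:10|WS-017|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
2017-05-12T09:58:44|WS-017|C:\Users\bob\tasksche.exe|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete
2017-05-12T09:58:45|WS-017|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2017-05-12T09:58:46|WS-017|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
2017-05-12T10:02:00|WS-022|C:\Windows\System32\services.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
"""

# Rules are (name, case-insensitive regex) pairs matched against the full command line,
# so a single cmd.exe /c line that chains several tools is still caught.
SHADOW_DELETION_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]


def parse_event(line):
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def detect_shadow_copy_deletion(events_text):
    """Return one alert dict per event whose command line destroys shadow copies."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        rules = [name for name, rx in SHADOW_DELETION_RULES if rx.search(ev["cmdline"])]
        if rules:
            alerts.append({
                "ts": ev["ts"],
                "host": ev["host"],
                "image_name": ntpath.basename(ev["image"]),
                "parent_name": ntpath.basename(ev["parent"]),
                "rules": rules,
                "cmdline": ev["cmdline"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']} {alert['parent_name']} -> "
              f"{alert['image_name']}: {alert['rules']}")
```

The parent process is kept in the alert on purpose: a deletion launched by an unknown executable in a user profile, as in the second sample line, deserves a far higher severity than the same command typed by an administrator from a console. On the response side, these alerts are the moment to isolate the host, since the encryption routine usually follows immediately.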
Display Ransom Note
Unlike most ransomware that uses an image to display the ransom note to the infected users, Wcry uses an executable file. That file is not the malware, it is a simple program that displays the note to the victim.
The image displayed to each victim depends on their IP address mapping to the country they are located in. The malware’s authors have adapted numerous different language formats to Wcry; those are often reported as machine translated and rather clunky in terms of syntax.
To make sure the victim sees the ransom note immediately, it places it as the foremost window on the desktop by using SetForegroundWindow().
In some of the instances, X-Force researchers noticed that the malware included a tool that changes the victim’s desktop wallpaper with instructions on how to find the decrypting tool dropped by the malware.
Current State of Affairs
So far, Wcry is known to have hit hospitals, rail systems, telecommunications, and courier services, but many other organizations and individuals have been hit as well.
On the victims’ side, the outbreak has hit critical infrastructure in some countries, like Germany and Russia, and in the UK, the healthcare sector received a hard hit that goes way beyond disabling hospitals. Hospitals in the country had to turn away patients, reroute ambulances, and reschedule surgeries and appointments, and emergency services were paralyzed, all of which will take a toll on operations for some time. With the number of affected systems, incident response and remediation are unlikely to be complete for a while.
According to reports, the geographical spread of Wcry at this time is most prevalent in Russia. Other constituents on the top ten list of the targeted geographies are Ukraine and India – countries where it could be more common to find older, unpatched versions of Windows in use. Europol has indicated that the attack is of unprecedented scope.
At the time of this writing, more than 130,000 systems in over 100 countries were already compromised. If over 130k endpoints have been reported as infected, and victims chose to pay up at $300 to unlock each device, the ransom would amount to over $39M. Keep in mind this is the conservative case. Wcry ransom demands may start at $300, but they increase to $400 after two hours, then $500, and then $600 per endpoint.
The Wcry ransom note contains a compassionate message towards those who can’t afford to pay up. The malware’s operators claim they would unlock the files for free – after a six-month period!
At the time of this writing, Bitcoins trickle in to the attacker’s wallets, showing about 19 BTC, or about $34,000, accumulating but remaining untouched. It is likely law enforcement agencies are closely watching the wallets and their trail in order to find a potential link to their criminal owners.
Don’t Help Crime Pay
IBM X-Force research can see that the Bitcoin wallet payments associated with Wcry samples keep seeing new payments trickle in.
It is important to note that paying the criminals funds these types of attacks, and victims are highly discouraged from paying.
At this time, many Windows servers and workstations are still potentially vulnerable, which means that Wcry may still have ground to cover in the coming week.
To mitigate the threat, organizations should ensure that the relevant patches are urgently deployed across their entire infrastructure where the Windows OS is used. Microsoft has issued an emergency patch that can be viewed here.
In addition, it is recommended to block SMB ports, particularly TCP ports 139 and 445, from external hosts, along with UDP ports 137 and 138, from the local network to the WAN.
Verify that outbound connections to TCP ports 139 and 445 are prohibited by running the following commands from any server with Netcat installed:
- nc smbcheck.rsec.us 139
- nc smbcheck.rsec.us 445
For further control, consider disabling SMBv1 and SMBv2 and only permitting SMBv3 connections by policy on clients.
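The Netcat commands above answer a yes/no question; when the verification is scripted across many servers it helps to distinguish a connection that was dropped by a firewall (the desired outcome) from one that reached the remote host and was merely refused, or from a hostname that did not resolve. The following is an added example, not code from the article or from IBM: a small Python egress check that performs the same outbound test against TCP 139 and 445 and classifies the result. It assumes, as the article's commands do, that smbcheck.rsec.us is listening on those ports; any other host and port list can be passed in.

```python
import socket


def tcp_egress_status(host, port, timeout=3.0):
    """Attempt one outbound TCP connection and classify what happened.

    'open'       connection succeeded: SMB egress is NOT filtered (the finding to fix)
    'refused'    the remote host answered with a reset: the packet left the network,
                 only the service was absent, so egress is still NOT filtered
    'unresolved' the hostname did not resolve; the test itself is inconclusive
    'blocked'    timeout or other network error: a firewall is dropping the traffic
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes socket.timeout, "network unreachable", etc.
        return "blocked"


def check_smb_egress(host, ports=(139, 445), timeout=3.0):
    """Return {port: status} for each SMB port; every value should read 'blocked'."""
    return {port: tcp_egress_status(host, port, timeout) for port in ports}


def egress_is_filtered(results):
    """True only if no port reached the remote side (open or refused both mean it did)."""
    return all(status in ("blocked", "unresolved") for status in results.values()) \
        and "blocked" in results.values()


if __name__ == "__main__":
    # Host taken from the article's Netcat check; run this from inside the network
    # whose perimeter you are verifying.
    results = check_smb_egress("smbcheck.rsec.us")
    for port, status in results.items():
        print(f"TCP {port}: {status}")
    print("SMB egress filtered:", egress_is_filtered(results))
```

A result of "open" or "refused" on either port means the perimeter is letting SMB out and the firewall rule still needs work; an "unresolved" result says nothing about the firewall and the test should be repeated with a reachable host.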
Wcry’s ‘Kill Switch’ Was Removed
Wcry is spreading at an alarming rate, and while it was temporarily slowed down by the accidental discovery of a kill switch, that part of its code has already been removed.
The kill switch was based on the ransomware contacting a hardcoded domain before installing on the endpoint. That domain was not registered by the criminal, and was therefore snatched by a security researcher who found it, effectively turning it into a sinkhole.
Consider enabling access to the sinkhole domain from your corporate endpoints. It is possible that employees who got infected over the weekend will carry in those older samples on Monday morning, and if the domain is reachable, the malware will not activate on those endpoints. The domain name is:
Remember that the criminals behind these attacks have already removed the kill switch, and not all samples contained it from the get-go. Make sure your environment is fully patched and expect Wcry this week. Another point about the kill switch: keep in mind that the domain check only works on systems that are directly connected to the Internet. Hence, if the endpoint proxies its traffic, the kill switch won’t work and the ransomware will run. This could mean that the attacker’s idea was to hit corporate networks, where endpoint traffic is usually proxied, and halt on those that are most likely consumer devices.
More detailed advice should be sought from your security vendor. IBM Security customers can turn to their contacts for mitigation instructions or incident response requirements.
Ransomware is an Ominous Global Problem
The ransomware threat is not new, nor novel. It is a type of malicious software that infiltrates an endpoint with the purpose of encrypting all the files on it, and then demanding a ransom payment to release them back to their rightful owner. The threat traces back to 1989 when it first emerged on floppy disks sent to unsuspecting computer owners. It has gained disproportionate momentum since 2014 along with the rise of cryptocurrencies used across the globe, which give cybercriminals a way to demand payment from anyone while keeping themselves anonymous.
Ransomware was the most prevalent online threat in 2016, with over 40,000 attacks per day at times, and reaching well over 65% of all spam messages that carry malicious payloads. IBM X-Force researchers tracking spam trends noted that the rise in ransomware spam in 2016 reached an exorbitant 6000%, going from 0.6% of spam emails in 2015 to an average of 40% of email spam in 2016. The situation in 2017 is only worsening.
The FBI and international law enforcement have been issuing alerts about this threat. The FBI estimated that ransomware is on pace to become a $1 billion source of income for cybercriminals by the end of 2016, a number that is expected to continue to rise in 2017.
Protecting Your Organization with IBM
For information on using your IBM products to defend your infrastructure from the Wcry threat, please browse to our special mitigation collection on X-Force Exchange.