Technical Analysis and Overview of WannaCry Ransomware
A recent ransomware outbreak, termed “WannaCry”, differs from the usual traditional ransomware. It possesses worm-like features and uses the EternalBlue exploit, which targets the Microsoft Windows SMB Server vulnerability (MS17-010). It scans for vulnerable computers over the network and then attacks them directly, rather than relying on the usual ransomware scenario of phishing mails or drive-by-download URLs to perform the infection. The important point to note is that the ransomware encrypts the initially infected system and then spreads across the network by exploiting the SMB vulnerability.
Malware propagation and execution flow
Components of the Malware
WannaCry ransomware comes as a package of 4 different components:
- Carrier/dropper worm, which can reach the victim machine either through the regular methods of phishing and infected hyperlinks or from other infected systems. It contains the kill switch, the second-stage dropper and the spreading mechanism that exploits the SMB vulnerability. More details are given below.
- Ransomware dropper, which runs as a service, started either by the worm or by itself, and contains a password-protected archive named XIA in its resource section.
- Decryptor, which is dropped from the mentioned resource, shows the end-user message and demands payment.
- Ransomware (t.wnry), the encrypted blob inside the archive, which is decrypted by the dropper and executes the payload.
[Figure 3: Ransomware component]
It was observed that the sample first checks the kill switch domains “hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com” and “ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com”; if a domain is found active, the sample does not execute its malicious behaviour.
The malware also checks for the mutex (MsWinZonesCacheCounterMutex); if it is found, the malware does not infect the same machine a second time. This avoids multiple infections and, in turn, multiple generations of the private key.
The malware contains the Bitcoin addresses shown below and displays one of them, chosen at random, on each infected machine at the time of infection.
The file then extracts its contents using the password “WNcry2ol7”, drops all files with hidden attributes, and grants everyone access to the files with the “icacls_grant_everyone” command as shown below:
The contents of the archive are detailed below:
The process tree from our lab, showing the execution of the sample through full encryption and the display of the user warning message, is shown below:
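The kill-switch lookup, the mutex check and the icacls grant described above are all observable from host telemetry. The following is an added detection example, not code from the original analysis; it assumes a constructed log format (DNS, MUTEX and PROC lines with `host=` and one value field) and uses the kill-switch domains and mutex name from the analysis plus the icacls /grant Everyone:F command line WannaCry runs on its dropped files.

```python
import re

# Indicators from the analysis above; the icacls pattern matches the grant-everyone
# command the dropper runs on its working directory.
KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
}
MUTEX_MARKER = "MsWinZonesCacheCounterMutex"   # substring match also catches suffixed variants
ICACLS_RE = re.compile(r"icacls\s+\S+\s+/grant\s+Everyone:F", re.I)

# Constructed telemetry format: "<KIND> host=<name> <field>=<value>"
LINE_RE = re.compile(r"^(?P<kind>\w+) host=(?P<host>\S+) \w+=(?P<value>.*)$")

def classify(line):
    """Return (host, indicator label) for a matching telemetry line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, host, value = m.group("kind", "host", "value")
    if kind == "DNS" and value.lower().rstrip(".") in KILL_SWITCH_DOMAINS:
        return (host, "kill-switch domain lookup")
    if kind == "MUTEX" and MUTEX_MARKER in value:
        return (host, "WannaCry mutex created")
    if kind == "PROC" and ICACLS_RE.search(value):
        return (host, "icacls grant Everyone on dropped files")
    return None

def triage(lines):
    """Group indicator labels per host, preserving the order they were seen."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result:
            host, label = result
            hits.setdefault(host, []).append(label)
    return hits

def payload_executed(hits):
    """Hosts where more than the kill-switch probe was seen: the lookup alone means
    the worm reached the host, mutex or icacls activity means the payload ran."""
    return sorted(h for h, labels in hits.items()
                  if any(l != "kill-switch domain lookup" for l in labels))

# Constructed sample log; hosts and event order are made up for the example.
SAMPLE_LOG = """\
DNS host=ws-17 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
DNS host=ws-17 query=update.microsoft.com
MUTEX host=ws-42 name=MsWinZonesCacheCounterMutexA
PROC host=ws-42 cmd=icacls . /grant Everyone:F /T /C /Q
PROC host=ws-42 cmd=attrib +h .
DNS host=ws-09 query=ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com
""".splitlines()

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_LOG).items():
        print(host, labels)
```

A kill-switch lookup from a host that then shows no mutex or icacls activity is still worth investigating, since it means the worm component reached and ran on that machine.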
Though WannaCry has had more reach than any other ransomware in terms of infections and global penetration, it is noteworthy that the actual profit generated by the ransomware is rather “low” compared to much less known predecessors such as Sage. As of 23 May 2017, the following Bitcoin transactions have been traced to the wallets used by the ransomware:
As of today, the revenue generated through the wallets used by the ransomware is $106343.63. This raises the question of whether this piece of malware really had the sole intention of earning quick revenue or, more importantly, whether this is the tip of the iceberg, with far more virulent variants to come. As of now, the relative immaturity of the code, combined with a simple kill switch and almost no obfuscation, points to a quickly assembled piece of malware intended to cash in on the EternalBlue exploit.