WannaCry

 

The first version of WannaCry, also known as Wcry, WNCry, WanaCrypt0r, and Wana Decrypt0r, was discovered on February 10, 2017 by a Malwarebytes researcher. Not much was known about the variant except that it targeted Windows OS and appended .wcry to encrypted file names. On March 27, 2017, another security researcher discovered an active ransomware campaign using that variant to encrypt victims' files and posted the evidence on Twitter. It reportedly dropped a ransom note named !WannaCryptor!.bmp.

The second version of WannaCry emerged the morning of May 12, 2017 in an aggressive campaign that reportedly impacted networks in at least 99 countries and across several sectors. Initial victims included Spain's former state telecommunications company, Telefonica, and several NHS hospitals throughout the UK, forcing doctors to divert emergency patients to other facilities and cancel surgeries and other appointments. Patient medical details and appointment schedules, as well as internal VoIP phone lines and email accounts were rendered inaccessible to staff.

Initial reports suggested that a malicious email or Remote Desktop Protocol (RDP) compromise could have been the attack vector used by the hacker or group behind the campaign. However, one researcher discovered that instances of WannaCry were triggering emerging threat (ET) rule 2024218, linking the attack to the recently leaked ETERNALBLUE exploit allegedly used by the US National Security Agency (NSA) against a Microsoft Server Message Block (SMB) vulnerability that provides unfettered access to any computer running a Windows operating system. The link to this exploit was later confirmed by Spain's CERT team.

After learning about the SMB vulnerability, Microsoft issued a critical patch in Windows Security Update MS17-010 on March 14, 2017 to address the issue. However, it quickly became evident that many network administrators had not applied the patch as WannaCry ripped through networks with a seemingly worm-like capability, encrypting critical data files in its path. In addition to the ransomware executable, researchers reported seeing DOUBLEPULSAR, another NSA hacking tool, dropped onto infected systems. DOUBLEPULSAR is a Windows kernel Ring-0 exploit used as a "malware downloader" to download and install other malware. It was also leaked by the Shadow Brokers and used by an unknown threat actor in late April to infect over 36,000 computers across the globe. The threat that this exploit presents can also be mitigated by applying Windows Security Update MS17-010.

How It Works:

After a system is infected by WannaCry, the installer extracts a password-protected embedded zip file into the same folder that contains the installer. The contents of the zip file are then extracted and start up tasks are performed. It extracts a localized, language-specific version of the ransom note into the msg folder. WannaCry then downloads a TOR client and extracts it into the TaskData folder. It then executes a command to elevate privileges for the files in the folders of the ransomware's location. It terminates the processes associated with database servers and mail servers to encrypt databases and mail stores. WannaCry then encrypts targeted file types and appends .WNCRY to the file names. It stores a ransom note named @Please_Read_Me@.txt along with a copy of the @WanaDecryptor@.exe in every folder containing encrypted files. Next, WannaCry deletes Shadow Volume Copies, disables Windows startup recovery, and clears the Windows Server Backup history to prevent victims from restoring their files without paying the ransom. It is important to note that these commands require administrative privileges, so WannaCry displays a UAC prompt. If the victim clicks "yes" on the prompt, the file deletion process continues. If not, it may be possible for victims to recover their files from Shadow Volume Copies as the deletion process will not have completed. Next, the Wana Decrypt0r 2.0 ransom note lock screen is displayed. The screen includes a "Check Payment" button that, if clicked, will cause the ransomware to contact its C2 server to determine if the payment has been sent. It also features a "Contact Us" form that victims can use to ask the hacker questions. WannaCry demands a ransom payment of $300 worth of Bitcoin.

UPDATE: Due to a researcher's discovery of an unregistered domain name within the ransomware's source code that acted as a kill-switch, the spread of the WannaCry infection may have been stopped. Upon discovery, the researcher registered the domain name and, by doing so, he inadvertently created a sinkhole that stopped the propagation of the malware. As WannaCry was programmed to attempt an HTTP GET request to this domain, the failure of the request resulted in the continuation of the infection process. Once the domain was registered, the HTTP GET request succeeded, thus instructing the malware to halt the infection process.

UPDATE 5/13/2017:

UPDATE 5/14/2017:

UPDATE 5/17/2017:

UPDATE 5/18/2017:

UPDATE 5/19/2017:

UPDATE 6/29/2017:

UPDATE 7/4/2017:

UPDATE 4/10/2019:

This threat profile will be updated as new information becomes available.

Extensions appended to encrypted file names:
.wcry, .WNCRY, WANACRY!

Ransom note file names:
!WannaCryptor!.bmp, @Please_Read_Me@.txt

SHA256 hash:
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Bitcoin addresses associated with this variant:
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Media Reporting:

  • Dozens of Countries Hit by Huge Cyberextortion Attack (AP)

  • UK Prime Minister: Ransomware Attack Has Gone Global (CNN)

  • Massive Ransomware Infection Hits Computers in 99 Countries (BBC)

  • 'Ransomware' Cyberattack Cripples Hospitals Across England (ABC)

  • "Massive Disturbances" in German Rail System Due to Ransomware Attack (ZeroHedge)

  • Leaked NSA Malware Is Helping Hijack Computers Around the World (The Intercept)

  • Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware Outbreak (Bleeping Computer)

  • Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage (Bleeping Computer)

  • Ransomware That Infected Telefonica and NHS Hospitals Is Spreading Aggressively with over 50,000 Attacks So Far, Today (Avast)

  • Statement on Reported NHS Cyber Attack (NHS)

  • Hacking Attack Has Security Experts Scrambling to Contain Fallout (New York Times)

  • Organizations Hit by Global Cyberattack (Yahoo Tech)

  • Round Two: WannaCry Ransomware that Struck the Globe Is Back (Motherboard)

  • Victims Call Hackers' Bluff as Ransomware Deadline Nears (New York Times)

Additional Information about the Leaked Exploits:

  • The Shadow Brokers Leaked Exploits Explained (Rapid 7)

  • Shadow Brokers Release New Files Revealing Windows Exploits, SWIFT Attacks (Bleeping Computer)

Additional Technical Resources:

 

Ransomware VariantsNJCCICWannaCry, WCry, WNCry, WanaCrypt0r, Wana Decrypt0r