21 May 2017

* WannaCry Ransomware Spreads Across the Globe, Makes Organizations Wanna Cry About Microsoft Vulnerability

By Limor Kessem

Perhaps more than anything else, this ransomware onslaught is a resounding reminder of the importance of security basics, especially when it comes to Microsoft product patching. Those who applied critical Microsoft Windows patches released in March were protected against this attack. Another basic protection is the possession of current, offline backups of data. For ransomware attacks like this one, having a viable backup will enable a successful incident response, leaving attackers high and dry and unable to collect money for their evil doings. 

WannaCry, WanaCrypt or Wcry for short, is ransomware that works like other malware of its type, with a few intricacies that highlight the sophistication of its operators. 

First, the malware uses exploits that were supposedly leaked by a group that calls itself Shadow Brokers. The result of leaking exploits very often gives rise to malicious actors who use them for their nefarious purposes, which is what happened in this case. 

Second, the malware uses strong, asymmetric encryption, employing the RSA 2048-bit cipher to encrypt files. This method is considered relatively slow when compared to symmetric encryption, but it is very strong and virtually impossible to break. 

Third, the malware’s architecture is modular, a feature known to be used in legitimate software, but also in complex malware projects such as banking Trojans. Most ransomware is not modular, but rather simplistic, and carries out its tasks without any modularity. This means that the authors behind Wcry are more likely to be a group of people, more than just one developer, and even possibly one of the organized cybercrime gangs that distribute malware such as Dridex and Locky. 

Bottom line, we are not dealing with amateurs. This widespread attack is of high severity, and although the vulnerability should have been patched a while back, many organizations have been hit and the count keeps rising. 

Basic Technical Details 

The Wcry outbreak started showing up on May 12, 2017, but it relies on a number of elements that have been around for a while. It even offered a sneak preview a week ago when it showed up in Trojan.Win32.CryptoFF attacks in Peru

Worming Through SMB 

Wcry’s propagation method includes port scanning of potential hosts over Transmission Control Protocol (TCP) port 445, which is where the Server Message Block (SMB) network communications protocol take place. This application-layer protocol is being targeted by Wcry to help it spread like a worm. SMB is designed to enable access to shared directories, files, printers and serial ports, among other resources. 

To find its way into new endpoints and networks, the Wcry malware leverages two SMB-exploitation modes borrowed from the Shadow Brokers exploit leak. It starts by trying to get through using an existing backdoor called DoublePulsar. If that backdoor does not exist, it launches a new exploit on the target using what’s known as EternalBlue. 

Knocking on the DoublePulsar Backdoor 

DoublePulsar is a previously known, persistent backdoor that can infect endpoints to provide unauthorized access to its operators. This kernel-mode payload does not do much, but it is the basis of other exploits. It enables a remote attacker to send malware into the target endpoint and execute it without the owner’s knowledge or permission. 

DoublePulsar’s ability to open the backdoor and inject arbitrary dynamic link libraries Dynamic Link Libraries (DLLs) into the user-mode process zones relies on exploitation of the SMB protocol. It was allegedly an NSA tool that was leaked by Shadow Brokers in April 2017, and by the time it was out for about two weeks, DoublePulsar was already found on over 36,000 infected endpoints across the globe. 

Gloomy Malcode: EternalBlue and WannaCry 

EternalBlue is yet another part of the same exploitation framework that includes DoublePulsar. Within the Wcry attack context, it is an exploit designed to scan servers for the presence of DoublePulsar. If none is found, it is used as the initial exploit to compromise the system and install the Wcry ransomware. 

The malware scans the local area network, then starts spraying seemingly random external IP’s with the exploit code. 

Unknown Caller 

Once it is in, the Wcry ransomware drops and launches a Tor client on the infected machine to anonymize its communications with the attacker’s servers. Ransomware variants such as the CTB-Locker, also known as Critroni, made this trend popular among ransomware operators starting in 2014. Overall, using Tor helps the criminals hide their attack infrastructure and prevent the interception of encryption keys or bitcoin payment confirmations that the victim’s endpoint would send. 

Initiate Encryption 

The malware fetches and drops a number of different executable files on the infected endpoint. Each of those carries out a different function. The essential part is the encryption of the victim’s data, which is carried out by a file called tasksche.exe. 

The encryption encompasses 160 different file extensions to make sure that all the data is hijacked. WCry will encrypt files with the .wcry/.wncry extension. 

To make sure that the user can’t access previous copies, the malware deletes all shadow copies from the endpoint by using WMIC.exe, vssadmin.exe and cmd.exe. This action is considered common for ransomware codes

Display Ransom Note 

Unlike most ransomware that uses an image to display the ransom note to the infected users, Wcry uses an executable file. That file is not the malware; it is a simple program that displays the note to the victim. 

The image displayed to each victim depends on the IP address mapping to the country he or she is located in. The malware’s authors have adapted numerous different language formats to Wcry; those are often reported as machine translated and rather clunky in terms of syntax. 

To make sure the victim sees the ransom note immediately, it places it as the foremost window on the desktop by using SetForegroundWindow(). 


In some of the instances, X-Force researchers noticed that the malware included a tool that changes the victim’s desktop wallpaper with instructions on how to find the decrypting tool dropped by the malware. 

Current State of Affairs 

So far, Wcry is known to have hit hospitals, rail systems, telecommunications and courier services, but many other organizations and individuals have been hit as well. 

On the victims’ side, the outbreak has hit critical infrastructure in some countries such as Germany and Russia. In the U.K., the health care sector received a hard hit that goes way beyond disabling hospitals. Hospitals in the country had to turn away patients, reroute ambulances, paralyze emergency services, and reschedule surgeries and appointments, which will all take a toll on operations for some time. With the number of affected systems, incident response and remediation are unlikely to be complete for a while. 

According to reports, the geographical spread of Wcry is most prevalent in Russia at this time. Other constituents on the list of the top 10 most targeted geographies include Ukraine and India, countries where it could be more common to find older, unpatched versions of Windows in use. The Europol indicated that the attacks are of unprecedented scope

At the time of this writing, more than 130,000 systems in over than 100 countries were already compromised. If over 130,000 endpoints have been infected, and assuming that victims chose to pay up to $300 to unlock each device, the total ransom would amount to over $39 million. Keep in mind that this is the conservative case; Wcry ransom demands may start at $300, but they increase to $400 after two hours, then $500, and, finally $600, per endpoint. 

The Wcry ransom note contains a compassionate message towards those who can’t afford to pay up. The malware’s operators claim they would unlock the files for free — but only after a six-month period. 

At the time of this writing, bitcoins are trickling in to the attackers’ wallets, showing about 19 BTC, or about $34,000 dollars accumulating, but remaining untouched. Law enforcement agencies are likely closely watching the wallets and their trails to find a potential link to their criminal owners. 

Don’t Help Crime Pay 

IBM X-Force Research observed new payments keeping trickling into the bitcoin wallet payments associated with Wcry samples. It is important to note that paying the criminals funds these types of attacks, and the FBI highly discouraged victims from paying up. 

At this time, many Windows servers and workstations are still potentially vulnerable, which means that Wcry may still have ground to cover in the coming week. 

To mitigate the threat, organizations should ensure that the relevant patches are urgently deployed across their entire infrastructure where the Windows OS is used. Microsoft has issued an emergency patch that can be viewed here

In addition, security professionals should block Server Message Block (SMB) ports, particularly ports 139 and 445 from external hosts, along with User Datagram Protocol (UDP) ports 137 and 138, from the local network to the wide area network (WANO). 

Verify that outbound connections to TCP ports 139 and 445 are prohibited by running the following commands from any server with Netcat installed: 

For further control, consider disabling SMBv1 and SMBv2 and only permitting SMBv3 connections by policy on clients. 

Wcry is spreading at an alarming rate, and while it was temporarily slowed down by the accidental discovery of a kill switch, that part of its code has already been removed. 

The kill switch was based on the ransomware contacting a hardcoded domain before installing on the endpoint. That domain was not registered by the criminal, and was therefore snatched by a security researcher who found it, effectively turning it into a sinkhole. 

Consider enabling access to the sinkhole domain from your corporate endpoints. It is possible that employees who got infected over the weekend will carry in those older samples on Monday morning, and if the domain is reachable, the malware will not activate on those endpoints. The domain name is: 

www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com 

Remember that the criminals behind these attacks have already removed the kill switch, and not all samples contained it from the get-go. Make sure your environment is fully patched and expect Wcry this week. Another point about the kill switch: The domain call only works in systems that are directly connected to the internet. Hence, if the endpoint proxies its traffic, the kill switch won’t work and the ransomware will run. This could mean that the attacker’s idea was to hit corporate networks where endpoint traffic is usually proxied, and halt on those that are most likely consumer devices. 

You should seek more ample advice from your security vendor. IBM Security customers can turn to their contacts for mitigation instructions and incident response requirements. 

Ransomware Is an Ominous, Global Problem 

The ransomware threat is neither new nor novel. It is a type of malicious software that infiltrates an endpoint with the purpose of encrypting all the files on it, and then demanding a ransom payment to release them back to the rightful owner. The threat traces back to 1989, when it first emerged on floppy disks sent to unsuspecting computer owners. It has gained disproportionate momentum since 2014, along with the rise of cryptocurrencies used across the globe, which enable cybercriminals to anonymously demand payment from anyone. 

Ransomware was the most prevalent online threat in 2016, with over 40,000 attacks per day at times, and reaching well over 65 percent of all spam messages that carry malicious payloads. IBM X-Force researchers tracking spam trends noted that the rise in ransomware spam in 2016 reached an exorbitant 6,000 percent, going from 0.6 percent of spam emails in 2015 to an average of 40 percent of email spam in 2016. The situation is only worsening in 2017. 

The FBI and international law enforcement have issued alerts about this threat. The FBI estimated that ransomware is on pace to become a $1 billion source of income for cybercriminals by the end of 2016, a number that is expected to continue to rise in 2017. 

Protecting Your Organization with IBM 

For information on using your IBM products to defend your infrastructure from the Wcry threat, please browse to our special mitigation collection on X-Force Exchange. 

No comments: