WannaCry Ransomware Research And Analysis
Ransomware is malware that encrypts the contents of infected systems and demands payment, in this case in Bitcoin.
How is it Spreading?
- WannaCry / WannaCrypt encrypts the files on infected Windows systems.
- There are two key components: a worm and a ransomware package.
- It spreads laterally between computers on the same LAN by using a vulnerability in implementations of Server Message Block (SMB) in Windows systems.
- It also spreads through malicious email attachments.
- The SMB exploit is known as ETERNALBLUE.
- The initial ransom was $300 USD, but the group is increasing its demand up to $600, payable in Bitcoin.
The ransomware targets certain clusters of file formats:
- Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
- Less common and nation-specific office formats (.sxw, .odt, .hwp).
- Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
- Emails and email databases (.eml, .msg, .ost, .pst, .edb).
- Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
- Developers’ source code and project files (.php, .java, .cpp, .pas, .asm).
- Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
- Graphic designers’, artists’ and photographers’ files (.vsd, .odg, .raw, .nef, .svg, .psd).
- Virtual machine files (.vmx, .vmdk, .vdi).
Indicators of compromise (IoC):
The ransomware writes itself to a randomly named folder under the 'ProgramData' folder with the file name "tasksche.exe", or to the 'C:\Windows\' folder with the file names "mssecsvc.exe" and "tasksche.exe".
The ransomware grants the Everyone group full control over all files under its working directory, recursively, by running the command:
Icacls . /grant Everyone:F /T /C /Q
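The two indicators above (the drop locations and the icacls command) are easy to turn into host-side detection logic. The following is an added example, not part of the original article or any vendor tool: it runs over a handful of constructed Sysmon-style events (event ID 1 for process creation, event ID 11 for file creation; the field names and the random folder name are assumptions) and flags files created at the described paths and any icacls invocation that grants Everyone full control recursively.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample events in a Sysmon-like shape (not real telemetry).
# EventID 1 = process creation, EventID 11 = file creation.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\mssecsvc.exe",
     "TargetFilename": r"C:\ProgramData\qxkfjtlmwpd123\tasksche.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"EventID": 1, "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls . /grant Everyone:F /T /C /Q",
     "ParentImage": r"C:\ProgramData\qxkfjtlmwpd123\tasksche.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls C:\Share /grant Builtin\Users:R",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\mssecsvc.exe"},
]

# Drop locations described in the IoC section: a random folder under
# ProgramData holding tasksche.exe, or mssecsvc.exe / tasksche.exe in C:\Windows.
DROP_PATH_PATTERNS = [
    re.compile(r"^[a-z]:\\programdata\\[^\\]+\\tasksche\.exe$", re.I),
    re.compile(r"^[a-z]:\\windows\\(mssecsvc|tasksche)\.exe$", re.I),
]

# icacls granting Everyone full control (F) with recursion (/T). The target
# path is left open because "." only means the sample's working directory.
ICACLS_PATTERN = re.compile(
    r"icacls(\.exe)?\s+\S+\s+/grant\s+everyone:f\b.*\s/t\b", re.I)


@dataclass
class Finding:
    rule: str
    detail: str


def check_event(event: dict) -> List[Finding]:
    """Return the findings (possibly none) for a single event."""
    findings = []
    if event.get("EventID") == 11:
        target = event.get("TargetFilename", "")
        for pat in DROP_PATH_PATTERNS:
            if pat.match(target):
                findings.append(Finding("wannacry_drop_path", target))
    elif event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        if ICACLS_PATTERN.search(cmd):
            parent = event.get("ParentImage", "?")
            findings.append(Finding("icacls_everyone_full_control",
                                    f"{cmd} (parent: {parent})"))
    return findings


def scan(events) -> List[Finding]:
    """Run every event through the rules and collect all findings."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The icacls rule deliberately keys on the effect (Everyone:F plus /T) rather than the exact command string, so a variant that names a different directory still fires; the parent image is kept in the finding because an icacls child of an unknown binary under ProgramData is far more telling than icacls run from an administrator's shell.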
The operations are carried out with a batch script provided in the video's description.
Please find the video explanation here.
Reverse engineering (how the application works):
Step 1: The malware contains the hardcoded password “[email protected]”.
Step 2: The malware drops an encrypted zip file from a resource named “XIA”.
Step 3: Extract the resource with the help of CFF Explorer.
Step 4: Open the exe file with WinZip or WinRAR and you will get the files below.
Step 5: Unzip the file named s.wnry.
Step 6: The Wanadecryptor process starts here.
Countermeasures to avoid the ransomware:
If you want to stay safe from this, patching is the primary option; the patch has been available since March.
If you can’t patch (for example, if you are on Windows Server 2003), consider network segmentation:
- Restrict port 445 traffic to where it is absolutely needed using router ACLs.
- Use private VLANs if your edge switches support this feature.
- Use host-based firewalls to limit communication on TCP 445, especially between workstations.
> Apply patches to Windows systems as described in Microsoft Security Bulletin MS17-010.
> Microsoft has also released patches for unsupported versions such as Windows XP, Vista, Server 2003 and Server 2008.
> To prevent data loss, users and organizations are advised to take backups of critical data.
> Block SMB ports on enterprise edge/perimeter network devices [UDP 137, 138 and TCP 139, 445], or disable SMBv1.
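Restricting TCP 445 to the hosts that genuinely need it is only half the job; the other half is noticing when a workstation starts talking SMB to other workstations, which is exactly how the worm component moves. The following is an added example, not part of the original article: it reads a few constructed flow records (the subnet, the file-server allowlist and the scan threshold are assumptions) and reports both individual workstation-to-workstation SMB flows and any source that has fanned out to several SMB destinations, the pattern of a host that is scanning its LAN.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample flow records (not real data): "src dst dport proto".
# 10.10.1.15 talks SMB to the file server and then to three peer workstations.
SAMPLE_FLOWS = """\
10.10.1.15 10.10.200.5 445 tcp
10.10.1.15 10.10.1.16 445 tcp
10.10.1.15 10.10.1.17 445 tcp
10.10.1.15 10.10.1.18 445 tcp
10.10.1.22 10.10.200.5 445 tcp
10.10.1.22 10.10.1.15 139 tcp
10.10.1.30 93.184.216.34 443 tcp
"""

# Assumed network layout: one workstation subnet and one sanctioned file server.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.1.0/24")]
ALLOWED_SMB_SERVERS = {ipaddress.ip_address("10.10.200.5")}
SMB_PORTS = {139, 445}
SCAN_THRESHOLD = 3  # distinct SMB destinations before we call it fan-out

Flow = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, int, str]


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines, skipping blank or malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, proto = parts
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(port), proto.lower()))
    return flows


def is_workstation(ip) -> bool:
    return any(ip in net for net in WORKSTATION_NETS)


def find_unexpected_smb(flows: List[Flow]) -> List[Tuple[str, str, int]]:
    """SMB flows from a workstation to anything other than a sanctioned server."""
    hits = []
    for src, dst, port, proto in flows:
        if proto != "tcp" or port not in SMB_PORTS:
            continue
        if is_workstation(src) and dst not in ALLOWED_SMB_SERVERS:
            hits.append((str(src), str(dst), port))
    return hits


def find_smb_fanout(flows: List[Flow], threshold: int = SCAN_THRESHOLD) -> Dict[str, int]:
    """Sources that contacted at least `threshold` distinct hosts over SMB."""
    targets = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto == "tcp" and port in SMB_PORTS:
            targets[src].add(dst)
    return {str(src): len(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, port in find_unexpected_smb(flows):
        print(f"unexpected SMB: {src} -> {dst}:{port}")
    for src, count in find_smb_fanout(flows).items():
        print(f"SMB fan-out: {src} reached {count} distinct hosts")
```

The same allowlist that drives `find_unexpected_smb` is the one you would encode in the router ACLs and host firewall rules above, so any hit from this script is a direct measure of how far the segmentation policy has actually been enforced.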
- Deploy antivirus protection
- Block spam.
- Perform regular backups of all information and store them offline.
- Don’t open any email attachments.
- Disable macros in Microsoft Office products.
For organizations: establish Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM) for your domain. Together these form an email validation system designed to prevent spam by detecting email spoofing, the technique by which most ransomware samples successfully reach corporate mailboxes.
Deploy application whitelisting and strict Software Restriction Policies (SRP) to block binaries running from the %APPDATA%, %PROGRAMDATA% and %TEMP% paths; ransomware samples generally drop and execute from these locations. Enforce application whitelisting on all endpoint workstations.
Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources and addresses, and block them before messages are received and downloaded. Scan all emails, attachments and downloads both on the host and at the mail gateway with a reputable antivirus solution.
This article was sent by Vinod Senthil, founder of the security company Infysec.