Where did WannaCry go after its original execution?
I’m not sure, but it had to have
ran somewhere ransomware!
In all seriousness, I’ve buried myself deep in WannaCry research for the past couple of weeks. The entire story is very interesting. I wanted to know who started it, what it did, how it infected other systems, how it spread, the encryption and algorithms of it; everything. It didn’t hit America too hard, and I never got any personal experience with it, but it was a fascinating story to follow nonetheless.
What is WannaCry & why is it so scary?
WannaCry was a cyberattack that infected hundreds of thousands, some even say millions, of computers worldwide. It is so unusual because it is both ransomware and a worm, which let it spread through networks on its own.
Usually, users trigger ransomware by clicking links or downloading malicious content. WannaCry instead wormed its way through networks using an SMB (Server Message Block) vulnerability in outdated Microsoft Windows versions. The NSA discovered this weakness and even built a secret exploit for it instead of reporting it to Microsoft, but a hacker group called the Shadow Brokers leaked this information. Microsoft then quickly released a security patch for susceptible systems in March 2017.
Originally, we thought a hacker group called Lazarus in North Korea was the puppet master of this attack. However, more ties have recently been found to southern China, Taiwan, Hong Kong, and Singapore. It seems as though people wrote the English and Chinese messages, whereas programs such as Google Translate produced the rest.
How does WannaCry work?
Before we dive in, I’d like to issue a disclaimer: I am not, nor do I claim to be, a WannaCry expert. This is just information I’ve gathered and have stitched together to try to better my own understanding of the cyberattack.
Cool. Alright. Let’s continue.
When initialized, WannaCry sends out its initial beacon: it tries to reach a couple of very obscure domains. If there is no response, it continues. MalwareTech accidentally discovered that this was also a kill switch: he registered one of the domains and turned it into a sinkhole, halting the spread of the ransomware for a while.
Anyway, with no response, the program executes a dropper EXE. This branches into two sections: creating a new service (tasksche.exe) and setting up SMB connections. The latter tests for the MS17-010 vulnerability, prepares the payload, and makes sure all conditions are met before the exploit runs. The SMB scanning is programmed to terminate after 24 hours, which slows the infection rate down quite a bit.
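The SMB scanning behaviour described above is exactly what a defender can look for on the network: one host opening connections to an unusually large number of distinct peers on TCP/445 in a short window. The following is an added example (not code from the original post) that flags such fan-out in connection logs; the log line format, the addresses and the threshold are all constructed assumptions.

```python
"""Flag worm-style SMB fan-out: a host contacting many distinct peers on TCP/445
within a short window. All log lines below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed "<ISO time> <src> -> <dst>:<port>" shape.
SAMPLE_LOG = (
    # 10.0.0.5 touches 12 distinct hosts on 445 within 12 seconds: worm-like.
    [f"2017-05-12T10:00:{i:02d} 10.0.0.5 -> 10.0.0.{20 + i}:445" for i in range(12)]
    # 10.0.0.9 talks to the same two file servers once an hour: normal SMB use.
    + [f"2017-05-12T1{i}:15:00 10.0.0.9 -> 10.0.0.{50 + i % 2}:445" for i in range(8)]
    # 10.0.0.7 browses three web servers: not SMB, so ignored by the detector.
    + [f"2017-05-12T10:00:{i:02d} 10.0.0.7 -> 10.0.0.{60 + i}:80" for i in range(3)]
)


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, port)."""
    ts, src, _arrow, dst = line.split()
    dst_ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(port)


def max_distinct_peers(events, window):
    """events: list of (timestamp, dst). Return the largest number of distinct
    destinations seen in any window that starts at one of the events."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        peers = {dst for ts, dst in events[i:] if ts < start + window}
        best = max(best, len(peers))
    return best


def smb_fanout_alerts(lines, window=timedelta(minutes=5), threshold=10):
    """Map each source host to its peak distinct-peer count on port 445,
    keeping only hosts whose peak exceeds the threshold."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, evs in by_src.items():
        peak = max_distinct_peers(evs, window)
        if peak > threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct SMB peers within 5 minutes")
```

The threshold should be tuned per environment; a domain controller or backup server legitimately reaches many hosts on 445, so such hosts belong on an allow list rather than in the alert.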
Tasksche, however, creates a password-protected zip file, sets up TOR access, and loads the Bitcoin wallets. It then establishes some accessibility and permission rules and prepares for encryption. A public key decrypts the actual program's AES key, and that AES key decrypts the WannaCry DLL.
WannaCry uses a couple of APIs, including CryptGenKey and the Microsoft CryptoAPI. The system creates an RSA key pair (2048 bits) and stores the two halves in separate .pky (public key) and .eky (private key) files. As an added measure of security, CryptEncrypt encrypts the private key a second time before storage. The disk file encryption DLL embeds the master public key within itself.
In short, each file is:
- encrypted via AES
- with an AES key generated by a CSPRNG
- and that AES key is encrypted by RSA
A thread begins encrypting the files on the infected system. For each file, CryptGenRandom creates a 16-byte key, and the file data is encrypted with AES-128 in CBC mode under that key. The user's public key encrypts the AES key, which is stored alongside the AES ciphertext. A second thread writes the newly encrypted .WNCRYT files. A third thread runs taskdl.exe, which basically makes it more difficult to detect and remove the virus.
The encrypted DLL also checks for tokens and runs other commands in the background. Firstly, it runs the TOR client. Then it creates a backup of the virus. Finally, it displays the infamous warning page.
You have to recover and decrypt the master private key, so you can recover and decrypt the AES key, so you can recover and decrypt your encrypted files.
One way to recover the master private key is to pay the ransom. However, this is not advised, because there is no guarantee that you will receive your data after you pay. Luckily, gentilkiwi created a program that can decrypt infected files.
What Can We Learn From This?
Most importantly: keep your systems updated! The infected systems were all running unsupported versions of Microsoft Windows. Companies try to update security features as soon as possible. This is especially relevant since researchers are discovering more exploits and vulnerabilities on other platforms. The attack also emphasizes the importance of reviewing firewall rules and open ports.