 |
| wanacry ransom-ware |
our products detected and successfully blocked a large number of ransomware attacks around the world. In these attacks, data is encrypted with the extension “.WCRY” added to the filenames.
Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.
Unfortunately, it appears that many organizations have not yet installed the patch.
Source: https://support.kaspersky.com/shadowbrokers
A few hours ago, Spain’s Computer Emergency Response Team CCN-CERT, posted an alert on their site about a massive ransomware attack affecting several Spanish organizations. The alert recommends the installation of updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack.
The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions. We have confirmed additional infections in several additional countries, including Russia, Ukraine, and India.
It’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn’t really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak.
CCN-CERT alert (in Spanish)
Analysis of the attack
Currently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia. It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher.
Geographical target distribution according to our telemetry for the first few hours of the attack
The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet is approximately $300 USD. It suggests that the group is increasing the ransom demands.
The tool was designed to address users of multiple countries, with translated messages in different languages.
Language list that the malware supports
Note that the “payment will be raised” after a specific countdown, along with another display raising urgency to pay up, threatening that the user will completely lose their files after the set timeout. Not all ransomware provides this timer countdown.
To make sure that the user doesn’t miss the warning, the tool changes the user’s wallpaper with instructions on how to find the decryptor tool dropped by the malware.
An image used to replace user’s wallpaper
Malware samples contain no reference to any specific culture or codepage other than universal English and Latin codepage CP1252. The files contain version info stolen from random Microsoft Windows 7 system tools:
Properties of malware files used by WannaCry
For convenient bitcoin payments, the malware directs to a page with a QR code at btcfrog, which links to their main bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. Image metadata does not provide any additional info:
One of the Bitcoin wallets used by the attackers: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
One of the attacker wallets received 0.88 BTC during the last hours
Another Bitcoin wallets included in the attackers’ “readme.txt” from the samples are:
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn – 0.32 BTC
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn – 0.32 BTC
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw – 0.16 BTC
1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY
1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY
For command and control, the malware extracts and uses Tor service executable with all necessary dependencies to access the Tor network:
A list of dropped files related to Tor service
In terms of targeted files, the ransomware encrypts files with the following extensions:
.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc
The file extensions that the malware is targeting contain certain clusters of formats including:
- Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
- Less common and nation-specific office formats (.sxw, .odt, .hwp).
- Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
- Emails and email databases (.eml, .msg, .ost, .pst, .edb).
- Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
- Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
- Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
- Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
- Virtual machine files (.vmx, .vmdk, .vdi).
The WannaCry dropper drops multiple “user manuals” on different languages:
Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese
The example of a “user manual” in English:
What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to
recover your files, but do not waste your time. Nobody can recover your files without our decryption service.Can I Recover My Files?Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.You can decrypt some of your files for free. Try now by clicking .But if you want to decrypt all your files, you need to pay.You only have 3 days to submit the payment. After that the price will be doubled.Also, if you don't pay in 7 days, you won't be able to recover your files forever.We will have free events for users who are so poor that they couldn't pay in 6 months.
How Do I Pay?Payment is accepted in Bitcoin only. For more information, click .Please check the current price of Bitcoin and buy some bitcoins. For more information, click .And send the correct amount to the address specified in this window.After your payment, click . Best time to check: 9:00am - 11:00am GMT from Monday to Friday.Once the payment is checked, you can start decrypting your files immediately.
Contact
If you need our assistance, send a message by clicking .
We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets
updated and removes this software automatically, it will not be able to recover your files even if you pay!
It also drops batch and VBS script files, and a “readme” (contents are provided in the appendix).
Just in case the user closed out the bright red dialog box, or doesn’t understand it, the attackers drop a text file to disk with further instruction. An example of their “readme” dropped to disk as “@Please_Read_Me@.txt” to many directories on the victim host. Note that the English written here is done well, with the exception of “How can I trust?”. To date, only two transactions appear to have been made with this 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn bitcoin address for almost $300:
Q: What's wrong with my files?A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking on the decryptor window.
Once started it immediately spawns several processes to change file permissions and communicate with tor hidden c2 servers:
- attrib +h .
- icacls . /grant Everyone:F /T /C /Q
- C:\Users\xxx\AppData\Local\Temp\taskdl.exe
- @WanaDecryptor@.exe fi
- 300921484251324.bat
- C:\Users\xxx\AppData\Local\Temp\taskdl.exe
- C:\Users\xxx\AppData\Local\Temp\taskdl.exe
The malware checks the mutexes “Global\MsWinZonesCacheCounterMutexA” and “Global\MsWinZonesCacheCounterMutexA0” (Update: Thanks Didier Stevens for the correction on the extra mutex name!) to determine if a system is already infected. It also runs the command:
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
This results in an UAC popup that user may notice.
UAC popup to disable Volume Shadow Service (System Restore)
The malware use TOR hidden services for command and control. The list of .onion domains inside is as following:
- gx7ekbenv2riucmf.onion
- 57g7spgrzlojinas.onion
- Xxlvbrloxvriy2c5.onion
- 76jdd2ir2embyv47.onion
- cwwnhwhlz52maqm7.onion
- sqjolphimrr7jqw6.onion
Mitigation and detection information
Quite essential in stopping these attacks is the Kaspersky System Watcher component. The System Watcher component has the ability to rollback the changes done by ransomware in the event that a malicious sample managed to bypass other defenses. This is extremely useful in case a ransomware sample slips past defenses and attempts to encrypt the data on the disk.
System Watcher blocking the WannaCry attacks
Mitigation recommendations:
- Make sure that all hosts are running and have enabled endpoint security solutions.
- Install the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack.
- Ensure that Kaspersky Lab products have the System Watcher component enabled.
- Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure MS17-010 patches are installed.
Samples observed in attacks so far:
4fef5e34143e646dbf9907c4374276f5
5bef35496fcbdbe841c82f4d1ab8b7c2
775a0631fb8229b2aa3d7621427085ad
7bf2b57f2a205768755c07f238fb32cc
7f7ccaa16fb15eb1c7399d422f8363e8
8495400f199ac77853c53b5a3f278f3e
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
8dd63adb68ef053e044a5a2f46e0d2cd
b0ad5902366f860f85b892867e5b1e87
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
e372d07207b4da75b3434584cd9f3450
f529f4556a5126bba499c26d67892240
5bef35496fcbdbe841c82f4d1ab8b7c2
775a0631fb8229b2aa3d7621427085ad
7bf2b57f2a205768755c07f238fb32cc
7f7ccaa16fb15eb1c7399d422f8363e8
8495400f199ac77853c53b5a3f278f3e
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
8dd63adb68ef053e044a5a2f46e0d2cd
b0ad5902366f860f85b892867e5b1e87
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
e372d07207b4da75b3434584cd9f3450
f529f4556a5126bba499c26d67892240
Kaspersky Lab detection names:
Trojan-Ransom.Win32.Gen.djd
Trojan-Ransom.Win32.Scatter.tr
Trojan-Ransom.Win32.Wanna.b
Trojan-Ransom.Win32.Wanna.c
Trojan-Ransom.Win32.Wanna.d
Trojan-Ransom.Win32.Wanna.f
Trojan-Ransom.Win32.Zapchast.i
PDM:Trojan.Win32.Generic
Trojan-Ransom.Win32.Scatter.tr
Trojan-Ransom.Win32.Wanna.b
Trojan-Ransom.Win32.Wanna.c
Trojan-Ransom.Win32.Wanna.d
Trojan-Ransom.Win32.Wanna.f
Trojan-Ransom.Win32.Zapchast.i
PDM:Trojan.Win32.Generic
Kaspersky Lab experts are currently working on the possibility of creating a decryption tool to help victims. We will provide an update when a tool is available.
Appendix
Batch file
@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")>> m.vbs
echo om.TargetPath = “C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe”>> m.vbs
echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
del /a %0
cscript.exe //nologo m.vbs
del m.vbs
del /a %0
m.vbs
SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")
om.TargetPath = "C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe"
om.Save
article from:Securlist.com
*Raed also this all security reports and analytics about wanacry ransom-ware
*sophos*
*Microsoft reply*
*Fortinet*
*Symantec*
*Kaspersky*
*Mcafee*
*Krebsonsecurity*
