
Wanacry analysed

Over the last few days WanaCry (also known as WCry, WannaCry, WannaCrypt and WanaCrypt0r) has spread across the world, infecting thousands of systems in 150 countries. What made this ransomware so special, and why was it able to spread so fast?

A lot of blogs have already posted very detailed information about the technical aspects of WanaCry, so I won’t repeat the technical details here.

Initial infection

In the beginning there was a lot of debate about how systems became infected. We now know that WanaCry is composed of two components: a ransomware component and a worm component. The worm component used the EternalBlue NSA exploit exposed by the Shadow Brokers on 14-04-2017. EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol: the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer. Microsoft released security bulletin MS17-010 for this vulnerability on 14-03-2017 and released patches not long after.

Over two months later, WanaCry showed that many systems remained unpatched: within hours of the first infection the worm started infecting other vulnerable systems, and a lot of systems still exposing the unpatched SMBv1 protocol got infected.

After the infection

As soon as a system is infected, the ransomware tries to find other systems on the local network and on the internet and tries to infect them using the exploit. Once that is done, the worm component has finished and the payload is activated.
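The propagation behaviour described above has a clear network signature: one host suddenly opening TCP/445 connections to many distinct machines, both inside the LAN and out on the internet. The following is an added example (not code from the original post) that flags such hosts from firewall log lines. The key=value log format, the thresholds and the host addresses are all constructed for the example, and the list of internal network ranges is an assumption a defender would replace with their own.

```python
"""Flag hosts that behave like the WanaCry worm: many distinct TCP/445
destinations, inside the LAN and on the internet.

Added example; log format, hosts and thresholds are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a simple key=value firewall format (not real traffic).
# 10.0.0.5 sweeps seven LAN hosts and two internet hosts on 445; 10.0.0.20 only
# talks to its file server; 10.0.0.21 is ordinary HTTPS traffic.
SAMPLE_LOG = """\
2017-05-12T10:00:01 src=10.0.0.5 dst=10.0.0.6 dport=445 action=allow
2017-05-12T10:00:01 src=10.0.0.5 dst=10.0.0.7 dport=445 action=allow
2017-05-12T10:00:02 src=10.0.0.5 dst=10.0.0.8 dport=445 action=allow
2017-05-12T10:00:02 src=10.0.0.5 dst=10.0.0.9 dport=445 action=drop
2017-05-12T10:00:03 src=10.0.0.5 dst=10.0.0.10 dport=445 action=allow
2017-05-12T10:00:03 src=10.0.0.5 dst=10.0.0.11 dport=445 action=allow
2017-05-12T10:00:04 src=10.0.0.5 dst=10.0.0.12 dport=445 action=allow
2017-05-12T10:00:04 src=10.0.0.5 dst=203.0.113.7 dport=445 action=drop
2017-05-12T10:00:05 src=10.0.0.5 dst=198.51.100.3 dport=445 action=drop
2017-05-12T10:00:05 src=10.0.0.20 dst=10.0.0.1 dport=445 action=allow
2017-05-12T10:00:06 src=10.0.0.20 dst=10.0.0.1 dport=445 action=allow
2017-05-12T10:00:06 src=10.0.0.21 dst=203.0.113.50 dport=443 action=allow
"""

# Assumed address plan of the monitored site; a real deployment lists its own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_scanners(text, min_targets=5):
    """Return {src: summary} for sources that touched at least min_targets
    distinct hosts on TCP/445. Dropped connections count as well: the worm
    does not know which targets exist, and the attempt itself is the signal."""
    targets = defaultdict(set)
    for rec in parse_log(text):
        if rec["dport"] == "445":
            targets[rec["src"]].add(rec["dst"])
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        internal = sum(1 for d in dsts if is_internal(d))
        report[src] = {"internal": internal,
                       "external": len(dsts) - internal,
                       "targets": sorted(dsts)}
    return report


if __name__ == "__main__":
    for src, info in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['internal']} internal + {info['external']} external SMB targets")
```

A host that legitimately talks SMB to one or two file servers never reaches the distinct-target threshold, which is why the count is over unique destinations rather than over packets; lowering `min_targets` to 1 turns the function into a plain inventory of who uses port 445 at all.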

Payload

The payload is the most destructive part of this malware. It’s a classic case of ransomware: it encrypts several file types (176 according to Symantec), and the encrypted files get the .wcry extension. After encryption it displays a window, complete with countdown, and a ransom note:

Q: What’s wrong with my files?

A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let’s start decrypting!

Q: What do I do?

A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address:

Next, please find an application file named “@[email protected]”. It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?

A: Don’t worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking on Contact Us the decryptor window.

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don’t pay in 7 days, you won’t be able to recover your files forever.
We will have free events for users who are so poor that they couldn’t pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window.
After your payment, click . Best time to check: 9:00am – 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

Contact
If you need our assistance, send a message by clicking contact Us.

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!
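On the host side the encryption phase described before the note is just as visible as the worm is on the network: a large number of files gain the .wcry extension within seconds of each other. The following is an added example (not code from the original post) that detects such a burst from file-system event lines. The event format, the host names, the paths and the threshold of four renames in thirty seconds are constructed for the example; the only page-derived fact is the .wcry extension.

```python
"""Flag hosts where files are being renamed to the .wcry extension at a
rate that only bulk encryption produces.

Added example; event format, hosts, paths and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). ws-17 is being encrypted;
# ws-03 does an ordinary rename; ws-08 shows .wcry renames far apart in time,
# which stays below the burst threshold.
SAMPLE_EVENTS = r"""
2017-05-12T10:05:00 host=ws-17 op=rename path=C:\Users\alice\Documents\q1.xlsx.wcry
2017-05-12T10:05:02 host=ws-17 op=rename path=C:\Users\alice\Documents\notes.docx.wcry
2017-05-12T10:05:03 host=ws-03 op=rename path=C:\Users\bob\Desktop\draft-v2.docx
2017-05-12T10:05:04 host=ws-17 op=rename path=C:\Users\alice\Pictures\img001.jpg.wcry
2017-05-12T10:05:05 host=ws-17 op=rename path=C:\Users\alice\Pictures\img002.jpg.wcry
2017-05-12T10:05:09 host=ws-17 op=rename path=C:\Users\alice\Documents\report.pdf.wcry
2017-05-12T10:05:10 host=ws-08 op=rename path=C:\Users\carol\old1.txt.wcry
2017-05-12T10:05:30 host=ws-08 op=rename path=C:\Users\carol\old2.txt.wcry
2017-05-12T10:05:50 host=ws-08 op=rename path=C:\Users\carol\old3.txt.wcry
2017-05-12T10:06:10 host=ws-08 op=rename path=C:\Users\carol\old4.txt.wcry
2017-05-12T10:06:30 host=ws-08 op=rename path=C:\Users\carol\old5.txt.wcry
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>\w+) path=(?P<path>.+)$")
RANSOM_EXTS = {".wcry"}  # extension WanaCry appends to encrypted files


def parse_events(text):
    """Yield one dict per well-formed event line with a parsed timestamp."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def split_ransom_ext(path):
    """Return (original_extension, ransom_extension) for a name such as
    'q1.xlsx.wcry', or None when the path has no known ransom extension."""
    name = path.rsplit("\\", 1)[-1]
    for ext in RANSOM_EXTS:
        if name.lower().endswith(ext):
            stem = name[:-len(ext)]
            orig = stem.rsplit(".", 1)[-1].lower() if "." in stem else ""
            return orig, ext
    return None


def detect_encryption_bursts(text, threshold=4, window=timedelta(seconds=30)):
    """Return {host: {"first_alert", "count", "file_types"}} for every host on
    which at least `threshold` files gained a ransom extension inside any
    sliding window of length `window`."""
    recent = defaultdict(deque)   # per host: timestamps of recent .wcry renames
    types = defaultdict(set)      # per host: original extensions that were hit
    alerts = {}
    for ev in parse_events(text):
        if ev["op"] != "rename":
            continue
        hit = split_ransom_ext(ev["path"])
        if hit is None:
            continue
        host = ev["host"]
        types[host].add(hit[0])
        q = recent[host]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {"first_alert": ev["ts"], "count": len(q)}
    for host in alerts:
        alerts[host]["file_types"] = sorted(types[host])
    return alerts


if __name__ == "__main__":
    for host, info in detect_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: {info['count']} .wcry renames by {info['first_alert']}, "
              f"file types hit: {', '.join(info['file_types'])}")
```

The alert fires on the fourth rename inside the window, not after the whole run, which is what matters for containment: the host can be isolated while most of its files are still intact. The list of original extensions per host is a cheap way to see which of the many file types the ransomware targets were actually present.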

The ransom amount seems to be set at $300, to be paid in Bitcoin, as is usual these days. One thing that stands out is that WanaCry doesn’t seem to generate Bitcoin addresses at random, but uses three fixed addresses:

  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

As usual, I highly suggest you don’t pay any kind of ransom: you would be funding criminal activities, and you have no guarantee you will get your files back.

At the moment there seems to be no easy way to decrypt your files. If you get infected by WanaCry and you don’t have a backup, I recommend you capture the system’s RAM and store it together with the hard drive, in case new information becomes available or a decryption tool surfaces.

Conclusion

WanaCry has shown us again that ransomware is big business. Looking at its workings, it seems WanaCry wasn’t “done”: it looks more like a work in progress than a finished product. It gets its job done, but the ransomware part has some strange design choices. Maybe the PoC escaped the development environment. Maybe the creators were afraid too many systems would be patched and thought they had to release it now. Or maybe the ransomware part is just for show, and the main objective was to disrupt computer systems, as in a cyber attack.

It’s too soon to draw conclusions. But if it’s one of the latter, we will be seeing more attacks like this in the near future: more refined, more disruptive.