Over the last few days WanaCry (also known as WCry, WannaCry, WannaCrypt and WanaCrypt0r) has spread across the world, infecting thousands of systems in 150 countries. What made this ransomware so special, and why was it able to spread so fast?
A lot of blogs have already posted very detailed information about the technical aspects of WanaCry. Therefore I won't go into the technical details of WanaCry.
In the beginning, there was a lot of debate about how systems became infected. We now know that WanaCry was composed of 2 components: a ransomware component and a worm component. The worm component used the EternalBlue NSA exploit exposed by the Shadow Brokers on 14-04-2017. EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer. Microsoft released security bulletin MS17-010 about this vulnerability on 14-03-2017 and released patches not long after.
Over 2 months later, WanaCry showed that many systems remained unpatched: within hours of the first infection the worm started infecting other vulnerable systems, and a lot of systems still running the vulnerable (unpatched) SMBv1 protocol got infected.
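As an added example (not code from the original post), the following PowerShell audits whether the SMBv1 server, the component EternalBlue targets, is still enabled on a Windows host, and can switch it off. It assumes Windows 8 / Server 2012 or later (where Get-SmbServerConfiguration exists) and an elevated session for the -Remediate step; the optional-feature removal only applies where the SMB1Protocol feature exists (Windows 10 / Server 2016 and later). Verifying that the MS17-010 update itself is installed with Get-HotFix needs the per-OS KB numbers from the bulletin, which this post does not list.

```powershell
# Added example, not from the original post: report whether the SMBv1 server is
# enabled on this host and, with -Remediate, disable it (SMBv2/3 stay enabled).
param(
    [switch]$Remediate   # pass -Remediate to actually turn SMBv1 off (needs admin)
)

function Get-Smb1Status {
    # Get-SmbServerConfiguration exposes the per-dialect enable flags of the SMB server.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Smb1Enabled  = $cfg.EnableSMB1Protocol
        Smb2Enabled  = $cfg.EnableSMB2Protocol
        CheckedAt    = Get-Date
    }
}

$status = Get-Smb1Status
$status | Format-List

if ($status.Smb1Enabled) {
    Write-Warning "SMBv1 server is enabled on $($status.ComputerName); this is the protocol MS17-010 / EternalBlue concerns."
    if ($Remediate) {
        # Turn off the SMBv1 server component. Modern clients negotiate SMBv2/3, so only
        # legacy SMB1-only devices (old NAS boxes, printers) lose access to this host.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

        # Where the SMB1Protocol optional feature exists (Windows 10 / Server 2016+),
        # remove the feature package as well so the code is not present at all.
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            Write-Output "SMB1Protocol feature disabled; a reboot completes the removal."
        }
        Write-Output "SMBv1 server disabled on $($status.ComputerName)."
    } else {
        Write-Output "Re-run with -Remediate to disable SMBv1 (after confirming no SMB1-only clients depend on this host)."
    }
} else {
    Write-Output "SMBv1 server already disabled on $($status.ComputerName)."
}
```

Run it read-only first across a fleet (for example through a remoting job) to get an inventory of hosts still answering SMBv1, then remediate in waves; disabling SMBv1 reduces exposure but is not a substitute for installing the MS17-010 update, since the patched code path is what actually closes the vulnerability.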
After the infection
As soon as a system gets infected, the worm component scans for other systems on the local network and on the internet and tries to infect them using the exploit. Once that is done, the worm component has finished and the payload is activated.
The payload is the most destructive part of this malware. It's a classic case of ransomware: it encrypts many file types (176 according to Symantec) and gives the encrypted files the .wcry extension. After encryption it displays a window, complete with a countdown timer, and a ransom note:
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Next, please find an application file named “@[email protected]”. It is the decrypt software.
Q: How can I trust?
A: Don’t worry about decryption.
* If you need our assistance, send a message by clicking on Contact Us the decryptor window.
What Happened to My Computer?
Can I Recover My Files?
How Do I Pay?
We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!
The ransom amount seems to be set at $300, to be paid in Bitcoin, as we are used to these days. One thing that stands out is that WanaCry doesn't seem to generate Bitcoin addresses randomly per victim, but seems to be using three fixed addresses:
As usual, I highly suggest you don’t pay any kind of ransom. You will be funding criminal activities and you don’t have any guarantees you will get your files back.
At the moment there seems to be no easy way to decrypt your files. If you get infected by WanaCry and you don't have a backup, I recommend you capture a memory (RAM) image and store it together with the hard drive, in case new information becomes available or a decryption tool surfaces.
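As an added example, not from the original post, here is a read-only PowerShell triage script that inventories files carrying the .wcry extension under a set of root paths, so a responder can see which directories or shares were hit and over what time window encryption ran before deciding what to preserve alongside the memory capture. The default root paths and the report location are assumptions for illustration; it deletes and modifies nothing.

```powershell
# Added example, not from the original post: inventory .wcry files (the extension
# WanaCry gives encrypted files) under one or more roots and summarise the damage.
param(
    [string[]]$Roots  = @("$env:USERPROFILE", 'C:\Shares'),   # assumed paths; adjust per host
    [string]$Report   = "$env:TEMP\wcry-inventory.csv"          # assumed report location
)

# Collect every *.wcry file with the details a timeline needs. The original file name
# is recovered by stripping the appended extension; nothing on disk is touched.
$hits = foreach ($root in $Roots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Filter '*.wcry' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime,
            @{ n = 'OriginalName'; e = { $_.Name -replace '\.wcry$', '' } }
}
$hits = @($hits)

if ($hits.Count -eq 0) {
    Write-Output "No .wcry files found under: $($Roots -join ', ')"
    return
}

# Per-directory counts show which locations (and, for mapped shares, which servers)
# the payload reached; sort so the hardest-hit directories come first.
$hits | Group-Object -Property { Split-Path -Path $_.FullName -Parent } |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# The earliest and latest write times bound the encryption window for the incident timeline.
$sorted = @($hits | Sort-Object -Property LastWriteTime)
Write-Output ("Encrypted files: {0}" -f $hits.Count)
Write-Output ("Encryption window: {0} to {1}" -f $sorted[0].LastWriteTime, $sorted[-1].LastWriteTime)

# Persist the inventory so it can be correlated with other hosts later.
$hits | Export-Csv -Path $Report -NoTypeInformation
Write-Output "Inventory written to $Report"
```

Run it from an already-captured or isolated host rather than a live victim that is still encrypting, and keep the CSV with the memory image: the per-directory counts and the time window are what let you match this host against file-server logs and against other infected machines.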
WanaCry has shown us again that ransomware is big business. Looking at how it works, WanaCry doesn't seem "done"; it looks more like a work in progress (WIP) than a finished product. It gets its job done, but the ransomware part has some strange design choices. Maybe the proof of concept (PoC) escaped the development environment. Maybe the creators were afraid too many systems were patched and thought they had to release it now. Or maybe the ransomware part is just for show, and the main objective was to disrupt computer systems, as in a cyber attack.
It’s all too soon to draw conclusions. But if it’s one of the latter, we will be seeing more attacks like this in the near future. More refined, more disruptive.