Figure: Infection distribution throughout different regions.

WannaCry, originally named WanaCrypt and also known as Wana Crypt0r and Wana Decrypt0r, is a well-known ransomware worm targeting Microsoft Windows. It spreads with two NSA-developed tools leaked by The Shadow Brokers, the EternalBlue SMBv1 exploit and the DoublePulsar kernel backdoor, and wreaked havoc in airports, banks, universities, hospitals and many other facilities. It spread to some 150 countries, with Russia, Ukraine, the US and India hit hardest. It is part of the Wcry family.

The encryption scheme is not vulnerable to brute-force or dictionary attacks, because no part of it is chosen by a human: each file is encrypted with a randomly generated AES-128 key, that key is encrypted with a per-victim RSA-2048 public key, and the matching private key is itself encrypted with the attackers' RSA-2048 public key. Without an offline backup (or a private key recovered from memory, see the decryption tool section below), the only route the malware offers is paying the Bitcoin equivalent of US$300, which rises to the equivalent of US$600 after 72 hours. The ransom note warns that 7 days after infection the files can no longer be recovered.

In late June 2018, an email scam called WannaSpam emerged. Hundreds of computer users reported receiving an email from someone (or several people) claiming to be the developers of WannaCry. The email threatened to destroy the victims' data unless they sent 0.1 BTC to the "hackers'" Bitcoin address. This was a hoax: an email cannot encrypt files by itself, and nobody who received the email reported having their files encrypted.

A later vendor report found that in August 2019 alone the reporting security company had detected more than 4.3 million attempts to spread a variant of WannaCry to customer machines, showing that the worm was still circulating on unpatched networks more than two years after the outbreak.

Behavior

Infection

Infection occurs in various ways, including Trojan-style and worm-style attack vectors. When a computer is infected with WannaCry, the executable extracts an embedded resource into the folder it was run from. This resource is a password-protected ZIP archive (password WNcry@2ol7) containing the files WannaCry uses: the decryptor, ransom-note texts in many languages, its configuration, the desktop wallpaper and the encrypted payload DLL.

WannaCry then downloads a Tor client from https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip and extracts it into the TaskData folder. This Tor client is used to communicate with the ransomware's command-and-control (C2) services at gx7ekbenv2riucmf.onion, 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion, 76jdd2ir2embyv47.onion and cwwnhwhlz52maqm7.onion.

To prepare the computer so that it can encrypt as many files as possible, WannaCry runs "icacls . /grant Everyone:F /T /C /Q", which gives every user on the system full permissions to the files in the folder where the ransomware was executed and all of its subfolders. It then terminates processes belonging to database servers and mail servers so that it can encrypt databases and mail stores that would otherwise be locked.

The commands executed to terminate the database and Exchange server processes are:

taskkill.exe /f /im mysqld.exe
taskkill.exe /f /im sqlwriter.exe
taskkill.exe /f /im sqlserver.exe
taskkill.exe /f /im MSExchange*
taskkill.exe /f /im Microsoft.Exchange.*

Once running, the ransomware encrypts the files on the computer very quickly, and it attacks mounted network drives as well.

When encrypting files, WannaCry will scan all drives and mapped network drives for files that have one of the following extensions:

.der, .pfx, .key, .crt, .csr, .pem, .odt, .ott, .sxw, .stw, .uot, .max, .ods, .ots, .sxc, .stc, .dif, .slk, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mkv, .flv, .wma, .mid, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .hwp, .snt, .onetoc2, .dwg, .pdf, .wks, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

When encrypting a file, WannaCry writes the magic string WANACRY! at the beginning of the encrypted output and appends the .WNCRY extension to the original filename to mark the file as encrypted. For example, a file called test.jpg is encrypted and renamed test.jpg.WNCRY.
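
The following triage script is an added example (not code from the page or from the malware authors) that walks a directory tree and separates real WannaCry output from files that merely carry the extension, using the WANACRY! magic string, the .WNCRY suffix, and the dropped @Please_Read_Me@.txt and @WanaDecryptor@.exe files described on this page. The header field layout after the magic string is taken from public reverse-engineering of the sample and is an assumption here, not something this page states; the targeted-extension subset and the sample tree are constructed test data.

```python
import struct
import tempfile
from pathlib import Path

MAGIC = b"WANACRY!"            # magic string written at the start of every encrypted file
ENCRYPTED_EXT = ".WNCRY"       # extension appended to the original filename
RANSOM_NOTE = "@Please_Read_Me@.txt"
DECRYPTOR = "@WanaDecryptor@.exe"
# A subset of the targeted extensions listed on this page; extend as needed.
TARGETED_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
                 ".txt", ".sql", ".mdf", ".pst", ".zip", ".vmdk", ".key", ".pfx"}

# Header layout beyond the magic string, per public reverse-engineering of the
# sample (ASSUMPTION: not stated on this page; verify against your own sample):
#   8 bytes  "WANACRY!"
#   4 bytes  little-endian length of the encrypted key blob (0x100 for RSA-2048)
#   N bytes  the per-file AES key, RSA-encrypted with the victim's public key
#   4 bytes  little-endian mode flag (not interpreted here)
#   8 bytes  little-endian original file size
#   ...      AES-128-CBC ciphertext
HEAD_FIXED = 8 + 4
TAIL_FIXED = 4 + 8


def parse_wncry_header(data: bytes):
    """Return the parsed header as a dict, or None if data is not a WannaCry file."""
    if not data.startswith(MAGIC) or len(data) < HEAD_FIXED:
        return None
    (key_len,) = struct.unpack_from("<I", data, len(MAGIC))
    tail_off = HEAD_FIXED + key_len
    if key_len == 0 or len(data) < tail_off + TAIL_FIXED:
        return None
    mode, orig_size = struct.unpack_from("<IQ", data, tail_off)
    return {
        "key_len": key_len,
        "enc_key": data[HEAD_FIXED:tail_off],   # needed if the private key is ever recovered
        "mode": mode,
        "orig_size": orig_size,
        "header_len": tail_off + TAIL_FIXED,
    }


def scan_tree(root):
    """Walk a directory tree and report WannaCry artefacts and likely-targeted files."""
    root = Path(root)
    report = {"encrypted": [], "bad_magic": [], "notes": 0,
              "decryptors": 0, "targeted_untouched": 0}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE:
            report["notes"] += 1
        elif path.name == DECRYPTOR:
            report["decryptors"] += 1
        elif path.name.upper().endswith(ENCRYPTED_EXT):
            with open(path, "rb") as fh:             # read only what a header can need
                head = fh.read(HEAD_FIXED + 4096 + TAIL_FIXED)
            hdr = parse_wncry_header(head)
            if hdr is None:
                report["bad_magic"].append(rel)     # renamed, but not real WannaCry output
            else:
                hdr["ciphertext_len"] = path.stat().st_size - hdr["header_len"]
                report["encrypted"].append(rel)
        elif path.suffix.lower() in TARGETED_EXTS:
            report["targeted_untouched"] += 1       # targeted type that was not (yet) encrypted
    return report


def build_sample_tree():
    """Create a constructed sample tree in a temp directory (test data, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="wncry-triage-"))
    docs = root / "docs"
    docs.mkdir()
    fake_header = (MAGIC + struct.pack("<I", 256) + b"\x00" * 256
                   + struct.pack("<IQ", 4, 1234) + b"\x11" * 32)
    (docs / "report.docx.WNCRY").write_bytes(fake_header)
    (docs / "fake.WNCRY").write_bytes(b"NOTWANA!" + b"\x00" * 300)
    (docs / "notes.txt").write_text("untouched targeted file")
    (docs / "README.md").write_text("not a targeted extension")
    (docs / RANSOM_NOTE).write_text("constructed ransom-note placeholder")
    (docs / DECRYPTOR).write_bytes(b"MZ placeholder")
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

The "bad_magic" bucket matters during incident response: scareware and copycats rename files to .WNCRY without encrypting them, and a real WannaCry file always starts with the magic string. The enc_key field is kept because it is the RSA-encrypted per-file AES key, which is the only thing a recovered private key needs to unlock the file.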

While encrypting, it also drops a @Please_Read_Me@.txt ransom note and a copy of the @WanaDecryptor@.exe decryptor into every folder that contains at least one encrypted file. Finally, WannaCry issues commands that delete all Volume Shadow Copies, disable Windows startup recovery and clear the Windows Server Backup catalog, removing the usual local recovery options. The command issued is:

C:\Windows\SysWOW64\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Because these commands require administrative privileges, victims may see a UAC prompt. If the prompt is declined, the shadow copies may survive and can sometimes be used to restore files.
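
The pre-encryption commands above are noisy and rarely legitimate in that combination, which makes them a good detection. The script below is an added example (not code from the page) that runs command-line rules over constructed process-creation records of the kind a Sysmon EventID 1 or Security 4688 forwarder emits; the host names, event shape, severities and threshold are assumptions for illustration. The chained cmd.exe line is matched against several rules at once, exactly as WannaCry issues it.

```python
import re
from collections import defaultdict

# Each rule: (name, severity, pattern). Patterns are case-insensitive and searched
# anywhere in the command line, so one chained "cmd /c a & b & c" line can fire
# several rules. Severities and the threshold are illustrative assumptions.
RULES = [
    ("vssadmin_delete_shadows", 3, r"\bvssadmin(\.exe)?\s+delete\s+shadows?\b"),
    ("wmic_shadowcopy_delete", 3, r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    ("wbadmin_delete_catalog", 3, r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("bcdedit_disable_recovery", 2,
     r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("icacls_grant_everyone", 2, r"\bicacls\s+\.\s+/grant\s+Everyone:F\b"),
    ("taskkill_db_or_mail", 1,
     r"\btaskkill(\.exe)?\s+/f\s+/im\s+(mysqld\.exe|sqlwriter\.exe|sqlserver\.exe|MSExchange\*|Microsoft\.Exchange\.\*)"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, _, pat in RULES]
SEVERITY = {name: sev for name, sev, _ in RULES}
ALERT_THRESHOLD = 3   # total severity per host needed to raise an alert


def match_rules(cmdline: str):
    """Return the names of all rules matching one process command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def triage(events):
    """events: iterable of dicts with 'host', 'image', 'cmdline' (process-creation records).
    Returns {host: {'score': int, 'hits': [rule names]}} for hosts over the threshold."""
    per_host = defaultdict(lambda: {"score": 0, "hits": []})
    for ev in events:
        entry = per_host[ev["host"]]
        for name in match_rules(ev["cmdline"]):
            if name not in entry["hits"]:        # count each technique once per host
                entry["hits"].append(name)
                entry["score"] += SEVERITY[name]
    return {h: v for h, v in per_host.items() if v["score"] >= ALERT_THRESHOLD}


# Constructed sample events. The 'ws-17' lines mirror the command list on this page;
# the other hosts show routine administration that must not alert.
SAMPLE_EVENTS = [
    {"host": "ws-17", "image": "icacls.exe", "cmdline": "icacls . /grant Everyone:F /T /C /Q"},
    {"host": "ws-17", "image": "taskkill.exe", "cmdline": "taskkill.exe /f /im mysqld.exe"},
    {"host": "ws-17", "image": "taskkill.exe", "cmdline": "taskkill.exe /f /im MSExchange*"},
    {"host": "ws-17", "image": "cmd.exe", "cmdline":
        "C:\\Windows\\SysWOW64\\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
        " & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default}"
        " recoveryenabled no & wbadmin delete catalog -quiet"},
    {"host": "backup-01", "image": "vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"host": "dev-03", "image": "taskkill.exe", "cmdline": "taskkill /f /im notepad.exe"},
    {"host": "srv-sql", "image": "taskkill.exe", "cmdline": "taskkill.exe /f /im sqlwriter.exe"},
]

if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        print(host, info)
```

Scoring per host rather than per event is deliberate: a lone "taskkill /f /im sqlwriter.exe" is routine on a database server, whereas shadow-copy deletion combined with recovery being disabled is the ransomware signature, so the shadow-copy rules alone carry enough weight to alert.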

Finally, the installer runs a copy of @WanaDecryptor@.exe so that the "Wana Decryptor 2.0" lock screen is displayed. This screen explains how the ransom can be paid and lets the user pick one of the supported languages.

When the user clicks the Check Payment button, the decryptor connects over Tor to the C2 services to ask whether a payment has been made. The note promises automatic decryption once payment is verified; in practice the campaign used only three hard-coded Bitcoin addresses, so there was no reliable way to match a payment to a particular victim, and decryption after paying was not guaranteed.

WannaCry will also configure the user's Desktop wallpaper to display another ransom note. A copy of this ransom note will be left on the desktop that contains more information and answers to frequently asked questions.

From version 2.0 onwards, WannaCry no longer depends on spam attachments, spoofed links or hijacked advertisements to spread; it behaves as a worm and uses the SMBv1 exploit to attack every vulnerable computer reachable from the infected host.

It scans TCP port 445 (SMB) on every address in the local network and also on randomly generated internet addresses. When a host is listening on 445 and is vulnerable to MS17-010, the worm exploits it with EternalBlue, installs the DoublePulsar kernel backdoor (or reuses one already present) and uses it to load the worm DLL into the target, which then drops and starts a fresh copy of the ransomware. No credentials or PsExec are involved: an unpatched host exposing SMBv1 on port 445 is enough.
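
A host sweeping a subnet on 445/tcp stands out in flow data long before encryption finishes, so network telemetry is a practical early warning. The detector below is an added example (not from the page) that runs a sliding-window "distinct SMB destinations" rule over constructed flow records in a simplified netflow/Zeek-style tuple form; the window, threshold, internal address ranges and sample addresses are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORT = 445
WINDOW_SECONDS = 60      # assumption: how long a burst may last
DISTINCT_TARGETS = 10    # assumption: unique 445/tcp targets in one window to call it a scan
# Assumed organisation ranges; anything outside is treated as internet-bound.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_smb_scanners(flows, window=WINDOW_SECONDS, threshold=DISTINCT_TARGETS):
    """flows: iterable of (ts_seconds, src_ip, dst_ip, dst_port) connection attempts.
    Flags a source once it has touched `threshold` distinct 445/tcp destinations
    within any `window` seconds; returns {src: summary} for flagged sources."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        seen = defaultdict(int)      # distinct destinations inside the current window
        lo = 0
        flagged = False
        for ts, dst in attempts:
            seen[dst] += 1
            while attempts[lo][0] < ts - window:   # slide the window's left edge forward
                old = attempts[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            if len(seen) >= threshold:
                flagged = True
                break
        if flagged:
            targets = {d for _, d in attempts}
            alerts[src] = {
                "distinct_targets": len(targets),
                "first_ts": attempts[0][0],
                "external_targets": sum(1 for d in targets if not is_internal(d)),
            }
    return alerts


def build_sample_flows():
    """Constructed flow records. 10.0.5.17 behaves like a WannaCry host: it sweeps
    its /24 and a few internet addresses on 445/tcp within one minute."""
    t = 1_494_600_000
    flows = [(t + i, "10.0.5.17", f"10.0.5.{i}", 445) for i in range(1, 30)]
    flows += [(t + 40 + i, "10.0.5.17", dst, 445)
              for i, dst in enumerate(["198.51.100.23", "203.0.113.9", "192.0.2.200"])]
    # A file server receiving many SMB connections is a destination, not a scanner.
    flows += [(t + i, f"10.0.7.{i}", "10.0.1.5", 445) for i in range(1, 30)]
    # An admin touching three servers over ten minutes stays below the threshold.
    flows += [(t + 200 * i, "10.0.9.2", dst, 445)
              for i, dst in enumerate(["10.0.1.5", "10.0.1.6", "10.0.1.7"])]
    # Web traffic from the scanning host is irrelevant to the SMB rule.
    flows.append((t + 5, "10.0.5.17", "198.51.100.50", 443))
    return flows


if __name__ == "__main__":
    print(detect_smb_scanners(build_sample_flows()))
```

Counting distinct destinations rather than raw connection attempts keeps legitimate chatter to a single file server from tripping the rule, and reporting external targets separately highlights the worm's internet-facing scanning, which is what let it cross organisational boundaries.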

Exploits

Figure: Exploit used by WannaCry.

This ransomware uses the EternalBlue SMBv1 exploit leaked by The Shadow Brokers in April 2017, which Microsoft had already patched on March 14, 2017 in security bulletin MS17-010. Many companies and organizations had not installed this patch. Because of the damage the ransomware caused, Microsoft also released an emergency patch for Windows XP, Windows Server 2003 and Windows 8, none of which was still supported at the time.

Many antivirus vendors and computer security companies also created programs to "immunize" computers against the EternalBlue exploit. The lasting fix is to install MS17-010, disable SMBv1 where it is not needed and block TCP port 445 at network boundaries.

Kill Switch and Decryption

On May 12, 2017, British security researcher Marcus Hutchins (known online as MalwareTech) noticed that the ransomware attempts an HTTP request to a then-unregistered domain made up of random-looking letters and numbers (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com), and that if the request succeeds the process exits before the ransomware routine begins; Proofpoint researcher Darien Huss identified the same check. Hutchins registered the domain and pointed it at a sinkhole, which slowed the spread of WannaCry to a near-standstill. The check is not proxy-aware: a host that can only reach the internet through a web proxy cannot complete the request, fails the check and is encrypted anyway, so some organizations served the domain from an internal web server as a stopgap. Within days, variants with altered or removed kill-switch domains appeared.
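
The following model is an added example (not the malware's code or anything from the page) that captures the kill-switch decision and the two cases practitioners care about: the check only stops the worm when the request succeeds, so a network that blocks direct outbound HTTP (proxy-only egress) makes the kill switch useless, while resolving the domain to an internal web server makes it fire again. The URL is a placeholder under .invalid, the scenario functions are constructed stand-ins for different networks, and the direct-fetch helper deliberately ignores system proxy settings, which is the behaviour the real check had.

```python
import socket
import urllib.request

# Placeholder standing in for the worm's hard-coded kill-switch domain
# (ASSUMPTION: a stand-in name, not the real one; .invalid never resolves).
KILL_SWITCH_URL = "http://www.kill-switch-placeholder.invalid/"


def worm_should_run(fetch, url=KILL_SWITCH_URL) -> bool:
    """Model of the first-run check: one plain HTTP request to the kill-switch URL.
    Only a successful response stops the worm; every kind of failure (NXDOMAIN,
    timeout, refused, blocked egress) lets it continue."""
    try:
        fetch(url)
    except Exception:
        return True
    return False


def direct_fetch(url, timeout=5):
    """Non-proxy-aware GET: an empty ProxyHandler disables the environment/system
    proxy that urllib would otherwise use, mirroring the malware's direct connection."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=timeout) as resp:
        return resp.status


# Constructed network scenarios; each stands in for what `direct_fetch` would do there.
def registered_and_reachable(url):
    """Domain sinkholed by a researcher, host has direct internet access."""
    return 200


def unregistered(url):
    """State before the domain was registered: the lookup fails."""
    raise socket.gaierror("Name or service not known")


def proxy_only_egress(url):
    """Domain is registered, but direct port-80 egress is firewalled and the
    malware never reads the proxy configuration."""
    raise ConnectionRefusedError("direct outbound HTTP blocked; proxy required")


def internal_sinkhole(url):
    """Defender resolves the domain on internal DNS to a local web server."""
    return 200


SCENARIOS = [registered_and_reachable, unregistered, proxy_only_egress, internal_sinkhole]


def simulate():
    """Map each scenario to whether the worm would proceed past the kill switch."""
    return {fn.__name__: worm_should_run(fn) for fn in SCENARIOS}


if __name__ == "__main__":
    for name, runs in simulate().items():
        print(f"{name:26s} worm runs: {runs}")
    print("live direct check (placeholder domain):", worm_should_run(direct_fetch))
```

The point of catching every exception is faithful to the malware: any error path, including the one a corporate proxy forces, is treated as "domain does not exist", which is why proxied networks were hit after the sinkhole went live and why an internally resolvable copy of the domain was an effective stopgap.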

Figure: Properties of malware files used by WannaCry.

Decryption tool released

Adrien Guinet, a French security researcher from Quarkslab, found that on Windows XP the ransomware did not wipe the prime numbers used to generate its RSA key pair from memory after encrypting the files (the Windows CryptoAPI call it relied on does not clear them on that version), so those numbers can be read out of the still-running process and used to regenerate the private key.

Before generating an RSA key pair, the system chooses two large prime numbers p and q; the public modulus n is their product. After the keys are generated, p and q must be kept secret and wiped, because anyone who learns either of them can divide n to get the other and recompute the private exponent.

The WanaKiwi decryptor, written by Benjamin Delpy on top of Guinet's wannakey and working on Windows XP through Windows 7 and Server 2003/2008, searches the memory of the ransomware process for a prime that divides the victim's public modulus, rebuilds the private key and decrypts the files without paying. It has limits, and may not be able to recover the files in the following cases:

  1. The infected machine has been restarted, since process memory does not survive a reboot.
  2. The memory that held the primes has been freed and reused by other code; the block can be overwritten at any time, so the tool should be run as soon as possible after infection.
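
The core of that recovery technique, as an added example rather than WanaKiwi's own code: slide a window over a memory dump, treat each position as a little-endian integer, keep the first prime that divides the public modulus, and rebuild the private exponent from it. The key sizes here are toy (64-bit and 32-bit Mersenne primes so the arithmetic is easy to check by hand; real WannaCry keys are RSA-2048 with 1024-bit primes found the same way), the "memory dump" is constructed, and the "AES key" is a short stand-in for the RSA-encrypted per-file key.

```python
E = 65537
# Two known primes used to build a small demo key (ASSUMPTION: toy sizes).
P_DEMO = (1 << 61) - 1      # 2^61 - 1, prime
Q_DEMO = (1 << 31) - 1      # 2^31 - 1, prime
N_DEMO = P_DEMO * Q_DEMO    # the "public modulus" the tool would read from the victim's key


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_prime_factor_in_memory(dump: bytes, n: int, width: int = 8):
    """Slide a `width`-byte window over a memory dump, read each position as a
    little-endian integer, and return the first prime that divides n. Either p or q
    left behind by the key generator is enough, since the other is n // found."""
    for off in range(len(dump) - width + 1):
        cand = int.from_bytes(dump[off:off + width], "little")
        if 1 < cand < n and n % cand == 0 and is_probable_prime(cand):
            return cand
    return None


def rebuild_private_key(n, e, p):
    """Recompute q, phi(n) and the private exponent d from one recovered prime."""
    q = n // p
    assert p * q == n, "p does not divide n"
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)       # modular inverse, Python 3.8+
    return {"p": p, "q": q, "d": d}


def build_memory_dump(prime: int) -> bytes:
    """Constructed stand-in for a process memory dump: junk, the leftover prime in
    little-endian form (how CryptoAPI stores big numbers), more junk."""
    junk = bytes(range(256)) * 4
    return junk + prime.to_bytes(8, "little") + junk[::-1]


def recover_and_decrypt(dump, n, e, ciphertext: int):
    """Full WanaKiwi-style flow: find a prime in memory, rebuild d, decrypt one RSA
    block. In WannaCry that block is the per-file AES key stored in each .WNCRY header."""
    p = find_prime_factor_in_memory(dump, n)
    if p is None:
        return None               # prime already overwritten: nothing to recover
    key = rebuild_private_key(n, e, p)
    return pow(ciphertext, key["d"], n)


if __name__ == "__main__":
    aes_key = int.from_bytes(b"demo-key01", "big")        # stand-in "AES key", < N_DEMO
    encrypted_key = pow(aes_key, E, N_DEMO)                # what the file header would hold
    recovered = recover_and_decrypt(build_memory_dump(P_DEMO), N_DEMO, E, encrypted_key)
    print(recovered == aes_key, recovered.to_bytes(10, "big"))
```

The divisibility test does the heavy lifting: a random 8-byte window almost never divides n, so a hit is either the prime itself or nothing, and the primality check only guards against trivial divisors. This is also why the two limits above are real: once the window containing p or q has been overwritten by another allocation, or the process has gone with a reboot, find_prime_factor_in_memory returns None and no amount of scanning helps.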

Other Languages

Figure: WannaCrypt Map.

Video: WannaCry Ransomware in Action - NSA Exploit based (by The PC Security Channel).

Video: Killing WannaCry Ransomware - Explained in depth.

Figure: The ransom note in Chinese.

WannaCry has translations for these languages:
  • Bulgarian
  • Chinese (Simplified)
  • Chinese (Traditional)
  • Croatian
  • Czech
  • Danish
  • Dutch
  • English
  • Filipino
  • Finnish
  • French
  • German
  • Greek
  • Indonesian
  • Italian
  • Japanese
  • Korean
  • Latvian
  • Norwegian
  • Polish
  • Portuguese
  • Romanian
  • Russian
  • Slovak
  • Spanish
  • Swedish
  • Turkish
  • Vietnamese

Affected Organizations (according to Wikipedia)

  • São Paulo Court of Justice (Brazil)
  • Aristotle University of Thessaloniki (Greece)
  • Vivo (Telefônica Brasil) (Brazil)
  • Lakeridge Health (Canada)
  • PetroChina (China)
  • Public Security Bureaus (China)
  • Sun Yat-sen University (China)
  • Instituto Nacional de Salud (Colombia)
  • Renault (France)
  • Deutsche Bahn (Germany)
  • Telenor Hungary (Hungary)
  • Andhra Pradesh Police (India)
  • Dharmais Hospital (Indonesia)
  • Harapan Kita Hospital (Indonesia)
  • University of Milano-Bicocca (Italy)
  • Q-Park (Netherlands)
  • Portugal Telecom (Portugal)
  • Automobile Dacia (Romania)
  • Ministry of Foreign Affairs (Romania)
  • MegaFon (Russia)
  • Ministry of Internal Affairs (Russia)
  • Russian Railways (Russia)
  • Banco Bilbao Vizcaya Argentaria (Spain)
  • Telefónica (Spain)
  • Sandvik (Sweden)
  • Garena Blade and Soul (Thailand)
  • National Health Service (United Kingdom)
  • Nissan UK (United Kingdom)
  • FedEx (United States)
  • STC (Saudi Arabia)
  • Boeing (United States)
  • Cambrian College (Canada)
  • Chinese public security bureau (China)
  • CJ CGV (South Korea)
  • Dalian Maritime University (China)
  • Faculty Hospital (Slovakia)
  • Guilin University Of Aerospace Technology (China)
  • Guilin University Of Electronic Technology (China)
  • Hezhou University (China)
  • Hitachi (Japan)
  • Honda (Japan)
  • LATAM Airlines Group (Chile)
  • NHS Scotland (Scotland)
  • O2 (Germany)
  • Petrobrás (Brazil)
  • Pulse FM (Australia)
  • Sberbank (Russia)
  • Shandong University (China)
  • Government of Gujarat (India)
  • Government of Kerala (India)
  • Government of Maharashtra (India)
  • Government of West Bengal (India)
  • Suzhou Vehicle Administration (China)
  • Telkom (South Africa)
  • Timrå Municipality (Sweden)
  • TSMC (Taiwan)
  • Universitas Jember (Indonesia)
  • University of Montreal (Canada)

Figure: Timeline of key events relating to the WannaCry ransomware, made by Symantec.

Variants

Including the very first version, there are 5 known versions:

  • Version 1.0 - April 25, 2017
  • Version 2.0 - May 13, 2017
  • Version 2.1 - May 14, 2017
  • Version 2.2 - May 15, 2017
  • Version 3.0 - June 12, 2017
