WannaCry ransomware attack: a technical analysis

Overview
On Friday, May 12, several thousand computers were infected with a new ransomware variant called WannaCry. Using a traditional delivery method, it nonetheless made a huge impact by automatically and quickly infecting multiple servers within each organization it attacked.

  • The malware is delivered via phishing email.
  • When the victim acts on the email, it initiates the download of a dropper.
  • The dropper scans the local network for hosts vulnerable to the CVE-2017-0147/MS17-010 exploit, AKA EternalBlue.
    • EternalBlue appeared as part of the data leaked by Shadow Brokers, who allegedly have access to NSA exploits.
  • Hosts vulnerable to the exploit are made to run the WannaCry ransomware without downloading it, as the payload is carried within the exploit.
    • WannaCry gets its name from a string within the binary, WNcry@2o17.
  • The malware then initiates a Tor connection, since its command and control resides on the Tor network.
    • Note: WannaCry does not need a network connection to begin encryption, but it continues to make attempts.

Why is this different: Because so many machines remain unpatched against the exploited vulnerability, this malware can spread extremely quickly without requiring a massive phishing campaign. The SMB exploit is a virtually unstoppable way of spreading.
How to prevent and detect:

  • As always, keep all machines patched and updated.
  • Use backups and ensure they are isolated.
  • Use proper firewall configuration: workstations shouldn’t have SMB open; servers typically shouldn’t be allowed unrestricted SMB access.
  • Utilize monitoring tools to detect this and future attacks before they cause significant damage.
    For example, you can detect WannaCry by looking at new connections made by infected machines vs. uninfected.
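The last bullet above is the one a defender can act on immediately: a freshly infected host starts opening SMB (TCP/445) connections to many internal hosts it has never talked to before, while uninfected workstations keep talking only to their usual file servers. The script below is an added example, not part of the original analysis. It assumes a simple space-separated connection log of the form "<epoch> <src_ip> <dst_ip> <dst_port> <proto>" (a constructed format, not any particular product's export), learns a baseline of normal SMB peer pairs from a pre-outbreak log, and then flags any source that reaches a threshold of distinct, never-before-seen SMB peers within a sliding time window. The threshold, window and sample log lines are all constructed for illustration.

```python
"""Flag hosts opening many new SMB (TCP/445) connections in a short window.

Added example for illustration; not code from the original analysis.
Log format assumed: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>".
"""
from collections import defaultdict, deque

SMB_PORT = 445
WINDOW_SECONDS = 60      # constructed: sliding window for counting new peers
NEW_PEER_THRESHOLD = 10  # constructed: distinct new peers that trigger an alert

# Constructed pre-outbreak log: every workstation talks only to the file server.
BASELINE_LOG = """\
1494518400 10.0.1.20 10.0.0.5 445 tcp
1494518401 10.0.1.21 10.0.0.5 445 tcp
1494518402 10.0.1.22 10.0.0.5 445 tcp
"""

# Constructed outbreak-day log: 10.0.1.21 fans out to twelve new hosts on 445
# within a few seconds; 10.0.1.20 and 10.0.1.22 behave (almost) as usual.
SAMPLE_LOG = """\
1494604800 10.0.1.20 10.0.0.5 445 tcp
1494604801 10.0.1.21 10.0.0.5 445 tcp
1494604802 10.0.1.21 10.0.1.30 445 tcp
1494604803 10.0.1.21 10.0.1.31 445 tcp
1494604804 10.0.1.21 10.0.1.32 445 tcp
1494604805 10.0.1.21 10.0.1.33 445 tcp
1494604806 10.0.1.21 10.0.1.34 445 tcp
1494604807 10.0.1.21 10.0.1.35 445 tcp
1494604808 10.0.1.21 10.0.1.36 445 tcp
1494604809 10.0.1.21 10.0.1.37 445 tcp
1494604810 10.0.1.21 10.0.1.38 445 tcp
1494604811 10.0.1.21 10.0.1.39 445 tcp
1494604812 10.0.1.21 10.0.1.40 445 tcp
1494604813 10.0.1.21 10.0.1.41 445 tcp
1494604814 10.0.1.22 10.0.0.5 445 tcp
1494604815 10.0.1.20 10.0.0.9 443 tcp
1494604816 10.0.1.22 10.0.1.30 445 tcp
"""


def parse_line(line):
    """Split one log line into (epoch, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return int(ts), src, dst, int(dport), proto.lower()


def smb_records(log_text):
    """Yield SMB-over-TCP records from the log, sorted by timestamp."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r[0])
    for ts, src, dst, dport, proto in records:
        if proto == "tcp" and dport == SMB_PORT:
            yield ts, src, dst


def build_baseline(log_text):
    """Return the set of (src, dst) SMB pairs seen during normal operation."""
    return {(src, dst) for _, src, dst in smb_records(log_text)}


def find_smb_scanners(log_text, baseline, window=WINDOW_SECONDS,
                      threshold=NEW_PEER_THRESHOLD):
    """Return {src_ip: peak_new_peer_count} for sources that reach `threshold`
    distinct never-before-seen SMB peers inside any `window`-second span.
    Repeated connections to the same new peer count once."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) within the window
    alerts = {}
    for ts, src, dst in smb_records(log_text):
        if (src, dst) in baseline:
            continue  # a known, normal SMB relationship
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()  # expire entries outside the sliding window
        q.append((ts, dst))
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for host, count in find_smb_scanners(SAMPLE_LOG, baseline).items():
        print(f"ALERT: {host} reached {count} new SMB peers within {WINDOW_SECONDS}s")
```

Only 10.0.1.21 is reported: its twelve new peers exceed the threshold, whereas 10.0.1.22's single new peer and 10.0.1.20's HTTPS connection are ignored. In practice the baseline should be built from a long, known-clean period, and the threshold tuned so that legitimate sources of SMB fan-out (backup servers, vulnerability scanners, software deployment hosts) are either whitelisted or well below it.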

Recommendations:

Like any malware, WannaCry leaves marks of its behavior in multiple places. Demanding ransom is a highly noisy and blunt way to make money, and hence captured significant media attention and response. If the goal were different, this would have been a much more secretive attack, with multiple organizations discovering many months from now that significant chunks of their information were exfiltrated without their knowledge. We must not forget that the EternalBlue exploit, which has existed for many, many months, was likely developed for a completely different and more devastating reason.

Technical Summary:
Delivery:
Direct:
A phishing email, either with PDF attachment or just HTML content, lures the victim to download a binary from a specific URL.
hxxp://www.rentasyventas[.]com/incluir/rk/imagenes.html?retencion=081525418
hxxp://graficagbin[.]com.br/loja/q.hta
Next, the binary is downloaded, e.g.:
hxxp://parafazeracontecer[.]com.br/blog/taskhost.exe
Exploit:
It scans the network for hosts vulnerable to MS17-010 and executes the malware on those machines directly, causing a very fast and wide spread of the ransomware.