Sat May 13, 2017
Do not play with the samples unless you really know what you’re doing. You have been warned!
The ransom is between $300 and $600; there is code to delete files in the virus, so it is not just a threat.
The worm loops through every RDP session on a system to run the ransomware as that user; it also installs the DOUBLEPULSAR backdoor and corrupts shadow volumes to make recovery harder.
If the website (ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com in the b9318a66 version) is up, the virus exits instead of infecting the host. The domains have been sinkholed, stopping the spread of the ransomware worm.
The binary blob in the PE is a password-protected archive with the password WNcry@2ol7; you can use 7z to extract the files:
user@host:~$ 7z x wannacry.exe -pWNcry@2ol7 > /dev/null
The archive contains the following files:
- b.wnry – Ransom desktop wallpaper.
- c.wnry – Configuration file containing C2 server addresses, Bitcoin wallet, etc.
- r.wnry – Ransom note.
- s.wnry – ZIP archive containing the TOR client.
- t.wnry – The encryption part of the ransomware encrypted using a WanaCry specific format; can be decrypted using the private key embedded inside the ransomware executable.
- u.wnry – Decrypter executable.
- Taskdl.exe – Deletes all temporary files created during encryption.
- Taskse.exe – Runs given program in all user sessions.
- msg directory – Language files.
- Each infection generates a new
- The public key is exported as blob and saved to
- The private key is encrypted with the ransomware public key and saved as
- Each file is encrypted using AES-128-CBC, with a unique AES key per file.
- The AES key is encrypted using the infection specific RSA keypair.
The malware initially tries to open 00000000.dky; if it is available, it imports the key into a CryptoAPI key object. Presumably this would be the decryption key from the ransomware authors.
If it cannot open the *.dky file, it generates a new 2048-bit RSA key pair. The public key is exported as a blob and saved to 00000000.pky. The private key is exported as a blob and encrypted with the ransomware public key before being saved to
The RSA public key used to encrypt the user's RSA key pair is embedded inside the DLL. The AES-128 key generated for each file is derived from CryptGenRandom, which is cryptographically secure and is not known to have any weakness.
The AES keys are encrypted using the user's public key in *.pky. In order to decrypt, the user's private key is needed, which is itself encrypted using a public key owned by the ransomware authors.
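As an added illustration (not code from this post or from the malware), the key hierarchy described above modelled in Go: a random AES-128-CBC key per file, wrapped with the infection's RSA-2048 public key (the 00000000.pky contents), and the infection's private key escrowed to the authors' public key, so that Recover succeeds only with the authors' private key. RSA-OAEP, PKCS#7 padding and the function names are our assumptions; the post does not state the malware's padding.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

type Envelope struct{ WrappedKey, IV, Ciphertext []byte } // one AES-CBC encryption plus its RSA-wrapped key
// seal draws a random AES-128 key and IV (CryptGenRandom's role), encrypts data, wraps the key to pub.
func seal(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	kiv := make([]byte, 32) // first 16 bytes AES key, last 16 bytes IV
	rand.Read(kiv)
	n := aes.BlockSize - len(data)%aes.BlockSize // PKCS#7 padding (our assumption)
	pt := append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
	block, _ := aes.NewCipher(kiv[:16])
	cipher.NewCBCEncrypter(block, kiv[16:]).CryptBlocks(pt, pt) // encrypt in place
	wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kiv[:16], nil)
	return &Envelope{wk, kiv[16:], pt}, err
}
// unseal needs the matching RSA private key; without it the AES key, and so the data, stays locked.
func unseal(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	pt := append([]byte{}, e.Ciphertext...)
	cipher.NewCBCDecrypter(block, e.IV).CryptBlocks(pt, pt)
	return pt[:len(pt)-int(pt[len(pt)-1])], nil
}
// Infect models one infection: a new RSA-2048 pair, public half as in 00000000.pky, private half escrowed to the authors' key (the one embedded in the DLL).
func Infect(authors *rsa.PublicKey) (*rsa.PublicKey, *Envelope, error) {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails on a broken RNG
	esc, err := seal(authors, x509.MarshalPKCS1PrivateKey(k))
	return &k.PublicKey, esc, err
}
// Recover: only the authors' private key (what 00000000.dky would carry) opens the escrow, and only the recovered infection key opens a file.
func Recover(authorsPriv *rsa.PrivateKey, esc, file *Envelope) ([]byte, error) {
	der, err := unseal(authorsPriv, esc) // fails unless authorsPriv matches the escrow key
	if err != nil {
		return nil, err
	}
	k, _ := x509.ParsePKCS1PrivateKey(der) // valid DER: it came from a successful unseal
	return unseal(k, file)
}
```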
There are five Tor .onion addresses hardcoded in the malware:
The malware is not using HTTP to communicate to the C2 servers, but a custom protocol.
There are three addresses hardcoded into the malware:
- Microsoft Security Bulletin MS17-010
- Say Hello to ‘WannaCry’
- Customer Guidance for WannaCrypt attacks
- Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool
- How to accidentally stop a global cyber attack
- Public MalwareTech botnet tracker
- Malware samples: 1, 2 and 3
- Protecting customers and evaluating risk
- Hacker News discussions: 1, 2, 3 and 4.
- YARA rules
- New variants detected
- The largest ransom-ware infection in History