
Wannacrypt0r (WannaCry) ransomware

Sat May 13, 2017

Do not play with the samples unless you really know what you’re doing. You have been warned!

All Windows versions before Windows 10 are vulnerable to the WannaCry (also called WannaCrypt, WanaCrypt0r, WCrypt or WCRY) ransomware if not patched for MS-17-010.

The ransom is between $300 and $600, and the virus contains code to delete files, so the threat is not an empty one.

The worm loops through every RDP session on a system and runs the ransomware as each of those users; it also installs the DOUBLEPULSAR backdoor and corrupts shadow volumes to make recovery harder.

If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com in the b9318a66 version) is up, the virus exits instead of infecting the host. Both domains have been sinkholed, which stopped the spread of the ransomware worm.
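The kill-switch check gives defenders a cheap detection signal: a DNS query for either domain means a host executed the sample and reached that check, whether or not the lookup succeeded. The program below is an added example written for this page (not code from the article or from the malware). It scans resolver log lines in an assumed "timestamp source-ip qtype qname rcode" format, matches the two domains named above (exact or as a subdomain, case-insensitive, trailing dot tolerated), and lists the hosts to triage. The log format, the field positions and the sample lines are all constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// The two kill-switch domains named in the article. A DNS query for either
// one means a host ran the sample and reached its exit check.
var killSwitchDomains = []string{
	"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
	"ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
}

// Hit records one kill-switch lookup: which host asked, for which domain,
// and what the resolver answered.
type Hit struct {
	Source string
	Domain string
	Rcode  string
}

// normalizeName lowercases a query name and drops the trailing dot so that
// "WWW.Example.COM." and "www.example.com" compare equal.
func normalizeName(name string) string {
	return strings.TrimSuffix(strings.ToLower(name), ".")
}

// matchKillSwitch returns the kill-switch domain a query name belongs to
// (exact match or a subdomain of it), or "" if it matches neither.
func matchKillSwitch(qname string) string {
	q := normalizeName(qname)
	for _, d := range killSwitchDomains {
		if q == d || strings.HasSuffix(q, "."+d) {
			return d
		}
	}
	return ""
}

// FindKillSwitchLookups scans resolver log lines in the assumed format
// "<timestamp> <source-ip> <qtype> <qname> <rcode>" and returns every
// query that targeted a kill-switch domain. Malformed lines are skipped.
func FindKillSwitchLookups(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 5 {
			continue
		}
		if d := matchKillSwitch(f[3]); d != "" {
			hits = append(hits, Hit{Source: f[1], Domain: d, Rcode: f[4]})
		}
	}
	return hits
}

// DistinctSources lists each querying host once, in first-seen order.
func DistinctSources(hits []Hit) []string {
	seen := map[string]bool{}
	var out []string
	for _, h := range hits {
		if !seen[h.Source] {
			seen[h.Source] = true
			out = append(out, h.Source)
		}
	}
	return out
}

// SampleLog is a constructed resolver log used only for this demonstration.
var SampleLog = []string{
	"2017-05-13T07:41:02Z 10.1.2.33 A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR",
	"2017-05-13T07:41:05Z 10.1.2.34 A www.example.com NOERROR",
	"2017-05-13T07:42:10Z 10.1.2.35 A ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com SERVFAIL",
	"2017-05-13T07:43:00Z 10.1.2.33 A WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NOERROR",
	"garbage line",
}

func main() {
	hits := FindKillSwitchLookups(SampleLog)
	for _, h := range hits {
		fmt.Printf("%s looked up %s (%s)\n", h.Source, h.Domain, h.Rcode)
	}
	fmt.Println("hosts to triage:", DistinctSources(hits))
}
```

The rcode is kept on purpose: a host whose lookup was answered took the exit path the article describes, while a host whose lookup failed did not get that protection, so the two groups call for different triage, but both executed the sample.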

It propagates using ETERNALBLUE, an exploit for the MS-17-010 vulnerability developed by the Equation Group (closely tied to the NSA) and leaked by the Shadow Brokers.

The binary blob in the PE is a password-protected archive (password WNcry@2ol7); 7z can extract the files:

user@host:~$ 7z x wannacry.exe -pWNcry@2ol7 > /dev/null

The archive contains the following files:

b.wnry                          c17170262312f3be7027bc2ca825bf0c    
c.wnry                          ae08f79a0d800b82fcbe1b43cdbdbefc    
r.wnry                          3e0020fc529b1c2a061016dd2469ba96    
t.wnry                          5dcaac857e695a65f5c3ef1441a73a8f    
taskdl.exe                      4fef5e34143e646dbf9907c4374276f5    
taskse.exe                      8495400f199ac77853c53b5a3f278f3e    
u.wnry                          7bf2b57f2a205768755c07f238fb32cc    
m_bulgarian.wnry                95673b0f968c0f55b32204361940d184    
m_chinese (simplified).wnry     0252d45ca21c8e43c9742285c48e91ad    
m_chinese (traditional).wnry    2efc3690d67cd073a9406a25005f7cea    
m_croatian.wnry                 17194003fa70ce477326ce2f6deeb270    
m_czech.wnry                    537efeecdfa94cc421e58fd82a58ba9e    
m_danish.wnry                   2c5a3b81d5c4715b7bea01033367fcb5    
m_dutch.wnry                    7a8d499407c6a647c03c4471a67eaad7    
m_english.wnry                  fe68c2dc0d2419b38f44d83f2fcf232e    
m_filipino.wnry                 08b9e69b57e4c9b966664f8e1c27ab09    
m_finnish.wnry                  35c2f97eea8819b1caebd23fee732d8f    
m_german.wnry                   3d59bbb5553fe03a89f817819540f469    
m_greek.wnry                    fb4e8718fea95bb7479727fde80cb424    
m_indonesian.wnry               3788f91c694dfc48e12417ce93356b0f    
m_italian.wnry                  30a200f78498990095b36f574b6e8690    
m_japanese.wnry                 b77e1221f7ecd0b5d696cb66cda1609e    
m_korean.wnry                   6735cb43fe44832b061eeb3f5956b099    
m_latvian.wnry                  c33afb4ecc04ee1bcc6975bea49abe40    
m_norwegian.wnry                ff70cc7c00951084175d12128ce02399    
m_polish.wnry                   e79d7f2833a9c2e2553c7fe04a1b63f4    
m_portuguese.wnry               fa948f7d8dfb21ceddd6794f2d56b44f    
m_romanian.wnry                 313e0ececd24f4fa1504118a11bc7986    
m_russian.wnry                  452615db2336d60af7e2057481e4cab5    
m_slovak.wnry                   c911aba4ab1da6c28cf86338ab2ab6cc    
m_spanish.wnry                  8d61648d34cba8ae9d1e2a219019add1    
m_swedish.wnry                  c7a19984eb9f37198652eaf2fd1ee25c    
m_turkish.wnry                  531ba6b1a5460fc9446946f91cc8c94b    
m_vietnamese.wnry               8419be28a0dcec3f55823620922b00fa

The contents are as follows:

  • b.wnry – Ransom desktop wallpaper.
  • c.wnry – Configuration file containing C2 server addresses, Bitcoin wallet etc.
  • r.wnry – Ransom note.
  • s.wnry – ZIP archive containing the TOR client.
  • t.wnry – The encryption part of the ransomware encrypted using a WanaCry specific format; can be decrypted using the private key embedded inside the ransomware executable.
  • u.wnry – Decrypter executable.
  • Taskdl.exe – Deletes all temporary files created during encryption.
  • Taskse.exe – Runs given program in all user sessions.
  • msg directory – Language files.

Cryptography

  • Each infection generates a new RSA-2048 keypair.
  • The public key is exported as blob and saved to 00000000.pky.
  • The private key is encrypted with the ransomware public key and saved as 00000000.eky.
  • Each file is encrypted using AES-128-CBC, with a unique AES key per file.
  • The AES key is encrypted using the infection specific RSA keypair.

The malware first tries to open 00000000.dky; if the file is available, it imports the key into a Crypto API key object. Presumably this would be the decryption key supplied by the ransomware authors.

If it cannot open the *.dky file, it generates a new 2048-bit RSA key pair. The public key is exported as a blob and saved to 00000000.pky. The private key is exported as a blob and encrypted with the ransomware public key before being saved to 00000000.eky.

The RSA public key used to encrypt the user's RSA key pair is embedded inside the DLL. The AES-128 key generated for each file comes from CryptGenRandom, which is cryptographically secure and is not known to have any weakness.

The AES keys are encrypted using the user's public key in *.pky. To decrypt them, the user's private key is needed, and that key is itself encrypted using a public key owned by the ransomware authors.
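To make the recovery dependency described in this section concrete, here is an added Go example written for this page (not the article's code and not the malware's) that models the key hierarchy with the standard library: a per-infection RSA-2048 key pair whose public half is exported (the .pky) and whose private half is encrypted to an authors' public key (the .eky), plus per-file AES-128-CBC keys wrapped with the infection public key. Assumptions not in the article: PKCS#1 DER encodings stand in for CryptoAPI key blobs, RSA-OAEP applied in chunks stands in for whatever the real .eky encryption uses, the file plaintext is kept block-aligned so PKCS#7 padding is skipped, and the author key is generated on the spot instead of being read from the DLL.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Infection models the on-disk artifacts: 00000000.pky (per-infection public key) and 00000000.eky (its private half, encrypted to the authors' public key).
type Infection struct{ Pky, Eky []byte }

// LockedFile is one file: its AES-128 key wrapped with the .pky key, the CBC IV, the ciphertext.
type LockedFile struct{ WrappedKey, IV, Ciphertext []byte }

// rsaWrap encrypts with RSA-OAEP in chunks so the exported private key (larger than one RSA block) fits. OAEP and chunking are this example's assumptions; the article does not describe the real blob format.
func rsaWrap(pub *rsa.PublicKey, data []byte) (out []byte) {
	step := pub.Size() - 2*sha256.Size - 2 // largest OAEP/SHA-256 plaintext per block
	for i := 0; i < len(data); i += step {
		end := i + step
		if end > len(data) {
			end = len(data)
		}
		c, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data[i:end], nil)
		out = append(out, c...)
	}
	return out
}

// rsaUnwrap reverses rsaWrap; each chunk is exactly one RSA block (the key size) long.
func rsaUnwrap(priv *rsa.PrivateKey, data []byte) (out []byte, err error) {
	for i, n := 0, priv.Size(); i < len(data) && err == nil; i += n {
		if i+n > len(data) {
			return nil, errors.New("truncated RSA block")
		}
		var p []byte
		p, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, data[i:i+n], nil)
		out = append(out, p...)
	}
	return out, err
}

// NewInfection follows the bullets above: fresh RSA-2048, public half exported to .pky,
// private half exported and encrypted to the authors' key for .eky.
func NewInfection(authorPub *rsa.PublicKey) *Infection {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return &Infection{
		Pky: x509.MarshalPKCS1PublicKey(&priv.PublicKey),
		Eky: rsaWrap(authorPub, x509.MarshalPKCS1PrivateKey(priv)),
	}
}

// LockFile models one file: random 16-byte key, AES-128-CBC, key wrapped with the public key read back from .pky. Padding is left out, so plaintext must be block-aligned; real files need PKCS#7.
func LockFile(inf *Infection, plaintext []byte) (*LockedFile, error) {
	pub, err := x509.ParsePKCS1PublicKey(inf.Pky)
	if err != nil || len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("bad .pky or unaligned plaintext")
	}
	key, iv := make([]byte, 16), make([]byte, aes.BlockSize)
	rand.Read(key)
	rand.Read(iv)
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plaintext)
	return &LockedFile{WrappedKey: rsaWrap(pub, key), IV: iv, Ciphertext: ct}, nil
}

// UnlockFile needs the infection private key (what 00000000.dky would hold); .pky alone
// cannot unwrap the per-file AES key, so a victim holding only .pky and .eky cannot decrypt.
func UnlockFile(dky *rsa.PrivateKey, f *LockedFile) ([]byte, error) {
	key, err := rsaUnwrap(dky, f.WrappedKey)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(f.Ciphertext))
	cipher.NewCBCDecrypter(block, f.IV).CryptBlocks(pt, f.Ciphertext)
	return pt, nil
}

// Demo runs the whole chain on a constructed buffer and returns the recovered plaintext.
// The author key generated here stands in for the one embedded in the DLL.
func Demo() (pt []byte, err error) {
	sample := []byte("constructed sample file contents") // 32 bytes, two AES blocks
	authorPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	inf := NewInfection(&authorPriv.PublicKey)
	locked, err := LockFile(inf, sample)
	if err != nil {
		return nil, err
	}
	der, err := rsaUnwrap(authorPriv, inf.Eky) // the step only the authors' private key can perform
	if err != nil {
		return nil, err
	}
	dky, err := x509.ParsePKCS1PrivateKey(der) // the .dky the malware looks for first
	if err != nil {
		return nil, err
	}
	return UnlockFile(dky, locked)
}
```

The only path back to the plaintext runs through UnlockFile with the infection private key, and nothing written to disk yields that key without the authors' private key; that is the dependency the .dky lookup described above encodes. It also shows why the strength of CryptGenRandom matters: with a fresh random AES key per file, there is no shortcut around the RSA wrapping.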

Command Centers

There are five Tor .onion addresses hardcoded in the malware:

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

The malware is not using HTTP to communicate to the C2 servers, but a custom protocol.

Bitcoin addresses

There are three addresses hardcoded into the malware:

Variants

  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
  • 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
  • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  • b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06
