Last week, we took a look at the Lazarus group and investigated the social effects of their most notorious piece of malware – WannaCry. If you missed it, check out the article here. But now we need to dig into the details. How did WannaCry work and why did it cause so much damage?
What are the Component Parts of WannaCry?
WannaCry is a ransomware that is made up of 3 distinct parts – the dropper, the encrypter, and the decrypter. The SHA256 hash values of the code:
Dropper
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
Encrypter
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Decrypter
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
The ransomware attacks computers by executing the code over SMB v1, thanks to the EternalBlue exploit leak. This exploit is a buffer overflow attack which targets the memmove operation in the Srv!Srv0s2FeaToNt, which allows remote attackers to execute programmes in a system. The attack is launched by a packet which can target the SMB v1 server, causing the Srv!Srv0s2FeaToNt to allow an out-of-bounds memory allocation.
This protocol was previously unprotected on Windows systems running OSs from XP to 2016, even though Microsoft had published a patch on March 14th, 2017. As a great many of the devices which ran these OSs were not updated, the ransomware could freely move over entire networks through SMB.
Initial Infection
When a system is infected by WannaCry, the malware attempts to start a custom SMB session. This session is started by forcing the target machine to use SMBv1. The malware at this point wants to make the machine allow remote execution on the system so that 3 packets can be sent to the destination. Initially, the primary packet contains everything that starts the ransomware and locks down the machine. 2 additional packets are received by the victim that contained 2 IP addresses – 192.168.56.20 and 172.16.99.5.
How was the Malware Defended?
Strangely, very little in terms of obfuscation or counter-security measures are found in the code for the WannaCry ransomware. This includes general obfuscating methods, anti-debugging code, or VM-aware code. Combined, this means that the hacker evidently did not care if the piece of software was analysed and studied. After the first version of WannaCry was stopped, subsequent, hardened versions of the code were released to a much less degree of harm.
Connection
When the packets have infected the machine, the ransomware process begins. A connection is attempted with a then unregistered website: http://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the connection to the website fails (as it would with an unregistered website), WannaCry creates a service in the machine called mssecsvc2.0. This service then opens an Event Properties window for Event 7036, named Microsoft Security Center (2.0). From this point, the ransomware can start to work on the system, including extracting files from the encrypted payload which included the instructions to encrypt many kinds of file types.
If a connection could be made with the website, the process ends and the malware exits. The first fatal flaw of WannaCry’s code was that this website was unregistered – relying on this domain to run meant that the entire process could be brought down when it became registered. This is exactly what Marcus Hutchins, also known as MalwareTech, did – by creating a sinkhole for the malware to exit systems, he greatly slowed down the spread of WannaCry and potentially saved thousands of computer’s worth of data.
By introducing a sinkhole for the malware to exit systems, WannaCry simply passed through networks without actually executing any processes. Although this was not a fix for the attack, it did buy a great deal of time for malware researchers to work on developing strategies that could stop the ransomware.
Dropper And Execution
After Event 7036 runs, the dropper can now begin WannaCry’s main processes. This involves extracting the encrypter binary from R/1831, a resource contained within the file. R/1831 is then written to %WinDir%/tasksch.exe, which is then executed. At this point, the malware is rooted into the system and can cause substantial damage to the user.
The encrypter checks for the existence of MsWinZonesCacheCounterMutexA0 (a mutex) in the system before running. The malware stops the process if it is present, but the reason for this is still a mystery. It is suspected that this was due to software interactions on systems. WannaCry does not create the mutex, but simply searches for it in the system. This command was included in the code of WannaCry as such:
jnz short loc401F51 ; If this mutex exists, the malware exists
Unlocking the additional files contained within the WannaCry packet, a zip file containing a directory of Rich Text Format files is then inserted into the working directory. Although there is no definitive proof to this day where WannaCry came from, the msg file contained in the directory shows a number of broken translations of @[email protected] decrypter programme, including English, Spanish, and French. For this reason, it is suspected that WannaCry came from a country where none of those languages is the majority language.
From the zip file, a number of files are placed into the working directory of the computer. These files start to make changes to the way in which the system works. Examples of the files contained are:
b.wnrybitmap file, which displays to users when the ransomware starts and contains instructions for users.c.wnry, containing a number of onion browser addressestaskdl.exe, the tool for deleting the filetaskse.exe, the tool that allows remote access to the computer and executes the malware for each sessionu.wnry, the decrypter file@[email protected]
Included within the malware is the process which starts the actual encryption of the system’s files. When the files have been loaded into the computer’s working directory, the following instructions are executed:
attrib +h
icacls . /grant Everyone:F /T /C /Q
At this point, the malware could now encrypt the files contained within the computer. The number of files that WannaCry attempts to encrypt is huge – 170 types in total were included in the code of the ransomware for targeting, meaning that WannaCry could lock down everything that people would absolutely need.
To make it worse for a victim, WannaCry also writes a registry key to the directory (namely HKLM\SOFTWARE\Wow6432Node\WanaCrypt0r\wd). Now the ransomware is embedded into the system.
Launch
All this has been leading up to the infamous red screen of the ransom demands. At this point, the @WanaDecryptor@ executable (previously noted as being contained within the u.wnry file) is finally launched, which sets off three separate processes.
The WannaCry Programme
Now that the computer is completely encrypted, the ransomware programme launches. This delivers the message to the victim and presents the demands about what they have to do if they ever want to see their data again – that is, a steep payment to be made over bitcoin. The programme launches a window (Wana Decrypt0r 2.0) which shows an explanation in broken English of what the programme is doing (locking, encrypting, and ransoming the data), 2 timers, and the bitcoin address to send the ransom to. 3 addresses are hardcoded into the binary:
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb9412t9YDPgwueZ9NyMgw519p7AA8isjr6SMw115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
The two timers were on a countdown that would initially up the payment due from $300 to $600 for missing the first payment and subsequently delete the files irretrievably for missing the second. The interface was not sophisticated, but the time pressure forced many people and organisations to pay the ransom to the hackers behind WannaCry.
b.wnry
In addition to @[email protected], the malware also launches a bitmap image onto the victim’s screen. It is thought that this was included as a failsafe in case the programme didn’t launch after the malware had been written into the directory. This meant that for many victims, both the programme launched and the bitmap was overlaid on the display.
Deleting Shadow Copies
In an effort to avoid clever circumvention of the malware through forensic tools, the decrypter programme also launched a command line command to delete any shadow copies of files.
cmd[.]exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog –quiet
When these files were deleted, there was no way to obtain them without decrypting the encryption key. This has meant that many files on encrypted computers that did not pay the ransom are still encrypted to this day and are unlikely to be unlocked in the future.
