WannaCry is a large-scale malware that appeared in May 2017, primarily attacking computers running with the operating system Windows 7 and Windows XP. The malware works as ransomware. It encrypts the data of the affected computer and asks the user for a ransom for decryption. A special feature of WannaCry is the second functionality of a computer worm, which allowed the sudden spread in almost 100 countries.
Background: In the morning of May 12, 2017(9:22 clock world time), a massive infection of Windows computers by a novel malware occurred. Within one day, more than 230,000 computers were affected worldwide. In addition to many private computers running Windows 7 or Windows XP operating systems, it also affected industrial equipment, critical infrastructures, and government agencies. The ransomware is commonly referred to as WannaCry, but is also known under the name Wcrypt, WCRY, WannaCrypt or Wana Decrypt0r 2.0.
Special features of the malware WannaCry
Ransomware is no news in the field of cybercrime. WannaCry stands out from previous cyber attacks, however, due to its aggressive retransmission. In addition to the pure ransomware function, WannaCry also uses the function of a worm virus. This specifically uses the Windows exploit code called EternalBlue and the backdoor tool DoublePulsar.
So far, it has not been conclusively clarified how the initial infection took place. Typically, ransomware is spatially limited and takes a relatively cumbersome path from phishing emails to infected files or broken links. However, because of the worm function, WannaCry probably needed only a small number of seed machines to spread quickly.
Construction of WannaCry
WannaCry uses two exploits for vulnerabilities in Windows operating systems:
- EternalBlue: The vulnerability in the Windows Server Message Block (SMB) protocol - specifically the SMBv1 interface in Windows operating systems, which is required for printer and file sharing - allows remote access to computers.
- DoublePulsar: The tool developed by the National Security Agency (NSA) allows hackers to install a backdoor on a machine and gain administrator privileges. The execs command subsequently implements the installation and execution of arbitrary software packages. The WannaCry Malware package exploits existing DoublePulsar infections on computers or creates them independently.
WannaCry consists of two components, which are introduced by means of a dropper in the form of a Trojan in the system
- Component to exploit the EternalBlue vulnerability for worm function
- WannaCry Ransomware
How WannaCry works
After an initial check for a connection to the Killswitch URL (if they are blocked by the system or the domain is not yet active, the dropper becomes active), the malware creates a service called mssecsvc2.0. The service receives the display name Microsoft Security Center (2.0) Service. This scans both the local network and the Internet for other potential computers with EternalBlue vulnerability and infects them. This feature ensures fast retransmission.
The dropper then extracts the WannaCry Ransomware (tasksche.exe) and executes it. Also, the ransomware checks for the time being on a Killswitch in the form of an exclusion software called "MsWinZonesCacheCounterMutexA0" and only goes to the next step, if it is not found in the system.
Subsequently, WannaCry sets all attributes of the files to "hidden" and gives full access to files in the current folder and the folders below it. As a next step, all files are encrypted and given the extension ".WNCRY". Each folder will create a "@ Please_Read_Me @ .txt" text file containing the instructions for the ransom payment.
In addition, a registry key is created which points to the location of the .exe and deletes all backups and system states after encryption has been completed.
Finally, the malware replaces the current desktop wallpaper with a notification and starts a .exe with the ransom note, a timer and instructions for payment and decryption.
Spread of the malware
In fact, WannaCry's May campaign was the third wave and second version of the malware.
- February 10, 2017: Identification of a first version of the ransomware WannaCry on individual computers.
- March 14, 2017: Microsoft is responding with security patch CVE-2017-0144 for the currently supported Windows systems (without XP).
- March 27, 2017: Second WannaCry wave without worm function. Metadata analysis indicates that it was a predecessor of the May campaign and that the same author is behind both campaigns (March and May).
- April 8, 2017: Shadow Brokers release the exploit code for the EternalBlue and DoublePulsar vulnerabilities that enable the worm feature. The exploits were probably stolen from the servers of the NSA. The NSA is said to have known about the vulnerability for a long time and used it for its own activities.
- May 12, 2017, 12:22 pm UTC: A new version of WannaCry is being identified in Palo Alto for the first time. 9:22 clock UTC it comes to a mass wave of infection, in the course of which more than 230,000 computers in over 100 countries are infected.
- May 13, 2017: Microsoft releases security patch for CVE-2017-0144 for Windows XP. However, the spread is mainly prevented by the identification of a Killswitch URL by the 22-year-old British Marcus Hutchins. Hutchins discovers the URL in an initial analysis of the malware without knowing what its function is. He registers the domain to track malware functionality, unknowingly triggering the kill switch.
- May 14, 2017: The author of the malware releases another version of the malware with a modified killswitch URL. This is also identified and activated on the same day. A short time later, another variation emerges without killswitch called Uiwix. However, this variant is faulty and therefore has no great impact.
- May 19, 2017: Hackers attempt to kill the Killswitch domain via a variant of the Mirai botnet using a DDoS attack. This could be prevented by redirecting to a "cached" version of the page, which has a much higher capacity.
According to current status the worm affected breakdowns and disorders at many companies and institutions. Amongst others:
- NHS (parts)
- Nissan in the UK
- Deutsche Bahn and Schenker
- Banco Bilbao Vizcaya Argentaria (Spanish Bank)
- Vivo (Brazilian telecommunications company)
- Sandvik (Sweden)
- Romanian Ministry of Foreign Affairs
- Russian Ministry of Interior and Ministry of Emergency Situations
- MegaFon (Russia)
Modifications of WannaCry
Since the May campaign, there have been many variations of the WannaCry malware, which were implemented by other authors (copycats). Thus, the WannaCry version without Killswitch imitators is already attributed. Other interesting modifications are:
- SLocker: At the beginning of June 2017, a new version of the mobile ransomware SLocker appeared. SLocker is one of the oldest ransomware families, which blocks the screens of mobile devices and releases them only for a ransom. The cover letters are imitated by law enforcement authorities, who ask users to pay their fines. The new version of SLocker took advantage of the WannaCry GUI and for the first time was able to encrypt data on mobile devices. The damage of the campaign was limited, since decryption programs for Android were released shortly after detection. Five days later, the suspected author of the malware was arrested.
- EternalPetya: On 27 June, there was a new wave of ransomware infections in Ukraine. Affected were only computers on which accounting software of the Ukrainian company M.E.Doc ran. As a result, the outbreak was limited primarily to Ukraine. The malware named EternalPetya (also known as NotPetya, Expetr) is based on the well-known Petya Ransomware family, but uses the DoublePulsar and EternalBlue exploits for infection and dissemination.
Origin of WannaCry
Metadata analysis of the RFT files indicates that the author of the malware had set English and Korean as the default language on his machine. The creator of the files is called "Messi", probably based on the Italian football player. The timestamps of the last edits and compilation of the files suggest that the author sits in one of the time zones UT + 3 (altitude Sudan, Turkey, Ukraine, Russia) to UT + 12 (altitude North Korea, New Zealand). Parts of the code for the first WannaCry version were assigned to the Lazarus group, which is said to be associated with the North Korean government. Actual evidence is not available.
The interpretation of this metadata is so far disputed. Thus, the Korean ransom demand shows the worst quality of all language versions. The processing times extracted from the metadata also indicate that the author first edited the English language file before opening any further ones. It is also interesting to note that WannaCry 1.0, the first wave malware in March 2017, was delivered in English only. Only with the May campaign another 27 languages were added. Most of the time, the author spent editing the simplified Chinese file, while only needed one minute for the traditional Chinese file.
However, all of these clues could be deliberate tracks to avoid real attribution. So far, there is no reliable indication of who the author was or where it came from.
Why did IT security technologies fail at WannaCry?
WannaCry was able to spread so rapidly for two reasons:
- The infected machines had not installed the March 2017 security patch from Microsoft. The operators of the computers had failed or delayed the update in this case. In public authorities and companies in particular, updates are often not made at all or only summed up (several updates in one) to avoid possible incompatibilities with existing network configurations and software functions.
- The common security solutions such as virus scanners, firewalls and intrusion detection systems were not aware of the malware and its functionalities. As a result, they have not been recognized as malware and left in the system.
In addition, the malware within the system could probably operate undetected, because IT security technologies only monitored the "gates" to and from the system. However, they lack the relevant insight into the system.
Could the malware have been detected?
A solution with real-time anomaly detection based on Deep Packet Inspection technology would have detected and reported the attack early.
The anomaly detection would have detected the cyberattack at the first steps as a new, unusual communication in the network and reported to the network administrator. Presumably, the primary infection would not have been averted, but proliferation via the early detection and blocking of new communication would have been severely limited and slowed down.