vSOC SPOT Report – WCrypt (WanaCrypt0r 2.0) – Ransomware Attack

Latest Updates

2017-05-14 10:08 EDT

Researchers are reporting that a new variant of the WannaCrypt malware has been observed in the wild notably missing the kill switch check for the www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain that @MalwareTechLab registered to stop the first variant from propagating as fast. It has been speculated that the kill switch was actually a poorly implemented check to see if the malware was running in a sandbox. Even variants with the kill switch can continue to propagate and infect vulnerable networks through phishing emails or other lateral movement capabilities.

It is imperative that all Windows systems be patched. Microsoft released an out-of-band patch for deprecated operating systems to include Windows XP and Server 2003 Saturday to help thwart this campaign. vSOC will remain diligent in monitoring all client environments for signs of compromise or infection.

GuidePoint recommends disabling SMBv1 using a GPO or PowerShell script:

Via GPO

To enable or disable SMBv1 on the SMB server, configure the following registry key (a reboot is required):

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
To enable or disable SMBv2 on the SMB server, configure the following registry key:
Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

Via PowerShell

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB2 -Type DWORD -Value 1 -Force

2017-05-12 22:28 EDT

A UK malware researcher whose Twitter handle is @MalwareTechLab “accidentally” stopped one wide-spread variant of the ransomware from propagating further by registering a domain discovered while analyzing the code. The domain, Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is a kill switch that the code sends a GET request for. If the domain is not found, the code continues and infects the host. If the domain is found the code exits and the host is not infected. As long as the domain does not get revoked or taken down, this particular variant will cease infecting new machines. New variants are likely to spring up in the coming days and weeks without this kill switch feature, so due diligence is highly recommended along with patching all vulnerable systems and disabling SMB v1.

Based on this latest information, GuidePoint recommends our original mitigation steps:

  • All systems be updated to the latest patch available from Microsoft. The patch specific to the exploit kit is labeled KB4012598 or MS17-010 and should be evaluated for deployment immediately if it has not already been applied. This will prevent the SMB traffic from exploiting the vulnerability, and eliminates initial infection vectors.
  • Application whitelisting be applied to prevent any applications from running which are not from a specified location or signed by the whitelisted vendor.
  • You create and maintain offline backups of critical data which will reduce the amount of damage a crypto- ransomware attack is capable of inflicting.
  • You ensure your antivirus definitions are up to date. Most major anti-virus vendors have been provided samples of this malware and have developed detections and definitions. Currently, approximately 31 out of 60 A/V vendors tested can recognize and stop this infection. Major vendors not included in the list include Symantec and Sophos.

Latest Indicators of Compromise

2017-05-12 22:36 EDT

File Names

  • mssecsvc.exe
  • @wanadecryptor@.exe
  • taskdl.exe
  • taskse.exe
  • tasksche.exe
  • tor.exe
  • @Please_Read_me@.txt

File Extensions

  • .wcry
  • .wncry
  • .wncryt
  • .wncy

Windows Service Name

  • mssecsvc2.0
  • Microsoft Security Center (2.0) Service

File Strings

  • Wanna Decryptor 1.0
  • Wana DecryptOr
  • Wana Decrypt0r
  • WANNACRY
  • WanaCryptOr
  • WanaCrypt0r
  • WANACRY!
  • WNcry@2o17

File Hash Values

  • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  • c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894
  • 428f22a9afd2797ede7c0583d34a052c32693cbb55f567a60298587b6e675c6f
  • 5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6
  • 62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1
  • 72af12d8139a80f317e851a60027fdf208871ed334c12637f49d819ab4b033dd
  • 85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186
  • a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b
  • a93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3
  • b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
  • eb47cd6a937221411bb8daf35900a9897fb234160087089a064066a65f42bcd4
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e
  • 7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545
  • a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b
  • fb0b6044347e972e21b6c376e37e1115dab494a2c6b9fb28b92b1e45b45d0ebc
  • 9588f2ef06b7e1c8509f32d8eddfa18041a9cc15b1c90d6da484a39f8dcdf967
  • b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
  • 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982
  • 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

Command and Control IP’s:

  • 188.166.23.127:443
  • 193.23.244.244:443
  • 2.3.69.209:9001
  • 50.7.161.218:9001
  • 217.79.179.77
  • 128.31.0.39
  • 213.61.66.116
  • 212.47.232.237
  • 81.30.158.223
  • 79.172.193.32
  • 89.45.235.21
  • 38.229.72.16
  • 188.138.33.220
  • 146.0.32.144:9001
  • 188.166.23.127:443
  • 193.23.244.244:443

Sender IPs:

  • 205.186.153.200
  • 96.127.190.2
  • 184.154.48.172
  • 200.58.103.166
  • 216.145.112.183
  • 162.220.58.39
  • 192.237.153.208
  • 146.0.32.144
  • 188.166.23.127
  • 50.7.161.218
  • 2.3.69.209
  • 74.125.104.145
  • 75.126.5.21

Tor Onion URL’s:

  • 57g7spgrzlojinas.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • gx7ekbenv2riucmf.onion
  • sqjolphimrr7jqw6.onion
  • Xxlvbrloxvriy2c5.onion

Mutex:

  • ShimCacheMutex
  • Global\MsWinZonesCacheCounterMutexA0
  • MsWinZonesCacheCounterMutexA

Domains:

  • R12.sn-h0j7sn7s.gvt1.com
  • Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Email Sender:

  • alertatnb@serviciobancomer.com

Kill Switch Domain:

  • www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Snort Signatures:

alert tcp $HOME_NET 445 -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

alert smb any any -> $HOME_NET any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray”; flow:to_server,established; content:”|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00|”; offset:4; depth:25; content:”|08 ff fe 00 08 41 00 09 00 00 00 10|”; within:12; fast_pattern; content:”|00 00 00 00 00 00 00 10|”; within:8; content:”|00 00 00 10|”; distance:4; within:4; pcre:”/^[a-zA-Z0-9+/]{1000,}/R”; threshold: type threshold, track by_src, count 12, seconds 1; classtype:trojan-activity; sid:2024217; rev:1;)

alert smb any any -> $HOME_NET any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)”; flow:to_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
http://docs.emergingthreats.net/bin/view/Main/2024218

The ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Once started it immediately spawns several processes to change file permissions and communicate with tor hidden c2 servers:

attrib +h .
icacls . /grant Everyone:F /T /C /Q
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
@WanaDecryptor@.exe fi
300921484251324.bat
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
The malware creates mutex “Global\MsWinZonesCacheCounterMutexA” and runs the command:
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Files:

  • [Installed_Folder]\00000000.eky
  • [Installed_Folder]\00000000.pky
  • [Installed_Folder]\00000000.res
  • [Installed_Folder]\@WanaDecryptor@.exe
  • [Installed_Folder]\@WanaDecryptor@.exe.lnk
  • [Installed_Folder]\b.wnry
  • [Installed_Folder]\c.wnry
  • [Installed_Folder]\f.wnry
  • [Installed_Folder]\msg\
  • [Installed_Folder]\msg\m_bulgarian.wnry
  • [Installed_Folder]\msg\m_chinese (simplified).wnry
  • [Installed_Folder]\msg\m_chinese (traditional).wnry
  • [Installed_Folder]\msg\m_croatian.wnry
  • [Installed_Folder]\msg\m_czech.wnry
  • [Installed_Folder]\msg\m_danish.wnry
  • [Installed_Folder]\msg\m_dutch.wnry
  • [Installed_Folder]\msg\m_english.wnry
  • [Installed_Folder]\msg\m_filipino.wnry
  • [Installed_Folder]\msg\m_finnish.wnry
  • [Installed_Folder]\msg\m_french.wnry
  • [Installed_Folder]\msg\m_german.wnry
  • [Installed_Folder]\msg\m_greek.wnry
  • [Installed_Folder]\msg\m_indonesian.wnry
  • [Installed_Folder]\msg\m_italian.wnry
  • [Installed_Folder]\msg\m_japanese.wnry
  • [Installed_Folder]\msg\m_korean.wnry
  • [Installed_Folder]\msg\m_latvian.wnry
  • [Installed_Folder]\msg\m_norwegian.wnry
  • [Installed_Folder]\msg\m_polish.wnry
  • [Installed_Folder]\msg\m_portuguese.wnry
  • [Installed_Folder]\msg\m_romanian.wnry
  • [Installed_Folder]\msg\m_russian.wnry
  • [Installed_Folder]\msg\m_slovak.wnry
  • [Installed_Folder]\msg\m_spanish.wnry
  • [Installed_Folder]\msg\m_swedish.wnry
  • [Installed_Folder]\msg\m_turkish.wnry
  • [Installed_Folder]\msg\m_vietnamese.wnry
  • [Installed_Folder]\r.wnry
  • [Installed_Folder]\s.wnry
  • [Installed_Folder]\t.wnry
  • [Installed_Folder]\TaskData\
  • [Installed_Folder]\TaskData\Data\
  • [Installed_Folder]\TaskData\Data\Tor\
  • [Installed_Folder]\TaskData\Tor\
  • [Installed_Folder]\TaskData\Tor\libeay32.dll
  • [Installed_Folder]\TaskData\Tor\libevent-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libevent_core-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libevent_extra-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libgcc_s_sjlj-1.dll
  • [Installed_Folder]\TaskData\Tor\libssp-0.dll
  • [Installed_Folder]\TaskData\Tor\ssleay32.dll
  • [Installed_Folder]\TaskData\Tor\taskhsvc.exe
  • [Installed_Folder]\TaskData\Tor\tor.exe
  • [Installed_Folder]\TaskData\Tor\zlib1.dll
  • [Installed_Folder]\taskdl.exe
  • [Installed_Folder]\taskse.exe
  • [Installed_Folder]\u.wnry
  • [Installed_Folder]\wcry.exe

Registry Entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random] “[Installed_Folder]\tasksche.exe
  • HKCU\Software\WanaCrypt0r\
  • HKCU\Software\WanaCrypt0r\wd [Installed_Folder]
  • HKCU\Control Panel\Desktop\Wallpaper “[Installed_Folder]\Desktop\@WanaDecryptor@.bmp”

Email Subjects:

  • FILE_<5 numbers>
  • SCAN_<5 numbers>
  • PDF_<4 or 5 numbers>

Email Attachment:

  • nm.pdf

Surricata SIgnatures (https://github.com/xNymia/Suricata-Signatures/blob/master/EquationGroup.rules):

# EternalBlue Signature matching potential NEW installation of SMB payloadalert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible Successful ETERNALBLUE Installation SMB MultiplexID = 82 – MS17-010″; flow:from_server,established; content:”|FF|SMB|32 02 00 00 c0|”; offset:4; depth:9; content:”|52 00|”; distance:21; within:23; classtype:trojan-activity; sid:5000072; rev:1;)

# EternalBlue Signature matching return signature for connection to pre-installed SMB payloadalert tcp $HOME_NET any -> any any (msg:”EXPLOIT Successful ETERNALBLUE Connection SMB MultiplexID = 81 – MS17-010″; flow:from_server,established; content:”|FF|SMB|32 02 00 00 c0|”; offset:4; depth:9; content:”|51 00|”; distance:21; within:23; classtype:trojan-activity; sid:5000073; rev:1;)

# Signature to identify what appears to be initial setup trigger for SMBv1 – MultiplexID 64 is another unusual valuealert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 1/2 – Tree Connect AndX MultiplexID = 64 – MS17-010″; flow:to_server,established; content:”|FF|SMB|75 00 00 00 00|”; offset:4; depth:9; content:”|40 00|”; distance:21; within:23; flowbits: set, SMB.v1.AndX.MID.64; classtype:trojan-activity; sid:5000074; rev:1;)

# Signature triggers on Trans2 Setup Request with MultiplexID – 65 – Another unusual MID – Only triggers if 64 was seen previously. alert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 2/2 – Trans2 SUCCESS MultiplexID = 65 – MS17-010″; flow:to_server,established; content:”|FF|SMB|32 00 00 00 00|”; offset:4; depth:9;

Overview

On Friday, May 12th, an attack being made against the United Kingdom National Health Service (NHS) and the Spain- based telecommunications company, Telefonica, was made public. Reports now show that both companies have been hit with the WCrypt (WanaCrypt0r 2.0) crypto-ransomware. This attack is being perpetrated through the use of the recently leaked Eternal Blue exploit, belonging to the exploit kits released by the ShadowBrokers dump from the compromise of the National Security Agency (NSA). This exploit has been weaponized as a worm using a previously unpatched SMB vulnerability. This exploit has verified infections in the US as well. While data is still filtering in, early reports indicate FedEx is among the first US businesses compromised.

WCrypt Data

WCrypt is a standard crypto-ransomware which, once on the user’s system, encrypts the user’s files with the threat of deletion of the encryption keys if the user does not pay the ransom within seven days. With this variant, the ransom is demanded within 3 days or the ransom amount doubles, and within 7 days if the ransom isn’t paid, the encryption keys are deleted rendering all encrypted data unrecoverable.

Recognizing WCrypt Infections

The infection stems from a file named: wannacry.exe. The Hashes are located below:

SHA256:

  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA1:

  • 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
  • 51e4307093f8ca8854359c0ac882ddca427a813c

MD5:

  • 509c41ec97bb81b0567b059aa2f50fe8
  • 7bf2b57f2a205768755c07f238fb32cc
  • 7f7ccaa16fb15eb1c7399d422f8363e8

Once a system is infected with the ransomware, a screen similar to the following image appears informing the user of the infection as well as the ransom price and bitcoin address where the payment can be made.

WCrypt

The infection also typically spawns a large number of processes which are the result of the encryption process as well as the desktop theme changes and the decryptor listener.

Infection Vector: Eternal Blue

In the latest dump of the ShadowBroker’s exploits, Eternal Blue was considered especially dangerous due to its use of SMB v1 as the attack vector. This vulnerability was assigned the designation CVE-2017-0143, 0144, 0145, 0146, and 0147, it contains multiple avenues of attack and most Windows operating systems are vulnerable. This has been determined to be the method of infection from multiple sources, including Matthew Hickey, aka HackerFantastic, a reknown malware and security researcher. Of particular note is the presence of worm characteristics in the delivery. Once infected, the system becomes a part of the botnet for pushing the malware out.

Identifying Eternal Blue and the WCrypt Attack

A recently released screenshot, from malware researcher Kafiene, displays the traffic patterns for the Eternal Blue exploit.

Wcrypt Logs

As is evidenced in the image, most traffic is seen using port 445, whch is the standard port used by SMB v1 and v2. Network monitoring is essential to identify threats as they appear.

Mitigation

In order to mitigate this attack, it is recommended that:

  • All systems be updated to the latest patch available from Microsoft. The patch specific to the exploit kit is labeled KB4012598 or MS17-010 and should be evaluated for deployment immediately if it has not already been applied. This will prevent the SMB traffic from exploiting the vulnerability, and eliminates initial infection vectors.
  • Application whitelisting be applied to prevent any applications from running which are not from a specified location or signed by the whitelisted vendor.
  • You create and maintain offline backups of critical data which will reduce the amount of damage a crypto- ransomware attack is capable of inflicting.
  • You ensure your antivirus definitions are up to date. Most major anti-virus vendors have been provided samples of this malware and have developed detections and definitions. Currently, approximately 31 out of 60 A/V vendors tested can recognize and stop this infection. Major vendors not included in the list include Symantec and Sophos.

Matthew Hickey of Hacker House discovered the decryption binary in a zip file in the PE resources which is encrypted with the password of WNcry@2ol7. This can be used to potentially decrypt the files which were affected by the malware.

Final Analysis

The infections which have been occurring lead vSOC to believe these are not necessarily targeted attacks, rather the infection vectors are exploited automatically by the Eternal Blue exploit kit against vulnerable systems within the enterprise.

References: