2017-05-15 - MY TAKE ON WANNACRY RANSOMWARE

NOTICE:

==========

2017-05-23 UPDATE - I received some helpful information from @sec_panda:

SHA256 hash b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06, the binary with a killswitch, is a worm component.

SHA256 hash ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa is an encryptor sample.  It has no worm or propagation behavior, and it doesn't check any for any killswitch domain.  This sample will not work to simulate the propagation.

That explains why I wasn't able to generate any propagation traffic for this blog post.

==========

Here's an email from one of the Korean readers who follows this blog:

Sent: Monday, May 15, 2017 06:45 UTC
To: brad@malware-traffic-analysis[.]net
Subject: Please...

Can you do some research about the Wannacry ransomware? It's
targeting our country now, it's on the front news (Korea).

 

So here are my personal thoughts on the recent outbreak of WannaCry ransomware...

Whenever I hear about a ransomware outbreak, my very first thought is, "What was the initial vector for the first infection?"

Some sources state the infection vector is EternalBlue, an exploit leaked by the Shadow Brokers group last month in April 2017 based on CVE-2017-0144 for Microsoft's SMB protocol.  So far, I've been under the impression that EternalBlue is how the ransomware propagates itself after an initial infection.  Once a Windows host is infected, it uses EternalBlue to spread throughout that organization's network, assuming the organization's Windows servers are not properly patched or up-to-date.

So how did that organization's first Windows host get infected?

Other sources state the initial infection vector might be a phishing email or malicious spam (malspam).  I doubt it's malspam, or someone would've posted an example by now.  WannaCry certainly isn't in any of the malspam campaigns I've been tracking.

UPDATE:  According to this Proofpoint article, a different attack using the EternalBlue exploit was launched from several virtual private servers which have been massively scanning the Internet on TCP port 445 for potential targets.  So it looks like Windows servers vulnerable to EternalBlue are probably an initial infection vector after all.

 

FINDING SAMPLES

Even without knowing the initial infection vector, it's easy to find WannaCry samples through VirusTotal.  I searched on the #wcry tag and found 44 comments on 43 files in the past 3 days or so.  41 of those files are executable binaries.  Those results are from Monday afternoon in the US central timezone.


Shown above:  Searching VirusTotal for #wcry.

 


Shown above:  #wcry search results in VirusTotal.

 


Shown above:  44 comments tagged #wcry when I checked.

 

Below are the SHA256 hashes for the WannaCry executables I found on Virus Total.  Most (maybe all) have also been submitted to Hybrid Analysis.  You can obtain these WannaCry samples from hybrid-analysis.com by registering for a free account.

 

TRAFFIC

I tried one of the samples from Monday May 15th, 2017: SHA256 hash: b9318a66fa7f50f2f3ecaca02a96268ad2c63db7554ea3acbde43bf517328d06.  Unfortunately (for me), it didn't work because the "kill switch" domain was active.  A good write-up on those kill switch domains is here.  To summarize that article, if the kill switch domain for a particular WannaCry sample is active, and the infected Windows host can contact the domain, that WannaCry sample shuts down before it encrypts any files.


Shown above:  The only activity I saw from the above sample.

 

After my first unsuccessful attempt, I tried a different sample from Friday May 12th, SHA256 hash: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.  That particular WannaCry sample did not call out to a kill switch domain, and it did infect a host in my home lab.


Shown above:  Desktop of an infected host running an unpatched installation of Windows 7 Home Edition.

 


Shown above:  Encrypted files on an infected Windows host.

 

MY FAILED ATTEMPT AT SOMETHING INTERESTING

The media has hyped the worm-style SMB propagation of WannaCry ransomware.  Several posts on Twitter have even used the hashtag #ransomworm to describe WannaCry.  I tried to replicate WannaCry's propagation in my home lab.  Unfortunately, my attempt did not work.

I've never been a Windows administrator, so I only set up two Windows 7 clients in my home lab, and I used the quickest method to share files between them.  These physical hosts were connected through a physical switch, so they were effectively an isolated LAN consisting of two Windows computers with a gateway to the Internet. [2025 note: This was before I was able to test malware with an Active Directory environment with a domain controller]


Shown above:  My physical setup used to investigate those two WannaCry samples.

 

One PC was host name Simspon-PC with an admin account named Gregory.Simpson.  The other was was host name Clarkson-PC with an admin account named Margorie.Clarkson.

I used homegroup to share files between the two Windows computers.  There wasn't a server in this environment, and there was no SMB traffic.  I only saw Tor traffic along with the associated tor files dropped somewhere under the same Desktop directory I executed the WannaCry in.


Shown above:  Tor traffic noted from the infected Windows host.

 


Shown above:  Associated Tor files on the infected Windows host.

 

So yes, I infected Simspon-PC with WannaCry.  And files on Clarkson-PC were easily accessible from the infected Simspon-PC.  However, nothing happened to Clarkson-PC.  It was never infected.


Shown above:  Unencrypted files on Clarkson-PC easily accessed from the infected Simspon-PC.

 


Shown above:  Even though I could alter the files on Clarkson-PC from the infected Simspon-PC, they were not encrypted by WannaCry.

 

So WannaCry's method of propagation doesn't work through homegroup sharing.  That's good news, I guess, for home users that don't connect to any Windows servers through SMB.  WannaCry seems like a business-oriented ransomware anyway.

 

Click here to return to the main page.