This Is How You Can Protect Yourself From The WannaCry Ransomware

A recent report by Microsoft has revealed the arrival of a new ransomware, WannaCry. Also known as WannaCrypt, WCry or WannaCryptor, this malware has been attacking computers of different organizations since 12 May 2017. Windows XP, Windows 8 and Windows Server 2003 have been among the platforms that received the greatest number of attacks. To ensure the safety of users, Microsoft is rolling out an update for these platforms. It is pertinent to mention that Windows 10 users have not been affected by the malware.

Microsoft had rolled out an update for the vulnerabilities that the malware later started to exploit; users who did not apply the patch for these vulnerabilities were the ones who got attacked. Microsoft, through its integrated security systems, found the cause of the malware and protected most of its up-to-date systems. However, it is strictly recommended that users install the MS17-010 update if they have not done so already.

How do I secure my system from a ransomware attack?

Here are some useful steps you should take to avoid the malware:

  • The easiest way to protect your system is by installing Windows 10. It already has all the required security updates to keep you protected from such malware.
  • If Windows 10 is not an option, you must install the MS17-010 update in order to apply the patch for the vulnerability the malware exploits.
  • Disable SMBv1 with the help of the steps mentioned here and reboot your system once.
  • Add a firewall rule to block all incoming SMB traffic on port 445.
  • Windows Defender Antivirus is Microsoft’s latest antivirus with all the updated virus definitions. Consider installing it on your system. Definition update 1.243.297.0 detects the malware as Ransom:Win32/WannaCrypt.
  • Various emails carrying the ransomware have been reported. Use Microsoft Office 365 Advanced Threat Protection to protect yourself from such emails.
  • To secure your network from such malware, use Windows Defender Advanced Threat Protection. It tracks unusual activity on the network and reports it directly to the operations teams that investigate and eradicate such malware.
  • You can also use Device Guard if you are running an enterprise, in order to directly encrypt your files and your system. It provides the highest level of security by allowing only trusted users to run applications on the system, and hence protects against malware.
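The host-level steps above (patch check, Defender definitions, SMBv1 off, inbound 445 blocked) can be verified and applied from one elevated PowerShell session. The script below is an added example, not code from the article or from Microsoft. It assumes `$Ms17010Kbs` holds the MS17-010 KB numbers for the OS you run (the two listed are the Windows 7 SP1 / Server 2008 R2 ones; substitute the ones for your build), and that the host does not itself need to serve SMB, since a file server must not block inbound 445.

```powershell
# Added example (not from the article or from Microsoft): check and apply the
# host-level WannaCrypt mitigations listed above on one Windows machine.
# Assumptions: $Ms17010Kbs holds the MS17-010 KB numbers for your OS (the two
# below are the Windows 7 SP1 / Server 2008 R2 ones); SMBv1 may still be
# needed by legacy devices and a file server must not block inbound 445, so
# review steps 3 and 4 before running them.
#Requires -RunAsAdministrator
$Ms17010Kbs = @('KB4012212', 'KB4012215')

# 1. Is the MS17-010 patch installed?
$installed = @(Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $Ms17010Kbs -contains $_.HotFixID })
if ($installed.Count -gt 0) {
    "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No MS17-010 KB found: install the update first; nothing below replaces it.'
}

# 2. Defender definitions: 1.243.297.0 detects Ransom:Win32/WannaCrypt
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    $ok = [version]$mp.AntivirusSignatureVersion -ge [version]'1.243.297.0'
    "Defender signatures $($mp.AntivirusSignatureVersion), WannaCrypt detection: $ok"
}

# 3. Disable the SMBv1 server. Windows 8.1 / Server 2012 R2 and later have the
#    SMB cmdlets; older versions use the LanmanServer registry value. Reboot after.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    $smb1 = [bool](Get-ItemProperty -Path $key -Name SMB1).SMB1
}
"SMBv1 server enabled: $smb1 (takes effect after reboot)"

# 4. Block inbound SMB on TCP/445 (only where this host need not serve SMB)
$ruleName = 'Block inbound SMB 445 (WannaCrypt mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Step 1 is the one that matters: the other three reduce exposure while a system waits for the patch, but only MS17-010 closes the vulnerability the worm exploits. Run the script once per host, reboot, and re-run it to confirm SMBv1 reports as disabled.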

Attack Mechanism

Ransomware usually does not spread this rapidly. Ransomware like WannaCrypt uses social engineering and emails to lure users into downloading harmful packages, which in turn exploit vulnerabilities in their system. In this case, however, the attackers used the publicly available exploit code for the patched SMB EternalBlue vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a vulnerable SMBv1 server.

WannaCrypt employs this SMB exploit and can therefore enter systems that are still unpatched, even though the fix is already available through an update. As Windows 10 is the latest version of Windows, it is not vulnerable to this malware.

The exact initial infection vector for the ransomware has not been found yet, but according to security researchers two specific conditions are responsible for the entry of this malware into computer systems:

  • Social engineering emails used as bait to lure users into downloading and running the malware
  • Infection of unpatched systems, identified by scanning, through SMB exploits

Dropper

A dropper is a virus installer; in the case of this malware it comes in two parts:

  • The first part aims to exploit the SMB EternalBlue vulnerability on unpatched computers
  • The second part is the WannaCrypt ransomware itself

Using the API InternetOpenUrlA(), the dropper tries to connect to the following domain:

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

If the connection to the server succeeds, the ransomware stops right there. If the connection fails, however, the dropper proceeds to drop the ransomware and infect the system.

It follows from the above that blocking the mentioned domain with a firewall at any level makes that connection fail and therefore results in the installation of the ransomware on that particular machine; the domain should not be blocked.

A service named mssecsvc2.0 is created, which starts to exploit the SMB vulnerability on other computers from the infected one. Here are the details of the service started by the ransomware:

Service Name: mssecsvc2.0

Service Description: (Microsoft Security Center (2.0) Service)

Service Parameters: "-m security"

Mechanism of the Ransomware

The second component of the dropper is the ransomware itself, which contains a password-protected archive in which the encrypted files are stored. The decryption tool, support tool and ransom message are also stored in the archive. Analysis of the archive showed that the password for the file is:

[email protected]″.

When it is first run, WannaCrypt creates the following registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ = "<malware working directory>\tasksche.exe"
  • HKLM\SOFTWARE\WanaCrypt0r\\wd = "<malware working directory>"

It changes the wallpaper of the system to the ransom message through the following registry value:

  • HKCU\Control Panel\Desktop\Wallpaper = "<malware working directory>\@WanaDecryptor@.bmp"

In the malware’s working directory, the following files are created:

  • eky
  • pky
  • res
  • bat
  • @Please_Read_Me@.txt
  • @WanaDecryptor@.bmp
  • @WanaDecryptor@.exe
  • wnry
  • wnry
  • wnry
  • vbs
  • msg\m_bulgarian.wnry
  • msg\m_chinese (simplified).wnry
  • msg\m_chinese (traditional).wnry
  • msg\m_croatian.wnry
  • msg\m_czech.wnry
  • msg\m_danish.wnry
  • msg\m_dutch.wnry
  • msg\m_english.wnry
  • msg\m_filipino.wnry
  • msg\m_finnish.wnry
  • msg\m_french.wnry
  • msg\m_german.wnry
  • msg\m_greek.wnry
  • msg\m_indonesian.wnry
  • msg\m_italian.wnry
  • msg\m_japanese.wnry
  • msg\m_korean.wnry
  • msg\m_latvian.wnry
  • msg\m_norwegian.wnry
  • msg\m_polish.wnry
  • msg\m_portuguese.wnry
  • msg\m_romanian.wnry
  • msg\m_russian.wnry
  • msg\m_slovak.wnry
  • msg\m_spanish.wnry
  • msg\m_swedish.wnry
  • msg\m_turkish.wnry
  • msg\m_vietnamese.wnry
  • wnry
  • wnry
  • wnry
  • TaskData\Tor\libeay32.dll
  • TaskData\Tor\libevent-2-0-5.dll
  • TaskData\Tor\libevent_core-2-0-5.dll
  • TaskData\Tor\libevent_extra-2-0-5.dll
  • TaskData\Tor\libgcc_s_sjlj-1.dll
  • TaskData\Tor\libssp-0.dll
  • TaskData\Tor\ssleay32.dll
  • TaskData\Tor\taskhsvc.exe
  • TaskData\Tor\tor.exe
  • TaskData\Tor\zlib1.dll
  • exe
  • exe
  • wnry

The ransomware might also create the following files:

  • %SystemRoot%\tasksche.exe
  • %SystemDrive%\intel\<random directory name>\tasksche.exe
  • %ProgramData%\<random directory name>\tasksche.exe

A service with a random name and the following ImagePath might also be created:

cmd.exe /c "<malware working directory>\tasksche.exe"

After this, the whole computer is searched for files with the following extensions:

.123, .jpeg, .rb, .602, .jpg, .rtf, .doc, .js, .sch, .3dm, .jsp, .sh, .3ds, .key, .sldm, .3g2, .lay, .sldm, .3gp, .lay6, .sldx, .7z, .ldf, .slk, .accdb, .m3u, .sln, .aes, .m4u, .snt, .ai, .max, .sql, .ARC, .mdb, .sqlite3, .asc, .mdf, .sqlitedb, .asf, .mid, .stc, .asm, .mkv, .std, .asp, .mml, .sti, .avi, .mov, .stw, .backup, .mp3, .suo, .bak, .mp4, .svg, .bat, .mpeg, .swf, .bmp, .mpg, .sxc, .brd, .msg, .sxd, .bz2, .myd, .sxi, .c, .myi, .sxm, .cgm, .nef, .sxw, .class, .odb, .tar, .cmd, .odg, .tbk, .cpp, .odp, .tgz, .crt, .ods, .tif, .cs, .odt, .tiff, .csr, .onetoc2, .txt, .csv, .ost, .uop, .db, .otg, .uot, .dbf, .otp, .vb, .dch, .ots, .vbs, .der, .ott, .vcd, .dif, .p12, .vdi, .dip, .PAQ, .vmdk, .djvu, .pas, .vmx, .docb, .pdf, .vob, .docm, .pem, .vsd, .docx, .pfx, .vsdx, .dot, .php, .wav, .dotm, .pl, .wb2, .dotx, .png, .wk1, .dwg, .pot, .wks, .edb, .potm, .wma, .eml, .potx, .wmv, .fla, .ppam, .xlc, .flv, .pps, .xlm, .frm, .ppsm, .xls, .gif, .ppsx, .xlsb, .gpg, .ppt, .xlsm, .gz, .pptm, .xlsx, .h, .pptx, .xlt, .hwp, .ps1, .xltm, .ibd, .psd, .xltx, .iso, .pst, .xlw, .jar, .rar, .zip, .java, .raw

All of these files are then encrypted and renamed with .WNCRY appended. For example, a file named “picture.jpg” is encrypted and renamed to “picture.jpg.WNCRY”.

A readme file named @Please_Read_Me@.txt is created in every folder, containing the same ransom message as the wallpaper.

After the encryption process completes, the malware runs the following command to delete the volume shadow copies of the files and disable the Windows recovery options:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

The desktop is then replaced with an image asking for ransom.

An executable is also run that displays the same message, asking for an initial $300 ransom and showing a timer. To demonstrate that decryption is possible, a few files are decrypted for free, after which payment is demanded to decrypt the rest of the data.
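The service, registry values, drop locations, .WNCRY extension, ransom note and shadow-copy deletion described in the Dropper and Mechanism sections above are all checkable from a single host. The script below is an added, read-only triage example, not code from the article or from Microsoft; it reports and changes nothing. It assumes `$ScanRoots` is a constructed set of folders to search for encrypted files (widen it, or point it at a share, as needed) and uses only the names and paths the article gives.

```powershell
# Added example (not from the article or from Microsoft): read-only triage of a
# Windows host for the WannaCrypt artefacts described above. Run elevated.
# Assumption: $ScanRoots is a constructed list of folders to search; adjust it.
$ScanRoots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop")
$findings  = New-Object System.Collections.Generic.List[string]

# 1. The worm service (name from the article)
$svc = Get-Service -Name 'mssecsvc2.0' -ErrorAction SilentlyContinue
if ($svc) { $findings.Add("service mssecsvc2.0 present, status $($svc.Status)") }

# 2. Any service whose ImagePath launches tasksche.exe via cmd.exe
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $img = (Get-ItemProperty $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -match 'tasksche\.exe') { $findings.Add("service $($_.PSChildName) ImagePath: $img") }
}

# 3. Registry values written on first run
$wd = (Get-ItemProperty 'HKLM:\SOFTWARE\WanaCrypt0r' -Name wd -ErrorAction SilentlyContinue).wd
if ($wd) { $findings.Add("HKLM\SOFTWARE\WanaCrypt0r\wd = $wd") }
$run = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties | Where-Object { "$($_.Value)" -match 'tasksche\.exe' } |
        ForEach-Object { $findings.Add("Run value '$($_.Name)' = $($_.Value)") }
}
$wall = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if ($wall -match '@WanaDecryptor@\.bmp') { $findings.Add("wallpaper set to $wall") }

# 4. Drop locations for tasksche.exe listed in the article
$candidates = @("$env:SystemRoot\tasksche.exe")
foreach ($base in @("$env:SystemDrive\intel", $env:ProgramData)) {
    if (Test-Path $base) {
        $candidates += Get-ChildItem $base -Directory -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName 'tasksche.exe' }
    }
}
$candidates | Where-Object { Test-Path $_ } | ForEach-Object { $findings.Add("dropped file: $_") }

# 5. Encrypted files and per-folder ransom notes
foreach ($root in $ScanRoots) {
    if (-not (Test-Path $root)) { continue }
    $hits = @(Get-ChildItem $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.WNCRY' -or $_.Name -eq '@Please_Read_Me@.txt' })
    if ($hits.Count -gt 0) { $findings.Add("$($hits.Count) .WNCRY files or ransom notes under $root") }
}

# 6. Shadow copies: the vssadmin/wmic command above deletes them after encryption,
#    so zero copies on a host that normally keeps them is itself a signal.
$shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
"Volume shadow copies present: $shadowCount"

# 7. Kill-switch reachability: the dropper stops if it can reach this domain,
#    so a proxy or firewall that blocks it makes infection MORE likely.
$killSwitch = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
$reach = Test-NetConnection -ComputerName $killSwitch -Port 80 -WarningAction SilentlyContinue
"Kill-switch domain reachable on TCP/80 from this host: $($reach.TcpTestSucceeded)"

if ($findings.Count -eq 0) { 'No WannaCrypt artefacts found on this host.' }
else { 'Findings:'; $findings | ForEach-Object { " - $_" } }
```

A host with any finding in steps 1 to 5 should be isolated from the network before anything else, since the mssecsvc2.0 service is the component that scans for and infects further machines. Step 7 is worth running from every network segment: a kill-switch domain that is unreachable because of a web proxy or DNS filter turns a harmless dropper execution into an infection.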

Spreading capacity

After infecting a single computer, the malware rapidly starts to search for IP addresses of other unpatched systems in order to infect them from the host. This results in high SMB activity from the host system, which SecOps personnel can easily observe and investigate.

The scanner generates random octets to form IPv4 addresses, which it then targets with the CVE-2017-0145 exploit. To skip local loopback interfaces, the worm skips IPs whose first octet is 127, and it also skips those whose first octet is 224 or greater. As soon as an unpatched system is found, it is infected with the worm and the search for further unpatched computers continues from the newly infected system.
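The "high SMB activity from the host" described above has a simple signature: one source address opening TCP/445 connections to many distinct destinations within a short window, most of them dropped or refused. The function below is an added example (not code from the article or from Microsoft) that looks for that pattern in Windows Firewall log lines (the pfirewall.log format, with logging of dropped and successful connections turned on). The log lines in it are constructed sample data, not captured traffic, and the threshold and window are assumptions to tune for your network.

```powershell
# Added example (not from the article): flag sources that sweep TCP/445 the way
# the worm component does. Input is Windows Firewall log text
# (%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log). Threshold and window
# are assumptions; the sample log below is constructed, not real traffic.
function Find-Smb445Sweeps {
    param(
        [string[]]$Lines,
        [int]$Threshold = 20,      # distinct port-445 targets per source per window
        [int]$WindowMinutes = 5
    )
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        # fields: date time action protocol src-ip dst-ip src-port dst-port ...
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time   = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Action = $f[2]
            Src    = $f[4]
            Dst    = $f[5]
        }
    }
    foreach ($grp in ($events | Group-Object Src)) {
        $src    = $grp.Name
        $sorted = @($grp.Group | Sort-Object Time)
        # sliding window anchored at each event: distinct destinations reached
        # from this source within the following $WindowMinutes
        foreach ($e in $sorted) {
            $end      = $e.Time.AddMinutes($WindowMinutes)
            $inWin    = @($sorted | Where-Object { $_.Time -ge $e.Time -and $_.Time -lt $end })
            $distinct = @($inWin | Select-Object -ExpandProperty Dst -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{
                    Source          = $src
                    WindowStart     = $e.Time
                    DistinctTargets = $distinct
                    Dropped         = @($inWin | Where-Object { $_.Action -eq 'DROP' }).Count
                }
                break   # one alert per source is enough
            }
        }
    }
}

# Constructed sample: 10.0.0.9 is a normal client talking to one file server;
# 10.0.0.5 sweeps 10.0.0.100-10.0.0.139 on port 445 within 40 seconds.
$sampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2017-05-12 10:15:01 ALLOW TCP 10.0.0.9 10.0.0.20 50012 445 0 - 0 0 0 - - - SEND',
    '2017-05-12 10:15:02 ALLOW TCP 10.0.0.9 10.0.0.20 50013 445 0 - 0 0 0 - - - SEND'
)
foreach ($i in 1..40) {
    $sampleLog += ('2017-05-12 10:15:{0:D2} DROP TCP 10.0.0.5 10.0.0.{1} 49152 445 52 S 1 0 8192 - - - SEND' -f $i, (99 + $i))
}

Find-Smb445Sweeps -Lines $sampleLog | Format-Table -AutoSize

# Against the live log on a host:
# Find-Smb445Sweeps -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

On the constructed sample the function reports one alert, for 10.0.0.5, with 40 distinct targets and 40 dropped connections, and nothing for 10.0.0.9, whose two connections go to a single server. On real data the same logic applies to any per-flow source (netflow, a perimeter firewall, an EDR network log): the distinctive feature is the count of distinct 445 destinations per source, not the volume of SMB traffic itself.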

When a system is successfully exploited, the malware executes kernel-level shellcode which appears to be copied from the public backdoor known as DOUBLEPULSAR. The code is adjusted slightly to drop and execute the malware payload on both x86 and x64 systems.

Detection and removal tools

To detect and remove this malware, use the following tools:

  • Windows Defender
  • Microsoft Safety Scanner
