The WannaCry Ransomware (CVE-2017-0144)

What is the WannaCry ransomware?

What is ransomware?

Ransomware is a type of malicious program that, when run, takes control of the victim’s computer in some way (blocking the user’s access, encrypting files, retrieving files) and demands payment (a ransom) from the victim to restore the system to normal behaviour. These programs usually get onto a computer by tricking the user into opening an executable file that appears to be harmless (e.g. email attachments, files downloaded via phishing links). In rare cases, they may also get in and start executing without user interaction by exploiting various system vulnerabilities, as was the case with WannaCry.

The WannaCry ransomware

WannaCry (also known as WannaCrypt) was a ransomware program that started to appear on computers in Europe and parts of Asia on 12 May 2017. The initial point of infection is not conclusively known, but it is suspected that it came through email phishing, which tricked users into running the program executable. WannaCry is a type of encrypting ransomware, and the following diagram illustrates how encrypting ransomware works.

Figure 1: Sequence diagram illustrating how an encrypting ransomware works

For most ransomware, the end of the diagram above marks the end of the story (the program works on one victim). However, WannaCry is a self-propagating program. This means that in addition to encrypting files on one computer, it copies itself into other Windows computers in the network and executes itself without any user interaction. For this purpose, WannaCry exploits a particular vulnerability in the Server Message Block (SMB) protocol (details given in the section: Details of the exploit: CVE-2017-0144).

Due to this self-propagating nature, the WannaCry ransomware attack infected over 200,000 computers in 150 countries in May 2017. Among the high-profile victims were Nissan UK, Honda, Renault, FedEx, banks in Spain, India police and NHS hospitals in the UK. Some of these organizations had to stop their work in order to prevent further spread of the ransomware. The following heat map shows which parts of the world were attacked by the WannaCry ransomware.

Figure 2: Computers in the world infected with WannaCry 2 days into the attack

Figure 3: The message displayed after WannaCry has taken control of your computer

Origins of the exploit and timeline of relevant events

The origin of the WannaCry attack itself and its developers are currently unknown. However, the vulnerability in the Windows SMB protocol that was exploited in the ransomware had been discovered by the National Security Agency (NSA) of the United States some time back (possibly years). Instead of revealing it to Microsoft, the NSA developed an exploit using this vulnerability, dubbed EternalBlue.

On 14 April 2017, a hacker group called Shadow Brokers hacked into NSA computers and gained access to this exploit, along with several others. The group released the exploit on the internet. It was this exploit that the WannaCry developers had used in making their malicious program self-propagating.

Independently, Microsoft had discovered this vulnerability and released updates for their operating systems with the patch to fix it in March 2017. The users who had not installed these updates until May 2017 were potential targets of the WannaCry ransomware.

The timeline of these events is summarized as below.

  • Before 2017: NSA discovers SMB vulnerability, develops the EternalBlue exploit and keeps it a secret
  • March 2017: Microsoft discovers the SMB vulnerability, patches it and releases a Windows update
  • 14 April 2017: Shadow Brokers hack NSA computers and release the EternalBlue exploit
  • 14 April - 12 May: WannaCry developers develop the WannaCry ransomware using the EternalBlue exploit
  • 12 May: Unpatched computers get infected (first by tricking via email, then it self-propagates via the network to unpatched computers)

Details of the exploit: CVE-2017-0144

Server Message Block (SMB) is a transport protocol used by Windows PCs to provide shared access to files, printer sharing, etc. SMB uses the TCP ports 139 and 445.

The vulnerability CVE-2017-0144 exists because SMB version 1 (SMBv1) in several Microsoft Windows systems mishandles crafted packets, allowing remote attackers to execute arbitrary code.

This malware variant contains code designed to exploit the vulnerability patched by Microsoft on March 14, described in security bulletin MS17-010 and known as ETERNALBLUE. WannaCry scans both the internal and external network of target organizations, connecting to port 445 (SMB) and searching for unpatched computers in order to infect them (similarly to a computer worm). To do this, it uses a variant of the DOUBLEPULSAR backdoor.

The first component to run is the network worm, which attempts to connect to the following URL: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the domain is active, the worm doesn’t take any additional actions and stops running.

However, if it can’t establish a connection, it continues to run, registers itself as a service on the target computer and launches the service mssecsvc2.0 (Microsoft Security Center 2.0 Service) which contains the EternalBlue exploit.

EternalBlue exploits (MS17-010) CVE-2017-0144

The exploit code triggers a buffer overflow in a memmove operation (used to copy a block of memory from one location to another) on the target computer. The overflow results from a mathematical error in which a DWORD is cast to a WORD. The exploit uses non-standard SMB packet segments to make the allocated memory persistent in the hardware abstraction layer (HAL) memory space.

On Windows 7, which is the system that the exploit targets, the HAL region is mapped as readable, writable, and executable. On newer systems the HAL region is no longer executable, meaning that the CPU would fault when trying to execute the shellcode. Furthermore, the HAL region and other kernel regions (such as page tables) have been randomized on the latest 64-bit versions of Windows 10, breaking assumptions of the 64-bit version in the ETERNALBLUE exploit.

The vulnerability is reached through an SMB_COM_TRANSACTION2_SECONDARY (0x33) request with malformed fields: Parameter Offset, Data Count and Parameter Count. These allow the exploit to inject the DoublePulsar backdoor into the target machine.

Using the above, DoublePulsar backdoor is delivered to the target machine encoded in base64. Once installed, the backdoor provides a basic communication interface based on the SMB_COM_TRANSACTION2 (0x32) command using the TRANS2_SESSION_SETUP (0x000E) subcommand.

The DoublePulsar tool bypasses the authentication measures of a system and creates a backdoor to allow remote access. This means that, without any user intervention, DoublePulsar transfers control of your system into the hands of the hacker.

DoublePulsar establishes a connection which allows the attacker to install any malicious code they choose—like WannaCry—on the exploited system.
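Added example (not from the original write-up or any vendor tool): a minimal Python classifier that labels SMBv1 messages by the two commands named above, SMB_COM_TRANSACTION2_SECONDARY (0x33) and SMB_COM_TRANSACTION2 (0x32) carrying the TRANS2_SESSION_SETUP (0x000E) subcommand, and checks that the count and offset fields of a 0x33 request stay inside the message. Field offsets follow the published SMB1 request layout; the length check is a generic consistency test rather than a signature for the exploit, and the sample frames and label names are constructed.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TRANSACTION2_SECONDARY = 0x33
TRANS2_SESSION_SETUP = 0x000E
HDR = 32  # fixed SMB1 header length in bytes

def classify_smb1(frame):
    """Label one NetBIOS-framed message seen on TCP/445."""
    smb = frame[4:]  # drop the 4-byte NetBIOS session header
    if len(smb) < HDR + 1 or smb[:4] != SMB1_MAGIC:
        return "not-smb1"
    command, word_count = smb[4], smb[HDR]
    words = smb[HDR + 1 : HDR + 1 + 2 * word_count]
    if len(words) < 2 * word_count:
        return "truncated"
    if command == SMB_COM_TRANSACTION2_SECONDARY:
        if word_count < 9:
            return "trans2-secondary-inconsistent"
        # ParameterCount, ParameterOffset, (displacement), DataCount, DataOffset
        p_cnt, p_off, _, d_cnt, d_off = struct.unpack_from("<5H", words, 4)
        ok = p_off + p_cnt <= len(smb) and d_off + d_cnt <= len(smb)
        return "trans2-secondary" if ok else "trans2-secondary-inconsistent"
    if command == SMB_COM_TRANSACTION2 and word_count >= 15:
        setup_count = words[26]                       # SetupCount byte
        (subcommand,) = struct.unpack_from("<H", words, 28)  # Setup[0]
        if setup_count >= 1 and subcommand == TRANS2_SESSION_SETUP:
            return "trans2-session-setup"
    return "smb1-other"

def build_frame(command, words, data=b"", magic=SMB1_MAGIC):
    """Build a constructed test message; this is not captured traffic."""
    smb = magic + bytes([command]) + bytes(HDR - 5)
    smb += bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

# Constructed samples. Data starts at offset 53 in each secondary request.
SAMPLES = {
    "session_setup": build_frame(0x32, struct.pack("<13HBBH", *[0] * 13, 1, 0, 0x000E)),
    "secondary_ok": build_frame(0x33, struct.pack("<9H", 0, 4, 0, 0, 0, 4, 53, 0, 0), b"AAAA"),
    "secondary_bad": build_frame(0x33, struct.pack("<9H", 0, 4, 0, 0, 0, 4096, 53, 0, 0), b"AAAA"),
    "smb2": build_frame(0x00, b"", magic=b"\xfeSMB"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, "->", classify_smb1(frame))
```
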

Payload delivery

To start uploading its main package, WannaCry sends multiple ping packets to the target, testing if its server hook (DoublePulsar) has been installed. The response to the ping packet contains the randomly generated XOR master key to be used for communication between the client and the targeted server.

In addition to installing itself as a service, WannaCry extracts the ‘R’ resource, which corresponds to the ransomware’s PE executable file that encrypts the user’s data (MD5: 84c82835a5d21bbcf75a61706d8ab549), and copies it to:

C:\WINDOWS\tasksche.exe

Then, it runs it with the following command line:

C:\WINDOWS\tasksche.exe /i

Finally, to make sure it runs every time the computer is restarted, it creates an entry in the Windows registry by means of the following command:

reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mzaiifkxcyb819" /t REG_SZ /d "\"C:\WINDOWS\tasksche.exe\"" /f

Once the ransomware component (tasksche.exe) is run, it copies itself to a folder with a random name in the COMMON_APPDATA directory of the affected computer. It then tries to persist across restarts by adding itself to the computer’s autorun feature:

reg.exe add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "RANDOM_CHARS" /t REG_SZ /d "\"C:\ProgramData\FOLDER\tasksche.exe\"" /f
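Added example (not part of the original write-up): a small Python triage routine that matches the host indicators quoted in this section (the mssecsvc2.0 service, the kill-switch domain, the tasksche.exe /i invocation, the Run-key persistence command and the MD5) against normalised endpoint events. The event field names (host, cmdline, service, dns, md5), the rule names and the sample events are assumptions constructed for illustration.

```python
import re

# Indicators quoted in the write-up above.
IOC_MD5 = "84c82835a5d21bbcf75a61706d8ab549"  # ransomware PE ('R' resource)
IOC_SERVICE = "mssecsvc2.0"
IOC_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
RUN_KEY = r"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

# (rule name, event field, pattern). Matching is case-insensitive because
# Windows paths, registry keys and DNS names are.
RULES = [
    ("run-key-persistence", "cmdline",
     re.compile(r"\badd\s+" + RUN_KEY + r"\s.*\\tasksche\.exe", re.I)),
    ("installer-invocation", "cmdline",
     re.compile(r"\\tasksche\.exe\"?\s+/i\s*$", re.I)),
    ("worm-service", "service", re.compile("^" + re.escape(IOC_SERVICE) + "$", re.I)),
    ("kill-switch-lookup", "dns", re.compile("^" + re.escape(IOC_DOMAIN) + r"\.?$", re.I)),
    ("ransomware-hash", "md5", re.compile("^" + IOC_MD5 + "$", re.I)),
]

def match_event(event):
    """Return the names of every rule that fires on one normalised event."""
    return [name for name, field, pattern in RULES
            if pattern.search(event.get(field, ""))]

def triage(events):
    """Group rule hits by host so affected machines stand out."""
    hits = {}
    for event in events:
        for name in match_event(event):
            hits.setdefault(event["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}

# Constructed events; field names are hypothetical stand-ins for EDR output.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"host": "ws01", "cmdline": r'reg.exe add HKCU\SOFTWARE\Microsoft\Windows'
                                r'\CurrentVersion\Run /v "abc123" /t REG_SZ '
                                r'/d "\"C:\ProgramData\abc123\tasksche.exe\"" /f'},
    {"host": "ws02", "service": "mssecsvc2.0"},
    {"host": "ws02", "dns": "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"},
    # Benign look-alikes that must not fire:
    {"host": "ws03", "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows'
                                r'\CurrentVersion\Run /v "Sync" /d "C:\App\sync.exe" /f'},
    {"host": "ws03", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(host, names)
```
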

Next, the ransomware takes the following actions:

  • Uses Windows’ “icacls” command to have full access to all files on the target system
  • Deletes all backup copies (shadow copies) it finds on the system.
  • Prevents the computer from being booted in Safe Mode.
  • Deletes all backup catalogs.
  • Creates an entry in the Windows registry pointing to the folder that contains the ransomware.
  • Hides the recycle bin.
  • Using cmd and the echo command, it creates a VBS script to generate a .lnk file pointing to the file decrypter.
  • Finally, WannaCry attempts to kill many database processes in order to be able to access and encrypt database files.

Vulnerable systems

  • Windows Vista
  • Windows Server 2008
  • Windows 7
  • Windows Server 2008 R2
  • Windows 8.1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT 8.1
  • Windows 10
  • Windows Server 2016

Some interesting facts about WannaCry

When investigating the WannaCry ransomware, researchers discovered that the program first tries to connect to a non-existent URL, and only proceeds if the connection fails (exits the program otherwise: a kill switch). It is believed that the purpose of this behaviour was to derail or slow down research efforts. Researchers usually test these programs in isolated sandbox environments, where DNS requests on any URL usually return a valid response. Therefore, the kill-switch behaviour would prevent the program from running on researchers’ environments.

Taking advantage of this kill switch, one researcher registered the domain for this URL. This meant that WannaCry programs running around the world exited after the DNS check (due to a valid DNS response for the now-existent URL). It is believed that this significantly hindered the spread of the program and prevented many computers from being encrypted.

However, the malware developers then released a version (sent out via emails) that had the kill switch disabled, and the attack continued.

Lessons

In the wake of the WannaCry attack, the question of who was at fault was debated. Was it the fault of the NSA, who did not reveal the vulnerability in the SMB protocol to the vendor so that they could patch it? Was it Microsoft’s fault for making buggy software (remember, all software has bugs)? Was it the end users (individuals and organizations) who did not keep their systems up to date by installing the updates released by Microsoft?

Blame game aside, there are lessons to be drawn from the WannaCry ransomware incident, and steps we can take to keep our computers secure.

  • Do not open or execute suspicious files (don’t get tricked!). Your default mode of thinking should be to suspect everything, and only open files from trusted sources.
  • Always keep your software up to date (especially the OS). Do not ignore update notifications from software vendors.
  • Do not use legacy software that has no support (software that has reached end-of-life such as Microsoft XP, Vista).
