Ransomware attacks cost organizations billions of dollars each year with no indication of stopping.
Overview
Ransomware attacks are primarily spread through social engineering tactics that trick users into believing that malicious emails came from a legitimate organization or person. These emails will contain a trojan or worm disguised as a legitimate file. Once infected, the malicious code travels through the infected device and even through the network to encrypt files. Ransomware attacks can create headaches for the general public but can also cost organizations and businesses millions of dollars and days of down time to recover.
The goal of a ransomware attack is to create enough damage to a system that it would be more economically beneficial for the victim to pay the hackers to decrypt the files versus recovering from backups. The United States government does not recommend victims of ransomware attacks to pay the attackers, since that will only embolden them. However, in the case of the WannaCry outbreak of 2017, many health and governmental organizations felt like they had no other choice but to pay the hackers in order to re-gain access to their mission critical data.
This blog will primarily focus on the WannaCry ransomware attack that hit systems worldwide. The WannaCry attack caused major political and economic turmoil throughout the world and set the stage for organizations to create sweeping changes to their cybersecurity implementations.
The Beginnings of WannaCry
The WannaCry worm was developed through tools stolen and leaked from the National Security Agency (NSA). The NSA found a vulnerability in the Microsoft Windows Server Message Block protocol and instead of disclosing the vulnerability, they used it to their offensive advantage. The NSA created tools called EternalBlue and DoublePulsar to make use of this vulnerability. These tools were ultimately stolen and leaked by a group called the Shadow Brokers.
EternalBlue, allowed hackers to perform remote code execution by sending a specially crafted message to a device running Microsoft SMB version 1.0 server. The SMB vulnerability was present on all devices running Microsoft Windows XP through Windows 7 and Windows Server 2003 through Windows Server 2008 that were not up to date on security patches or have reached the end of support. EternalBlue, used a technique called HeapSpray, which placed shellcode onto the heap in order to be executed by the attacking software.
EternalBlue was used in conjunction with DoublePulsar, a backdoor exploit tool developed and stolen from the NSA that runs in kernel mode and executed the WannaCry worm on the newly infected device. DoublePulsar worked by injecting a DLL into the user mode process of isass.exe. Once injected, DoublePulsar ran malicious shell code to create a connection through SMB port 445 and/or RDP port 3389. This opened connection allowed the hackers to install and run the WannaCry ransomware.
WannaCry Infection and Execution
The WannaCry worm would first check if the target has the DoublePulsar backdoor already installed. If the backdoor is not already installed, the hackers will attempt to compromise the system with the EternalBlue SMB exploit. Once access has been gained to the target machine, the worm delivered itself as a DLL payload. The DLL is then executed with an export function called PlayGame. The function writes a copy of the worm to C:\Windows\mssecsvc.exe and then executes that file. The worm then drops another payload containing the ransom from its resource to C:\Windows\tasksche.exe.
The initial payload contains a password protected zip file that when ran is unpacked to the infected computer. The files contained in the zip are as follows:
- b.wnry - Bitmap image used as desktop wallpaper.
- c.wnry - Configuration containing Tor command and control addresses, Bitcoin addresses, and other data.
- r.wnry - Ransome demand text.
- s.wrny - ZIP archive containing Tor software to be installed on the victims computer; saved in TaskData directory.
- t.wnry - Encrypted DLL containing file encryption functionality.
- u.wnry - Main module of the WannaCry ransomware decryptor.
- taskdl.exe - Temporary file clean up function.
- taskse.exe - Program that displays decryptor window to RDP sessions.
- msg – Directory containing Rich Text Format ransom demands in multiple languages.
Once installed, WannaCry creates the following files:
- 00000000.pky - Microsoft PUBLICKEYBLOB containing the RSA-2048 public key.
- 00000000.res - Data for C2 communication.
- 00000000.eky - Victim unique RSA private key encrypted with embedded RSA public key.
- 00000000.dky - Decrypted RSA private key transmitted to victim after ransom payment.
- f.wnry - A list of randomly chosen files encrypted with an embedded RSA private key that allows WannaCry to demonstrate decryption to victims.
- WanaDecryptor.exe - identical to u.wnry
- PLEASE_READ_ME.txt - Ransom demand text, identical to r.wnry.
During execution, the WannaCry worm elevates its privileges with a runas command and starts shutting down data store services such as mysqld.exe, sqlwriter.exe, sqlserver.exe, MSExchange, and Microsoft.Exchange so it can begin encrypting those files. WannaCry, skips files whose pathname contains the following directories shown in the table below.
WannaCry will search out for files containing the following path names to encrypt.
To encrypt the files, WannaCry stores an RSA-2048 key pair to the local disk with a .eky extension and encrypts that with a RSA public key. The newly generated RSA public key is then used to encrypt the randomly generated AES-128 key which is then used to encrypt the files. Each file is opened, read, encrypted into memory, and then written to in the worms working directory. After encryption, the worm renames the file back to its original name and then saves it back into its original directory with a custom header.
The user will then be prompted with the following desktop background and message demanding a ransom be paid to re-access their files.
Defense Against WannaCry
Microsoft released patches to cover the running of elevated privileges and the SMB vulnerability with patch MS17-017. Any device that was up to date on patches or running a newer version of Windows was protected. However, the bulk of infections were caused by organizations running out of date patches or end of life software that was no longer supported such as Windows XP. The scale of the attack forced Microsoft to create a patch for Windows XP, even though support for XP had already ended.
A kill switch to WannaCry was found by security researcher Marcus Hutchins. Hutchins found that WannaCry was attempting to contact a domain for a response and that domain was hard coded in the application. The kill switch activated when it received a response from that specified domain. Researchers believe the kill switch was added to prevent security researchers from studying the malware in a sandbox. A sandbox is a controlled environment that is set up to respond to all the malwares network queries with a dummy server. In this case, Hutchins discovered and registered the kill switch domain. Since WannaCry was able to get a response from the domain, it thought it was being analyzed in a sandbox and shut down. The registration of the domain stopped the spread of the worm and gave researchers more time to come up with a permanent fix.
Worldwide Impact
Within a few days the WannaCry worm was able to infect over 200,000 computers in 150 different countries. The countries that were most impacted were Russia, Ukraine, India, and Taiwan. However, many major organizations around the world were impacted by the worm. One of the most notable was the United Kingdom's National Health Services(NHS) hospitals in England and Scotland. It is estimated that 70,000 of their devices including computers, MRI scanners, blood storage refrigerators, and theater equipment all fell victim to the worm. The NHS was hit so bad that they had to turn non-emergency patients away and even divert ambulances.
In the few short days that WannaCry was active some experts believe that it cost up to $4 billion dollars of economic loss. Bitcoin wallets alone show that 327 payments were made to the hackers totaling $130,634.77. The economic cost to recover from WannaCry created economic turmoil throughout the world. There was in-fighting within English parliament accusing each other of not properly funding the NHS to defend against cyber threats. The United States, United Kingdom and Australia formally blamed North Korea for the attack, and Russia blamed the United States intelligence services for creating the attack to begin with.
Sources
Comments
Post a Comment