WCry (WannaCry) Ransomware Analysis (2024)

Summary

In May 2017, SecureWorks® Counter Threat Unit® (CTU) researchers investigated a widespread and opportunistic WCry (also known as WanaCry, WanaCrypt, and Wana Decrypt0r) ransomware campaign that impacted many systems around the world. Some affected systems have national importance. CTU® researchers link the rapid spread of the ransomware to use of a separate worm component that exploited vulnerabilities in the Windows Server Message Block (SMB) v1 protocol. Microsoft addressed the SMBv1 vulnerabilities in March 2017 with Security Bulletin MS17-010.

Delivery

The campaign’s use of an SMB worm to distribute WCry contributed to the ransomware’s virulence. As of this publication, the specific delivery method for the SMB worm is unclear. Upon starting, the worm attempts an HTTP connection to www . iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea . com. If the connection is successful, then the worm stops running and exits. The threat actors may have added this HTTP connection test to prevent automated sandboxes from running and analyzing the malware.

The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April. The worm specifically scans for the existence of the DoublePulsar backdoor on compromised systems. If the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit. Propagation relies on two process threads. After the first thread determines the local network subnet, the SMB worm scans local addresses beginning at the start of the netblock and increasing by one to the end of the netblock. The second thread scans randomly chosen external IP addresses.

The SMB worm delivers itself to the compromised system as a DLL file payload. After the DLL is executed with a single exported function named PlayGame, it writes a copy of the original SMB worm to C:\Windows\mssecsvc.exe and then executes this file. The SMB worm then drops a secondary payload from its resources section to C:\Windows\tasksche.exe and executes this file. In the samples analyzed by CTU researchers, this secondary payload is the WCry ransomware.

Infection

After encrypting the file system, WCry displays the ransom demand shown in Figure 1.

Figure 1. WCry (also known as Wana Decrypt0r) ransom demand interface. (Source: SecureWorks)

The malware continually monitors this window to ensure it remains in focus, reopening it if it is closed. WCry also launches a small program named taskse.exe that enumerates active RDP sessions and ensures the remote user can see the window. Additionally, the malware changes the desktop wallpaper to the image in Figure 2.

Figure 2. Desktop wallpaper set by WCry ransomware. (Source: SecureWorks)

WCry is distributed as an executable file that contains a password-protected ZIP archive in its resources section. When executed, this archive is unpacked (using the password “WNcry@2ol7”) in the current directory and contains the following files:

• b.wnry — Bitmap image used as desktop wallpaper (shown in Figure 2)
• c.wnry — Configuration containing Tor command and control (C2) addresses, Bitcoin addresses, and other data
• r.wnry — Ransom demand text
• s.wnry — ZIP archive containing Tor software to be installed on the victim’s system; saved in TaskData directory
• t.wnry — Encrypted DLL containing file-encryption functionality
• u.wnry — Main module of the WCry ransomware “decryptor”
• taskdl.exe — WNCRYT temporary file cleanup program
• taskse.exe — Program that displays decryptor window to RDP sessions
• msg — Directory containing Rich Text Format (RTF) ransom demands in multiple languages

WCry creates additional files during the infection:

• 00000000.pky — Microsoft PUBLICKEYBLOB containing the RSA-2048 public key (The WCry threat actors presumably hold the private key.)
• 00000000.res — Data for C2 communication
• 00000000.eky — Victim-unique RSA private key encrypted with embedded RSA public key
• 00000000.dky — Decrypted RSA private key transmitted to victim after ransom payment
• f.wnry — A list of randomly chosen files encrypted with an embedded RSA private key that allows WCry to “demonstrate” decryption to victims
• @[emailprotected] — Main module of the WCry ransomware “decryptor,” identical to u.wnry
• @[emailprotected] — Ransom demand text, identical to r.wnry

When started, WCry executes two commands:

• attrib +h .
• icacls . /grant Everyone:F /T /C /Q

WCry executes the following single command (formatted for readability) to complicate system and data recovery. If the malware is not running with elevated privileges, WCry executes this with the “runas” command.

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures &bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet 

WCry terminates several services so that their data stores can be encrypted:

• taskkill.exe /f /im mysqld.exe
• taskkill.exe /f /im sqlwriter.exe
• taskkill.exe /f /im sqlserver.exe
• taskkill.exe /f /im MSExchange*
• taskkill.exe /f /im Microsoft.Exchange.*

WCry creates a batch file using a randomly generated large integer (e.g., 46631494859358.bat, 37061494619317.bat) that creates a shortcut to the malware executable (see Figure 3).

Figure 3. Batch file executed by WCry ransomware. (Source: SecureWorks)

The malware’s current working directory is saved to the “wd” registry value under the \SOFTWARE\WanaCrypt0r key (see Figure 4). If WCry is running with elevated privileges, the key is created in the HKLM registry hive; otherwise, it is created in the HKCU hive.

Figure 4. Metadata stored in registry by WCry ransomware. (Source: SecureWorks)

WCry creates a registry Run key value (see Figure 5) to ensure the ransomware GUI is displayed when victims log in or restart the computer.

Figure 5. Run key created by WCry ransomware. (Source: SecureWorks)

Encryption

WCry uses a combination of the RSA and AES algorithms to encrypt files. It uses the Windows Crypto API for RSA encryption and random key generation; however, a third-party implementation of AES is statically linked within the malware. CTU researchers did not identify any flaws in the cryptographic implementation, so file recovery through decryption is likely not possible without a decrypted private key from the ransomware operators.

Prior to encryption, WCry enumerates all available disks on the system. This enumeration includes local drives (e.g., hard disks), removable drives (e.g., USB thumb drives), and network drives (e.g., a remote file share mapped to a drive letter). The malware does not contain functionality to search the local network for unmapped file shares. WCry also searches for the presence of the Global\MsWinZonesCacheCounterMutexA mutex prior to file encryption and exits if the mutex exists.

WCry targets file extensions associated with productivity and database applications, compressed archives, and multimedia formats (see Figure 6). The encryption process skips files whose pathnames contain the directory names and language listed in Table 1.

Figure 6. File extensions targeted by WCry ransomware. (Source: SecureWorks)

Table 1. Whitelisted directory name components.

WCry generates a private RSA-2048 key pair specific to each infection and stores it on the local disk with an .eky extension (e.g., 00000000.eky) after encrypting it with an embedded RSA public key. This generated RSA key is used to encrypt the random AES-128 key generated for each encrypted file.

Each targeted file is opened, read, encrypted in memory, and then written to a new file in the malware’s working directory using the filename format <random number>.WNCRYT. The files are then renamed to their original filename followed by the .WINCRY extension and moved to their original directory. The taskdl.exe process launched by the malware periodically deletes the remaining WINCRYT temporary files. The encryption process does not directly overwrite file data, so forensic recovery of file contents may be possible depending on the environment. The entire contents of the file are encrypted and saved with a custom header (see Figure 7).

Figure 7. WCry file header prepended to encrypted file (encrypted AES key highlighted). (Source: SecureWorks)

The header follows the pattern shown in Figure 8, which allows the malware to identify previously encrypted files and reliably decrypt them.

Figure 8. WCry encrypted file header. (Source: SecureWorks)

Payment

After infecting a system, WCry displays a timer that counts down to the dates when the ransom amount increases (four days) and when files will be irrecoverable (seven days). WCry can be configured to demand different ransom amounts in dollars or bitcoins. CTU researchers observed WCry variants demanding Bitcoin payments equivalent to $300 and $600. The Bitcoin address is provided in the c.wnry configuration file and can vary across samples. If no configuration file is present, the malware uses a hard-coded Bitcoin address. CTU researchers have identified the following Bitcoin addresses associated with the WCry ransomware:

• 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
• 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
• 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 (hard-coded)

CTU researchers have no evidence that the WCry threat actors have the capability or intent to decrypt files for paying victims. Many ransomware families assign each victim a unique Bitcoin address so the threat actors can attribute a payment directly to an infection and associated decryption key. WCry does not include this feature, so the threat actor must rely on communication with the victim to make the connection.

Command and control (C2) traffic

WCry installs the Tor network anonymity software on the infected system in the TaskData folder within the malware’s working directory. The local Tor server is renamed and executed as taskhsvc.exe. Tor establishes a SOCKS5 proxy server on the loopback interface (127.0.0.1) that listens on TCP port 9050. WCry connects to this proxy and attempts to contact the configured C2 hidden services:

• gx7ekbenv2riucmf . onion
• 57g7spgrzlojinas . onion
• xxlvbrloxvriy2c5 . onion
• 76jdd2ir2embyv47 . onion
• cwwnhwhlz52maqm7 . onion

After connecting to a C2 server, the malware uses a custom encrypted protocol over TCP port 80 through the Tor circuit to transmit encryption keys, to allow victims to communicate with the operators, and to check payment status. WCry does not exfiltrate documents, steal stored credentials, or receive and execute additional files.

Conclusion

WCry is an opportunistic ransomware family whose propagation methods allow it to spread quickly. CTU researchers recommend that clients implement the following best practices to mitigate the threat:

• Apply the Microsoft security updates for MS17-010, including the updates for the Windows XP and Windows Server 2003 legacy operating systems.
• Disable SMBv1 on systems where it is not necessary (e.g., hosts that do not need to communicate with Windows XP and Windows 2000 systems). Carefully evaluate the need for allowing SMBv1-capable systems on interconnected networks compared to the associated risks.
• Segment networks to isolate hosts that cannot be patched, and block SMBv1 from traversing those networks.
• Scan networks for the presence of the DoublePulsar backdoor using plugins for tools such as Nmap.
• Use network auditing tools to scan networks for hosts that are vulnerable to the vulnerabilities described in MS17-010.
• Filter emails containing potentially dangerous file types such as executables, scripts, or macro-enabled documents.
• Implement a backup strategy that includes storing data using offline backup media. Backups to locally connected, network-attached, or cloud-based storage are often insufficient because ransomware frequently accesses and encrypts files stored on these systems.

Threat indicators

The threat indicators in Table 2 can be used to detect activity related to WCry and associated delivery mechanisms. The domains may contain malicious content, so consider the risks before opening them in a browser.

Table 2. Threat indicators for WCry.