WannaCry Ransomware
Introduction
The WannaCry ransomware became known to the world in May 2017, after large organizations such as Telefonica and the UK National Health Service fell victim to it. Ransomware has traditionally spread through phishing e-mail and malicious attachments, which depend on a user taking an action; WannaCry is different because it propagates on its own, which is why its spreading mechanism warrants separate investigation. The worm moves across a network by exploiting a vulnerability in the SMBv1 protocol with the EternalBlue exploit. Because the affected systems run Windows, Microsoft released a patch for the flaw (MS17-010); systems that have not applied it remain exposed. This paper analyzes the WannaCry ransomware in depth.
The report analyzes a portable executable (PE) sample named ‘diskpart.exe.’ The technical analysis follows the worm’s activities step by step after it executes on the victim. Once running, the ransomware drops additional components and files into various locations on the system, each with its own role in the attack. It then enumerates files and encrypts every file it finds with an encryption key carried in one of the dropped files, changing the extension of each encrypted file to ‘WCRY.’ The ransomware then presents the victim with a procedure for obtaining the decryption key: it replaces the desktop wallpaper with a message from the attacker, and the instructions on that wallpaper direct the victim to make a Bitcoin payment in exchange for decryption. If the victim does not pay, the decryption key is destroyed and the encrypted files cannot be recovered.
Technical Analysis
When the ransomware’s executable runs on a system, it first collects information about the host. The figure below shows the hostname of the system the file was run on:
After recording the host information, the file creates a registry key on the targeted system. For instance:
Additional Components Extraction
After setting the registry key, the file recovers the password that protects the components embedded in its resource section; this password is hardcoded in the binary. The subroutine labelled sub_401DAB in the disassembly performs both the password recovery and the extraction of the protected components. To locate the embedded resource, the PE calls the Windows API function FindResourceA.
After FindResourceA returns, the PE calls the following API functions to load the resource and obtain its size:
- LoadResource
- LockResource
- SizeofResource
Once these calls complete, the subroutine XOR-decodes the resource that was just loaded. The embedded files are then extracted one at a time in a loop. The figures below illustrate the extraction process.
After extraction, the embedded files are written to the affected machine.
Bitcoin Addresses
Once the attack files have been extracted, the original PE calls a function that invokes a subroutine to retrieve a set of hardcoded Bitcoin addresses. The addresses found in the sample analyzed here are:
- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
- 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
The figure below shows the Bitcoin addresses as they appear in the sample.
After loading the hardcoded addresses, the PE calls another subroutine, sub_401000, which reads the contents of the dropped configuration file c.wnry.
File Attribute and Encryption
Next, the PE changes the attributes and permissions of the files in its working directory. It does this by executing two hardcoded command strings: ‘attrib +h’ and ‘icacls . /grant Everyone:F /T /C /Q’.
These strings invoke two Windows system binaries. attrib +h marks the files as hidden; icacls grants the Everyone group full control (F) of the current directory and, because of /T, of everything beneath it (/C continues past errors and /Q suppresses success messages).
Both commands are run to hide the dropped components from the user: after this step the user can no longer see the files in the directory where the PE was executed.
After hiding the files and loosening their permissions, the PE calls another subroutine, sub_40170a, which calls LoadLibrary to load kernel32.dll and then resolves a set of file-handling API functions with GetProcAddress. The resolved functions include:
- WriteFile
- CreateFile
- ReadFile
- MoveFile
- MoveFileEx
- DeleteFile
- CloseHandle
The PE then runs another subroutine that loads advapi32.dll and resolves a second set of API functions from the Windows CryptoAPI:
- CryptAcquireContextA
- CryptImportKey
- CryptDestroyKey
- CryptEncrypt
- CryptDecrypt
- CryptGenKey
From these function names it is clear that the sample sets up a hybrid RSA and AES encryption scheme. Note that the functions are resolved at runtime rather than listed in the import table, so they do not appear in a static view of the binary’s imports; this is a common way of avoiding function exposure during static analysis.
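Resolving imports at runtime keeps them out of the import table but not out of a string scan: unless the names are hashed or encrypted, LoadLibrary and GetProcAddress still need the literal DLL and function names somewhere in the binary. The script below is an added example, not part of the original analysis or the sample. It emulates a `strings` pass over a byte buffer and reports which of the DLLs, loader functions, file APIs and CryptoAPI functions listed above are present, together with the dropped-file names c.wnry and t.wnry and the WCRY extension. The two buffers are constructed for the example; a real binary would be read from disk and would contain far more.

```python
import re

# Names taken from the analysis above; dropped-file markers are from the same report.
FILE_APIS = {"CreateFile", "ReadFile", "WriteFile", "MoveFile", "MoveFileEx",
             "DeleteFile", "CloseHandle"}
CRYPTO_APIS = {"CryptAcquireContextA", "CryptImportKey", "CryptDestroyKey",
               "CryptEncrypt", "CryptDecrypt", "CryptGenKey"}
LOADERS = {"LoadLibraryA", "GetProcAddress"}
DLLS = {"kernel32.dll", "advapi32.dll"}
MARKERS = {"c.wnry", "t.wnry", ".WCRY"}


def ascii_strings(data: bytes, min_len: int = 5):
    """Yield printable-ASCII runs of at least min_len bytes (what `strings` prints)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def _canonical(name: str) -> str:
    """Fold the ANSI/Unicode suffix (CreateFileW -> CreateFile) for the file APIs."""
    if name[-1] in "AW" and name[:-1] in FILE_APIS:
        return name[:-1]
    return name


def find_api_names(data: bytes) -> dict:
    """Report which DLL names, loader functions, file APIs, CryptoAPI functions
    and dropped-file markers occur as plain ASCII strings in the buffer."""
    seen = {_canonical(s) for s in ascii_strings(data)}
    return {
        "dlls": sorted(DLLS & {s.lower() for s in seen}),
        "loaders": sorted(LOADERS & seen),
        "file_apis": sorted(FILE_APIS & seen),
        "crypto_apis": sorted(CRYPTO_APIS & seen),
        "markers": sorted(MARKERS & seen),
    }


def triage(data: bytes) -> dict:
    """Grade the buffer: runtime resolution plus CryptoAPI plus file I/O is the
    combination the analysis above describes for the encryption stage."""
    r = find_api_names(data)
    runtime_resolution = LOADERS <= set(r["loaders"])
    crypto = len(r["crypto_apis"]) >= 3
    file_io = {"CreateFile", "WriteFile"} <= set(r["file_apis"])
    if runtime_resolution and crypto and file_io:
        r["verdict"] = "likely runtime-resolved file encryption"
    elif crypto or r["markers"]:
        r["verdict"] = "review"
    else:
        r["verdict"] = "no indicator"
    return r


# Constructed stand-in for a sample's string data; a real binary carries far more.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00advapi32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    + b"CreateFileW\x00ReadFile\x00WriteFile\x00MoveFileW\x00MoveFileExW\x00"
    + b"DeleteFileW\x00CloseHandle\x00"
    + b"CryptAcquireContextA\x00CryptImportKey\x00CryptGenKey\x00CryptEncrypt\x00"
    + b"c.wnry\x00t.wnry\x00.WCRY\x00"
)
# Constructed benign buffer: ordinary imports, no CryptoAPI, no markers.
BENIGN = b"\x00kernel32.dll\x00ReadFile\x00CloseHandle\x00GetProcAddress\x00Hello, World!\x00"

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

The verdict deliberately combines three weak signals: LoadLibraryA and GetProcAddress occur in almost every Windows program, and ReadFile/WriteFile are unremarkable, but both groups together with several CryptoAPI names justify a closer look. The heuristic fails when a sample builds API names on the stack or resolves them by hash; in that case the import-resolution routine itself has to be examined in the disassembler.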
Encryption then begins: the PE reads the contents of the dropped file t.wnry, which is used in deriving the AES key that encrypts the files. Every file of interest to the attacker is encrypted and its extension changed to ‘WCRY.’ The user’s wallpaper is then replaced; the figure below shows an example of the replaced wallpaper:
The PE then launches a separate GUI component on the affected system:
The GUI gives the user instructions and steps for decrypting the data once a payment has been completed. It displays countdown timers, and the user must meet the deadline (roughly a week) before the encrypted content becomes permanently unrecoverable.
Process Tree Analysis
As mentioned earlier, the PE file ‘diskpart.exe’ drops several components onto different parts of the affected system and then executes them. It also spawns the child processes that perform the hiding of data and the modification of permissions described above.
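The process tree just described can be reconstructed from endpoint telemetry, and the two commands from the File Attribute and Encryption section are the first child processes worth alerting on. The script below is an added example, not part of the original analysis or the sample: it rebuilds a parent/child tree from constructed Sysmon-style process-creation records, walks past cmd.exe wrappers to find the process that actually launched each command, and flags the combination of attrib +h and icacls . /grant Everyone:F /T under one parent. Process IDs, paths and the benign administrator command are invented for the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 (process creation) records; not real telemetry.
# Paths and PIDs are invented; "diskpart.exe" is the sample's file name from this report.
EVENTS = [
    {"pid": 4012, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 5300, "ppid": 4012, "image": r"C:\Users\victim\Downloads\diskpart.exe",
     "cmd": "diskpart.exe"},
    {"pid": 5340, "ppid": 5300, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c attrib +h ."},
    {"pid": 5344, "ppid": 5340, "image": r"C:\Windows\System32\attrib.exe",
     "cmd": "attrib +h ."},
    {"pid": 5350, "ppid": 5300, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c icacls . /grant Everyone:F /T /C /Q"},
    {"pid": 5355, "ppid": 5350, "image": r"C:\Windows\System32\icacls.exe",
     "cmd": "icacls . /grant Everyone:F /T /C /Q"},
    # Ordinary administrator activity, kept for contrast: a narrower grant, no hide.
    {"pid": 6100, "ppid": 4012, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe"},
    {"pid": 6104, "ppid": 6100, "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r"icacls C:\Share /grant Users:RX"},
]

# Command-line patterns derived from the two hardcoded strings in the sample.
RULES = {
    "icacls_everyone_full": re.compile(
        r"\bicacls\b.*/grant\s+Everyone:\(?F\)?(?:\s|$).*?/T\b", re.I),
    "attrib_hide": re.compile(r"\battrib\b.*\+h\b", re.I),
}
SEVERITY = {"icacls_everyone_full": "high", "attrib_hide": "low"}
SHELLS = ("cmd.exe", "powershell.exe")


def build_tree(events):
    """Index events by PID and collect children per parent PID."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def origin_of(pid, by_pid):
    """Walk upward from pid past shell wrappers (cmd.exe /c ...) to the process
    that actually initiated the command."""
    cur = by_pid[pid]["ppid"]
    while cur in by_pid and by_pid[cur]["image"].lower().endswith(SHELLS):
        cur = by_pid[cur]["ppid"]
    return cur


def detect(events):
    """Match every command line against RULES, attribute each hit to its
    originating process, and grade each origin by the combination of hits."""
    by_pid, _ = build_tree(events)
    groups = defaultdict(set)
    for e in events:
        for name, rx in RULES.items():
            if rx.search(e["cmd"]):
                groups[origin_of(e["pid"], by_pid)].add(name)
    findings = []
    for origin, names in sorted(groups.items()):
        if {"icacls_everyone_full", "attrib_hide"} <= names:
            verdict = "critical"   # hide plus open-up-permissions from one parent
        elif "high" in {SEVERITY[n] for n in names}:
            verdict = "high"
        else:
            verdict = "low"
        findings.append({
            "origin_pid": origin,
            "origin_image": by_pid.get(origin, {}).get("image", "<not in log>"),
            "rules": sorted(names),
            "verdict": verdict,
        })
    return findings


def render_tree(events, root):
    """Return the process subtree under root as indented 'pid image: cmd' lines."""
    by_pid, children = build_tree(events)
    lines = []

    def walk(pid, depth):
        e = by_pid[pid]
        name = e["image"].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid} {name}: {e['cmd']}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
        print("\n".join(render_tree(EVENTS, finding["origin_pid"])))
```

Either command on its own is routine administrator activity, which is why attrib +h alone is graded low and the grade rises to critical only when both commands trace back to the same non-shell parent. Attributing hits to that parent rather than to cmd.exe matters because the sample launches each command through a shell, and alerting on cmd.exe would hide the actual origin, diskpart.exe, from the analyst.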
Defense Against WannaCry
TrapX, a vendor of deception technology, offers a product aimed at WannaCry attacks. As the name suggests, deception works by creating decoy servers that hold fake data. When the ransomware’s encryption routine reaches the network it is steered toward these decoys, where it is fed data it can never finish encrypting, and an alarm is raised. This buys the organization’s security team time to isolate and secure the real networks and assets.