WannaCry Ransomware

By now, on the net, on TV and around the world, there is nothing but talk about WannaCrypt: ransomware, or malware that can encrypt all the files on one’s computer and demand a ransom for unlocking them.

It has infected between 500,000 and 600,000 computers in more than half the world. It attacked hospitals and businesses; in short, general panic. You probably already know the story, since that’s all people are talking about. However, this is not meant to be a post with journalistic overtones, but one that tells the truth about WannaCrypt and many of the thoughts that emerge from analyzing it.

The most shocking fact is that in order to spread, Wannacry (or WannaCrypt) does not resort to the technique of social engineering (i.e., coaxing users with a link or an infected file), but exploits one of the (many) vulnerabilities in the Windows operating system, developed by Microsoft. The problem (CVE-2017-0145) involves the Service Message Block (SMB), a protocol used to share files, printers, and serial ports.

Usually, most bugs are fixed in a short time, and once the debugging is finished, Microsoft releases the patch. But that was not the case this time: in January 2017, some NSA technicians found the bug and used it to create a powerful exploit. The exploit was supposed to remain within the walls of the U.S. agency, but due to a series of errors, the malicious program (and its source) became publicly accessible. Microsoft had already released a patch in March that corrected this bug, but many users had not installed the usual security updates. The result was predictable: thousands of infected users.

This was my first technical analysis of a malware, done when I still did not know the art of reverse engineering. This article contains many errors, but for historicity I have not removed it. If you have any suggestions or have noticed any misprints, please report them to me.

Technical Analysis

As many acquaintances asked, I proceeded to analyze the virus. Here’s how it went: first, I “installed” the ransomware on a Windows XP virtual machine. As expected, the first screen that comes up is, “Your files have been encrypted, to unlock them pay the ransom.”

I got the exe and disassembled it on Linux (on Windows it could have started automatically; better not to risk it). Moving on past seemingly meaningless characters, we find an interesting thing: a set of strings that are most likely the functions used by the program.

Among the most important ones are:

  • GetWindowsDirectory: finds the directory where Windows is installed, useful for the program, which will obviously never encrypt the folder where the system files are located
  • GetLogicalDevices: finds all devices connected to the computer, useful for infecting any thumb drives and/or modems
  • GetSecurityInfo: finds security info, useful for figuring out whether or not you have installed any security updates; it will most likely invoke other exploits if you have not updated your software
  • SystemParametersInfo: collects as much information as possible about the operating system
  • CryptGenRandom: creates the private key to encrypt files (this also uses the rand function, which generates a very complex random string)
  • CryptExportKey: exports the key, most likely to a file
  • fopen, fread, fwrite, fclose: in order, the functions open, read, write and close the “connection” with the file; in a nutshell, WannaCry opens each file and overwrites its data with an encrypted string
  • DeleteFile: deletes the files it wants using the user’s permissions; if the user is admin, it will most likely delete any obstructing software such as firewalls, antivirus, etc.
  • TerminateProcess: terminates some processes (e.g. an antivirus that did not detect the file as ransomware)
  • CreateThread: basically creates separate “threads”; WannaCry uses this function to spread faster by installing itself on the victim’s computer

How file encryption works

The ransomware first attempts to load a public key installed at the time of infection. If loading fails, a 2048-bit RSA key pair is generated using the CryptGenKey function. The private key is further encrypted with the ransomware’s public key.

At this point, a random 128-bit AES key (used in CBC mode and generated through the CryptGenRandom function) is created for each file, and each file is encrypted with it. The AES key is in turn encrypted with the public key previously generated and included in the file itself. The original private key of the malware developer is therefore needed to decrypt the files.

Cryptographic provider and API strings found in the executable:

Microsoft Enhanced RSA and AES Cryptographic Provider
TESTDATA CryptGenKey CryptDecrypt CryptEncrypt CryptDestroyKey
CryptImportKey CryptAcquireContextA

Extensions:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, 
.rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm,
.dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx,
.ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx,
.gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso,
.vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u,
.mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla,
.swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip,
.pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf,
.mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3,
.asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk,
.dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, 
.p12, .csr, .crt, .key, .pfx, .der

The program then goes looking for files that have these extensions, ignoring some folders that it must not encrypt, since otherwise the system would become unstable:

  • “Content.IE5”
  • “Temporary Internet Files”
  • “\Local Settings\Temp”
  • “\AppData\Local\Temp”
  • “\Program Files (x86)”
  • “\Program Files”
  • “\WINDOWS”
  • “\ProgramData”
  • “\Intel”
  • “$”

Although these scripts are probably incomplete, I note that WannaCry uses the Command Prompt to go in and modify registry keys. Specifically, it modifies the keys found in HKCU\SOFTWARE\Windows\CurrentVersion\Run\, the registry keys that list the software Windows automatically runs on every startup. The ransomware thus adds itself to the list of software that Windows must run, and also adds a shortcut on the victim’s desktop.

Another string that can be found within WannaCry (executed from the command prompt) is the following:

/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit
/set {default} bootstatuspolicy ignoreallfailures & bcdedit 
/set {default} recoveryenabled no & wbadmin delete catalog -quiet

The script deletes all shadow copies, that is, all the backup copies that allow files to be recovered in their original state. Again, this highlights how far WannaCry goes in extending the damage to backup copies as well.
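A detection-side example for the two behaviours just described (the Run-key persistence and the chained shadow-copy/recovery deletion), added here and not part of the original analysis: it runs a few command-line rules over constructed process-creation events. The event field names, the sample command lines other than the quoted chain, the placeholder paths and the use of the full Run key path (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
# Event 1188 carries the exact command chain quoted in the post under cmd.exe /c;
# event 1190 models the Run-key persistence the post describes (placeholder paths).
SAMPLE_EVENTS = [
    {"pid": 1188, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
                r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
                r" & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"pid": 1190, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc"
                r' /t REG_SZ /d "C:\Users\PLACEHOLDER\AppData\Local\Temp\PLACEHOLDER.exe" /f'},
    {"pid": 2201, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},          # benign: listing, not deleting
    {"pid": 2310, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users"},
]

# Rule name -> case-insensitive pattern. The first three cover the recovery-inhibition
# commands in the quoted chain; the last covers writes to the standard Run key.
RULES = [
    ("shadow_copy_delete", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("run_key_persistence", re.compile(
        r'reg(\.exe)?\s+add\s+"?(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)'
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I)),
]
RECOVERY_RULES = {"shadow_copy_delete", "recovery_disabled", "backup_catalog_delete"}


def classify(event):
    """Names of the rules the event's command line matches, in RULES order."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def severity(hits):
    """'high' when two or more recovery-inhibition commands are chained in one command
    line (the pattern in the post); 'medium' for any single hit; None for no hit."""
    if len(RECOVERY_RULES & set(hits)) >= 2:
        return "high"
    return "medium" if hits else None


def triage(events):
    """One finding per event that matched at least one rule."""
    return [{"pid": ev["pid"], "severity": severity(h), "hits": h}
            for ev in events for h in [classify(ev)] if h]
```

Because the whole chain arrives as a single cmd.exe command line, one event hits several rules at once; the same rules also fire on the individual child processes (vssadmin, bcdedit, wbadmin) if your sensor logs those separately.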

Having finished the analysis, I realized that this software is very complex and definitely not developed by incompetent people. The malware has many obfuscation techniques, both in terms of code and behavior; there are some features of this software that are still unknown to me. I urge you to keep your operating systems up-to-date, always applying the official patches, and I recommend NOT paying any ransom.