All You Need To Know About The WannaCry Ransomware

What is a Ransomware ?


Ransomware is a malicious computer software which encripts the victim's data thereby blocking access to it. The ransomware will demand an amount (Ransom) which is to be payed
via Bitcoin or anyother such cryptocurrencies inorder to get our files decoded . The first documented case appeared in 2005 in the United States, but quickly spread around the world.

How it works?


Steps:
1) The attacker will create a pair of keys and will place the public key in the malware while keeping the private key with themself.
2) They will spread the ransomware via Email or via any Social Engineering techniques, Malvertising (Malware-Advertising)
3) When the victim installs the malicious software, the software will generate a
   a random symmetric key which is encripted using the the public key in the malware and it then encrypts the victims data with it.
4) It creates a asymmetric ciphertext and a symmetric ciphertext
5) The victim will now send the asymmetric key and payment. Upon recieveing the payment
   the hackers will decypher the asymmetric key using the attackers private key and will send the
   symmetric key to the victim. The victim can now decode the data by using the symmetric keys.

What is WannaCry ?


WannaCry is a ransomware which is attacking the cyber world since friday.WannaCry exploits a security flaw
in the older version of Microsoft Windows, which was discovered by NSA (National Security Agency) and leaked by Shadow Brokers (A Hacking Group)
to spread accross networks. The attackers used BotNets which was sending millons of Emails to spread this ransomware.
For your system to become infected you have click on the attachment. Once infected it will lock all your files and will ask for a Ransom (300$-600$)which we have to pay via BitCoins, and upon paying the ransom they claim that they will give us the key to decrypt our data.
The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder.

Vulnerable Windows Versions are,

    Microsoft Windows Vista SP2
    Microsoft Windows Server 2008 SP2 and R2 SP1
    Microsoft Windows 7
    Microsoft Windows 10
    Microsoft Windows 8.1
    Microsoft Windows RT 8.1
    Microsoft Windows Server 2012 și R2
    Microsoft Windows Server 2016
    Microsoft Windows XP
    Microsoft Windows Server 2003.

The Story !


On 14th April 2017 a hacker group named The Shadow Brokers published several leaks contaning hacking tools and exploits from the National Security Agency.
The dump was having potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world.
The dump made an exploit dubbed as EternalBlue public. It exploits a remote code-execution bug in the older versions of windows.
The tools that they leaked are,

    ETERNALROMANCE — Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445)
    ENTERNALCHAMPION, ETERNALSYSTEM — Remote exploit up to Windows 8 and 2012
    ETERNALBLUE — Remote Exploit via SMB & NBT (Windows XP to Windows 2012)
    EXPLODINGCAN — Remote IIS 6.0 exploit for Windows 2003
    EWORKFRENZY — Lotus Domino 6.5.4 and 7.0.2 exploit
    ETERNALSYNERGY — Windows 8 and Windows Server 2012
    FUZZBUNCH — Exploit Framework (Similar to Metasploit) for the exploits.

 Of which the exploit ETERNALBLUE was used to carryout the WannCry Ransomware attack.

What is EternalBLue ?


EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol.
This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog.
The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.

The standard Windows security update on 14 March 2017 resolved the issue via security update MS17-010, for all Windows versions that were currently supported at that time,
these being Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.
 

How it is spreading ?


Just like other ransomware campaings 'WannaCry' also uses random generated emails to send the malware. Eset claimed that WannaCry botnets are sending around a million plus emails per hour with the Ransomware attached as an Attachment.
Downloading and opening the ransomware will result in getting our computer infected.
As it exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol it can spread over a LAN too. That means it is not just a Ransomware it is also a worm.
Lets call it a ' Wromsomware '

Cryptography details


    Each infection generates a new RSA-2048 keypair.
    The public key is exported as blob and saved to 00000000.pky
    The private key is encrypted with the ransomware public key and saved as 00000000.eky
    Each file is encrypted using AES-128-CBC, with a unique AES key per file.
    Each AES key is generated CryptGenRandom.
    The AES key is encrypted using the infection specific RSA keypair. (Source:GitHub Wannacrypt0r FactSheet)

The RSA public key used to encrypt the infection specific RSA private key is embedded inside the DLL and owned by the ransomware authors.

Kill Switch ?


There was a big nonsensical domain placed in the code as a 'Kill Switch' so that the one who coded WannaCry could halt the cyber attack by simply registering the domain.
The malware before  infecting the computer will ping the domain name and if the domain is not live the ransomware will start to encrypt the files.  So if the domain is live the attack stops it spread.
A 23 year old Researcher from UK discoverd this and he blocked the spreading of this malware by registering that domain.
If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied

Who is behind this attack ?


 Researchers at Kaspersky Lab, a Russian cybersecurity firm, published a post on Monday detailing a section of code that shared usage with an
early WannaCry variant from February 2017 and a February 2015 sample from a backdoor program called Contopee,
which has been attributed to the notorious Lazarus group.

Lazarus Group is a cybercrime group made up of an unknown number of individuals. While not much is known about the Lazarus Group, researchers have attributed many cyber attacks to them over the last decade.
The earliest known attack that the group is responsible for is known as "Operation Troy", which took place from 2009–2012.
This was a cyber-espionage campaign that utilized unsophisticated DDoS techniques to target the South Korean government in Seoul.
It is not clear who is really behind the group, but media reports have suggested the group has links to North Korea.

This commonality was first discoverd by a Google Security Researcher Neel Mehta, He shared his findings via Twitter.This method has been found in previously known North Korean cyberattacks, including the Sony hack in 2014 blamed on North Korea.
But it’s possible the code was simply copied from the Lazarus malware without any other direct connection.

How to defend aganist Wannacry


  1. Install software updates. This case desperately calls for all Windows users to install the MS17-010 system security update. Microsoft even released it for systems that are no longer officially supported, such as Windows XP or Windows 2003.
  2. Create file backups on a regular basis and store the copies on storage devices that are not constantly connected to the computer.
  3. Make sure closed 445/137/138/139 port on Windows
  4. Configure the firewall
This method is not shut itself down port 445, but in order to block access to the external port 445 connected to the machine.
Firewall Advanced Settings – Inbound rules – Right-click New Rule – Select UDP, the port number in the dialog box to write 445.
     
    5.Disable SMB v1

Open Windows Powershell with Admin Privileges
Type the following Command

Set - ItemProperty -Path
HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1
- Value 0 –Force

    6.Avoid opening attachments from Spam/Unwanted E-mails.


References : Wikipedia.com , cnn.com , blog.kaspersky.com , Wannacrypt0r Fact Sheet
Suggetions ? Please PM me on Facebook

Hemanth Joseph

.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.