On 12 May 2017, the cryptoworm WanaCrypt0r 2.0, also known as WannaCry, infected hundreds of thousands of computers around the world. Our investigation into this ransomware reveals some worrying trends.
(Re)read part 2: WannaCry seen from the perspective of an SMB server
A cryptoworm with a kick
WannaCry is a computer worm – a self-replicating program that can spread across networks and penetrate operating systems without requiring a host (a physical or logical medium such as a hard drive or file).(1) After infecting its first victim, the worm self-propagates to other machines outside its own network without the user’s knowledge. Most worms are spread via email: they retrieve addresses from victims’ address books and send copies of themselves to all those listed. Typically, the initial infection occurs after users click on a malicious hyperlink or attachment in a phishing email. However, according to Sophos Lab,(2) there is no evidence that WannaCry started with a compromised email. All indicators currently point to an unprotected SMB port as the worm’s starting point.
Computer worms often have payloads. WannaCry’s payload was ransomware: a software program which, once installed, encrypted users’ documents, making them impossible to read without a decryption key. Users were asked to pay a ransom to receive the key that would unlock their files. With WannaCry, this amount was relatively low: between €250 and €500 (depending on whether the user paid up quickly enough – decryption keys are often deleted after a certain period of time has passed).
The tools used to build WannaCry were sophisticated. They included EternalBlue, an exploit targeting Microsoft’s SMB file-sharing protocol that was leaked by the Shadow Brokers, and DoublePulsar, an NSA tool that installs a backdoor on infected computers, allowing attackers to return at any time.
WannaCry was unusual because it started by checking whether a specific domain name was reachable. This was the famous kill switch. If the domain name was reachable, the worm stopped running. If not, the worm downloaded its malicious payload, which encrypted files under the direction of a command-and-control (C&C) server from which it received instructions. While encrypting files, it generated a random list of IP addresses to which it sent malicious packets, seeking new remote hosts that were vulnerable to the EternalBlue exploit. It then infected those machines, spreading to new networks and starting the cycle again.
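The scanning phase described above, seen from the defender's side: the script below is an added example (not code from the original article) that flags any source contacting an unusually large number of distinct hosts on TCP/445 within a short window. The log format, the threshold of 20 destinations per 60 seconds and the sample traffic are all assumptions made for illustration.

```python
"""Detect worm-style SMB fan-out in connection logs (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed log timestamp format


def parse_line(line):
    """Parse an assumed 'timestamp src_ip dst_ip dst_port' firewall/NetFlow-style record."""
    ts, src, dst, port = line.split()
    return datetime.strptime(ts, FMT), src, dst, int(port)


def find_smb_scanners(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src_ip: max distinct TCP/445 destinations seen in any `window`} for sources
    that reach `threshold`. A normal client talks to a few file servers repeatedly; a host
    walking a random IP list contacts many distinct addresses in a burst."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == 445:  # only SMB traffic is of interest here
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def build_sample_log():
    """Constructed traffic: one normal client, one host sweeping 40 addresses on 445 in 20 s."""
    base = datetime(2017, 5, 12, 7, 44, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).strftime(FMT)} 10.0.0.5 10.0.0.9 445"
             for i in range(30)]  # repeated use of a single file server
    lines += [f"{(base + timedelta(seconds=i // 2)).strftime(FMT)} 10.0.0.77 192.168.1.{i + 1} 445"
              for i in range(40)]  # worm-like fan-out
    lines.append(f"{base.strftime(FMT)} 10.0.0.77 10.0.0.1 53")  # non-SMB noise, ignored
    return lines


if __name__ == "__main__":
    print(find_smb_scanners(build_sample_log()))  # {'10.0.0.77': 40}
```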
A complex sequence of events
The recent ransomware attack was the first time many people had heard about WannaCry. However, the computer worm was in the making for some time – ever since tools stolen from the NSA were leaked to the public. More malware exploiting these tools is likely to be developed in the future. For now, let us take a look at the events surrounding WannaCry.
On 13 August 2016, the hacking group the Shadow Brokers released its first data dump and announced it on Twitter.(3) This release contained zero-day vulnerabilities, hacking tools and confidential documents from intelligence services, which could be freely downloaded from Pastebin. This data leak was small and controlled – its purpose was to advertise a much larger data auction taking place at a later date. According to the Shadow Brokers, the data was stolen from the Equation Group, another hacking group rumoured to have been paid by the NSA to identify vulnerabilities and develop exploits. The stolen data was therefore part of the NSA’s arsenal of cyber warfare tools. The hackers’ identities are unknown, but most hypotheses favour either someone inside the NSA (possibly a whistleblower) or a group connected to the Russian government. Neither of these hypotheses has been proven to date.
According to an article by the Washington Post,(4) when the vulnerabilities discovered by the NSA were first leaked by the Shadow Brokers, the intelligence agency decided to alert affected vendors and publishers so they could take action.
On 16 August 2016, the Russian cybersecurity agency Kaspersky Lab published a press release confirming the authenticity of the stolen data. It used knowledge gained during a prior investigation into the Equation Group to identify similarities between their tools and those revealed by the Shadow Brokers.(5)
In February 2017, Microsoft developed a series of security patches to correct the vulnerability exploited by EternalBlue.(6) Some of these patches were for operating systems that Microsoft no longer supported. Patches for Windows XP, Windows 8 and Windows Server 2003, for example, were created on 11, 13 and 17 February 2017. However, these patches were only released after the attack – two months after those for operating systems still supported by Microsoft, and three months after their creation.
On 14 March 2017, Microsoft issued its Patch Tuesday (Security Bulletin MS17-010), rated “critical.”(7) This bulletin included an update to correct vulnerabilities that “could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.” However, the update was only available for software versions or editions that were not “past their support life cycle” – in other words, operating systems that Microsoft had agreed to supply patches for. Operating systems left unpatched included all versions of Windows XP, Windows 8 and Windows Server 2003.
On 14 April 2017, the Shadow Brokers published a tweet linking to a Steemit story.(8) This story contained a message and another link. The link directed users to a file containing another set of hacked documents. The freely accessible files included details on the SMB protocol vulnerability, the EternalBlue hacking tool and the DoublePulsar backdoor installed by EternalBlue. This was the arsenal used to develop WannaCry.
On 21 April 2017, Binary Edge, a cybersecurity and data science company, stated that nearly 429,000 machines had been infected by DoublePulsar, the backdoor revealed two weeks earlier.(9)
In late April, the first attacks using the EternalBlue exploit were recorded. According to the security specialist Secdo, there were at least three types of attack, all of which were more sophisticated but less widespread than WannaCry.(10)
The first EternalRocks malware sample has been dated to 3 May 2017. This malware uses seven of the NSA’s tools, whereas WannaCry only uses two. However, EternalRocks remained undetected until the end of the month.
On 12 May 2017 at 7:44 a.m. (UTC), WannaCry infected its first victims in Asia.(2) The worm quickly spread to more than 200,000 machines. According to Sophos Lab, the infection vector appeared to be an open SMB port rather than a phishing email, which was unusual for these kinds of attacks. Around 2:30 p.m., an IT security researcher, MalwareTech, registered the domain name in the kill switch, causing the worm’s rate of infection to fall sharply.(11) During the day, Microsoft published links to corrective patches for non-supported operating systems (Windows XP, Windows 8 and Windows Server 2003) as part of emergency measures taken to stop the worm from spreading.(12) These steps helped check WannaCry’s progress.
On 13 May 2017, new versions of the worm began to circulate. These either had no kill switch or had kill switches pointing at new domain names.(13)
On 14 May 2017, French researcher Matthieu Suiche confirmed the existence of another version of WannaCry and registered the domain name in the new kill switch.(13)
On the same day, Microsoft published an article criticising the policy adopted by the NSA.(14) Claiming the intelligence agency should take its share of responsibility for the attack, it called for a “Digital Geneva Convention”. The investigative website The Register, which specialises in new technologies, retrieved the metadata for the patches published by Microsoft and discovered that security updates for non-supported operating systems had been developed in February but were not published until after the attack.(6)
On 19 May 2017, three French IT experts announced they had developed the WannaKiwi software program to recover decryption keys using different methods.(15) Europol currently recommends this software as the most effective solution to WannaCry.
On the same day, Miroslav Stampar, a Croatian security expert for the country’s Computer Emergency Response Team (CERT), published the results of a study on EternalRocks.(16) This malware is considered to have more potential for damage than WannaCry, as it integrates seven NSA tools, almost all of which involve SMB vulnerabilities. EternalRocks is more complex and difficult to detect than WannaCry, but does not have a malicious payload.(17)
On 22 May 2017, the cybersecurity specialist Symantec published an article on the links between WannaCry and Lazarus, a hacking group connected to North Korea. According to the organisation, the worm’s tools and infrastructure were similar to those used in attacks by the North Korean group.(18)
On 24 May 2017, the developer of EternalRocks posted messages on the worm’s server explaining that the program was not malware but an attempt to “play some games” with NSA tools before firewalling open SMB ports. The developer seems to have since taken steps to shut down operations.(19)
On 25 May 2017, cybersecurity expert Flashpoint published a blog article suggesting the worm was of Chinese origin.(20) To prove this theory, it analysed the linguistic content of ransom messages, showing that syntax errors in various languages were probably due to machine translation. Only the English and Chinese messages appeared to have been written by humans. However, the English message contained several grammatical errors indicating that the author was not a native speaker.
Since then, multiple analyses have been performed by cybersecurity experts seeking to prove, once and for all, who was behind the WannaCry attack. But one key question remains unanswered: who did the worm benefit?