The “WannaCry” Ransomware & IoT Zombies

By now you’ve probably heard about a distributed ransomware (malware that demands a ransom) known as “WannaCry”, but if not, this is a good article to catch you up to speed.

In short, WannaCry was intentionally released into the wild beginning in Asia, and it spread rapidly to other systems. The spreading mechanism takes advantage of an exploit that achieves remote code execution through a flaw in unpatched versions of the Windows SMB service. The flaw is corrected by Microsoft Security Bulletin MS17-010, released in March 2017. The SMB service is used by Windows computers to share files and printers across LANs. When one computer becomes infected, it searches for other machines to infect; once the initial infection has occurred, further infections require no user interaction.

The malware activates a payload that encrypts multiple data file types on the affected computer and adds the file extension “.WCRY”. After encrypting files on the computer, the ransomware then displays an alert that indicates you’ve been infected and your files have been encrypted. The alert displays a countdown timer that suggests the requested ransom will increase 3 days after infection, and another timer indicates files will be “lost” 7 days after infection. After 7 days, the malware deletes encrypted files.

You can see how detrimental and damaging this would be if left unattended. The malware infected over 200K PCs in 150 countries. The hardest hit sector appears to have been the hospitals of the National Health Service (NHS) in the UK, including 70K devices such as MRI scanners and other Windows embedded systems.

Possible Links to North Korea

Several research firms speculate that the malware code shares similarities with other attack code that was linked to hackers based in North Korea. Yet other cybersecurity researchers are skeptical that North Korea was involved.

There are other reasons that it is not likely to be a state-sponsored attack:

  • The amount of similar code was limited to a small section of code
  • Attacks were not limited to a single country
  • The attackers appear to have cooperated with victims that pay ransom by decrypting data
  • A hacking group named 0xSpamTech has claimed responsibility
  • The malware contains segments of code borrowed from other malware

Our very own Scott Wu spoke with the Wall Street Journal about WannaCry:

“If this was a desperate move by North Korea to get money, something’s not clicking in terms of motivation,” said Scott Wu, chief executive of NewSky Security, of Redmond, Wash., who used to work at Microsoft’s Malware Protection Center (MMPC). “It was a very lousy business model for the bad guy, and it wasn’t even a sophisticated malware.”

Killswitch Engaged

A researcher analyzing the malware discovered that it was checking for the existence of a random-looking domain name; if the domain resolved and responded, the malware would stop spreading.

In the first variant of WannaCry, it contained a “killswitch”:

[Image: WannaCry with “kill switch” domain]

The researcher registered the domain and the malware was halted.

IoT Zombies Helping Spread WannaCry

Soon after, two things were noted. A variant emerged that did not have the killswitch:

[Image: WannaCry variant without killswitch]

The other was that the Mirai botnet was used to attack the killswitch domain with an HTTP flood, as noted in a tweet from the Twitter account “@MiraiAttacks”:

[Image: Mirai used to attack killswitch domain]

Copycat Malware and Fake Decryptors

We received samples that appear to borrow the concept of WannaCry but display a much different alert window:

[Image: WannaCry copycat]

The copycat variant also displays its alert in Thai:

[Image: WannaCry copycat – Thai]

According to a Forbes article, infected users searching online for WannaCry ransomware removers may stumble upon “pay-to-remove” fake tools that don’t actually decrypt anything.

Vaccination Against WannaCry?

One interesting aspect of this malware is that it checks for the presence of two specific mutexes:

MsWinZonesCacheCounterMutexA
MsWinZonesCacheCounterMutexA0

If these mutexes are present, the malware logic instructs WannaCry to avoid infecting the system. Therefore it is technically possible to write a vaccine executable that keeps these two mutex names present so the host avoids becoming a victim of this specific malware. Minerva Labs did just this and have made one freely available to the public here: https://github.com/MinervaLabsResearch/Vaccinator.
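The mutex check described above, as an added PowerShell example that is not Minerva Labs’ Vaccinator or any code from the original post: one function reports whether either mutex already exists on the host (useful for triage, since an unexpected mutex may mean the sample is already running), and the other holds both names open so the malware’s own “already infected” check trips. It assumes the names are opened in the `Global\` object namespace and that the handles stay open for as long as the PowerShell process lives.

```powershell
# Added example, not the Vaccinator project's code. Mutex names are the two
# listed in the post; the Global\ prefix is an assumption about the namespace
# the sample uses, so verify it against the sample you analyze.
$WannaCryMutexNames = @(
    'MsWinZonesCacheCounterMutexA',
    'MsWinZonesCacheCounterMutexA0'
)

function Test-WannaCryMutex {
    # Triage: report which of the two mutexes already exist on this host.
    # An existing mutex means either a vaccine is running or the malware is.
    foreach ($name in $WannaCryMutexNames) {
        $handle = $null
        $exists = [System.Threading.Mutex]::TryOpenExisting("Global\$name", [ref]$handle)
        if ($exists) { $handle.Dispose() }
        [pscustomobject]@{ Name = $name; Exists = $exists }
    }
}

function Start-WannaCryVaccine {
    # Create both mutexes and return the handles; the caller must keep them
    # alive (e.g. in a variable) or the vaccine disappears when they are GC'd.
    $held = @()
    foreach ($name in $WannaCryMutexNames) {
        $createdNew = $false
        $m = New-Object System.Threading.Mutex($false, "Global\$name", [ref]$createdNew)
        if (-not $createdNew) {
            Write-Warning "$name already existed: vaccine already running, or possible infection"
        }
        $held += $m
    }
    return $held
}

# Usage: check first, then hold the mutexes for the lifetime of this session.
Test-WannaCryMutex | Format-Table -AutoSize
$vaccine = Start-WannaCryVaccine
```

The handles are released when the process exits, so a real deployment runs this from a long-lived service or scheduled task rather than an interactive shell.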

In addition, a service called “No More Ransom!” exists to help those affected by the WannaCry ransomware, at https://www.nomoreransom.org/.

Ultimately, we at NewSky Security recommend applying the available Windows patch to prevent further spreading of this weaponized ransomware. We also heavily stress the importance of maintaining backup copies of important data files.
