WannaCry / Wcry / WannaCrypt Attack Profile

WannaCrypt 2.0 (WannaCry, WannaCrypt0r) is the worm used in the most recent, widespread ransomware campaign. The malware’s infections were first reported on May 12, 2017 in association with a phishing email, encouraging users to download and execute a malicious file. Post-execution, WannaCrypt encrypts 166 file types on the victim’s computer and posts a message demanding Bitcoin payment in exchange for decryption.

Once settled on the host, the malware tries to propagate, mainly by using an exploit to abuse the Server Message Block (SMB) protocol to infect new hosts in a network. This exploit is based on a tool called “EternalBlue” that was exposed in the Shadow Brokers’ dump.  The malware scans hundreds of thousands of addresses on ports 135 and 445 and attempts to execute the exploit. A successful run will result in a new infected host. For newer versions of Windows (Win7 and above), Microsoft patched the vulnerability used in this exploit  on March 14 in Microsoft Security Bulletin MS17-010. Microsoft also released a patch for older operating systems on May 12, covering Windows XP, Windows 8 and Windows Server 2003. The only machines still vulnerable to this attack are unpatched systems.

Campaign preparation

The initial campaign (if indeed perpetrated by the same attacker) in which the first version WannaCryptor was used began in early March and used spear-phishing to spread but had no autonomous propagation mechanism. The new “super” weaponized variant relies on an exploit that was made public on April 14, which means the threat actor had less than one month to do the following:

• Leverage the propagation exploit used by the ransomware. This worm can be divided into three main code components: the Ransomware payload, the exploit and the code in charge of the propagation.  The payload seems not very different from the original variant detected in March of this year. The exploit seems to be used in its original form, as downloaded from the Shadow Brokers’ dump. The majority of the prep time likely went towards stitching these modules together into a working framework. The fact that the patch was not actively pushed for supported Windows systems, combined with the number of unsupported systems still operating globally, made this exploit and work especially harmful.
• Form a target list. The initial spear-phishing campaign that allowed the attacker to infiltrate victims and the resounding success within networks of high-profile organizations worldwide implies that the campaign started based on a target list. This list may have been “manually” assembled based on broad scanning or may have been extracted out of previous analysis made by security analyst regarding machine susceptible to DoublePulsar.
• Concocte campaign strategy. The advantage and power of this campaign relies on its ability to spread broadly and independently (and not on the initial intrusion). The attacker understood the power of this strategy -- get a foothold in a vulnerable organization and start spraying around. An organization with a number of infected machines is more prone to pay, and the odds to strike gold (machines with critical, valuable data in the network) rise as the infection count in the network rises. Among those targeted, major organizations with critical production services and for whom business continuity is essential were likely targeted due to a higher likelihood of paying the ransom (such as telecommunication, health, shipping, and transportation).
• Delimit the boundaries of the campaign. The suspected target list and the hardcoded kill switch in the ransomware (possibly designed to allow the attacker to “control” the rate and spread of infections) allows the attacker to have a means of control in case it escalated out of control.
• Create the payment backend. There are currently three known Bitcoin wallets linked to this campaign. The 1.0 variant had only a single account. These accounts were created on the day of the outbreak and are still stockpiling funds from victims.

These steps point to how rapidly this campaign was planned and executed. The last month was most likely devoted to assembling this campaign. A glance at the number of infections and the public hysteria indicate that the campaign was successful from an operational threat perspective. It is still unknown how successful the overall campaign will be since most of the infected victims have yet to pay the ransom and the ultimate motives of the actor are unknown at this time.

Damage & AFTERMATH

Victims

Victims of this campaign are spread across more than 100 countries, hitting more than 200,000 systems, including major health organizations, energy companies and a Spanish telecommunication provider. The British National Health Service (NHS) was particularly impacted with 40 of its hospitals and subsidiaries infected.

The 28 different languages supported in the UI do not fully correlate with the infected nations, i.e  Iran and other Islamic countries suffered infections in the campaign, yet Arabic or Farsi are not supported. This may point to the attackers’ original target audience. Perhaps certain countries or regions were flagged by the attacker as victims that rarely pay and hence are not “worth” the effort, or might have been reachable with English if they accidentally became targets-of-opportunity. Alternatively, the supported languages may have been selected by the attacker due to political views, revenge or statistical analysis of susceptible system per country.

As of Monday mid-day, the amount of money collected by the actors was equivalent to $59,000 in Bitcoins (BTC), suggesting that few victims actually paid the ransom. We predict more victims will pay as the clock ticks closer to decryption day (D-day) when files will actually be lost.  

Attack motives and profiling

The motive in this case is likely financial. A successful, large-scale attack can easily yield millions of dollars in BTC. It is our estimation that this attack was carried out by a cybercrime threat actor, with little experience in other large-scale campaigns. This is based on the following:

• Using only 3 BTC wallets to support hundreds of thousands of possible transactions
• The kill-switch implementation
• Weird choice of languages
• The few changes in UI from the older version (that didn’t not yield prosperously)
• Using somebody else’s code to gain “superpowers”

The main challenge for the attacker is the cash out process. Though BTC is an anonymous method, there are many eyes watching for the wallet; and large fund movement is conspicuous. Also, in case the attacker successfully amasses millions of dollars, the money-laundering and legitimizing process of these funds will be challenging since converting large amounts of BTC into cash is quite hectic and requires many resources.

What’s next?

Since the kill switch domain discovery, there’s been a temporary lull in infections,  but this will not last long. Here’s what the near future will likely have in store:

• A large cash influx on or just before D-day. Currently there is no successful way to decrypt your files without paying. The “incentives” given to the victims will probably make most of them pay before the initial three days have passed. However, large organizations with a decent backup policy will probably not pay.
• New variant with no kill switch or a more sophisticated and less obvious kill switch. This has been predicted by many experts and some samples have been spotted in the wild that can already override the kill switch mechanism. A new variant means a new wave of attacks (probably of smaller effect since many organization have now patched and secured their networks).
• Appearance of new malware/ransomware that leverages other vulnerabilities, exploits or tools that were used by other nation states and were leaked. The proliferation of new “super weapons,” especially delivery mechanisms that likewise present a window of opportunity, such as those discussed in our blog post on Vault 7.