
By: Aman2406
December 9, 2017
Wanna-Cry Ransomware: The cyber attack the world is not ready for
Introduction:
The world we live in is moving towards digitization: data is now stored digitally and can be accessed at any moment, making life much easier than before. Many people can access that data very cheaply, with everything available to them in one click. Digitalisation has improved the lifestyle of computer users at a fast rate, but as we know, it is a double-edged sword. Digitalisation has really helped in controlling crime by making it easier to get things done and to manage documentation, but it is creating a lot of security problems for an individual's private or professional information. These days there is a large increase in cyber theft and attacks in which criminals use malicious programs or scripts such as spyware, malware, trojans, phishing attacks and ransomware. Ransomware is a kind of attack in which the attacker slips malicious code into a user's vulnerable system; it is programmed to run in the background, making it difficult for the user or the system's security measures to intercept its execution. When ransomware executes successfully, it targets all the files in the system's storage with extensions like .docs, .xls, .pdf, .mp3 and many more, and encrypts them via a symmetric-key algorithm using a two-key combination (public and private key), leaving the data inaccessible to the user. The user then has only two options: pay the demanded ransom, which does not guarantee that the attacker will decrypt the data, or format the system and lose all the precious data.
On 12th May, Wanna Cry made its loud and bold entry into this digitized world, creating havoc among all the users who were targeted. The ransomware brought down hospital systems in the United Kingdom, universities in China, rail systems in Germany and auto plants in Japan.
This attack nearly pulverized around 23 thousand workstations in about 150 known countries. The ransomware was spread through documents sent via email and through secondary infection of systems that were already affected by a virus providing a backdoor for future attacks. The main objective of the ransomware was to execute itself in the background of a system without alerting the user or any security protocol. After a successful execution, the ransomware was designed to encrypt all the available files, which are difficult for the user to decrypt or access without the decrypter designed by the hacker. To get the data back, the user has to pay a ransom of 300 USD in the form of the famous cryptocurrency Bitcoin.
The first ransomware was called the AIDS trojan, which emerged in 1989, but it is primitive now. It was spread using floppy disks, and the victims were asked to send $189 to a postal address in Panama as the ransom. Of all the ransomware released so far, Wanna Cry proved to be the most disastrous virus in history because of its ability to spread very fast through an organization's servers via a Windows operating system vulnerability, which was patched by Microsoft this year in March. The vulnerability was called EternalBlue and was released by an unknown hacking group calling themselves Shadow group, who were responsible for a cyber attack on the NSA and for copying its cyber weapons/tools, which were rumored to be designed by the infamous Equation Group, an elite cyber squad working for the NSA. The NSA found out about the vulnerability long ago, but chose to keep it as a vulnerability for spying on individuals instead of getting it patched.
Wanna Cry has a module that lets it scan intensely over TCP port 445, spreading in the same manner as a worm, which is enough to compromise a system, encrypt all the available files and then ask for a ransom for decrypting them.
This ransomware was designed in such a way that it does not act as a threat that scans network ranges to find which systems to spread to; instead, it scans for the vulnerability and then spreads to the systems that have it.
Microsoft took responsibility for the vulnerability and released a patch for the older versions of the operating system on the day of the occurrence. The spread of this attack was on a gruesome scale: many attackers had already used the vulnerability as their trump card, and although it was patched later, by that time many organizations had already faced the consequences.
Effect of Wanna Cry:
The harsh truth is that Wanna Cry not only affected the lives of average people but put them at gruesome risk by targeting the healthcare industry and its patients. In total, around 16 healthcare centers were targeted by the ransomware in the United Kingdom. In Germany, Deutsche Bahn was targeted; one of its spokespeople later declared that the situation was under control, that only some of the passenger information was inoperative, and that some ticket vending machines malfunctioned. Many globally renowned companies were also affected, such as FedEx and Nissan. Nissan clearly stated that they were able to withstand the attack and that there was no impact on their business, whereas FedEx went through some serious Windows system malfunctions and was desperately trying to fix the issue. In China, many universities were targeted and an alert was released by the security firm Qihoo360. Many gas stations were also affected: all the digital payment systems were compromised, which forced customers to pay in cash instead of plastic money. In Russia, many places were targeted, including the Russian central bank, the railways, the interior ministry and Megafon. The ransomware attack on Russia turned out to be a failure thanks to the response teams there, who were able to defend against the attack easily. The Russian central bank's spokesperson said that their servers received a tremendous number of emails containing the malicious code, but they were able to withstand the attack and no data was compromised. At Russian railways, the virus did disrupt some of the IT systems, but they were able to fend off the attack quickly. The interior ministry was targeted and around 1 percent of its systems were compromised; thanks to emergency procedures, all the systems were fixed in no time.
The spokesperson for the multinational corporation Megafon also declared that the virus had compromised their call center, but that their internal network was safe. In Spain, it was announced that Telefonica was the biggest target, but it was a relief that their response team was also able to withstand the attack, and in the end it was declared that all the information was saved from a leak. In Japan, Hitachi was the biggest corporation targeted. It was reported that their systems were compromised; they declared that their systems had been facing issues for a week, including being unable to send or receive any kind of email, but it was a relief that the attack did not harm their business activities.
India was one of the countries on that hit list, but compared with the other countries it was not as lucky, as the attack on the country was massive. As per the report provided by eScan antivirus, many parts of India faced the attack directly: Madhya Pradesh was the most affected state, facing around 32 percent of the ransomware attacks. Next was Maharashtra, which took around 18 percent of the attacks, and then Delhi, which took around 8 percent. Many famous telecom companies like Bharti Airtel and Vodafone also faced this issue and were among the most affected.
Process:
Most ransomware is concealed in a document file, such as a PDF or Word document, or sometimes arrives through a system that is already infected and offers a backdoor for the intrusion. When the ransomware executes, it contacts the central server for the information it needs to activate and then uses that information to encrypt the available files. After much research, it was later revealed how Wanna Cry worked to compromise a system. Thanks to the NSA hack and the dump released by the hacking group Shadow Broker, along with binary files and captured packets, we can trace the functioning of Wanna Cry from the beginning to the final phase. Through the NSA dump, a new vulnerability for Windows operating systems became known, called EternalBlue, which was exploited by the NSA for eavesdropping and tracking. The EternalBlue vulnerability is in Server Message Block (SMB) and was found in Windows XP through 7 and in some Windows Server editions such as 2003 through 2008.
The technique used for this vulnerability is called heap spraying, in which malicious code is injected via shellcode to exploit the system. The code was used to target vulnerable systems by their IP addresses via SMB port 445. The EternalBlue vulnerability is related to the known backdoor DoublePulsar, and it even checks whether the backdoor is present and active in the system. When EternalBlue is executed, it sends an SMB echo request to the targeted machine. After the request is initialized, it sets up the exploit for the targeted machine. Then it performs SMB fingerprinting, and after its completion it attempts the exploit. If the exploitation process turns out to be successful, the attacker gains access to the victim's system and the exploit pings the backdoor for an SMB reply. If the backdoor is not installed, then the exploit starts its work.
The code is able to beacon out to probable SMB targets, allowing the malicious code to proliferate to exposed machines on the connected network. This ability is what makes Wanna Cry ransomware such a disastrous tool, as it can easily circulate and self-propagate, causing extensive infection without any user interaction.
DoublePulsar is the backdoor used by EternalBlue for the exploitation, which makes them closely related. This malware uses an Asynchronous Procedure Call (APC) to inject a DLL file into the user mode of lsass.exe, which stands for Local Security Authority Subsystem Service, used by the Windows directory. Once the DLL file is injected into the system, exploit shellcode is installed in order to maintain persistence on the victim's workstation. After verifying that the whole procedure was successful, the backdoor is removed from the system. The DoublePulsar malware is used to set up a connection that allows an attacker to extract data or to install other malware into the system discreetly. This enables the attacker to establish a Ring 0 level connection via SMB on TCP port 445 or via RDP on TCP port 3389.
Technical Analysis of attack:
When a system gets infected by Wanna Decryptor, the installer extracts an embedded file into the same folder in which the installer is stored. The extracted file is a password-protected zip archive containing a variety of files that are used and executed by Wanna Decryptor. The Decryptor loader extracts the contents of the zip into the same folder and executes startup tasks. It then extracts localized versions of the ransom note into the msg folder. Wanna Decryptor supports many languages, including Bulgarian, Cantonese, Mandarin, Croatian, Dutch, Filipino, English, Korean, Latvian, French, Greek, German, Finnish, Italian, Japanese, Norwegian, Portuguese, Polish, Russian, Romanian, Spanish, Slovak, Turkish and Vietnamese. After this task, the decryptor accesses the URL “https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip” to download a TOR client and extracts it to the TaskData folder. The files extracted from the TOR client are used to begin communication with ransomware servers like:
- “x7ekbenv2riucmf.onion”
- “7g7spgrzlojinas.onion”
- “xxlvbrloxvriy2c5.onion”
- “76jdd2ir2embyv47.onion”
- “cwwnhwhlz52maqm7.onion”
The ransomware then terminates database and mail server processes with the following commands:
- “taskkill.exe /f /im mysqld.exe”
- “taskkill.exe /f /im sqlwriter.exe”
- “taskkill.exe /f /im sqlserver.exe”
- “taskkill.exe /f /im MSExchange*”
- “taskkill.exe /f /im Microsoft.Exchange.”
It then encrypts files with the following extensions:
.der, .pfx, .key, .crt, .csr, .pem, .odt, .ott, .sxw, .stw, .uot, .max, .ods, .ots, .sxc, .stc, .dif, .slk, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mkv, .flv, .wma, .mid, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .hwp, .snt, .onetoc2, .dwg, .pdf, .wks, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc
At the time of encryption, the ransomware adds the “WannaCry!” string, a file marker, to the beginning of each file. After encryption, it appends the .WNCRY extension to the file name so that it can later verify that the file is encrypted. While encrypting files, it saves a “@Please_Read_Me@.txt” ransom note and a copy of the decryptor “@WanaDecryptor@.exe” to each and every folder whose files have been encrypted. At the last stage, the Wanna Cry encryptor executes commands that clear the shadow volume copies, disable Windows start-up recovery, and clear the Windows backup history, using the following command:
“C:\Windows\SysWOW64\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet”
At the final stage, the installer runs the “@WanaDecryptor@.exe” program so that the Wanna Cry lock screen is displayed to the user. This screen shows the user information such as how to pay the ransom and how to select the language.
When the user clicks the make payment button, the ransomware communicates with the TOR servers to verify whether the payment has been made. If the payment was made, the ransomware will automatically decrypt all the files. If the payment has not been made, the user gets a dialogue box asking them to complete the transaction and check again after 2 hours.
Plans to Control/Mitigate the risk:
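
One control that follows from the technical analysis above is alerting on the recovery-inhibiting and process-killing command lines it quotes. The sketch below is an added example, not code from the original article; the rule names, event format and host names are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Patterns for the command lines quoted in the article; rule names are made up here.
RULES = {
    "shadow_delete_vssadmin": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows?\b"),
    "shadow_delete_wmic": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b"),
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b"),
    "backup_catalog_delete": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    "db_or_mail_process_kill": re.compile(
        r"\btaskkill(\.exe)?\s+/f\s+/im\s+"
        r"(mysqld|sqlwriter|sqlserver|msexchange|microsoft\.exchange)"),
}

# Constructed process-creation events (host names and layout are illustrative).
SAMPLE_EVENTS = [
    {"host": "WS-014", "cmdline": r"C:\Windows\SysWOW64\cmd.exe /c vssadmin delete shadows "
        r"/all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy "
        r"ignoreallfailures & bcdedit /set {default} recoveryenabled no & "
        r"wbadmin delete catalog -quiet"},
    {"host": "WS-014", "cmdline": "taskkill.exe /f /im mysqld.exe"},
    {"host": "SRV-02", "cmdline": "vssadmin list shadows"},          # benign inventory
    {"host": "SRV-03", "cmdline": "wbadmin delete catalog -quiet"},  # could be an admin
    {"host": "WS-020", "cmdline": "taskkill /f /im notepad.exe"},    # unrelated process
]


def match_rules(cmdline):
    """Return the sorted names of all rules that fire on one command line."""
    norm = " ".join(cmdline.lower().split())  # case-fold and collapse whitespace
    return sorted(name for name, rx in RULES.items() if rx.search(norm))


def triage(events):
    """Group hits per host; two or more distinct rules on one host is 'high'."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(match_rules(ev["cmdline"]))
    report = {}
    for host, rules in hits.items():
        if rules:
            # A single hit may be administration; stacked hits match the chain above.
            report[host] = ("high" if len(rules) >= 2 else "medium", sorted(rules))
    return report


if __name__ == "__main__":
    for host, (severity, rules) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity} -> {', '.join(rules)}")
```
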
As we have always heard, “Prevention is always better than cure”, so prevention is essential in keeping a system safe. It is recommended that all users keep their critical software, such as the operating system and antivirus, up to date with the latest released patches. Always use a dependable multilayer security solution. Important data should be backed up to a hard drive other than the connected storage, kept offline.
Ransomware can be delivered via many sources, such as spam emails, Adwords, and websites created in order to deliver ransomware to victims. Ransomware restricts the user's use of the system after infecting it and is divided into three categories: scareware, lock-screen, and encryption. Some suggested steps to prevent another attack:
- Update the system with the patch Microsoft released, “MS17-010”, to fix the SMB vulnerability.
- Enable spam filters to stop phishing emails from reaching the end user, and authenticate inbound email with SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting and Conformance) and DKIM (DomainKeys Identified Mail) to prevent email spoofing.
- All the incoming and outgoing emails should be scanned for the threat and the executable files should be filtered from reaching the end user.
- Test all the backups to ensure they are working correctly.
- Execute regular penetration testing on the server in order to discover any vulnerability and fix it.
- Develop and run employee training on identifying frauds, malicious links, and social engineering attacks.
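
To scope an incident, the file artefacts described in the technical analysis (the file marker, the .WNCRY extension, and the note and decryptor copied into each folder) can be searched for on disk. This is an added example, not code from the original article; the marker string is taken as quoted on this page and should be confirmed against a known sample, the report layout is an assumption, and the sample tree is constructed from harmless placeholder files.

```python
import os
import tempfile

MARKER = b"WannaCry!"   # file marker as quoted in the article (not verified here)
ENC_EXT = ".wncry"      # appended extension, compared case-insensitively
DROPPED = {"@please_read_me@.txt", "@wanadecryptor@.exe"}  # per-folder artefacts


def classify(path):
    """Return the set of indicators one file exhibits (empty set means none)."""
    found = set()
    name = os.path.basename(path).lower()
    if name in DROPPED:
        found.add("dropped_artefact")
    if name.endswith(ENC_EXT):
        found.add("extension")
    try:
        with open(path, "rb") as fh:  # read only the header, never the whole file
            if fh.read(len(MARKER)) == MARKER:
                found.add("marker")
    except OSError:
        found.add("unreadable")       # locked or denied files are noted, not hidden
    return found


def scan(root):
    """Walk root and summarise indicators per directory (paths relative to root)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        entry = {"encrypted": [], "marker_only": [], "dropped": []}
        for fn in sorted(files):
            ind = classify(os.path.join(dirpath, fn))
            if "dropped_artefact" in ind:
                entry["dropped"].append(fn)
            elif "extension" in ind:
                entry["encrypted"].append(fn)
            elif "marker" in ind:
                entry["marker_only"].append(fn)  # marker present, extension renamed
        if any(entry.values()):
            report[os.path.relpath(dirpath, root)] = entry
    return report


def build_sample_tree(root):
    """Constructed sample data: placeholder files that only mimic the indicators."""
    samples = {
        "docs/report.docx.WNCRY": MARKER + b"\x00" * 16,
        "docs/@Please_Read_Me@.txt": b"constructed placeholder note",
        "docs/@WanaDecryptor@.exe": b"constructed placeholder, not a program",
        "docs/notes.txt": b"ordinary text",
        "pics/photo.jpg": MARKER + b"\x00" * 16,
        "clean/readme.txt": b"ordinary text",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, entry in sorted(scan(tmp).items()):
            print(folder, entry)
```

Folders that appear in the report show where encryption reached; a folder with no entry, such as `clean` in the sample tree, had none of the indicators.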
Future prediction of Problems:
Ransomware is not a new concept to us; it has been used by hackers for a long time. These days the use of ransomware has increased because it is very profitable. The attack on the NSA by the hacker group Shadow Broker, and the release of a bunch of tools and code written by the famous Equation Group, has led to an increasing number of attacks. These tools are available to hackers on the Dark Web, and it was discovered that the Wanna Cry attack originated from one of the codes in that release. So we can expect many attacks like this in the future, but with more destructive force than now.
In Wanna Cry, the ransomware encrypts all the data, but in future new enhancements can be made to the virus for better efficiency. In future, a hacker could add a new module to the ransomware which, instead of encrypting, corrupts the data beyond recovery. It could amount to a complete wipeout of all the files available on the victim's system. The hacker could also drop all the tables in a company's database or tamper with the records of the desired database. These days, due to the rise of IoT, hackers have a lot of choice in selecting their targets. Hackers can use a disruptive attack, and the attack can originate from a web vulnerability or from an IoT device's lack of security. Take the example of today's connected automobiles and futuristic autonomous automobiles, as both can have internet connectivity, either through an owner-controlled car option or from the vendor. A vulnerability in the web server communication within this application or in the update mechanism can lead to remote code execution on the automobile. Any hacker who has compromised the device could hold someone hostage and demand a ransom while threatening to disable the vehicle's brake or steering mechanism.
It could be more troublesome if a hacker compromised a vendor's server, took control of all the automobiles and demanded a ransom directly from the vendor. In future, we may see the virus evolve from ransomware to extortion-ware.
Conclusion:
After studying and reading numerous research papers and articles, I concluded that ransomware these days is a new trend among hackers for making quick money. As the world moves towards digitalization, we are making it more vulnerable, since perfect security is still a myth, yet it keeps us and other people under the illusion that they are safe. From studying ransomware, the concept is simple: a hacker attacks a target and encrypts the victim's data until he pays the desired ransom. These days everything is becoming a computer; even our microwave oven is a computer that is used to heat stuff up. Our refrigerator is a device to freeze stuff. The cars, traffic lights, televisions, everything that is connected to the government power grid is now a computer, and this is all because of the hyped Internet of Things (IoT). Due to lack of security, when these devices are connected to the internet, they all become vulnerable to ransomware and other system threats. It is just a matter of time before hackers target people's daily-need utilities in order to get a ransom, such as disabling a car's engine or brake and asking for a ransom to get it working again. The attacker can also compromise the door security of a house to blackmail the user for a ransom if he wants to get out of the house. It could be more disastrous if these hackers compromised devices like heart pacemakers, asking for a ransom in order to keep them working.
We always wonder where these hackers are getting such ideas, but going by past incidents, they were all government ideas whose code was stolen, and before that the government was doing the same thing.
One of the CIA's leaked tools was able to target internet-enabled Samsung Smart televisions, which can be used for eavesdropping.
These days, due to low-cost IoT devices in the market, hackers have numerous targets. Unlike big corporations like Microsoft, which have both the capital and the human resources to patch any vulnerability, the companies behind these devices don't have the funds or technical resources to provide security updates for the vulnerabilities. These devices are also not like smartphones or computers, which are replaced as modern technology is released. They are expected to last for decades, like cars, refrigerators and televisions. So, at the time of an attack, the best practice is to throw these cheap devices away and get new ones.
We all know that the solution to these problems is neither easy nor pretty, and the market is not going to fix this unassisted. Security is a hard-to-evaluate feature against a future risk, and customers have long rewarded companies that provide easy-to-compare features and a quick time to market at its expense. There should be guidelines and regulation assigning liability to corporations that write insecure applications that put people's lives in jeopardy. Basic standardization should also be introduced for IoT devices. It would also be very much appreciated if government agencies like the NSA, Homeland Security and the CIA directed their attention towards keeping the information infrastructure safe by getting vulnerabilities fixed, instead of keeping it vulnerable and using the vulnerabilities to eavesdrop on people.
This may be wrong to say, but we are creating a future for ourselves where everything from our own property to our national infrastructure is vulnerable and can be held for ransom by cyber criminals numerous times.