Wannacry: The Ransomware That Spreads

Wannadecryptor, or better known as WannaCry, is a malware strain finding its roots in the Wikileaks’ NSA exploit tool leak from earlier last year. Microsoft specifically, exclaims that the ransomware utilizes the vulnerability codenamed “eternalblue” which impacts OS Windows XP, Windows 7, and Windows 8.  As of May 15 2017, the ransomware has infected over 75,000 systems in over 99 countries and has impacted everything from individual users, small businesses, hospitals, transit system infrastructure, to prolific companies such as Fedex.

What Makes Wannacry?

Wannacry is essentially a malware that takes advantage of the publicly leaked NSA toolkit “eternalblue” that allows for a remote code execution attack that takes advantage of a SMBv1 vulnerability in Windows. Now this particular exploit was patched on March 14th in MS17-010 and was issued even to End of Service OS’s such as Windows XP and Windows 8.

Furthermore, the ransomware acted in two variances: 1) Scanning for an open or unsecured smb server on port 445 that is connected to the internet or 2) email and other Phishing. In conjuncture with the nature of SMB’s vulnerability, this allowed for those infected with WannaCry to further spread the ransomware via their network at a rate that’s very uncommon with ransomware variants.

Additionally, a unique feature of Wannacry, the malware only acts and encrypts the file when it tries to, and unsuccessfully, connects to the domain “www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com” or  “www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. In fact, a conjoined effort by MalwareTech and DarienHuss indicated that by registering said Domain, and allowing Wannacry to successfully connect to it, the files would be left unencrypted; acting as a killswitch of sorts.

Furthermore, it would appear that the ransomware runs on a private key infrastructure utilizing RES-128 combined with RSA-2048 encryption with know known decryptor available publicly.

What Was The Impact?

According to Avast, over 250,000 detections of the malware  spread over 115 countries, with Russia and China being some of the biggest targets.

With regards to industries, many UK and Spanish hospitals have had their systems and machines affected with the addition of transit ticket machines being hit and automotive companies such as Renault and Nissan UK needing to halt production due to system compromise.


Furthermore, Microsoft was very outspoken towards Government “hoarding” of zero day exploits, likening the action as akin to “having some of its[The US military] Tomahawk missiles stolen” and even using the lessons learned to further advocate and persuade all Governments to subscribe to the establishment of a “Digital Geneva Convention” that would prevent the “stockpiling” and trade of digital exploits and encourage vendor reporting.

Who’s Behind It?

While we know it was the group Shadowbrokers who helped publicize the NSA leak and make way for exploit tools (furthermore, it seems they look to sell and trade some more exploits in June or so) many researchers are unsure as to who compiled the ransomware; citing its craftmanship to be that of a novice or thorough with their code.

As of the time I’m writing this, only about 55,000 USD has been made from the victims of the attack (which is quite small given the number of countries its reached and systems its infected) and the way the bitcoin account and payment settings are configured, the criminals behind wannadecrypt are unlikely to track who’s paid and who hasn’t. (as well as narrow down law enforcement’s search for the offending account ) Additionally, the existence of the domain killswitch seems contradictory to the aim of the malware, or at least problematic with regards that its tied to a lack of domain registration.

Furthermore, copycats have begun to make their rounds with Wannacrypt 2.0 and other variants; thankfully to equally diminishing returns however. Also of interest are two rumours circulating that Wanacrypt is the work of 1) North Korea citing earlier, similar efforts to the Sony Hacks, South Korean Bitcoin Hacks and Bangledesh Digital Bank Robbery. Or 2) linked to the Lazarus Group. Of course, only time may tell with regards to who may be behind the malware.

How to Stop It and How To Prevent It?

If you were already hit by ransomware or Wannacry, it is recommended NOT to pay the ransom. As mentioned earlier, it is unlikely you’ll ever receive a key due to poor tracking on their part, and for the overall message of not giving into kidnappers of your data. Instead, if you have a recent, or good quality backup it is recommended you restore to that and perform a malware scan with an updated anti-virus and anti-malware tool.

Also recommended is to install MS17-10 patches for all Windows systems applicable and ensure port 445 is not connected to the internet to dissuade a remote attack.

Furthermore, avoid sketchy emails and files; particularly if the file asks for elevated permissions to get the “document” working. This is likely to contain a strain of ransomware as phishing via ransomware has increased significantly over the past year or so.

UPDATE ( May 21, 2017):

It would seem MalwareTech, the individual who helped top the spread of Wanacry was inadvertently “doxxed” (having one’s personal information exposed” by UK Press. This may have interesting ramifications further on


Further Recommended Links

MalwareTech’s killswitch

Microsoft Breakdown of Wannacry


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s