How WannaCry made computers cry?

Comments · 3068 Views

The WannaCry ransomware attack was a global computer epidemic that took place in May 2017

WannaCry was a cryptoworm which is considered as one of the world’s infamous computer epidemic which targeted vulnerable Microsoft Windows operating system. The files from the computers were held hostage and the attackers demanded Bitcoin payments in return. The first victim of the worm is identified on May 12, 2017.

The above image shows the computer screen affected by the WannaCry cryptoworm.

What is WannaCry?

WannaCry ransomware was also known as Wana Decrypt0r, WCry, WannaCry, WannaCrypt, and WanaCrypt0r. WannaCry cryptoworm propagated through EternalBlue, an exploit developed by the United States National Security Agency (NSA) for older Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers. After the theft of the EternalBlue, Microsoft released patch that protects the computers from the vulnerability. The attack was targeted on the organizations that failed to apply the patch. According to multiple reports from security vendors, approximately 300,000 computers in over 150 countries had been severely damaged.

"PlayGame" propagated WannaCry

This malware has worm capabilities which means that it tries to be propagated via the network. For this, it uses the ETERNALBLUE (MS17-010) exploit with the intention of being propagated to all the computers that have not patched this vulnerability. EternalBlue is an exploit of Window's Server Message Block (SMB) protocol released by The Shadow Brokers. The worm component tries to connect to the following domain, using the InternetOpenUrl function: The aforementioned domain is a kill-switch domain. On the other hand, if the worm component cannot establish a connection with this, it continues to run and registers itself as a “Microsoft Security Center (2.0) Service” mssecsvs2.0 process on the infected machine. Hence, this kill-switch domain may be used as part of a detection technique when developing a defense system. All the actions are carried out by the service that the malware itself installs after its execution. Once the service has been installed and on execution, two threads are created which carry out the replication process to other systems.

The first action of this function is to obtain the "DLL stub" which shall be used to compose the "payload" to be sent to the victim computers and the malware itself is added to this "stub". This DLL contains a function called "PlayGame" that extracts and runs the resource of the DLL itself which, in this case, is the malware itself. In such a way that, when the 'PlayGame' function is called, the computer infection will start. This DLL never touches the drive as it is injected directly into the memory, specific in the LSASS process, after the execution of the ETERNALBLUE exploit in the compromised equipment.

Replication of WannaCry

The purpose of this 'PlayGame' function is to obtain miscellaneous information from the local network adapter in such a way that the IP addresses can be generated, pertaining to their network range, which they are subsequently going to attack. Then a new thread shall be created which carries out the exploitation of the vulnerability MS17-10 and infection by the worm on those computers which are vulnerable/unpatched. If the target computer is vulnerable, the worm duly injects its malicious code in it, to be precise, in the "LSASS.EXE" process, being executed remotely.

EternalBlue exploit and WannaCry

EternalBlue is an exploit of Window’s Server Message Block (SMB) protocol released by The Shadow Brokers. During the analysis, it was verified precisely how this same code is deployed which the NSA uses to carry out its implants. The only difference is that it does not need to use the DOUBLEPULSAR module as its intention is simply to be injected in the remote LSASS process. If compared with the already existing analyses, it can be seen how the "exploit" code is identical to that of the NSA 'opcode' by 'opcode'. The “exploit” carries out the same calls used in the NSA code to end up injecting the DLL sent in the LSASS process and execute its function called "PlayGame", thereby restarting the infection process from the compromised computer to other computers on the network.

Variants of WannaCry

Analysing the 5.1 million Wanna-A detections over the three-month period from October 1 through December 31, 2018, the analysis discovered something unexpected: The malicious file being dropped on these computers was not the original WannaCry mssecsvc.exe file. In fact, among the 5.1 million detections we identified 12,481 unique files.

  • The original, true WannaCry file was seen only 40 times, a number so low that it could easily be attributed to testing, rather than a real attack.
  • 12,005 of the unique files identified (96.1%) were seen fewer than 100 times each.
  • 476 of the unique files (3.8%) accounted for an overwhelming 98.8% of the detections.
  • Ten files accounted for 3.4 million (66.7%) of the detections, with the top three accounting for 2.6 million (50.1%).

Impacts of WannaCry

The above image shows the number of systems affected by Wannacry cryptoworm in different countries

The attack was first identified on May 12, 2017 at around 07:44 UTC. The initial attack was through Server Message Block port which windows uses to share files and printers. Within 24 hours of the first attack, the analysis shows the worm attacked around 3,000,000 systems in 150 countries. The Europol stated that this cryptoworm epidemic was an unprecedented attack in the cyber world. As per the reports from the multiple sources it was found that Russia, Ukraine, India and Taiwan was top four countries which was hardly attacked by the worm. 

National Health Services was one of the largest agencies hardly attacked by the worm causing malfunction of around 70,000 devices including computers, MRI scanners, blood-storage refrigerators and theatre equipment may have been affected. On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted. Nissan Motor Manufacturing UK in Tyne and Wear, England, halted production after the ransomware infected some of their systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware. Spain's Telefónica, FedEx and Deutsche Bahn were hit, along with many other countries and companies worldwide. The attack's impact is said to be relatively low compared to other potential attacks of the same type in the past. It could be worst if the kill switch was not identified. Also the impact was low since it was not targeted on the critical infrastructures like nuclear power plants or railway systems.

According to cyber-risk-modeling firm Cyence, economic losses from the cyber attack could reach up to US$4 billion, with other groups estimating the losses to be in the hundreds of millions.

Studies shows that Saudi Arabia was the hardest hit among the countries affected in the Wannacry attack in May 2019.

Defence against Worm

The attack was halted within a few days of its discovery due to emergency patches released by Microsoft and the discovery of a kill switch that prevented infected computers from spreading WannaCry further. The patch is available in the patch security/ms17-010.aspx

The connections entering SMB ports (137, 138, 139 and 445) from computers external to the network must be blocked.

Prevention of similar threats

  • Update your software and operating system regularly
  • Do not click on suspicious links
  • Never open untrusted email attachments
  • Do not download from untrusted websites
  • Avoid unknown USBs
  • Use a VPN when using public Wi-Fi
  • Back up your data