Ransom.Wannacry

Ransom.Wannacry
【外部リンク】
https://www.symantec.com/security_response/writeup.jsp?docid=2017-051310-3522-99
Initial infection
At this time, the initial infection vector is unknown. There have been discussions of the threat being initially spread through email but this has not been confirmed.

Given the nature of the infection routine, it is possible that only a small number of targets may have been initially seeded with the worm and then the worm propagation routine continued to expand out the pool of compromised computers.

WannaCry is a threat composed of two main parts, a worm module and a ransomware module. The ransomware module is spread by a companion worm module. The worm module uses the Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0144) and the Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0145) to spread.


Ransom demand amount
US$300-$600 paid in bitcoin

Protection

Antivirus
Ransom.Wannacry
Ransom.CryptXXX
Trojan.Gen.8!Cloud
Trojan.Gen.2
Ransom.Wannacry!gen1
Ransom.Wannacry!gen2
Ransom.Wannacry!gen3

SONAR behavior detection technology
SONAR.AM.E.!g18
SONAR.AM.E!g11
SONAR.Cryptlk!g1
SONAR.Cryptlocker!g59
SONAR.Cryptlocker!g60
SONAR.Cryptlocker!g80
SONAR.Heuristic.159
SONAR.Heur.Dropper
SONAR.Heur.RGC!g151
SONAR.Heur.RGC.CM!g13
SONAR.Heuristic.158
SONAR.Heuristic.161
SONAR.SuspDataRun
SONAR.SuspLaunch!g11
SONAR.SuspLaunch!gen4
SONAR.TCP!gen1

Advanced machine learning
Heur.AdvML.A
Heur.AdvML.B
Heur.AdvML.D

Network-based protection
OS Attack: Microsoft SMB MS17-010 Disclosure Attempt
Attack: Shellcode Download Activity
System Infected: Ransom.Ransom32 Activity

Mitigation
Apply patches for the following issues:
Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0144)
Microsoft Windows SMB Server Remote Code Execution Vulnerability (CVE-2017-0145)

For more information, please see the following resources
What you need to know about the WannaCry Ransomware
Can files locked by WannaCry be decrypted: A technical analysis
Antivirus Protection Dates
Initial Rapid Release version May 12, 2017 revision 006
Latest Rapid Release version July 5, 2017 revision 009
Initial Daily Certified version May 12, 2017 revision 009
Latest Daily Certified version July 5, 2017 revision 008
Initial Weekly Certified release date May 17, 2017

The worm may attempt to connect to the following Tor domains:
gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2i r2embyv47.onion
cwwnhwhlz52maqm7.onion
Files
When it is first executed, it copies itself to the following locations:
%SystemDrive%\ProgramData\[RANDOM_STRING]\tasksche.exe
%SystemDrive%\Intel\[RANDOM_STRING]\tasksche.exe

It may then create the following files:
[PATH_TO_RANSOMWARE]\!WannaDecryptor!.exe
[PATH_TO_RANSOMWARE]\c.wry
[PATH_TO_RANSOMWARE]\f.wry
[PATH_TO_RANSOMWARE]\m.wry
[PATH_TO_RANSOMWARE]\r.wry
[PATH_TO_RANSOMWARE]\t.wry
[PATH_TO_RANSOMWARE]\u.wry
[PATH_TO_RANSOMWARE]\TaskHost
[PATH_TO_RANSOMWARE]\00000000.eky
[PATH_TO_RANSOMWARE]\00000000.pky
[PATH_TO_RANSOMWARE]\00000000.res
%Temp%\0.WCRYT
%Temp%\1.WCRYT
%Temp%\2.WCRYT
%Temp%\3.WCRYT
%Temp%\4.WCRYT
%Temp%\5.WCRYT
%Temp%\hibsys.WCRYT
%UserProfile%\Desktop\!WannaCryptor!.bmp
C:\Intel\zirjvfpqmgcm054\TaskData\Tor\taskhsvc.exe
C:\Intel\zirjvfpqmgcm054\TaskData\Tor\tor.exe
C:\Intel\zirjvfpqmgcm054\taskdl.exe
C:\Intel\zirjvfpqmgcm054\tasksche.exe
C:\Intel\zirjvfpqmgcm054\taskse.exe
C:\Intel\zirjvfpqmgcm054\@WanaDecryptor@.exe
C:\Intel\zirjvfpqmgcm054\msg\m_bulgarian.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_chinese (simplified).wnry
C:\Intel\zirjvfpqmgcm054\msg\m_chinese (traditional).wnry
C:\Intel\zirjvfpqmgcm054\msg\m_croatian.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_czech.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_danish.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_dutch.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_english.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_filipino.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_finnish.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_french.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_german.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_greek.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_indonesian.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_italian.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_japanese.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_korean.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_latvian.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_norwegian.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_polish.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_portuguese.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_romanian.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_russian.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_slovak.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_spanish.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_swedish.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_turkish.wnry
C:\Intel\zirjvfpqmgcm054\msg\m_vietnamese.wnry
C:\Intel\zirjvfpqmgcm054\b.wnry (copy of @WanaDecryptor@.bmp)
C:\Intel\zirjvfpqmgcm054\c.wnry
C:\Intel\zirjvfpqmgcm054\f.wnry
C:\Intel\zirjvfpqmgcm054\r.wnry (copy of @Please_Read_Me@.txt)
C:\Intel\zirjvfpqmgcm054\s.wnry
C:\Intel\zirjvfpqmgcm054\t.wnry
C:\Intel\zirjvfpqmgcm054\u.wnry

Registry modifications
The ransomware module may create the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Update Task Scheduler" = ""[PATH_TO_RANSOMWARE]\[RANSOMWARE_EXECUTABLE]" /r"
HKEY_LOCAL_MACHINE\SOFTWARE\WannaCryptor\"wd" = "[PATH_TO_RANSOMWARE]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"zirjvfpqmgcm054" = ""C:\Intel\zirjvfpqmgcm054\tasksche.exe""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zirjvfpqmgcm054\Security\"Security" = "[HEXADECIMAL VALUE]"
HKEY_LOCAL_MACHINE\SOFTWARE\WannaCryptor\"wd" = "[PATH_TO_RANSOMWARE ]"

The ransomware module also sets the following registry entry to change the desktop background image:
HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%UserProfile%\Desktop\!WannaCryptor!.bmp"

Service creation
It then creates the following service which will enable it to be restarted whenever the computer starts:

Service name: [RANDOM_STRING]
Display name: [RANDOM_STRING]
Binary path: cmd.exe /c [PATH_TO_RANSOMWARE]
Start type: SERVICE_AUTO_START

End processes
It attempts to end the following processes:
sqlwriter.exe
sqlserver.exe
Microsoft.Exchange.*
MSExchange*

Encryption routine
After successful installation, the ransomware module will then search for files to encrypt. It looks for files with the following file extensions:
.123
.3dm
.3ds
.3g2
.3gp
.602
.7z
.ARC
.PAQ
.accdb
.aes
.ai
.asc
.asf
.asm
.asp
.avi
.backup
.bak
.bat
.bmp
.brd
.bz2
.cgm
.class
.cmd
.cpp
.crt
.cs
.csr
.csv
.db
.dbf
.dch
.der
.dif
.dip
.djvu
.doc
.docb
.docm
.docx
.dot
.dotm
.dotx
.dwg
.edb
.eml
.fla
.flv
.frm
.gif
.gpg
.gz
.hwp
.ibd
.iso
.jar
.java
.jpeg
.jpg
.js
.jsp
.key
.lay
.lay6
.ldf
.m3u
.m4u
.max
.mdb
.mdf
.mid
.mkv
.mml
.mov
.mp3
.mp4
.mpeg
.mpg
.msg
.myd
.myi
.nef
.odb
.odg
.odp
.ods
.odt
.onetoc2
.ost
.otg
.otp
.ots
.ott
.p12
.pas
.pdf
.pem
.pfx
.php
.pl
.png
.pot
.potm
.potx
.ppam
.pps
.ppsm
.ppsx
.ppt
.pptm
.pptx
.ps1
.psd
.pst
.rar
.raw
.rb
.rtf
.sch
.sh
.sldm
.sldx
.slk
.sln
.snt
.sql
.sqlite3
.sqlitedb
.stc
.std
.sti
.stw
.suo
.svg
.swf
.sxc
.sxd
.sxi
.sxm
.sxw
.tar
.tbk
.tgz
.tif
.tiff
.txt
.uop
.uot
.vb
.vbs
.vcd
.vdi
.vmdk
.vmx
.vob
.vsd
.vsdx
.wav
.wb2
.wk1
.wks
.wma
.wmv
.xlc
.xlm
.xls
.xlsb
.xlsm
.xlsx
.xlt
.xltm
.xltx
.xlw
.zip

Encrypted files
Files that are encrypted will be renamed with .WCRY appended to the file name. For example:
Original file name: readme.txt
Encrypted file name: readme.txt.WCRY

The following files are dropped inside every folder where files are encrypted:
Please_Read_Me@.txt
@WanaDecryptor@.exe.lnk
!WannaDecryptor!.exe.lnk
!Please Read Me!.txt

Encryption keys
Each file is encrypted with a separate AES (symmetric) encryption key. Each AES encryption key is separately encrypted using 2048 bit RSA (public key encryption).

OTHER FUNCTIONALITY
The ransomware module creates the following mutexes so that only one instance of the ransomware can run:
Global\WINDOWS_TASKOSHT_MUTEX0
Global\WINDOWS_TASKCST_MUTEX
Global\MsWinZonesCacheCounterMutexA

Ransom payment
The WannaCry payment logic is as follows:
WannaCry will create a file named 00000000.res which contains information including a unique user ID, total encrypted file count, and total encrypted file size etc.
WannaCry sends the user data in 00000000.res to the C&C servers which are hidden in the Tor network.
The WannaCry C&C server returns a new Bitcoin address which is linked to the user. The new Bitcoin address will be saved to the configuration file c.wnry to replace the old address (which is hardcoded in the sample).
Once the "Check Payment" button is clicked, WannaCry will send the user data in 00000000.res and the encrypted private key in 00000000.eky to the C&C servers.
If the payment is confirmed, the C&C servers will return the decrypted private key.
WannaCry then saves the decrypted private key to 00000000.dky and the decryption process uses the key in 00000000.dky to decrypt the files.

Due to a race condition bug, the above code fails and defaults to three bitcoin addresses:
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

As these Bitcoin addresses are shared among all victims as the method of payment, the attacker will be unable to determine whether a victim has paid.

【外部リンク】
https://community.norton.com/ja/blogs/product-update-announcements/wannacry-%E3%83%A9%E3%83%B3%E3%82%B5%E3%83%A0%E3%82%A6%E3%82%A7%E3%82%A2%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6%E7%9F%A5%E3%81%A3%E3%81%A6%E3%81%8A%E3%81%8F%E3%81%B9%E3%81%8D%E3%81%93%E3%81%A8
WannaCry ランサムウェアについて知っておくべきこと

【外部リンク】
https://www.symantec.com/connect/ja/blogs/wannacry-1?inid=hho_forums_srb_ransomwannacry
シマンテック公式ブログ
WannaCry ランサムウェアについて知っておくべきこと

2017 年 5 月、WannaCry ランサムウェアが全世界を急襲しました。WannaCry の攻撃が拡散する経緯を理解し、同様の攻撃からネットワークを保護しましょう。
SONAR の動作検出テクノロジ

SONAR.AM.E.!g18
SONAR.AM.E!g11
SONAR.Cryptlk!g1
SONAR.Cryptlocker!g59
SONAR.Cryptlocker!g60
SONAR.Cryptlocker!g80
SONAR.Heuristic.159
SONAR.Heur.Dropper
SONAR.Heur.RGC!g151
SONAR.Heur.RGC.CM!g13
SONAR.Heuristic.158
SONAR.Heuristic.161
SONAR.SuspDataRun
SONAR.SuspLaunch!g11
SONAR.SuspLaunch!gen4
SONAR.TCP!gen1
高度な機械学習

Heur.AdvML.A
Heur.AdvML.B
Heur.AdvML.D
ウイルス対策

保護と検出を強化するために、以下のウイルス対策シグネチャが更新されました。

Ransom.Wannacry
Ransom.CryptXXX
Trojan.Gen.8!Cloud
Trojan.Gen.2
Ransom.Wannacry!gen1
Ransom.Wannacry!gen2
Ransom.Wannacry!gen3
シマンテック製品をお使いの場合は、最新状態で保護されるように、LiveUpdate を実行して、次のバージョン以降の定義がインストールされていることを確認してください。

20170512.009
次の IPS シグネチャも、Ransom.Wannacry 関連の活動を遮断します。

System Infected: Ransom.Ransom32 Activity