
MAY 15, 2017

WANNACRY RANSOMWARE REPORT

BACKGROUND
The Malware
WannaCrypt 2.0 (WannaCry, WannaCrypt0r) is the worm used in the most recent, widespread ransomware campaign. Infections were first reported on May 12, reportedly in association with a phishing email encouraging users to download and execute a malicious file. Post-execution, WannaCrypt encrypts 166 file types on the victim's computer and posts a message demanding Bitcoin payment in exchange for decryption.

Once settled on the host, the malware tries to propagate, mainly by using an exploit against the Server Message Block (SMB) protocol to infect new hosts in a network. This exploit is based on a tool called EternalBlue that was exposed in the Shadow Brokers dump. The malware scans hundreds of thousands of addresses on TCP port 445 (SMB) and attempts to run the exploit against each host that answers; a successful run results in a newly infected host. For supported versions of Windows (Windows 7 and later), Microsoft patched the vulnerability used by this exploit on March 14 in Microsoft Security Bulletin MS17-010. Microsoft also released a patch for unsupported operating systems on May 12, covering Windows XP, Windows 8 and Windows Server 2003. The only machines still vulnerable to this attack are unpatched systems.
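The propagation behavior described above (one host opening SMB connections to a large number of distinct addresses in seconds) is easy to spot in connection logs. The following PowerShell is an added example, not code from the Cybereason report: it parses lines in the Windows Firewall log (pfirewall.log) field order and flags any source that talks to more than a threshold of distinct hosts on TCP/445 inside a sliding window. The log lines are constructed for the example, with 10.0.5.17 playing the infected host, and the "internal" test (anything in 10.0.0.0/8) is an assumption you would replace with your own address plan.

```powershell
# Added example (not from the report): detect worm-style SMB fan-out in
# Windows Firewall log lines. Constructed sample input; 10.0.5.17 is the
# "infected" host, 10.0.5.40 is a normal client talking to one file server.
$FirewallLogLines = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 15:01:03 ALLOW TCP 10.0.5.17 10.0.5.23 49812 445 0 - 0 0 0 - - - SEND
2017-05-12 15:01:03 ALLOW TCP 10.0.5.17 10.0.5.24 49813 445 0 - 0 0 0 - - - SEND
2017-05-12 15:01:04 DROP TCP 10.0.5.17 10.0.5.25 49814 445 0 - 0 0 0 - - - SEND
2017-05-12 15:01:04 ALLOW TCP 10.0.5.17 10.0.5.26 49815 445 0 - 0 0 0 - - - SEND
2017-05-12 15:01:05 DROP TCP 10.0.5.17 203.0.113.40 49816 445 0 - 0 0 0 - - - SEND
2017-05-12 15:01:05 DROP TCP 10.0.5.17 198.51.100.7 49817 445 0 - 0 0 0 - - - SEND
2017-05-12 15:01:06 ALLOW TCP 10.0.5.17 10.0.5.27 49818 445 0 - 0 0 0 - - - SEND
2017-05-12 15:01:07 ALLOW TCP 10.0.5.17 10.0.5.28 49819 445 0 - 0 0 0 - - - SEND
2017-05-12 15:02:10 ALLOW TCP 10.0.5.40 10.0.5.2 50100 445 0 - 0 0 0 - - - SEND
2017-05-12 15:03:22 ALLOW TCP 10.0.5.40 10.0.5.2 50101 445 0 - 0 0 0 - - - SEND
2017-05-12 15:03:30 ALLOW TCP 10.0.5.41 10.0.5.2 50200 443 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$Threshold = 8,        # distinct /445 destinations that trigger an alert
        [int]$WindowSeconds = 60    # sliding window; the worm sweeps far faster than this
    )
    # Keep only TCP/445 attempts (ALLOW and DROP both count: the attempt is the signal)
    $events = foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }        # header, comments, blanks
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                                          [cultureinfo]::InvariantCulture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($bySrc in $events | Group-Object Src) {
        $sorted = @($bySrc.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $windowEnd = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $targets = @($sorted[$i..($sorted.Count - 1)] |
                Where-Object { $_.Time -le $windowEnd } |
                Select-Object -ExpandProperty Dst -Unique)
            if ($targets.Count -ge $Threshold) {
                [pscustomobject]@{
                    Source          = $bySrc.Name
                    WindowStart     = $sorted[$i].Time
                    DistinctTargets = $targets.Count
                    # Assumption: 10.0.0.0/8 is "internal"; adjust to your address plan
                    ExternalTargets = @($targets | Where-Object { $_ -notmatch '^10\.' }).Count
                }
                break   # one alert per source is enough for triage
            }
        }
    }
}

Find-SmbFanOut -Lines $FirewallLogLines | Format-Table -AutoSize
```

On the sample input only 10.0.5.17 is reported (8 distinct targets in four seconds, 2 of them external); the client that reconnects to the same file server twice is not. Tune the threshold against your own baseline: a backup server or a vulnerability scanner will legitimately fan out on 445 and should be allow-listed rather than lowering the bar.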

cybereason.com
200 Clarendon St, Boston, MA 02116 1
Campaign preparation
The initial campaign (if indeed perpetrated by the same attacker), in which the first version, WannaCryptor, was used, began in early March. It spread through spear-phishing and had no autonomous propagation mechanism. The new, heavily weaponized variant relies on an exploit that was made public on April 14, which means the threat actor had less than one month to do the following:

Integrate the propagation exploit. The worm can be divided into three main code components: the ransomware payload, the exploit and the code in charge of propagation. The payload does not look very different from the original variant detected in March of this year, and the exploit appears to be used in its original form, as downloaded from the Shadow Brokers dump. Most of the preparation time likely went towards stitching these modules together into a working framework. The fact that the March patch had not yet been applied on many supported Windows systems, combined with the number of unsupported systems still operating globally, made this exploit and worm especially harmful.

Form a target list. The initial spear-phishing campaign that allowed the attacker to infiltrate victims, and the resounding success within networks of high-profile organizations worldwide, imply that the campaign started from a target list. This list may have been assembled manually from broad scanning, or may have been extracted from earlier analyses published by security analysts of machines susceptible to DoublePulsar.

Concoct the campaign strategy. The advantage and power of this campaign lie in its ability to spread broadly and independently, not in the initial intrusion. The attacker understood the power of this strategy: get a foothold in a vulnerable organization and start spraying around. An organization with a number of infected machines is more prone to pay, and the odds of striking gold (machines with critical, valuable data in the network) rise as the infection count in the network rises. Among those targeted, major organizations with critical production services, for whom business continuity is essential (telecommunications, health, shipping and transportation), were likely chosen for their higher likelihood of paying the ransom.

Delimit the boundaries of the campaign. The suspected target list and the hardcoded kill switch in the ransomware (possibly designed to let the attacker control the rate and spread of infections) give the attacker a means of control should the outbreak escalate beyond what they intended.

Create the payment backend. There are currently three known Bitcoin wallets linked to this campaign; the 1.0 variant had only a single address. These wallets were created on the day of the outbreak and are still accumulating funds from victims.

These steps point to how rapidly this campaign was planned and executed: the last month was most likely devoted to assembling it. A glance at the number of infections and the public hysteria indicates that the campaign was successful from an operational threat perspective. It is still unknown how successful the overall campaign will be, since most of the infected victims have yet to pay the ransom and the ultimate motives of the actor are unknown at this time.

DAMAGE
Victims
Victims of this campaign are spread across more than 100 countries, with more than 200,000 systems hit, including major health organizations, energy companies and a Spanish telecommunications provider. The British National Health Service (NHS) was particularly affected, with 40 of its hospitals and subsidiaries infected.

The 28 languages supported in the ransom UI do not fully correlate with the infected nations: Iran and other Islamic countries suffered infections, yet Arabic and Farsi are not supported. This may point to the attacker's original target audience. Perhaps certain countries or regions were flagged by the attacker as victims that rarely pay and hence are not worth the effort, or were expected to be reachable in English if they became targets of opportunity. Alternatively, the supported languages may have been selected by the attacker on the basis of political views, revenge or a statistical analysis of susceptible systems per country.

As of Monday mid-day, the money collected by the actors was equivalent to $59,000 in Bitcoin (BTC), suggesting that few victims have actually paid the ransom. We predict more victims will pay as the clock ticks closer to decryption day (D-day), when files will actually be lost.

Attack motives and profiling
The motive in this case is likely financial. A successful, large-scale attack can easily yield millions of dollars in BTC. It is our estimation that this attack was carried out by a cybercrime threat actor with little experience in other large-scale campaigns. This is based on the following:

- Using only three BTC wallets to support hundreds of thousands of possible transactions
- The kill-switch implementation
- The odd choice of languages
- The few changes in the UI from the older version (which did not prosper)
- Using somebody else's code to gain superpowers

The main challenge for the attacker is the cash-out process. Though BTC is a pseudonymous payment method, many eyes are watching these wallets, and large fund movements are conspicuous. Also, should the attacker successfully amass millions of dollars, laundering and legitimizing these funds will be challenging, since converting large amounts of BTC into cash is cumbersome and requires many resources.

Breaking the mold


Recent claims by several cyber security companies tentatively link North Korean cyber actors to the WannaCry ransomware attack. The crux of this assessment is code similarity in a randomization function in a very early variant of the malware. A researcher at Google first discovered this similarity, and it was quickly picked up by several other security firms.

There is no disputing the code similarity. However, code reuse, especially from tools as old as the DPRK sample, is common. Additionally, the code reused in the initial sample is a generic function and has no specific indicators linking it to the coding practices of the Democratic People's Republic of Korea. The removal of the code (in samples of WannaCry from March 2017 onwards) may have to do with functionality rather than being an attempt to obfuscate attribution. Further analysis will reveal how the code was created and perhaps give more insight into who created it.

So, did North Korea do this? The short answer is: it's unlikely. Nothing in North Korea's past cyber campaigns or in its conventional military and foreign policy fits this mold. Looking at national identity, foreign policy and strategic messaging greatly reduces the likelihood that Pyongyang ordered this campaign.

Read more on our blog.

NEW VARIANT
On May 13, Cybereason identified a new variant of WannaCry.

mssecsvc.exe
SHA1: 6e37dd4ea21fd096b233161ec7af90c17b581638
MD5: 73766565804dc0e56de6bf2574fecde3

tasksche.exe
SHA1: 9b54c4c2fc77dc650d5446d2b1646cd5f45c99c8
MD5: 71f4a163938478116734c724f8d5109e

Like the other variants seen in the recent WannaCry attack, this variant runs automatically under a service named Microsoft Security Center (2.0) Service and tries to spread by creating SMB connections to random IP addresses, both internal and external. In addition, we identified communication to the known kill-switch domain (the domain the malware contacts before deciding whether to spread), www{dot}iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea{dot}com, resolving to 144.217.254.3 and 79.137.66.14.
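The indicators above are enough for a quick host sweep. The following PowerShell is an added example, not part of the Cybereason report: it hashes any file carrying the two dropper names and compares it against the report's SHA1 values, looks for the service by the display name given above, and checks the DNS client cache for the kill-switch domain. Two things are assumptions rather than facts from the report: the internal service name "mssecsvc2.0" (the report only gives the display name) and the search roots, which are a guess at where droppers land. The DNS cache cmdlet exists on Windows 8 / Server 2012 and later only.

```powershell
# Added example (not from the report): sweep one host for the new-variant
# indicators. Hashes and the kill-switch domain come from the report; the
# service name "mssecsvc2.0" and the search roots are assumptions.
$IocSha1 = @{
    '6E37DD4EA21FD096B233161EC7AF90C17B581638' = 'mssecsvc.exe (new variant)'
    '9B54C4C2FC77DC650D5446D2B1646CD5F45C99C8' = 'tasksche.exe (new variant)'
}
$KillSwitchDomain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

function Find-WannaCryFiles {
    param([string[]]$Roots = @($env:SystemRoot, $env:ProgramData, $env:TEMP))  # assumed drop locations
    # Cheap name match first, then confirm by hash so a repacked or renamed copy
    # is reported honestly as "name only" instead of as a confirmed match.
    Get-ChildItem -Path $Roots -Recurse -File -Include 'mssecsvc.exe', 'tasksche.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sha1 = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash   # Get-FileHash returns uppercase hex
            [pscustomobject]@{
                Path  = $_.FullName
                SHA1  = $sha1
                Match = if ($IocSha1.ContainsKey($sha1)) { $IocSha1[$sha1] } else { 'name only, hash not in IOC list' }
            }
        }
}

function Find-WannaCryService {
    # Match on the report's display name and on the assumed internal name.
    Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'mssecsvc2.0' -or $_.DisplayName -eq 'Microsoft Security Center (2.0) Service' } |
        Select-Object Name, DisplayName, State, PathName
}

function Find-KillSwitchLookup {
    # A cached answer for the kill-switch domain means the worm ran here and
    # checked in. Whether it then stopped depends on the HTTP request having
    # succeeded; hosts behind an authenticating proxy, or with no egress, keep
    # going even though the domain is registered.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$KillSwitchDomain*" } |
        Select-Object Entry, Data, TimeToLive
}

$findings = [ordered]@{
    Files   = @(Find-WannaCryFiles)
    Service = @(Find-WannaCryService)
    DnsHit  = @(Find-KillSwitchLookup)
}
foreach ($k in $findings.Keys) {
    "{0}: {1} hit(s)" -f $k, $findings[$k].Count
    $findings[$k] | Format-List
}
```

A hash match is a confirmed infection; a service hit with no hash match usually means the binary was already removed (by the worm itself or by an AV product) and the host still needs reimaging rather than a clean bill of health.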

AM I PROTECTED?
There is currently no WannaCry decryption tool. Users can protect themselves from this ransomware worm by taking the following steps.

Keep your system current: Patch all Windows machines in your environment immediately, including older operating systems that Microsoft no longer supports. If Microsoft still supports your operating system, a patch for the vulnerability exploited by EternalBlue was issued in March as part of MS17-010. Since WannaCry infected operating systems that Microsoft no longer supports, the company took the unusual step of releasing an emergency patch to protect these machines; that patch was released on May 12 for Windows XP, 8 and Server 2003. Remember to update your antivirus software, as many vendors have added the latest WannaCry signatures to their products.

Back up regularly: Maintain up-to-date file backups and regularly verify that they can be restored. Remember that ransomware can spread to shared network drives and cloud backups, so make sure your backup plan includes saving files to external storage that is not connected to a PC.

Disable Microsoft Server Message Block: US-CERT advises blocking all versions of SMB at the network boundary by blocking TCP port 445, with the related protocols on UDP ports 137-138 and TCP port 139, on all boundary devices, and disabling SMBv1 on hosts.

Think before you click: Phishing, social engineering and drive-by downloads are popular ways of spreading ransomware. If you receive an email from a person whose name you don't recognize, don't open it. If you open a suspicious email, don't click on any links it contains or open any attachments. Try to verify the identity of the sender or the request being made. For example, if you receive an email with what appears to be a vendor's invoice attached, check with your finance department whether this is a legitimate vendor.

Use RansomFree from Cybereason: Small and medium-sized businesses and individuals can protect themselves from WannaCry and other ransomware attacks by downloading and installing RansomFree, Cybereason's free anti-ransomware tool. RansomFree detects and stops ransomware, including WannaCry, and is available for PCs running Windows 7, 8 and 10 and servers running Windows Server 2008 R2 and 2012 R2.

Leverage the Cybereason platform for enterprises: The Cybereason platform uses behavioral detection to detect and stop ransomware, including never-before-seen strains and new variants. Cybereason detected WannaCry in customer environments and stopped it before it encrypted files. The platform also offers the ability to automatically collect and query endpoint data to determine whether an organization is under attack, as well as next-generation antivirus protection, among other features.
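The first three steps (MS17-010 installed, SMBv1 off, SMB blocked) can be checked and enforced from an elevated PowerShell prompt. The script below is an added example, not Cybereason's or Microsoft's code. The KB numbers it looks for are the MS17-010 updates for Windows 7 / Server 2008 R2 (KB4012212 security-only, KB4012215 monthly rollup), Windows 8.1 / Server 2012 R2 (KB4012213, KB4012216) and the May 12 out-of-band update for XP / Server 2003 / 8 (KB4012598); confirm them against the bulletin for your exact build and extend the list as needed. A later cumulative update that supersedes these does not show their KB ids, so "not found" means "check further", not "unpatched". The host firewall rule mirrors the US-CERT boundary advice and must not be pushed to file servers or domain controllers, which have to accept 445.

```powershell
# Added example (not from the report): verify and enforce the host-level
# WannaCry controls. Run elevated. KB list is per the MS17-010 bulletin for a
# few common platforms; extend it for your builds.
$Ms17010Kbs = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012598'
$SmbRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Hotfix {
    param([string[]]$KbIds = $Ms17010Kbs)
    $hits = @(Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $KbIds -contains $_.HotFixID })
    [pscustomobject]@{ Installed = ($hits.Count -gt 0); KBs = ($hits.HotFixID -join ',') }
}

function Test-Smb1Enabled {
    # Windows 8 / 2012 and later expose the server setting as a cmdlet; older
    # builds use the SMB1 registry value, whose absence means the default (on).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = Get-ItemProperty -Path $SmbRegPath -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v) -or ($v.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $SmbRegPath -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Where the OS ships SMB1 as an optional feature (8.1 / 2012 R2 and later),
    # remove the component too; the registry switch alone leaves binaries installed.
    # Takes effect after a reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

function Block-InboundSmb {
    # Host-firewall equivalent of the US-CERT boundary advice: 445/tcp, 139/tcp,
    # 137-138/udp inbound. Workstations only; file servers and DCs need 445 open.
    if (-not (Get-NetFirewallRule -DisplayName 'WannaCry - block inbound SMB' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'WannaCry - block inbound SMB' -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort 139, 445 -Profile Any | Out-Null
        New-NetFirewallRule -DisplayName 'WannaCry - block inbound NetBIOS' -Direction Inbound -Action Block `
            -Protocol UDP -LocalPort 137, 138 -Profile Any | Out-Null
    }
}

function Invoke-WannaCryHardening {
    param([switch]$Enforce)   # without -Enforce the function only reports
    $patch   = Test-Ms17010Hotfix
    $smb1Was = Test-Smb1Enabled
    if ($Enforce) {
        if ($smb1Was) { Disable-Smb1 }
        Block-InboundSmb
    }
    [pscustomobject]@{
        Ms17010KbFound  = $patch.Installed
        Ms17010KBs      = $patch.KBs
        Smb1WasEnabled  = $smb1Was
        Smb1NowEnabled  = Test-Smb1Enabled
        SmbBlockRule    = [bool](Get-NetFirewallRule -DisplayName 'WannaCry - block inbound SMB' -ErrorAction SilentlyContinue)
    }
}

Invoke-WannaCryHardening             # report only
# Invoke-WannaCryHardening -Enforce  # disable SMBv1 and add the block rules
```

Run it once in report mode across the fleet to find the stragglers, then with -Enforce on the machines where SMB inbound is not a service anyone depends on. Disabling SMBv1 breaks old multifunction printers and NAS devices that only speak SMB1; inventory those before the change rather than after the helpdesk calls.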

WHAT NEXT?
Since the kill-switch domain was discovered and registered, there has been a temporary lull in infections, but this will not last long. Here is what the near future will likely have in store:

A large cash influx on or just before D-day. Currently there is no way to decrypt your files without paying. The incentives given to the victims will probably make most of them pay before the initial three days have passed. However, large organizations with a decent backup policy will probably not pay.

A new variant with no kill switch, or with a more sophisticated and less obvious one. This has been predicted by many experts, and some samples have already been spotted in the wild that override the kill-switch mechanism. A new variant means a new wave of attacks (probably of smaller effect, since many organizations have now patched and secured their networks).

New malware or ransomware that leverages other leaked nation-state vulnerabilities, exploits or tools. The proliferation of new super weapons, especially delivery mechanisms, likewise presents a window of opportunity, such as those discussed in our blog regarding the Vault7 leak.


Cybereason is the leader in endpoint protection, giving enterprises the upper hand over cyber adversaries.
The Cybereason platform is powered by a custom-built in-memory graph, the only truly automated hunting engine
anywhere. It detects behavioral patterns across every endpoint and surfaces malicious operations in an
exceptionally user-friendly interface.

Cybereason is privately held and headquartered in Boston with offices in London, Tel Aviv, and Tokyo.
