WannaCry Analysis



Modular Structure


The WannaCry ransomware can be broken down into three modular pieces, each utilizing a different exploit/vulnerability.


1. The Worm


Upon infecting a host, WannaCry starts to scan the local network and random IP addresses on the internet, looking for hosts that expose the Microsoft SMB protocol. This protocol is used by Windows to share documents between computers. It is at this point that it employs the EternalBlue exploit. EternalBlue had existed for several years before the advent of WannaCry, and it was only WannaCry that forced the NSA to inform Microsoft of the vulnerability. It works by exploiting the way some versions of Windows mishandle certain packets, allowing an attacker to execute code on the target. This element allows WannaCry to copy and execute itself on remote computers.


2. The Kill Switch


Once WannaCry finds a target it drops the file mssecsvc.exe, which then executes tasksche.exe, the kill-switch checker. If the kill-switch server does not exist, it proceeds to install the DOUBLEPULSAR backdoor. This gives it persistence, after which it installs the payload.


3. The Payload


After the initial check, tasksche.exe continues by searching the host's files for directories starting with single letters such as C:/. It proceeds to encrypt them using 2048-bit RSA and makes a new directory. Inside this newly created directory it adds several helper .exe files, including tor.exe. After running tor.exe, the malware connects through a Tor node to hide the operators of WannaCry. Upon encrypting all the files, it produces the red ransom note seen on the previous page. This note instructs the victim to transfer $300 in BTC to a BTC wallet.
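The worm step above is visible to a defender as one host opening SMB (TCP/445) connections to many distinct addresses, both on the local network and on the internet, within seconds. The following detector is an added example for this write-up, not code from the original analysis; it runs over a constructed connection-log sample (the hosts, timestamps and addresses are made up, and the "local" ranges are simply RFC 1918) and flags any source that touches at least `threshold` distinct SMB targets inside a sliding window.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed connection-log sample (not real traffic):
# "<ISO time> <src> <dst> <dport> <action>".
# 10.0.0.15 behaves like an infected host (many distinct SMB targets, local and
# internet, within seconds); 10.0.0.42 is an ordinary file-share user.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.15 10.0.0.20 445 allow
2017-05-12T10:00:01 10.0.0.15 10.0.0.21 445 allow
2017-05-12T10:00:02 10.0.0.15 10.0.0.22 445 deny
2017-05-12T10:00:02 10.0.0.15 10.0.0.23 445 deny
2017-05-12T10:00:03 10.0.0.15 10.0.0.24 445 deny
2017-05-12T10:00:03 10.0.0.15 203.0.113.9 445 deny
2017-05-12T10:00:04 10.0.0.15 198.51.100.77 445 deny
2017-05-12T10:00:04 10.0.0.15 192.0.2.131 445 deny
2017-05-12T10:00:05 10.0.0.15 10.0.0.25 445 allow
2017-05-12T10:00:06 10.0.0.15 10.0.0.26 445 deny
2017-05-12T10:00:07 10.0.0.42 10.0.0.20 445 allow
2017-05-12T10:00:09 10.0.0.42 10.0.0.20 445 allow
2017-05-12T10:05:00 10.0.0.42 10.0.0.5 443 allow
2017-05-12T10:30:00 10.0.0.15 10.0.0.27 445 deny
"""

# Assumption: "local" means RFC 1918 space; adjust to the monitored network.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_smb_fanout(log_text, window_s=60, threshold=8):
    """Return {src: report} for every source that contacted at least
    `threshold` distinct hosts on TCP/445 within any `window_s` second window.
    The report keeps the peak distinct-target count and the non-local targets,
    which is what distinguishes worm scanning from normal file-share use."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for ts, src, dst, dport, _action in events:
        if dport != 445:
            continue
        dq = recent[src]
        dq.append((ts, dst))
        while (ts - dq[0][0]).total_seconds() > window_s:
            dq.popleft()
        targets = {d for _, d in dq}
        if len(targets) < threshold:
            continue
        report = alerts.setdefault(src, {
            "first_seen": dq[0][0].isoformat(),
            "distinct_targets": 0,
            "external_targets": set(),
        })
        report["distinct_targets"] = max(report["distinct_targets"], len(targets))
        report["external_targets"] |= {d for d in targets if not is_local(d)}
    for report in alerts.values():
        report["external_targets"] = sorted(report["external_targets"])
    return alerts


if __name__ == "__main__":
    for src, report in detect_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: {report['distinct_targets']} SMB targets since "
              f"{report['first_seen']}, external: {report['external_targets']}")
```

Both allowed and denied connections count, because a scanning host reveals itself by the fan-out of attempts rather than by their success; a denied connection to an internet address on port 445 from a workstation is itself worth a closer look.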


Kill Switch Mechanism


The origin of this kill-switch mechanism was initially disputed. However, it is agreed upon that the kill switch was intentionally placed in the code by the makers. Two theories exist for why it was included, even though variants sprang up in response to the original version being stopped by this kill switch. The first is that the operators of WannaCry wanted to have the ability to stop the attack for whatever reason. This seems unlikely. The stronger theory holds that it was employed as a way to prevent analysis in a sandbox. The idea is that if it were captured for analysis in an air-gapped setting it would not be able to check whether the kill-switch domain is live. This means it does not execute, making its analysis significantly harder.


Operatives


While the creators are still unknown, many clues have been found within the various variants. The current suspect behind WannaCry is the Lazarus Group. It is a known criminal hacking operation with links to the North Korean government. Among the clues was that the computer that created the ransom notes had a special Korean language font installed. The time on infected computers was automatically set to UTC+09:00, the time zone of Korea. In addition, it is presumed that the Chinese language ransom note was the original, with the English one being a machine translation. Despite many fingers pointed at North Korean state actors and the United States officially placing blame on them, very little new evidence has come to light. Ultimately it is clear that WannaCry was developed purely for economic gain, with no clear ulterior motive.

The Original Bitcoin Wallets


Hard-coded into WannaCry are three Bitcoin addresses to which victims could pay the ransom. These are:


- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94


- 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn


- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw


Looking at these three wallets we discover two interesting pieces of information. Firstly, the operators did not earn very much money for the number of computers infected. In fact, at the time of the attack they netted around $150,000. While they did not move the coins for some time, it seems that over 2 years most of these wallets were drained through many small transactions. Because these wallets are known to be associated with the attack, it remains quite difficult for the operatives to exchange their Bitcoin for fiat currency. This may have played in their favor, as the combined value of those wallets today is over 3 million USD.


The second piece of information that can be gleaned from this is that WannaCry is still in operation. The wallets continue to see input transactions long after the operatives have cashed out. This means that people are still paying the ransom in hopes of receiving their files back, despite no reports of anyone ever getting them back after paying it. These newer transactions likely explain why the wallets still hold roughly 60,000 USD.
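Tracking payments to the three addresses above means feeding them into blocklists and chain-monitoring queries, where a single mistyped character silently points the query at a non-existent address. Bitcoin addresses carry a built-in integrity check (Base58Check: version byte, 20-byte hash, 4-byte double-SHA256 checksum), so an analyst can verify a copied indicator before relying on it. The validator below is an added example written for this page, not code from the original analysis; it uses only the standard library, and the only page-specific values are the three addresses listed above.

```python
import hashlib

# Base58 alphabet used by Bitcoin: no 0, O, I or l, to avoid visual confusion.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The three addresses hard-coded into WannaCry, as listed in the write-up above.
WANNACRY_WALLETS = [
    "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94",
    "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn",
    "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
]


def b58decode(text):
    """Decode a Base58 string to bytes. Each leading '1' encodes a leading
    zero byte, which the big-integer conversion would otherwise drop."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def validate_btc_address(addr):
    """Return (ok, reason). ok is True only for a 25-byte mainnet P2PKH (0x00)
    or P2SH (0x05) payload whose 4-byte double-SHA256 checksum matches."""
    try:
        raw = b58decode(addr)
    except ValueError as exc:
        return False, str(exc)
    if len(raw) != 25:
        return False, f"decoded length {len(raw)}, expected 25"
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        return False, "checksum mismatch (typo or altered address)"
    if payload[0] not in (0x00, 0x05):
        return False, f"version byte 0x{payload[0]:02x} is not mainnet P2PKH/P2SH"
    return True, "ok"


def check_wallets(addrs=WANNACRY_WALLETS):
    """Map each address to whether it passes the integrity check."""
    return {a: validate_btc_address(a)[0] for a in addrs}


if __name__ == "__main__":
    for addr in WANNACRY_WALLETS:
        ok, reason = validate_btc_address(addr)
        print(f"{addr}: {'valid' if ok else 'INVALID'} ({reason})")
```

A checksum pass only proves the string is a well-formed address, not that it is the right one; the attribution to WannaCry still comes from the sample itself. The check is nevertheless worth running whenever indicators are copied between reports, since a one-character slip fails the checksum with near certainty.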

[Figure: BTC Wallet 1 Balance]