What you need to know about the WannaCry Ransomware

What you need to know about the WannaCry Ransomware

WannaCry ransomware spreads aggressively across networks, holds files to ransom.

By: Symantec Security Response Symantec Employee
What has happened? On May 12, 2017 a new variant of the Ransom.CryptXXX family (Detected as Ransom.Wannacry) of ransomware began spreading widely impacting a large number of organizations, particularly in Europe.

 What is the WannaCry ransomware?

WannaCry encrypts data files and ask users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.

Figure 1 Ransom demand screen displayed by WannaCry Trojan

It also drops a file named !Please Read Me!.txt which contains the ransom note.
Figure 2 Ransom demand note from WannaCry Trojan

WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name:

  • .123
  • .3dm
  • .3ds
  • .3g2
  • .3gp
  • .602
  • .7z
  • .ARC
  • .PAQ
  • .accdb
  • .aes
  • .ai
  • .asc
  • .asf
  • .asm
  • .asp
  • .avi
  • .backup
  • .bak
  • .bat
  • .bmp
  • .brd
  • .bz2
  • .cgm
  • .class
  • .cmd
  • .cpp
  • .crt
  • .cs
  • .csr
  • .csv
  • .db
  • .dbf
  • .dch
  • .der
  • .dif
  • .dip
  • .djvu
  • .doc
  • .docb
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .dwg
  • .edb
  • .eml
  • .fla
  • .flv
  • .frm
  • .gif
  • .gpg
  • .gz
  • .hwp
  • .ibd
  • .iso
  • .jar
  • .java
  • .jpeg
  • .jpg
  • .js
  • .jsp
  • .key
  • .lay
  • .lay6
  • .ldf
  • .m3u
  • .m4u
  • .max
  • .mdb
  • .mdf
  • .mid
  • .mkv
  • .mml
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .msg
  • .myd
  • .myi
  • .nef
  • .odb
  • .odg
  • .odp
  • .ods
  • .odt
  • .onetoc2
  • .ost
  • .otg
  • .otp
  • .ots
  • .ott
  • .p12
  • .pas
  • .pdf
  • .pem
  • .pfx
  • .php
  • .pl
  • .png
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .ps1
  • .psd
  • .pst
  • .rar
  • .raw
  • .rb
  • .rtf
  • .sch
  • .sh
  • .sldm
  • .sldx
  • .slk
  • .sln
  • .snt
  • .sql
  • .sqlite3
  • .sqlitedb
  • .stc
  • .std
  • .sti
  • .stw
  • .suo
  • .svg
  • .swf
  • .sxc
  • .sxd
  • .sxi
  • .sxm
  • .sxw
  • .tar
  • .tbk
  • .tgz
  • .tif
  • .tiff
  • .txt
  • .uop
  • .uot
  • .vb
  • .vbs
  • .vcd
  • .vdi
  • .vmdk
  • .vmx
  • .vob
  • .vsd
  • .vsdx
  • .wav
  • .wb2
  • .wk1
  • .wks
  • .wma
  • .wmv
  • .xlc
  • .xlm
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .zip

It propagates to other computers by exploiting a known SMB remote code execution vulnerability in Microsoft Windows computers. (MS17-010)

Am I protected against this threat?

The Symantec Global Intelligence Network (GIN) provides automatic detection to all enabled products for web-based infection attempts.

Symantec and Norton customers are protected against WannaCry using a combination of technologies.

Antivirus

Customers should run LiveUpdate and verify that they have the following definition versions or later installed in order to ensure they have the most up-to-date protection:

  • 20170512.009

SONAR protection

Network based protection

Symantec also has the following IPS protection in place which has proven highly effective in proactively blocking attempts to exploit the MS17-010 vulnerability:

The following IPS signature also blocks activity related to Ransom.Wannacry:

Organizations should also ensure that they have the latest Windows security updates installed, in particular MS17-010 to prevent spreading.

Who is impacted?

A number of organizations globally have been affected, the majority of which are in Europe.

Is this a targeted attack?

No, this is not believed to be a targeted attack at this time. Ransomware campaigns are typically indiscriminate.

Why is it causing so many problems for organizations?

WannaCry has the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in Microsoft Windows. Computers which do not have the latest Windows security updates applied are at risk of infection.

Can I recover the encrypted files?

Decryption is not available at this time but Symantec is investigating. Symantec does not recommend paying the ransom. Encrypted files should be restored from back-ups where possible.

What are best practices for protecting against ransomware?

  • New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
  • Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
  • Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However organizations should ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.
  • Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.

Additional indicators and technical information about Ransom.Wannacry

When the Trojan is executed, it drops the following files:

  •  [PATH_TO_TROJAN]\!WannaDecryptor!.exe
  • [PATH_TO_TROJAN]\c.wry
  • [PATH_TO_TROJAN]\f.wry
  • [PATH_TO_TROJAN]\m.wry
  • [PATH_TO_TROJAN]\r.wry
  • [PATH_TO_TROJAN]\t.wry
  • [PATH_TO_TROJAN]\u.wry
  • [PATH_TO_TROJAN]\TaskHost
  • [PATH_TO_TROJAN]\00000000.eky
  • [PATH_TO_TROJAN]\00000000.pky
  • [PATH_TO_TROJAN]\00000000.res
  • %Temp%\0.WCRYT
  • %Temp%\1.WCRYT
  • %Temp%\2.WCRYT
  • %Temp%\3.WCRYT
  • %Temp%\4.WCRYT
  • %Temp%\5.WCRYT
  • %Temp%\hibsys.WCRYT

Note: [PATH_TO_TROJAN] is the path where the Trojan was originally executed.

The Trojan then creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\”Microsoft Update Task Scheduler” = “”[PATH_TO_TROJAN]\[TROJAN_EXE_NAME]” /r”

  • HKEY_LOCAL_MACHINE\SOFTWARE\WannaCryptor\”wd” = “[PATH_TO_TROJAN]”

The Trojan also sets the following registry entry:
HKEY_CURRENT_USER\Control Panel\Desktop\”Wallpaper” = “%UserProfile%\Desktop\!WannaCryptor!.bmp”

The Trojan creates the following mutexes:
Global\WINDOWS_TASKOSHT_MUTEX0

  • Global\WINDOWS_TASKCST_MUTEX

The Trojan then terminates the following processes using taskkil /f /iml:
sqlwriter.exe

  • sqlserver.exe
  • Microsoft.Exchange.*
  • MSExchange*

It then searches for and encrypts files with the following extensions:.123

  • .3dm
  • .3ds
  • .3g2
  • .3gp
  • .602
  • .7z
  • .ARC
  • .PAQ
  • .accdb
  • .aes
  • .ai
  • .asc
  • .asf
  • .asm
  • .asp
  • .avi
  • .backup
  • .bak
  • .bat
  • .bmp
  • .brd
  • .bz2
  • .cgm
  • .class
  • .cmd
  • .cpp
  • .crt
  • .cs
  • .csr
  • .csv
  • .db
  • .dbf
  • .dch
  • .der
  • .dif
  • .dip
  • .djvu
  • .doc
  • .docb
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .dwg
  • .edb
  • .eml
  • .fla
  • .flv
  • .frm
  • .gif
  • .gpg
  • .gz
  • .hwp
  • .ibd
  • .iso
  • .jar
  • .java
  • .jpeg
  • .jpg
  • .js
  • .jsp
  • .key
  • .lay
  • .lay6
  • .ldf
  • .m3u
  • .m4u
  • .max
  • .mdb
  • .mdf
  • .mid
  • .mkv
  • .mml
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .msg
  • .myd
  • .myi
  • .nef
  • .odb
  • .odg
  • .odp
  • .ods
  • .odt
  • .onetoc2
  • .ost
  • .otg
  • .otp
  • .ots
  • .ott
  • .p12
  • .pas
  • .pdf
  • .pem
  • .pfx
  • .php
  • .pl
  • .png
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .ps1
  • .psd
  • .pst
  • .rar
  • .raw
  • .rb
  • .rtf
  • .sch
  • .sh
  • .sldm
  • .sldx
  • .slk
  • .sln
  • .snt
  • .sql
  • .sqlite3
  • .sqlitedb
  • .stc
  • .std
  • .sti
  • .stw
  • .suo
  • .svg
  • .swf
  • .sxc
  • .sxd
  • .sxi
  • .sxm
  • .sxw
  • .tar
  • .tbk
  • .tgz
  • .tif
  • .tiff
  • .txt
  • .uop
  • .uot
  • .vb
  • .vbs
  • .vcd
  • .vdi
  • .vmdk
  • .vmx
  • .vob
  • .vsd
  • .vsdx
  • .wav
  • .wb2
  • .wk1
  • .wks
  • .wma
  • .wmv
  • .xlc
  • .xlm
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .zip

Encrypted files will have .WCRY appended to the end of the file names.
The Trojan then deletes the shadow copies of the encrypted files.
The Trojan drops the following files in every folder where files are encrypted:!WannaDecryptor!.exe.lnk

  • !Please Read Me!.txt

The contents of the !Please Read Me!.txt is a text version of the ransom note with details of how to pay the ransom.
The Trojan downloads Tor and uses it to connect to a server using the Tor network.
It then displays a ransom note explaining to the user what has happened and how to pay the ransom.
Tags: Security, Advanced Threat Protection, Endpoint Protection, Security Response, Malware, Ransom, Ransomware, WannaCry