On 12 May 2017, the world witnessed the rise of the infamous Wanna Cry ransomware, also known as Wana Cryptor, WannaCrypt or Wncry. It badly hit more than 230,000 computers in 150 countries and disrupted numerous organizations, public services and personal PCs. No doubt, it is the outcome of a brutal cyber weapon developed by the Equation Group, tied to the National Security Agency (NSA) of the USA. This secret weapon came under the spotlight after the Wikileaks proclamation. Moreover, the Shadow Brokers group not only stole/hacked these secret NSA tools but also released them to the public.
Later, an unknown hacker group used them to spread the Wanna Cry ransomware. The Equation Group is known for crafting the hardest cryptography; they are the creator of, and contributor to, many infamous cyber-attacks such as Stuxnet and Flame. On the other side, the Shadow Brokers group is known for stealing and publishing NSA hacking tools. According to Edward Snowden, a former Central Intelligence Agency (CIA) employee, the Shadow Brokers are an integral part of Russian intelligence.
Facts about Wanna Cry
Anyway, here we will discuss our research on the Wanna Cry ransomware. This massive attack is a combination of two tools, EternalBlue and DoublePulsar. This exploit was developed by the NSA via the Equation Group.
- EternalBlue scans network computers for a previously unknown Windows SMB vulnerability.
- If a vulnerable PC is found, DoublePulsar injects the malicious DLL files with the help of payloads.
It spreads between computers via a previously unknown Windows vulnerability in the file sharing protocol, known as the SMB 1.0 / CIFS file sharing protocol. You can disable this function as a protection measure.
Programming Language used in Wanna Cry
Wanna Cry has been written in Microsoft Visual C++ 6.0. Moreover, the hacker obfuscated the core part of the code. You can decompile the file via reverse engineering, but it needs the extra treatment of decompilation and deobfuscation.
The following libraries are included in the main WanaDecryptor.c file. We found them in the decompiled source code of @Wana Decrypt0r@.exe:
- #include <arpa/inet.h>
- #include <netdb.h>
- #include <netinet/in.h>
- #include <stdbool.h>
- #include <stdint.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- #include <sys/select.h>
- #include <sys/socket.h>
- #include <time.h>
- #include <unistd.h>
- #include <wchar.h>
- #include <windows.h>
Signature of 00000000.dky
The hacker sends the private key, named 00000000.dky, for decryption once his demand is fulfilled. Fortunately, the user can recover this key as soon as the attack happens, because the prime numbers are still alive in memory as long as the PC has not been restarted and the memory has not been overwritten. So there is a chance to get this dky file without paying any ransom. This dky file contains the private key, aka the master key, to decrypt all encrypted files. Following are some characteristics of the 00000000.dky file.
- Starts with the same 20 encrypted characters
(Base64 value: BwIAAACkAABSU0EyAAgAAAEAAQA=)
- Contains 1172 characters. Of course, the file size is the same: 1172 bytes (~1.14 KB)
- Starts with BEL, STX, which mean 7 and 2 respectively.
- The 3rd, 4th and 5th characters are NUL, reflecting no value.
- The 6th ASCII character ¤ represents the value 207
- The 9th to 12th characters, RSA2 (Remote Supervisor Adaptor), represent the method of algorithm used in encryption.
- The 14th character is BS, which means Backspace
- The 17th and 19th characters denote SOH, meaning Start of Header.
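The 20-byte prefix quoted above has the layout of a Microsoft CryptoAPI key blob header (a BLOBHEADER followed by an RSAPUBKEY structure, as defined in wincrypt.h). The Python script below is an added example, not part of the original research: it decodes the quoted Base64 value field by field and computes the total size a PRIVATEKEYBLOB of that bit length must have, which gives a quick sanity check for any candidate 00000000.dky pulled out of memory. Function and constant names are our own; the zero-filled key material in the demo is constructed.

```python
import base64
import struct

# The 20-byte prefix quoted in the post, Base64-encoded.
DKY_HEADER_B64 = "BwIAAACkAABSU0EyAAgAAAEAAQA="

# CryptoAPI blob layout (wincrypt.h), all fields little-endian:
#   BLOBHEADER: BYTE bType, BYTE bVersion, WORD reserved, ALG_ID aiKeyAlg  (8 bytes)
#   RSAPUBKEY : DWORD magic, DWORD bitlen, DWORD pubexp                    (12 bytes)
BLOB_TYPES = {0x06: "PUBLICKEYBLOB", 0x07: "PRIVATEKEYBLOB"}
MAGIC_NAMES = {b"RSA1": "RSA public key", b"RSA2": "RSA private key"}
CALG_RSA_KEYX = 0x0000A400   # RSA key-exchange algorithm id


def decoded_header() -> bytes:
    """The quoted Base64 prefix as raw bytes."""
    return base64.b64decode(DKY_HEADER_B64)


def parse_blob_header(data: bytes) -> dict:
    """Decode the BLOBHEADER + RSAPUBKEY prefix of a CryptoAPI RSA key blob."""
    if len(data) < 20:
        raise ValueError("key blob header needs at least 20 bytes")
    b_type, b_version, reserved, alg_id = struct.unpack_from("<BBHI", data, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", data, 8)
    return {
        "type": BLOB_TYPES.get(b_type, f"unknown(0x{b_type:02x})"),
        "version": b_version,
        "reserved": reserved,
        "alg_id": alg_id,
        "alg_is_rsa_keyx": alg_id == CALG_RSA_KEYX,
        "magic": magic.decode("ascii", "replace"),
        "key_kind": MAGIC_NAMES.get(magic, "unknown"),
        "bitlen": bitlen,
        "pubexp": pubexp,
    }


def expected_blob_size(kind: str, bitlen: int) -> int:
    """Total blob size for an RSA key of the given bit length (n = bitlen / 8 bytes).

    PRIVATEKEYBLOB body: modulus (n) + prime1, prime2, exponent1, exponent2,
    coefficient (n/2 each) + privateExponent (n).  PUBLICKEYBLOB body: modulus only.
    """
    n = bitlen // 8
    if kind == "RSA private key":
        return 20 + n + 5 * (n // 2) + n
    if kind == "RSA public key":
        return 20 + n
    raise ValueError(f"unsupported key kind: {kind}")


def check_dky_candidate(data: bytes):
    """Sanity-check a candidate 00000000.dky: header fields and total length must agree."""
    hdr = parse_blob_header(data)
    if hdr["type"] != "PRIVATEKEYBLOB" or hdr["key_kind"] != "RSA private key":
        return False, f"not an RSA private key blob ({hdr['type']}, magic {hdr['magic']!r})"
    if hdr["reserved"] != 0 or not hdr["alg_is_rsa_keyx"]:
        return False, "reserved field or algorithm id does not match CALG_RSA_KEYX"
    want = expected_blob_size(hdr["key_kind"], hdr["bitlen"])
    if len(data) != want:
        return False, f"length {len(data)} != {want} expected for a {hdr['bitlen']}-bit key"
    return True, f"{hdr['bitlen']}-bit RSA private key blob, e={hdr['pubexp']}, {want} bytes"


if __name__ == "__main__":
    header = decoded_header()
    print(parse_blob_header(header))
    # Constructed stand-in: the real header followed by zero-filled key material.
    print(check_dky_candidate(header + bytes(1152)))
```

Run against a real memory-carved candidate by reading the file and passing its bytes to check_dky_candidate; a blob whose header says 2048 bits must be exactly 1172 bytes long, matching the size the post reports.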
Payment Confirmation Message
Wanna Cry demands the ransom via Bitcoin. Once it is paid, it sends the 00000000.dky file to the victim’s PC. In fact, there is no guarantee whether the victim receives the key or not. However, in this case we fetched the dky key file from memory via WanaKiwi, paying nothing to the ransomware makers.
IP addresses used by Wanna Cry via Tor
The hackers have used the Tor network for a high level of privacy and security. The Tor network has the inherent advantage of anonymity: the traffic between the data sender and receiver never establishes a direct connection, but goes through a series of virtual tunnels. So tracking Tor’s users is impossible, or at least very challenging. This is one of the strong points of the hacker group. We have multiple IP addresses, with their ports, that Wanna Cry used while establishing network communication.
- 46.101.169.151:9001
- 188.165.194.195:9001
- 131.188.40.188:80
- 51.15.46.15:9001
- 212.47.234.192:8443
- 163.172.142.92:443
Cryptographic functions in ascending order
- TESTDATA
- CryptGenKey
- CryptDecrypt
- CryptEncrypt
- CryptDestroyKey
- CryptImportKey
- CryptAcquireContextA
After the above steps, it fires a cmd command to destroy all shadow copies. The first version of Wanna Cry had no provision to destroy shadow copies, but version 2.0 comes with a more brutal way: they have closed the path to recovery, so the user cannot recall a previous version of the file, even via the System Restore utility.
vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
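From the defender’s side, the command line above is a strong detection signal: each of the five commands is rare in normal use, and all five chained into one process is rarer still. The following Python snippet is an added example, not part of the original research; it scans process-creation records for those commands and grades the finding by how many appear in one command line. The record format (timestamp|host|user|command line) and the sample lines are constructed for the example, and the pattern names are our own.

```python
import re

# One pattern per command in the chained cmd line quoted above (case-insensitive,
# tolerant of an explicit .exe suffix or a full path before the binary name).
RECOVERY_TAMPER_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog": re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}


def classify_command_line(cmdline: str) -> list:
    """Return the names of all recovery-tampering commands found in one command line."""
    return [name for name, rx in RECOVERY_TAMPER_PATTERNS.items() if rx.search(cmdline)]


def scan_process_log(lines) -> list:
    """Parse constructed 'timestamp|host|user|command line' records and flag tampering.

    A single command line chaining several of the commands (as Wanna Cry 2.0 does)
    is reported once with severity 'high'; a lone command is reported as 'medium'.
    Malformed records are skipped rather than aborting the scan.
    """
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue
        ts, host, user, cmdline = parts
        hits = classify_command_line(cmdline)
        if hits:
            findings.append({
                "timestamp": ts,
                "host": host,
                "user": user,
                "matches": hits,
                "severity": "high" if len(hits) >= 2 else "medium",
            })
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "2017-05-12T10:41:03Z|WS01|alice|cmd.exe /c vssadmin delete shadows /all /quiet "
    "& wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures "
    "& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    "2017-05-12T10:42:10Z|WS01|alice|notepad.exe C:\\Users\\alice\\notes.txt",
    "2017-05-12T10:43:55Z|SRV02|backupsvc|vssadmin list shadows",
    "2017-05-12T10:45:00Z|SRV02|admin|wbadmin delete catalog -quiet",
    "garbage line without separators",
]

if __name__ == "__main__":
    for finding in scan_process_log(SAMPLE_LOG):
        print(finding)
```

Listing shadow copies (vssadmin list shadows) is deliberately not matched, since backup software does that routinely; only the destructive verbs fire. Hook the same classify_command_line function into whatever produces your process-creation events (Sysmon event 1, Security event 4688, or EDR telemetry) by feeding it the command-line field.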
Bitcoin address Mystery
In the decompilation of Wana Decrypt0r 2.0, we found only one Bitcoin address. Beneath is that address.
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
However, the Wana Decrypt0r 2.0 window shows the following Bitcoin address. We didn’t find the address below anywhere in the source code. It might not be hard-coded, or it might remain encrypted even after decompilation.
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Mysterious QR-Code address in source code
We found a QR-code URL for the Bitcoin address. The URL is hard-coded with a format placeholder for the Bitcoin address at the end, but surprisingly it is never seen in any window of the Wanna Cry ransomware.
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s produces the following output: http://www.btcfrog.com/qr/bitcoinPNG.php?address=13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
They have embedded mysterious HOLA program
With reference to the code, we found one dependency or fellow program that might be helping Wanna Cry. See the following screenshot (manifest excerpt) for more details. In fact, googling reveals the Hola program as a VPN service. So it is possible that the hacker group used a VPN for anonymous communication alongside the TOR medium.
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="Hola" version="10.0.1" processorArchitecture="X86" type="win32" />
  <description>Hola</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" />
    </dependentAssembly>
  </dependency>
</assembly>
Manipulate the countdown via system date and time
Yes, you read that right. Generally, Wana Decrypt0r 2.0 starts two countdowns. The first countdown counts down from day 6, whereas the second counts down from day 3. From day 1 to day 3, the ransom amount is set to $300 (US dollars); from day 3 to day 6, the ransom amount increases to $600. What happens on day 7 is still unclear, but you can still access all functions, including Check Payment and Decrypt. Although, according to the hacker group, the user will lose the chance to decrypt the data; they also claim that they alone know the method to decrypt it.
However, in a note, they also clarify that they will soon arrange a campaign after 6 months in which they will decrypt the files for free for poor users who were unable to pay the ransom amount. But it is doubtful how they will distinguish poor users from rich users.
Warning: Manipulating the system date and time may set the countdown to ZERO or end it, and the ransom amount may increase up to $600. It takes some minutes to see this change, so beware.
The user can manipulate the countdown by changing the system date and time. The Wana Decrypt0r 2.0 window reflects the change instantly, or sometimes you need to end the wanacryptor task and re-run @WanaDecryptor@.exe.
Insertion of dummy 00000000.dky file
As part of the experiment, we cloned the 00000000.pky file under the new name 00000000.dky, because the dky file exists only once the hacker has sent it to decrypt your system, and because it includes the private / master key that triggers decryption of the whole system.
As soon as you hit the Decrypt > Start button, it goes into a frozen state: all buttons on the Decrypt dialog box get disabled, meaning none of the Wana Decryptor 2.0 windows work, but there is no effect on the countdown. It also reveals the home path and shows the original extension for the t.wnry file, but in reality it does not change the extension of t.wnry at all. Ending the wanadecrypt.exe process from Task Manager is the only known way to stop it; it will not open again until you click the decryptor application or restart the system. But remember to remove the dummy 00000000.dky file to restore the non-bugged function.
What b.wnry doing here?
After compiling the Bitcoin warning and ransom amount, Wanna Cry calls for the b.wnry file. Why does it stand here? In fact, it includes the TOR and C2 ciphers for communication purposes. We tried to remove this b.wnry file; it resulted in a blank path in the decrypt window. Then it worked normally after restoring r.wnry.
Some notification dialogues found in the source code
- “Your message has been sent successfully!”
- “You are sending too many mails! Please try again %d minutes later.”
- “Too short message!”
- “need dictionary”
- “invalid distance code”
- “invalid literal/length code”
- “invalid bit length repeat”
- “too many length or distance symbols”
- “invalid stored block lengths”
- “invalid block type”
- “incomplete dynamic bit lengths tree”
- “oversubscribed dynamic bit lengths tree”
- “incomplete literal/length tree”
- “oversubscribed literal/length tree”
- “empty distance tree with lengths”
- “incomplete distance tree”
- “oversubscribed distance tree”
- “1.1.3”
- “incorrect data check”
- “incorrect header check”
- “invalid window size”
- “unknown compression method”
- “This folder protects against ransomware. Modifying it will reduce protection”
- “Temporary Internet Files”
- “Content.IE5”
How to get list of sample decrypted files
Wana Decrypt0r 2.0 gives you an opportunity to evaluate its decryption claim yourself: it allows you to decrypt 10 files as proof of successful decryption. The ransom application chooses the ten files randomly, and it also offers a button to copy the whole list to the clipboard. But when you open this window a second time, or after restarting the system, you might not see any file list there.
However, you can find this list in the f.wnry file, which is located mostly in C:\ProgramData\<randomtex><randomdigit>. Just open it in any text editor; it shows the last ten files decrypted by Wana Decrypt0r 2.0. You can see the code for f.wnry in the source code.
Fact behind single character wncry files
Like in movies, where the villain or hero calls their partner by a secret name such as Mr. X or Mrs. Angel007, the hacker followed the same approach here. The hacker group re-polished all file identities, and kept the extension (i.e. wnry) the same irrespective of the distinctive characteristics of the files. Let’s see them one by one:
File name | Description | Original Name |
---|---|---|
b.wnry | Bitmap file | @WanaDecryptor@.bmp |
c.wnry | Configuration File | config.ini (may differ) |
f.wnry | Text File | @Decrypted_File_List@.txt |
s.wnry | Zip Archive | TaskData.zip |
t.wnry | Encrypted DLL | unknown.DLL |
u.wnry | Executable File | @WanaDecryptor@.exe |
r.wnry | Text File | @Please_Read_Me@.txt |
Fact behind multi-zero figured files
In the same way, there are multi-zero-named files too. They are eight zero digits with four different extensions. However, you will see the dky extension only after receiving the private key from the hacker group to decrypt the files. It may appear after paying the ransom amount, or the user can retrieve the dky version from a memory dump before the ransomware encrypted it with the public key, while the application offers the trial decryption process.
However, we strongly recommend not paying a single dollar to the hacker group. There is no guarantee of their identity or assurance, and it is doubtful how the hacker is going to identify the user who actually paid. So, seriously, it’s a bad game. Coming time will clear all these things; until then, be patient and wait for a reliable solution. Now let’s look at the meaning of the multi-zero-named files.
Name | Description |
---|---|
00000000.eky | Ransomware public encrypted key with private key embedded inside the ransomware |
00000000.pky | Public key used for encrypting files |
00000000.res | Tor / Cryptomeria Cipher (C2) communication info |
00000000.dky | Decryption key sent by hacker group. In other words, it is the decrypted version of the 00000000.eky file |
Date & Time of File Last Modified by Hackers
Wanna Cry ransomware was first detected on 12 May 2017. Of course, the hackers made their last modification at 12:29 PM on 11 May 2017. How did we come to know this? We detected the tasksche.exe file (the name may differ) in the home folder of the ransomware, mostly located in C:\ProgramData\<random-alpha-numeric-directory>. This file also goes by different names:
- wnry.exe
- wcry.exe
- data_1.exe
- ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Surprisingly, tasksche.exe is a self-extracting executable with inbuilt ZIP extraction and the ability to trigger the encryption process. Moreover, you can extract this archive with good unzip tools. It is a password-protected ZIP file; the password is WNcry@2ol7. The eighth and ninth characters are the alphabetical characters ‘o’ and ‘l’ (letter O and letter L) respectively, not the numerals zero and one.
The unzipped tasksche.exe, aka tasksche.zip, reveals some interesting data. Following are the file and folder names along with their time stamps.
Name | Date Modified | Type | Size |
---|---|---|---|
msg | 16-05-2017 8:00 AM | File Folder | 1.33 MB |
b.wnry | 11-05-2017 4:43 PM | WNRY File | 1,407 KB |
c.wnry | 11-05-2017 4:41 PM | WNRY File | 1 KB |
r.wnry | 11-05-2017 12:29 PM | WNRY File | 1 KB |
s.wnry | 09-05-2017 1:28 PM | WNRY File | 2,968 KB |
t.wnry | 11-05-2017 10:52 PM | WNRY File | 65 KB |
taskdl.exe | 11-05-2017 10:52 PM | Application | 20 KB |
taskse.exe | 11-05-2017 10:52 PM | Application | 20 KB |
u.wnry | 11-05-2017 10:52 PM | WNRY File | 240 KB |
m_<language>.wnry | 20-11-2010 12:46 AM | WNRY File | 37 to 92 KB |
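Because tasksche.exe carries its payload as an ordinary ZIP appended to an executable stub, an analyst can inventory the archive members without the password and without extracting anything: ZIP entry names and sizes are stored in the clear even when the data is password-protected. The Python script below is an added example, not part of the original research; it carves the embedded archive by its local-header and end-of-central-directory signatures, lists the members, and reports whether each entry is flagged as encrypted. The dropper it analyses is constructed in the script itself (a fake MZ stub plus a small archive whose entry names mirror the table above, with placeholder contents), and the function names are our own.

```python
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"   # local file header signature
ZIP_EOCD_SIG = b"PK\x05\x06"    # end of central directory record signature


def find_embedded_zip(carrier: bytes):
    """Carve the ZIP archive carried inside a self-extracting executable.

    Returns the bytes from the first local file header up to the end of the
    EOCD record (including any archive comment), or None if no archive is found.
    """
    start = carrier.find(ZIP_LOCAL_SIG)
    end = carrier.rfind(ZIP_EOCD_SIG)
    if start < 0 or end < start or end + 22 > len(carrier):
        return None
    # The EOCD record is 22 bytes; the comment length sits at offset 20.
    comment_len = struct.unpack_from("<H", carrier, end + 20)[0]
    return carrier[start:end + 22 + comment_len]


def list_members(archive: bytes) -> list:
    """Inventory the archive without extracting any data.

    Entry names and sizes live in the central directory in the clear, so this
    works on a password-protected archive too; bit 0 of the general-purpose
    flags marks an encrypted entry.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [
            {
                "name": zi.filename,
                "size": zi.file_size,
                "encrypted": bool(zi.flag_bits & 0x1),
            }
            for zi in zf.infolist()
        ]


def triage(carrier: bytes) -> list:
    """Carve and inventory in one step; empty list when no archive is embedded."""
    archive = find_embedded_zip(carrier)
    return [] if archive is None else list_members(archive)


def build_constructed_dropper() -> bytes:
    """Constructed stand-in for a self-extracting dropper: a fake stub followed by a
    small ZIP whose entry names mirror the table above. Contents are placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("b.wnry", "placeholder bitmap")
        zf.writestr("c.wnry", "placeholder config")
        zf.writestr("msg/m_english.wnry", "placeholder message")
    stub = b"MZ" + bytes(200)   # fake executable stub; contains no ZIP signatures
    return stub + buf.getvalue()


if __name__ == "__main__":
    for member in triage(build_constructed_dropper()):
        print(member)
```

On a real sample, the encrypted flag will be set on every entry, and extraction (not done here) would need the password from the text above. Carving is done with the first local-header hit; a carrier whose stub happens to contain that four-byte signature elsewhere would need the search narrowed by the offsets recorded in the EOCD record.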
We are baking some more stuff to reveal facts about Wanna Cry. We will soon reveal a trick for resetting the countdown. Till then, stay connected.
Source: Based on research of Shankar Sham Bhumkar & Laxmikant Sham Bhumkar, India.
(Writers are from non-science background, so pardon them with leaving correction tips in comments)
Which software did you use to analyse this?
Greatly appreciated.
We have used an online decompiler named Retargetable Decompiler.
Very nice article!
Can you also make one on the “Melissa” virus?
Also, one suggestion. To protect from DDoS attacks, you are using this:
five*4=__
Can easily be passed with the help of AI.
Instead, you can use this:
Google Recaptcha
“Easy for Humans, hard for bots.”