WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses the EternalBlue MS17-010 exploit to propagate.
  • Ransom: between $300 and $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up, the virus exits instead of infecting the host (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. The kill switch does not work if the connection is proxied (source).

update: A minor variant of the virus has been found; it looks to have had the kill switch hex-edited out. This was not done by recompiling, so it was probably not done by the original malware author. That is the only change: the encryption keys are the same and the bitcoin addresses are the same. However, this variant is corrupt, so the ransomware aspect of it does not work; it only propagates.
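
As an added example (editor's code, not part of the gist), the following Python scans DNS resolver query logs for lookups of the kill-switch domain. The worm resolves and contacts that domain before it tries to spread, so a query from a host is evidence that the worm ran there; on a host that can only reach the Internet through a proxy the HTTP check cannot succeed, so, per the note above, the kill switch does not stop it and the hit should be handled as a live infection. The BIND-style log line format, the sample lines, the IP addresses and the PROXY_ONLY_HOSTS set are all constructed assumptions.

```python
import re
from collections import defaultdict

KILLSWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample resolver log (a BIND-style query-log format is assumed).
SAMPLE_LOG = """\
12-May-2017 10:15:01.123 client 10.0.4.17#51234: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
12-May-2017 10:15:02.456 client 10.0.4.17#51235: query: update.microsoft.com IN A + (10.0.0.2)
12-May-2017 10:15:03.789 client 10.0.9.80#40001: query: WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.0.0.2)
12-May-2017 10:15:04.000 client 10.0.5.5#33333: query: intranet.example.local IN A + (10.0.0.2)
12-May-2017 10:15:05.500 client 10.0.4.17#51236: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
"""

# Constructed: hosts with no direct Internet egress. For these the kill-switch
# HTTP request cannot succeed, so the worm carries on; treat hits as high priority.
PROXY_ONLY_HOSTS = {"10.0.9.80"}

LINE_RE = re.compile(r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN ")


def killswitch_queries(log_text):
    """Map client IP -> number of kill-switch lookups seen in the log text."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # Normalise: drop the trailing dot of an FQDN and ignore case.
        qname = m.group("qname").rstrip(".").lower()
        if qname == KILLSWITCH_DOMAIN:
            hits[m.group("ip")] += 1
    return dict(hits)


def triage(log_text, proxy_only_hosts=PROXY_ONLY_HOSTS):
    """Return (ip, count, severity) rows, highest severity first.

    "high": the host cannot reach the domain directly, so the kill switch did
    not stop the worm there. "medium": a direct-egress host on which the worm
    ran and, with the domain sinkholed, should have exited instead of spreading.
    Either way the host needs isolation and an MS17-010 patch check.
    """
    rows = []
    for ip, count in killswitch_queries(log_text).items():
        severity = "high" if ip in proxy_only_hosts else "medium"
        rows.append((ip, count, severity))
    return sorted(rows, key=lambda r: (r[2] != "high", r[0]))


if __name__ == "__main__":
    for ip, count, severity in triage(SAMPLE_LOG):
        print("%-12s %3d lookup(s)  severity=%s" % (ip, count, severity))
```

Feed the function your resolver's query log (or a passive-DNS export) instead of SAMPLE_LOG; adjust LINE_RE to your logger's format. The domain comparison is done on the normalised name, so case and trailing-dot variants are all caught.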

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Microsoft first patch for XP since 2014: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Exploit details: https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html

Vulnerable/Not Vulnerable

To be infected, a machine needs the SMB port (445) to be open, or to already be infected with DOUBLEPULSAR, and the kill switch must not be effective (domain not registered, somehow blocked, or the network only reaching it through a proxy).

The MS17-010 patch fixes the vulnerability.

  • Windows XP: Doesn't spread. If run manually, can encrypt files.
  • Windows 7,8,2008: can spread unpatched, can encrypt files.
  • Windows 10: Doesn't spread. Even though Windows 10 does have the faulty SMB driver.
  • Linux: Doesn't spread. If run manually with wine, can encrypt files.

Infections

Informative Tweets

Cryptography details

  • Each infection generates a new RSA-2048 keypair.
  • The public key is exported as a blob and saved to 00000000.pky.
  • The private key is encrypted with the ransomware authors' public key and saved as 00000000.eky.
  • Each file is encrypted using AES-128-CBC, with a unique AES key per file.
  • Each AES key is generated with CryptGenRandom.
  • The AES key is encrypted using the infection-specific RSA keypair.

The RSA public key used to encrypt the infection-specific RSA private key is embedded inside the DLL and owned by the ransomware authors.

Even more in-depth RE information by cyg_x1: https://pastebin.com/aaW2Rfb6

Bitcoin ransom addresses

3 addresses hard coded into the malware.

C&C centers

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Languages

All language ransom messages available here: https://transfer.sh/y6qco/WANNACRYDECRYPTOR-Ransomware-Messages-all-langs.zip

m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

File types

There are a number of files and folders WannaCrypt will avoid, some because encrypting them is pointless and others because it might destabilize the system. During scans it searches the path for the following strings and skips the entry if one is present:

  • "Content.IE5"
  • "Temporary Internet Files"
  • " This folder protects against ransomware. Modifying it will reduce protection"
  • "\Local Settings\Temp"
  • "\AppData\Local\Temp"
  • "\Program Files (x86)"
  • "\Program Files"
  • "\WINDOWS"
  • "\ProgramData"
  • "\Intel"
  • "$"

The filetypes it looks for to encrypt are:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

Credit: herulume, thanks for extracting this list from the binary.

More details came from https://pastebin.com/xZKU7Ph1, thanks to cyg_x11.

Some other interesting strings

Credit: nulldot, https://pastebin.com/0LrH05y2

Encrypted file format

#include <stdint.h>

#define WC_SIG_LEN    8     // "WANACRY!" is 8 bytes (64 bits)
#define WC_ENCKEY_LEN 256   // assumption: an RSA-2048 ciphertext of the AES key is 256 bytes

typedef struct _wc_file_t {
    char     sig[WC_SIG_LEN];    // 64 bit signature WANACRY!
    uint32_t keylen;             // length of encrypted key
    uint8_t  key[WC_ENCKEY_LEN]; // AES key encrypted with RSA
    uint32_t unknown;            // usually 3 or 4, unknown
    uint64_t datalen;            // length of file before encryption, obtained from GetFileSizeEx
    uint8_t *data;               // ciphertext: file data encrypted with AES-128 in CBC mode
} wc_file_t;

credit for reversing this file format info: cyg_x11.
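
As an added example (editor's code, not from the gist or its contributors), here is a Python parser for the wc_file_t header above, written for forensic triage: it confirms whether a file is really in the WANACRY! format and how much plaintext a decryptor would need to recover, without any key material, and it rejects files whose fields are inconsistent. Little-endian field layout, the 256-byte encrypted-key field size and the block-aligned ciphertext padding are assumptions; build_sample constructs random, key-free test input so the code runs offline.

```python
import os
import struct

WC_SIG = b"WANACRY!"    # the 8-byte ("64 bit") signature from the struct above
WC_ENCKEY_LEN = 256     # assumption: an RSA-2048 ciphertext of the AES key is 256 bytes
# Little-endian x86 layout (assumption): sig, keylen, key, unknown, datalen.
HEADER_FMT = "<8sI%dsIQ" % WC_ENCKEY_LEN
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 280 bytes
AES_BLOCK = 16


class NotWannaCryFile(ValueError):
    """Raised when a blob does not carry a consistent wc_file_t header."""


def parse_header(blob):
    """Return the header fields of an encrypted file as a dict.

    No key material is needed or used: this only tells you whether the file
    really is in the WANACRY! format and how much plaintext a decryptor would
    have to recover, which is what an incident responder needs first.
    """
    if len(blob) < HEADER_LEN:
        raise NotWannaCryFile("too short for a wc_file_t header")
    sig, keylen, key, unknown, datalen = struct.unpack_from(HEADER_FMT, blob, 0)
    if sig != WC_SIG:
        raise NotWannaCryFile("bad signature %r" % sig)
    if keylen == 0 or keylen > WC_ENCKEY_LEN:
        raise NotWannaCryFile("keylen %d does not fit the key field" % keylen)
    ciphertext_len = len(blob) - HEADER_LEN
    # AES-CBC output is whole blocks and can never be shorter than the plaintext.
    if ciphertext_len % AES_BLOCK != 0 or ciphertext_len < datalen:
        raise NotWannaCryFile("ciphertext length %d inconsistent with datalen %d"
                              % (ciphertext_len, datalen))
    return {
        "keylen": keylen,
        "enc_aes_key": key[:keylen],   # per-file AES key, still RSA-encrypted
        "unknown": unknown,
        "datalen": datalen,
        "ciphertext_len": ciphertext_len,
    }


def is_wannacry_file(blob):
    """Boolean form of parse_header for bulk triage of a directory tree."""
    try:
        parse_header(blob)
        return True
    except NotWannaCryFile:
        return False


def build_sample(plaintext_len, unknown=4):
    """Construct a syntactically valid sample (random bytes, no real keys or data).

    Exists only so this example runs offline. The ciphertext is rounded up to
    a block boundary, which is why the format carries datalen at all.
    """
    padded_len = -(-plaintext_len // AES_BLOCK) * AES_BLOCK
    header = struct.pack(HEADER_FMT, WC_SIG, WC_ENCKEY_LEN,
                         os.urandom(WC_ENCKEY_LEN), unknown, plaintext_len)
    return header + os.urandom(padded_len)


if __name__ == "__main__":
    fields = parse_header(build_sample(1000))
    print("header %d bytes, %d bytes of plaintext, %d bytes of ciphertext"
          % (HEADER_LEN, fields["datalen"], fields["ciphertext_len"]))
```

To use it on a real case, read each candidate file in binary mode and call is_wannacry_file; the enc_aes_key field returned by parse_header is what a decryptor would have to pass to the infection's private key (00000000.dky) before any file content can be recovered.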

Vulnerability disclosure

The specific vulnerability that it uses to propagate is ETERNALBLUE.

This was developed by the "Equation Group", an exploit developer group associated with the NSA, and leaked to the public by "The Shadow Brokers". Microsoft fixed this vulnerability on March 14, 2017, so these exploits were not 0-days at the time of their public release.

paragonie-scott May 12, 2017

RSA-2048 uses the default padding mode (PKCS1v1.5). If the C2 server does a live decrypt with an RSA keypair, a padding oracle exploit should be straightforward.

roycewilliams May 12, 2017

From private email:
"The e-mail subjects we have seen so far are: FILE_<5 numbers>, SCAN_<5 numbers> , PDF_<4 or 5 numbers>"
"the attachment is always nm.pdf"
[Edit: as noted by @SecMonkey below, this is a sign of different ransomware, not WannaCry]

Independent detection of the vulnerability (Python and Metasploit module): https://github.com/RiskSense-Ops/MS17-010/tree/master/scanners

karel-3d May 12, 2017

Are the files actually decrypted after paying the ransom?

How is the payment detected if the addresses are hardcoded?

I can't get info about that anywhere

paragonie-scott May 12, 2017

Are the files actually decrypted after paying the ransom?

I don't know. I'll ask.

How is the payment detected if the addresses are hardcoded?

Well, the ransomware does generate a RSA keypair and send the private key to their C2 server. It's likely they hand over the private key upon successful ransom payment, and it then (hopefully) decrypts all your files after you supply the correct private key.

karel-3d May 12, 2017

I mean, the bitcoin network is pseudonymous, so the ransomware cannot detect which payment belongs to which victim.

Which leads me to think the ransomware is actually not decrypting anything, since it has no way of knowing which victim actually paid and which did not.

Maybe, there might be some human interaction involved - the attackers asking for original addresses and manually confirming, which makes sense based on the "open hours" in the text - but I am not sure how would that work either.

Thynix May 12, 2017

From the screenshot I've seen it offers limited sample decryption: https://twitter.com/i/moments/863117044161536000

You can decrypt some of your files for free. Try now by clicking <Decrypt>.

How viable would it be to write another application to extract the decryption key it uses to do this?

SchizoDuckie May 12, 2017

@Thynix : I wouldn't be surprised if it uses a secondary embedded key to encrypt just these files.
This seems quite a sophisticated thing, and that would be a stupid thing to do.

eur0pa May 12, 2017

Creating a "MsWinZonesCacheCounterMutexA" mutex will prevent the ransomware from starting

https://twitter.com/gN3mes1s/status/863149075159543808

gstevenson May 12, 2017

Easiest way to verify patches are up to date on a single machine? Looking for something automated..

h3ku May 12, 2017

@runn1ng I'm with you, it impossible to them know if some company pay or not, I search in the transaction for any comment or something that can be used as an identifier but nothing appears, a think they don't gonna decrypt the files.

jbfuzier May 12, 2017

wmic qfe list gives the list of kb installed, check that one of the kb for your os is installed : https://technet.microsoft.com/en-us/library/security/ms17-010.aspx?f=255&MSPPError=-2147217396

Ex for win7 sp1 you should have KB4012212 or KB4012215

gstevenson May 12, 2017

@jbfuzier Ugh, had a browse through some of our internal and production servers and we're running a few different OS's. Add to that our internal network (laptops and desktops) and that's not going to be fun.

And throw this into the mix: https://www.reddit.com/r/netsec/comments/6atfkl/wanacrypt0r_ransomware_hits_it_big_just_before/dhhdr3u/

Just as a heads up for people reading: KB4013429 has been replaced (through a long chain) by KB4019472. This affects Win10.1607 and WinServer 2016 users.
Replacement chain:
KB4013429
KB4015438
KB4016635
KB4015217
KB4019472
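
An added example (editor's code, not part of this thread) that automates what jbfuzier and gstevenson describe: parse the output of `wmic qfe list` and check it against the MS17-010 KB numbers quoted here, including the Windows 10 1607 / Server 2016 replacement chain, since any later update in that chain supersedes KB4013429. The sample wmic output is constructed, the OS family keys are my own naming, and the KB map holds only the numbers given in this thread; other OS versions must be added from the MS17-010 bulletin.

```python
import re

# KB numbers quoted in this thread only; extend from the MS17-010 bulletin for other OSes.
MS17_010_KBS = {
    # Windows 7 SP1 / Windows Server 2008 R2: either one is sufficient
    "win7sp1_2008r2": {"KB4012212", "KB4012215"},
    # Windows 10 1607 / Windows Server 2016: the original fix and each cumulative
    # update that replaced it (KB4013429 -> ... -> KB4019472)
    "win10_1607_2016": {"KB4013429", "KB4015438", "KB4016635", "KB4015217", "KB4019472"},
}

# Constructed sample of `wmic qfe list` output for a Windows 7 SP1 host.
SAMPLE_WMIC = """\
Caption                                     CSName  Description      FixComments  HotFixID   InstalledBy          InstalledOn
http://support.microsoft.com/?kbid=2849697  HOST01  Update                        KB2849697  NT AUTHORITY\\SYSTEM  6/18/2013
http://support.microsoft.com/?kbid=4012212  HOST01  Security Update               KB4012212  NT AUTHORITY\\SYSTEM  3/15/2017
"""

KB_RE = re.compile(r"\bKB\d{6,7}\b")


def installed_kbs(wmic_output):
    """Set of KB identifiers present in `wmic qfe list` output.

    Only the HotFixID column carries a KBnnnnnnn token (the Caption column
    writes the number without the prefix), so a regex over each line suffices.
    """
    kbs = set()
    for line in wmic_output.splitlines()[1:]:   # first line is the column header
        kbs.update(KB_RE.findall(line))
    return kbs


def ms17_010_status(wmic_output, os_family):
    """Return (patched, matching_kbs) for an OS family key of MS17_010_KBS."""
    if os_family not in MS17_010_KBS:
        raise KeyError("no KB list for %r; add it from the MS17-010 bulletin" % os_family)
    present = installed_kbs(wmic_output) & MS17_010_KBS[os_family]
    return bool(present), sorted(present)


if __name__ == "__main__":
    import subprocess
    import sys
    # On a Windows host, feed the live output instead of the constructed sample.
    if sys.platform == "win32":
        output = subprocess.run(["wmic", "qfe", "list"], capture_output=True, text=True).stdout
    else:
        output = SAMPLE_WMIC
    patched, kbs = ms17_010_status(output, "win7sp1_2008r2")
    print("MS17-010 patched:", patched, kbs)
```

A negative result means none of the listed KBs is installed, not that the host is necessarily vulnerable: a later cumulative update not in the map would also carry the fix, so keep the map current against the bulletin before trusting a "not patched" verdict fleet-wide.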

@jbfuzier

@gstevenson Thanks MS !

dezren39 May 12, 2017

Couldn't you just send them your public key and then they decrypt whoever sends them the key first? I'd recommend sending your key to them first, then paying. Actually, I'd recommend wiping the drive and using those offline/offsite backups that totally exist. They could rip you off, most ransomware seems to.. but a big op would want to decrypt so that the word got out that it works, right?

Edit: I'm not sure if the check payment or contact us page has a thing to 'message' them something like your public key though. Haven't played with the software personally.

Keisial May 12, 2017

@roycewilliams Could some samples of such emails be shared?

sheeit May 13, 2017

That's what you get for using Windows.

0E800 May 13, 2017

^ kek - so true. Says the guy that also uses an iPhone 👍

Save time searching for the patch for:

2008 R2
March, 2017 Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems (KB4012212)
windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu

Windows 7.

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212

Or play with the url.

Anyone have a registry hack for XP and 2003 servers? Any special port to block?

aTastyCookie May 13, 2017

Use this like hot fix
dism /online /norestart /disable-feature /featurename:SMB1Protocol

GarryMartin May 13, 2017

Microsoft have released custom support patch for Windows XP, Windows 8 and Windows Server 2003 systems
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

S0m3Th1nG-AwFul May 13, 2017

"Microsoft first patch for XP since 2017" — you probably meant "since 2014"?

ghost May 13, 2017

An Italian university in Milan has also been hit. Here's the link to my fork with the revision if you want to integrate the info - https://gist.github.com/errantbot/b83e1ff48a45378a26cbacf10a57193c

pe3zx May 13, 2017

I wrote Hybrid-Analysis sample crawler with provided hash on AlienVault OTX and just noticed this early sample.

RealLitb May 13, 2017

@paragonie-scott "the ransomware does generate a RSA keypair and send the private key to their C2 server". But this gist says "https://haxx.in/key1.bin (the ransomware pubkey, used to encrypt the aes keys)". I don't understand how both of this can be true. So, will it always generate the same keypair? Or are there multiple versions around?

HillReywer May 13, 2017

Misprint: Сбера bank - Sberbank Russia

Riatre May 13, 2017

@RealLitb It seems like the description in gist is slightly off. The correct one should be "The ransomware pubkey, used to encrypt generated keypair."

rain-1 May 13, 2017

Thank you very much @Riatre

I have updated the cryptographic information with the corrections.

Riatre May 13, 2017

@rain-1

The public key here is used to encrypt a generated RSA key pair, which in turn is used to encrypt generated AES key. A brief description of what it actually does when it's trying to initialize the key:

  1. Try to load a public key from 00000000.pky, use it as the local key
  2. Otherwise, generate a new RSA 2048 keypair via CryptGenKey, then export PUBLICKEYBLOB to 00000000.pky unencrypted. Export PRIVATEKEYBLOB, encrypt with the public key https://haxx.in/key1.bin (the master key), write to 00000000.eky. Here the encryption is done with CryptEncrypt, thus the default RSA+AES suite provided by Cryptographic Service Providers.
  3. Load a public key from 00000000.pky (which is just written in step 2), use as the local key.
  4. For each victim file, generate an AES key, use this AES key to encrypt the file. Then encrypt the AES key with the local key. Write the encrypted AES key and encrypted file content to the victim file.

I don't know how to give you a source, as I myself is a reverse engineer and staring at the code. Maybe check http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/? Their description of 00000000.eky is off but other parts seems correct to me.

EDIT: Cool! Just saw the updated description, seems like I'm too slow documenting these :P

rain-1 May 13, 2017

Based on the latest reverse engineering I think there is a path to recovering files, but only if the malware author chooses to release his master key:

  • The original malware author should release the private key associated with the public used in the virus.
  • We can then use it to write a program that decrypts 00000000.eky into 00000000.dky
  • We can then use 00000000.dky along with a modified version of the malware to decrypt the files.

rain-1 May 13, 2017

@Riatre, Thank you very very much for your corrections to the public information about this! Would you like to join irc.freenode.net #wannadecrypt in this channel people have been working on RE and other research?

zerodword May 13, 2017

If EternalBlue is used only to exploit Windows 7 and Windows Server 2008, how machines on other versions of Windows are infecting? Do they use specific version of tool or they wrote their own one?

rain-1 May 13, 2017

Diagram of the Worm [image: WANACRY]

JustKappaMan May 13, 2017

Is there any source code?

vladimirc81 May 13, 2017

index of servers infected with wannacry google dork: intitle:“Index of" "/ .WNCRY”

aviraxp May 13, 2017

My university blocks the connection to www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Don't know why.

Edit: Oops, I am wrong. They redirect it to our university homepage, to make sure everyone can get connected to it.

JMuckley May 13, 2017

Have there been any confirmed reports of users receiving the decryption key and successfully decrypting their files following paying the ransom?

Epivalent May 13, 2017

still no reports of successful decryption. looking at decryptor.exe still to see how it would work in theory.

Sjors May 13, 2017

If for whatever reason the malware author wants to claim attribution, they should sign a message using the private key of one of the bitcoin addresses. I challenged 0xSpamTech (see "claimed attrib" above) to do so. Given the nonsense they spouted in this tweet, I doubt they will sign such a message, but you never know.

jedisct1 May 13, 2017

Anyone have the dropper?

Sjors May 13, 2017

The new version (?) item points to a tweet from April 11th.

Riatre May 13, 2017

@jedisct1
Search 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c on Google for a sample of worm.

@Epivalent

Yara rules for WannaCrypt: https://pastebin.com/FKgEjYHu

path-braenaru May 13, 2017

Four YARA rules, one generic for variants, two for older specific samples and one for the NHS wcry/doublepulsar bundle strain

https://pastebin.com/FKgEjYHu

defuse May 13, 2017

How does the "You can decrypt some of your files for free" decryption work? I can imagine some possibilities:

  1. It just leaves some files unencrypted and pretends they're encrypted and stops pretending when you want to do the decrypt test,
  2. It sends 00000000.eky to the C&C server which returns the decrypted private key. Then it's erased locally after decrypting the test files,
  3. It sends the pair (00000000.eky, the encrypted AES key) to the C&C server which returns the decrypted AES key.

If (2) then a decrypter is possible by keeping a copy of the decrypted private key.

If (3), then how does the C&C server enforce a limit on how many files can be decrypted? Is it based on a counter per unique 00000000.eky? Is 00000000.eky malleable somehow so that it can appear as different to get more decryptions allowed out of the C&C?

(@paragonie-scott's idea) If (2) or (3) then can we use a padding oracle attack against the C&C server to learn either the master private key or the specific infection's 00000000.dky?

Also it's still not clear to me how bitcoin payments are tied to the individual infection if the addresses are hardcoded -- what stops someone from paying once and then everyone can claim that as their payment? Does it ask you to provide a txid (unauthenticated) after you pay or something like that?

Shadow0ps May 13, 2017

Do we have a link to the decryptor.exe?

path-braenaru May 13, 2017

The decryptor is bundled as a file with the original infection, so one gains a decryptor when one is infected

ghost May 13, 2017

Updated list of samples, again link to revision if you want to include the info - https://gist.github.com/errantbot/fd6811395842894c70772931013742e2

cybernova May 13, 2017

I have found the private key of this:
https://haxx.in/key1.bin (the ransomware pubkey, used to encrypt the users private key)
Private key in hex (2048 bit):
b9a8170420e48302d90f30fa928b45cc9c2907c56b17020c1fc174bf875dba2a1033e11d53efff4d515714a60157c99cced7aafda243d495a089b9e14fa96f1b4a657ba70bd6d221a9c022a506b7fd8fe0d9b9c832d1fe8c82c68ff035d68431d8bad97c4fbe5a9ee6c39a18004c8a345183b627636d5ec15415c49f900aab354029fe0ec3d681d90d279ff96963b83af9f3ed6290b54cc66c301ac556a4b77ba28c12d3268a854176b6f6501f3cf3ba3b769b86d52fca3ac5d8041a29686fc84f3082e897a6eaa7a0a37d1c7711ca6fd33c43cf346d6c341031e3eeda81ad02ae621735061f77bfffe24767ebb2e868c6e236cd261f73f39fb1b0cfbbf3465

cybernova May 13, 2017

I tried to encrypt something with the master public key and decrypt the result with the private key that I found, and it gives me the original plain text. Can someone confirm?

defuse May 13, 2017

@cybernova: Can you share the code that you used to do it (will save me some time trying to confirm)? Also how did you get the private key?

defuse May 13, 2017

@cybernova: I might be reading the code wrong but according to this the modulus of the private key (75974c3b...f1ce) is encoded in little-endian and your library's hex to BigInteger code is interpreting it as big-endian. The actual modulus interpreted with the wrong endianness will probably have small factors (and so is easily factorable), so I think that's what happened.

RomelSan May 13, 2017

SMB v1 is vulnerable even if you patch the system... There will be another exploit at any time... it is better to disable SMB v1.
Follow my manual instructions or use the GUI I made in PowerShell 3 weeks ago.
https://github.com/RomelSan/SMB1-Disabler

vladimirc81 May 13, 2017

I just found that wanna18@hotmail is connected with wa*****@statravel.com

hinell May 13, 2017

Сбербанк - Sberbank Russia (russia)

This information is inaccurate. According to reports from a bank employee, there is only one stand-alone terminal that is infected, and it doesn't belong to the bank itself and doesn't have access to the bank's servers anyway, except via the WAN/internet.

https://twitter.com/sberbank/status/863347998645989377
https://twitter.com/sberbank/status/863347953137840128

rain-1 May 13, 2017

@hinell, Sberbank has no need to be embarrassed. Everybody got hacked. Thank you for the info.

WestfW May 13, 2017

Try to load a public key from 00000000.pky, use it as the local key

What happens if YOU create a 00000000.pky file containing a public key for which you also possess the private key?

cybernova May 14, 2017

@defuse: you're right, good reply!

Zaicheda May 14, 2017

@cybernova @defuse so there is no way to make a decrypter?

defuse May 14, 2017

@Zaicheda: Not that we know of. Maybe one of these ideas will work, but I'm not good enough at reversing malware to figure it out myself.

ericwong3 May 14, 2017

@Zaicheda probably not, rsa2048 aint no joke

Zaicheda May 14, 2017

@ericwong3 @defuse can any agency or whitehat be the hero of this malware?

Toxyl May 14, 2017

@defuse the infection doesn't require internet access, nor does the decryption demo. Tested on a Windows 7 VM: the files it claimed as being decrypted were plain text, but I didn't check if they were encrypted before. Also it seems to be random which files it decrypts (if it does it at all).

If decrypting offline does actually work, it would mean that everything needed is there and the only thing the C&Cs are contacted for is to receive a simple true/false answer, so maybe one can hijack the function (via DLL injection) that handles the result? Something like "if (true) return true;"

Unfortunately my decompile only returns this for the function in question:

// Address range: 0x401970 - 0x4019cf
int32_t function_401970(int32_t a1) {
    // 0x401970
    abort();
    // UNREACHABLE
}

and it's called a lot from here (note the strings!):

int32_t function_401600(int32_t a1, int32_t lParam, int32_t a3, int32_t a4) {
    g2 = a1 - 0x4e20;
    int32_t v1 = pointer_active_process; // esi
    int32_t v2;
    char * v3; // bp-20
    int32_t v4; // bp-32
    int32_t v5; // 0x401747
    int32_t v6; // 0x40174a
    int32_t v7; // 0x40174b
    if (a1 == 0x4e20) {
        // 0x4016e5
        if (lParam == 0) {
            // 0x4016e9
            v2 = pointer_active_process;
            int32_t v8 = &v2; // 0x4016e9_0
            v3 = "Connected";
            _qm__qm_0CString__QAE_PBD_Z();
            function_401970((int32_t)v3);
            int32_t hWnd = *(int32_t *)(v1 + 128); // 0x401701
            int32_t result = SendMessageA((char *)hWnd, 1026, 30, lParam); // 0x401710
            g2 = result;
            pointer_active_process = v1;
            v4 = a1;
            *(int32_t *)(v1 + 176) = 35;
            _qm_DefWindowProcA_CWnd__MAEJIIJ_Z(v4, lParam, v8);
            g6 = v4;
            g8 = lParam;
            g4 = v8;
            return result;
        }
        // 0x401734
        if (lParam == -1) {
            // 0x401739
            *(int32_t *)(pointer_active_process + 168) = -1;
            v7 = a1;
            v6 = lParam;
            v5 = v1;
            // branch -> 0x401743
        } else {
            v7 = 0x4e20;
            v6 = lParam;
            v5 = pointer_active_process;
        }
        // 0x401743
        pointer_active_process = v5;
        v2 = a3;
        _qm_DefWindowProcA_CWnd__MAEJIIJ_Z(v7, v6, a3);
        g6 = v7;
        g8 = (int32_t)(char *)v6;
        g4 = v2;
        return g2;
    }
    int32_t v9 = a1 - 0x4e21; // 0x40161a
    g2 = v9;
    if (v9 == 0) {
        // 0x40168f
        if (lParam == 0) {
            // 0x401693
            v2 = pointer_active_process;
            int32_t v10 = &v2; // 0x401693_0
            v3 = "Sent request";
            _qm__qm_0CString__QAE_PBD_Z();
            function_401970((int32_t)v3);
            int32_t hWnd2 = *(int32_t *)(v1 + 128); // 0x4016ab
            int32_t result2 = SendMessageA((char *)hWnd2, 1026, 35, lParam); // 0x4016ba
            g2 = result2;
            pointer_active_process = v1;
            v4 = a1;
            *(int32_t *)(v1 + 176) = 40;
            _qm_DefWindowProcA_CWnd__MAEJIIJ_Z(v4, lParam, v10);
            g6 = v4;
            g8 = lParam;
            g4 = v10;
            return result2;
        }
        // 0x4016de
        if (lParam == -1) {
            // 0x401739
            *(int32_t *)(pointer_active_process + 168) = -1;
            v7 = a1;
            v6 = lParam;
            v5 = v1;
            // branch -> 0x401743
        } else {
            v7 = a1;
            v6 = lParam;
            v5 = pointer_active_process;
        }
    } else {
        int32_t v11 = a1 - 0x4e22; // 0x40161d
        g2 = v11;
        if (v11 == 0) {
            // 0x401624
            if (lParam == 0) {
                // 0x401628
                v2 = pointer_active_process;
                int32_t v12 = &v2; // 0x401628_0
                v3 = "Received response";
                _qm__qm_0CString__QAE_PBD_Z();
                function_401970((int32_t)v3);
                pointer_active_process = v1;
                v4 = a1;
                *(int32_t *)(v1 + 168) = 1;
                _qm_DefWindowProcA_CWnd__MAEJIIJ_Z(v4, lParam, v12);
                g6 = v4;
                g8 = lParam;
                g4 = v12;
                return 0;
            }
            // 0x40165e
            if (lParam == 1) {
                // 0x401663
                v2 = pointer_active_process;
                int32_t v13 = &v2; // 0x401663_0
                v3 = "Succeed";
                _qm__qm_0CString__QAE_PBD_Z();
                function_401970((int32_t)v3);
                pointer_active_process = v1;
                _qm_DefWindowProcA_CWnd__MAEJIIJ_Z(a1, lParam, v13);
                g6 = a1;
                g8 = lParam;
                g4 = v13;
                return 0;
            }
            // 0x4016de
            if (lParam == -1) {
                // 0x401739
                *(int32_t *)(pointer_active_process + 168) = -1;
                v7 = a1;
                v6 = lParam;
                v5 = v1;
                // branch -> 0x401743
            } else {
                v7 = a1;
                v6 = lParam;
                v5 = pointer_active_process;
            }
        } else {
            v7 = a1;
            v6 = lParam;
            v5 = pointer_active_process;
        }
    }
    // 0x401743
    pointer_active_process = v5;
    v2 = a3;
    _qm_DefWindowProcA_CWnd__MAEJIIJ_Z(v7, v6, a3);
    g6 = v7;
    g8 = (int32_t)(char *)v6;
    g4 = v2;
    return g2;
}

nickfox-taterli May 14, 2017

@cybernova so that private key is wrong?

nickfox-taterli May 14, 2017

I tested what happens when the time runs out: nothing (nothing gets deleted).

Toxyl May 14, 2017

// file: c.wnry 
// bytes 0x70 - 0x73: expiration date time
// bytes 0x7E - 0x7F: ???
// bytes 0x86 - 0xD7: bitcoin wallet

anyone an idea what 0x7E is?


wzxjohn May 14, 2017

@defuse According to some research, the ransomware randomly chooses some files and encrypts their AES keys with the embedded RSA key. So the decrypt demo can only decrypt the files in this list.

@cybernova The key format is Microsoft's PUBLICKEYBLOB and PRIVATEKEYBLOB; you can use openssl to convert them into PEM or DER format.

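As an added example (not code from the gist, from cybernova's tool, or from the malware), here is a parser for the CryptoAPI PUBLICKEYBLOB/PRIVATEKEYBLOB layout wzxjohn names, built around the little-endian integers defuse points to: the same bytes read big-endian give an unrelated modulus. It uses a toy 63-bit key made from two well-known primes so it runs offline; the toy key standing in for the real one is the only assumption beyond the documented layout.

```python
"""Parse Microsoft CryptoAPI RSA key blobs and show the endianness trap.

Added example, not code from the gist. Layout per the CryptoAPI docs:
BLOBHEADER (bType, bVersion, reserved, aiKeyAlg), RSAPUBKEY (magic,
bitlen, pubexp), then the key integers, each stored LITTLE-endian.
The key below is a toy one (two well-known primes), not the real key.
"""
import struct

PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX, CALG_RSA_SIGN = 0x0000A400, 0x00002400
MAGIC_RSA1, MAGIC_RSA2 = b"RSA1", b"RSA2"  # public / private key magic

# Toy key: p = 2**31 - 1 (Mersenne prime), q = 2**32 - 5 (largest prime < 2**32).
# n is 63 bits, so it fits the 8-byte modulus field of a bitlen=64 blob.
TOY_P, TOY_Q, TOY_E = 2147483647, 4294967291, 65537


def _is_prime(n: int) -> bool:
    """Trial division; fine for the ~32-bit toy primes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def make_toy_key():
    """Returns (n, e, d, p, q) for the toy key."""
    p, q, e = TOY_P, TOY_Q, TOY_E
    d = pow(e, -1, (p - 1) * (q - 1))
    return p * q, e, d, p, q


def _le(x: int, nbytes: int) -> bytes:
    return x.to_bytes(nbytes, "little")


def build_blob(n: int, e: int, bitlen: int, priv=None) -> bytes:
    """PUBLICKEYBLOB, or PRIVATEKEYBLOB when priv=(d, p, q) is given."""
    btype, magic = ((PUBLICKEYBLOB, MAGIC_RSA1) if priv is None
                    else (PRIVATEKEYBLOB, MAGIC_RSA2))
    blob = struct.pack("<BBHI", btype, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    blob += magic + struct.pack("<II", bitlen, e) + _le(n, bitlen // 8)
    if priv is not None:
        d, p, q = priv
        half = bitlen // 16
        # prime1, prime2, exponent1, exponent2, coefficient: CryptoAPI order
        for x in (p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)):
            blob += _le(x, half)
        blob += _le(d, bitlen // 8)  # privateExponent
    return blob


def parse_blob(blob: bytes, byteorder: str = "little") -> dict:
    """Parse either blob type. byteorder="big" reproduces the misread."""
    btype, ver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic = blob[8:12]
    bitlen, e = struct.unpack_from("<II", blob, 12)
    if ver != CUR_BLOB_VERSION or alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN):
        raise ValueError("not an RSA CryptoAPI blob")
    if magic != {PUBLICKEYBLOB: MAGIC_RSA1, PRIVATEKEYBLOB: MAGIC_RSA2}.get(btype):
        raise ValueError("blob type / magic mismatch")
    nbytes, half, off = bitlen // 8, bitlen // 16, 20
    key = {"type": btype, "bitlen": bitlen, "e": e}
    key["n"] = int.from_bytes(blob[off:off + nbytes], byteorder)
    off += nbytes
    if btype == PRIVATEKEYBLOB:
        for name in ("p", "q", "dp", "dq", "iq"):
            key[name] = int.from_bytes(blob[off:off + half], byteorder)
            off += half
        key["d"] = int.from_bytes(blob[off:off + nbytes], byteorder)
    return key


def roundtrip_ok(pub_blob: bytes, priv_blob: bytes, msg: int = 0x1234567) -> bool:
    """Textbook RSA with the parsed integers: does the private blob undo the public one?"""
    pub, priv = parse_blob(pub_blob), parse_blob(priv_blob)
    c = pow(msg, pub["e"], pub["n"])
    return pow(c, priv["d"], priv["n"]) == msg


def smallest_factor(n: int, limit: int = 1 << 16):
    """Smallest prime factor below limit, or None; a misread modulus often has one."""
    for f in range(2, limit):
        if n % f == 0:
            return f
    return None


if __name__ == "__main__":
    n, e, d, p, q = make_toy_key()
    pub = build_blob(n, e, 64)
    priv = build_blob(n, e, 64, priv=(d, p, q))
    print("round trip with little-endian parse:", roundtrip_ok(pub, priv))
    wrong = parse_blob(pub, byteorder="big")["n"]
    print("modulus read big-endian equals real n?", wrong == n)
    print("small factor of misread modulus:", smallest_factor(wrong))
```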
defuse May 14, 2017

@Toxyl: What binary is that from? I spent some time poking around CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE and CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE trying to trace backwards from calls to CryptDecrypt() and didn't come across that.

gibethub May 14, 2017

"Their message in Filipino language is very bad/wrongly translated - don't use google translate!"

wzxjohn May 14, 2017

@kingex1124 This is only a fake popup. No file has really been decrypted.

thez3r0 May 14, 2017

Still we are in the same place. The infection is going on, and still we don't have any decryptor.

thez3r0 May 14, 2017

The kill switch is patched in the new version. Anyone having an update on it??

nickfox-taterli May 14, 2017

@wzxjohn @defuse I guess there is no way to decrypt WannaCrypt0r files; one would have to break/crack/try out the RSA key. But QiHoo 360 (China) say they decrypt the key, but I cannot verify it; there are no tools.

thez3r0 May 14, 2017

@nickfox-taterli where did QiHoo 360 say that? "But QiHoo 360 (China)say that decrypt the key, but I can not verify.not any tools."

Riatre May 14, 2017

@nickfox-taterli @kingex1124

Qihoo 360 said "本工具的文件恢复成功率会受到文件数量、时间、磁盘操作情况等因素影响。一般来说,中毒后越早恢复,成功的几率越高。", which translates to "The success rate of this tool depends on the number of files, time, disk operations and more. Generally, earlier you run this after being hit, higher the success rate."

Based on their description I believe they are trying to do some file recovery things. They don't have the private key.

EDIT: The malware doesn't overwrite in place all the files it encrypts. Sometimes (?) it writes the encrypted file content to a new file and then removes the original file. In this case traditional file undeletion tools might work.

nickfox-taterli May 14, 2017

My Chinese friend told me the message popped up in 360safe manager two hours ago, but at that time no tools could be downloaded.

Riatre May 14, 2017

@nickfox-taterli

Yeah I'm pretty sure it just does undeletion. It stated "360深入分析病毒原理,发现有可能恢复一定比例文件的急救方案" (360 analyzed how virus works and found it's possible to recover a certain percentage of files). It is not a full decryption.

There are some success stories, so if someone is affected and can read Chinese they might want to try it. Thanks for linking this!
(And if you can't read Chinese you might try some other offline data recovery tools; remember to disconnect your drive ASAP for that.)

Toxyl May 14, 2017

@defuse The binary was the WanaDecryptor I downloaded from one of the infected servers, and then decompiled with this site: https://retdec.com/decompilation-run/

Toxyl May 14, 2017

just set my infected VM's time a year into the future, so by then the worm should have deleted files. reboot and guess what? no files deleted. so that's just a paper tiger.

OsandaMalith May 14, 2017

v4 = InternetOpenA(0, 1u, 0, 0, 0);
1 = INTERNET_OPEN_TYPE_DIRECT

If you are under proxy the kill switch won't work.

wzxjohn May 14, 2017

@nickfox-taterli @thez3r0 @Riatre Qihoo 360 just released the old decrypt tool again... Maybe they added some feature to do data recovery; it is not really a decrypt program.

cryptohazard May 14, 2017

Hi all, I have a question concerning the 00000000.pky

  1. Where is it saved?
  2. Can you confirm that the ransomware will use that file if I put it there beforehand? This means we could generate our own key and decrypt the files in case of infection, as defense-in-depth.
  3. This is also an entry point to get the master private key if they were not careful on the entry for RSA encryption.

GarryMartin May 14, 2017

Possible hexedit and re-release with modified domain re: killswitch
https://twitter.com/msuiche/status/863730377642442752

rain-1 May 14, 2017

@cryptohazard, "if you run the exe from anything but C drive, it will create the Intel\random_bit directory and take a nap there. else, it's the current directory" analysis by clickjack. Example of "random_bit": https://swoosh.s3-eu-central-1.amazonaws.com/ss/QXILWzTYIDGW.png

wzxjohn May 14, 2017

@cryptohazard If you can put the key in place before the ransomware runs, why not just do something to prevent it from running?

@cryptohazard

cryptohazard May 14, 2017

@rain-1 so:

  1. For the C drive, can I make it use my key? (that would be awesome, I think)
  2. For the other locations, does it keep track of the folder or, for instance if you restart it, does it use a new folder?

I guess my idea won't work for defense overall.

@wzxjohn Apparently, a lot of machines are not or will not be updated. It could have been a worst-case option.

@roycewilliams

roycewilliams May 14, 2017

https://twitter.com/hackerfantastic/status/863807098177679360
https://github.com/HackerFantastic/Public/blob/master/tools/WCRYSLAP.zip

"Code to prevent WCRY ransomware on an unpatched host, registers the mutex used by the payload to prevent an infection from being run on the host. Inoculates the host by registering the same mutex. This won't stop your host being infected with the worm and used to infect other hosts but it will stop the ransomware component from being executed on a vulnerable host"

@Shadow0ps

Shadow0ps May 14, 2017

Does anyone have a "rate of file encryption"? Looks like the average time to spread is about 3 minutes based on our honeypot and internal lab tests (can anyone confirm similar on their end?)

@wyatthuckaby

wyatthuckaby May 14, 2017

Does anyone have an actual sample of an encrypted file?

@cryptohazard

cryptohazard May 14, 2017

For what it is worth, I converted the public key to PEM format:
https://pastebin.com/c561kZqy

@Shadow0ps

Shadow0ps May 14, 2017

@pnelego I think we have one in our lab; if you want to look at it you can DM our engineer on Twitter. If everyone else wants a copy here I can publish it, but I don't want to muddy up the stream.

Twitter: https://twitter.com/Shadow0pz

@Shadow0ps

Shadow0ps May 14, 2017

Disk begins to fill very rapidly (2GB/MIN) once the date/time is accelerated past the ransom date. Rolling the date back has no effect on the disk filling in our lab environment. Can anyone confirm similar behavior?

@thaidn

thaidn May 14, 2017

I wanna look at the encryptor code (to find flaws if possible), which DLL should I look at?

@roycewilliams

roycewilliams May 14, 2017

Via https://twitter.com/TalBeerySec/status/863741929401585664, description of the actual bug being exploited:

https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb#L30-L34

"There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD."


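The width mismatch in that quote is the whole bug class, so here is an added model of it in Python, written for this page rather than taken from srv.sys or the RiskSense module. The two-pass converter, the list layout and all names are assumptions; what it shows is that once the sizing pass stores its 32-bit result through a 16-bit field, the copy pass can be driven well past the allocation even though the sizing pass only walked the bytes that actually arrived.

```python
"""Model of a DWORD result being stored into a WORD field (added example,
not the srv.sys code; layout, pass structure and names are hypothetical)."""

MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF


def trim_list_len(cb_list: int, walked: int) -> int:
    """Correct sizing pass: the list length becomes the number of bytes
    actually walked, written with full 32-bit width."""
    return walked & MASK32


def trim_list_len_word_store(cb_list: int, walked: int) -> int:
    """Buggy sizing pass: the same 32-bit result is written through a
    16-bit field, so bits 16..31 keep whatever the remote peer declared."""
    return (cb_list & (MASK32 ^ MASK16)) | (walked & MASK16)


def plan_copy(cb_list_declared: int, data_len: int, word_store: bool) -> dict:
    """Two-pass converter model.

    Pass 1 sizes the output from the entries that actually arrived
    (data_len bytes), allocates exactly that much, and trims the list
    length to what it walked.  Pass 2 copies entries until it has covered
    cb_list bytes.  With the WORD store, pass 2 can be told to copy far
    more than pass 1 allocated.
    """
    walked = min(cb_list_declared, data_len)
    trim = trim_list_len_word_store if word_store else trim_list_len
    copy_len = trim(cb_list_declared, walked)
    return {"alloc": walked, "copy_len": copy_len, "overflow": copy_len > walked}


def bounded_copy_len(cb_list: int, alloc: int) -> int:
    """The check a converter should apply however cb_list was derived:
    never let the copy pass exceed what was allocated."""
    return min(cb_list, alloc)


if __name__ == "__main__":
    # Remote peer declares a list longer than 64 KiB but only sends 256 bytes.
    for flag in (False, True):
        r = plan_copy(0x1FFF0, 0x100, word_store=flag)
        print("word store" if flag else "dword store", r)
```

With a declared length below 0x10000 the two stores agree and nothing looks wrong, which is why the defect is invisible to ordinary traffic; only a declared length with bits set above the low word separates the allocation from the copy length.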
@mtnwrw

mtnwrw May 14, 2017

This thing is really nasty. I found routines that take care of preventing to undelete the original files. It writes 200MB worth of "10" bit patterns to the harddrive every 10s.

@mtnwrw

mtnwrw May 14, 2017

As already reported, the test decryption offered by the authors does not require internet access. The encryptor generates two types of crypted files: .wncry and .wncyr. The .wncry files are undecryptable without the private RSA key of the authors, the .wncyr files store the 128-bit AES key unencrypted in the files. The test decryption most likely only decrypts the .wncyr files.

@Toxyl

Toxyl May 14, 2017

@wethinjp I can't exactly confirm, but I found a (seemingly unused) function that does create NULL files. While they don't take up disk space, they do increase the size of the TOC. Is that what is happening?

Btw, my VM has been running for hours with the date set one year into the future, but it doesn't use as much disk space. But I do have almost 4GB difference between what all files occupy (~11GB) and what is reported as disk usage for the drive.

@Toxyl

Toxyl May 14, 2017

@mtnwrw that does make sense, there is a specific check for the different extensions in the code.

@achow101

achow101 May 14, 2017

What's the difference between the 3 samples linked in the doc?

@Kimax89

Kimax89 May 14, 2017

In the nulldot pastebin I noticed another Bitcoin address.
line 80: 00:34 < nulldot> 0x1000eff2, 34, 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

Is that related to WannaCry or am I missing something?

@mtnwrw

mtnwrw May 14, 2017

It also seems that the way that the "unlock" is going to happen is to send the encrypted private RSA key via Tor and receive the decrypted one. The master key is never sent to the client, at least there is no function in the code to handle that.

At least I can confirm that there are actual recursive decryption routines in the supposed decryptor part. So in theory, the files can be decrypted if the private RSA key is "unlocked" by the authors. Question is if they will do it.

@marksteward

marksteward May 14, 2017

@Kimax89 it's the Bitcoin address used by "version 1.0" of the ransomware, back in March-April (there's a Bitcoin address in an even earlier version, 1G7bggAjH8pJaUfUoC9kRAcSCoev6djwFZ, but no money was sent to it).

@Shadow0ps

Shadow0ps May 14, 2017

All please look at @shadow0pz tweets about the disk filling. Lots of information there. I don't have time to write it here but if someone can put this info out it's REALLY important for those who are infected. More info to come.

@Kimax89

Kimax89 May 14, 2017

@marksteward Thanks. I made my own monitor for the Bitcoin addresses associated with the attack, just to keep an eye out for new transactions and look at the volume of all 3 addresses.

@Toxyl

Toxyl May 14, 2017

WanaCryAnalyzer or WanaCryAnalyzer (Mirror)
Current result set
Current result set without unreachables
Alternate downloads (same server)

# What This Is
This is my collection of data related to the WanaCry ransomware. It includes decompiled sources, but no binaries of the worm nor the decryptor. They are easy to obtain, however, if you pay attention to the links I placed. ;) To automate the process a bit I've written a simple name mapper which grabs all folders from the directory data\sources and parses them using the file name_mapping.json, which must be present in each source folder to be parsed. It will rename all occurrences of the string in the C source file and in the SVG call graphs. This way we can build a mapping table to get a better understanding of the source and hopefully find a weakness. Here's what is in this package:

| Dir/File | Content |
| --- | --- |
| bin\analyzer | PHP scripts for mapping, file IO and console output |
| bin\ansicon | x86 and x64 versions of Ansicon, used to colorize the console output, you can get your own copy here |
| bin\php | x86 version of PHP 5.6.30, you can get your own copy here |
| data\keys | Keys associated with the worm and the PEM conversion shell script posted by cryptohazard |
| data\output | In here the results will be saved. D'oh. |
| data\sources\decryptor_without_unreachables | This is the output generated by the Retarget Decompiler for the @WanaDecryptor@.exe I've downloaded from an infected website, you can easily find your own copy. |
| data\sources (not processed)\decryptor | This is the output of decompiling @WanaDecryptor@.exe with the "decompile unreachable functions" option enabled, which adds about 20k lines of code. |
| data\sources (not processed)\worm | This is the output of decompiling the worm mssecsvc.exe sample downloaded from Payload Security. |
| WannaCryAnalyzer.bat | This batch file starts the conversion process. It will process everything in the data\sources\ directory. |

# Approach
My approach is to reconstruct, piece by piece, the names of functions and global variables in order to get more readable code. Since it can be an error-prone process to do it manually (30k+ lines of code...) I decided to create a mapping table and replace names automatically. This is also done in all SVGs, which can be very useful; I recommend you have a look at a bunch of the function graphs. So far I have mapped 100 function/variable names, but I'm confident not all of them will be correct, so please have a look at them, too.

# Some Notes
The __call_graph__.svg file from the output can be pretty useful to find relations between functions which might give an indication of their purpose.
Also I've named functions that appeared very complex or deeply nested. Especially f_maybe_keygen_12_possibly_obfuscated.svg might be worth a look; to me these chains of useless if-else structures look like obfuscation - if so, why did someone bother to obfuscate this piece of code?

# Did You Find More?
Please post new mappings here.
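
An added Python take on the renaming step described in that README (example code for this page, not the PHP in WanaCryAnalyzer; the flat {"old": "new"} layout of name_mapping.json and the sub_/function_ naming of decompiler output are assumptions). Replacing "all occurrences of the string" is exactly where a mapper goes wrong: sub_4010 is a substring of sub_401000, and a name produced by one rule can be matched again by the next rule, so the mapping below is applied as one identifier-bounded alternation in a single pass, to C source and SVG text alike.

```python
"""Added example: apply a name_mapping.json to decompiler output (C and SVG
alike) in one bounded pass.  Written for this page, not Toxyl's PHP; the
flat {"old": "new"} JSON layout and the sub_/function_ naming convention
of the decompiled source are assumptions."""
import json
import re

IDENT = r"[A-Za-z0-9_]"


def compile_name_map(mapping: dict):
    """One alternation of every old name, fenced by identifier boundaries so
    sub_4010 can never match inside sub_401000.  Longest names first so
    overlapping prefixes are tried in a predictable order."""
    names = sorted(mapping, key=len, reverse=True)
    alternation = "|".join(re.escape(n) for n in names)
    return re.compile(rf"(?<!{IDENT})(?:{alternation})(?!{IDENT})")


def apply_name_map(text: str, mapping: dict) -> str:
    """Single pass over the text: a name produced by one rule is never fed
    back into another rule, unlike a chain of str.replace() calls."""
    if not mapping:
        return text
    return compile_name_map(mapping).sub(lambda m: mapping[m.group(0)], text)


def rename_sources(files: dict, mapping_json: str) -> dict:
    """files is {path: contents}; the same mapping is applied to .c files
    and to the SVG call graphs, which are plain XML text."""
    mapping = json.loads(mapping_json)
    return {path: apply_name_map(body, mapping) for path, body in files.items()}


def unmapped_functions(c_source: str, mapping: dict) -> list:
    """Decompiler-style names still lacking a mapping, so the next person
    can see what is left to reverse."""
    found = set(re.findall(rf"(?<!{IDENT})(?:function|sub)_[0-9A-Fa-f]+(?!{IDENT})", c_source))
    return sorted(found - set(mapping))


if __name__ == "__main__":
    # Constructed sample; not real decompiler output.
    demo_map = {"sub_401000": "f_keygen", "sub_4010": "f_helper"}
    print(apply_name_map("int sub_401000(void) { return sub_4010(); }", demo_map))
```

unmapped_functions() is the companion pass for the "please post new mappings" request: run it over the renamed source and it lists the decompiler-generated names nobody has claimed yet.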

@pusparajm

pusparajm May 15, 2017

Does "rsdkvkltskcven666" mean anything? It doesn't look randomly generated. Also, I force-shut down the system before the malware could fully encrypt all the files. It missed some files; as a result I didn't get the "Pay us ransom" warning.
Malware sample hxxps://transfer.sh/8XcTr/rsdkvkltskcven666-fucknsa.zip

Password: fucknsa

@pusparajm

pusparajm May 15, 2017

I found the malware at /ProgramData/rsdkvkltskcven666. But I didn't find the tor binary there. Was it not fully extracted? Or did it delete it after sending the key?

Also some directories had the "@WanaDecryptor@.exe" itself. Some had a symlink to the above-mentioned directory.

@Toxyl

Toxyl May 15, 2017

Maybe you interrupted the deployment of TOR when shutting down. Also check C:\Intel - in some cases it installs itself there
the folder names are randomly generated AFAIK

@Epivalent

Epivalent May 15, 2017

@Toxyl I've mirrored your WanaCryAnalyzer.rar at http://ch0wn.org/pub/WanaCryAnalyzer.rar as your poor connection is getting hosed. Hope you don't mind. Thanks for your great work!

@pusparajm

pusparajm May 15, 2017

Checked Intel, it's empty. But found mssecsvc.exe and qeriuwjhrf in C:\Windows

Sample here hxxps://transfer.sh/138W1c/wana.zip
Password:fucknsa

@Toxyl

Toxyl May 15, 2017

@Epivalent: thx! a raspi ain't that much ;) and you're welcome, I hope it helps

@Epivalent

Epivalent May 15, 2017

Maybe put the results separately from the analyzer. A lot of opaque dlls there people might be hesitant to run.

@Toxyl

Toxyl commented May 15, 2017

Good point. Can you mirror those too?
Results Decryptor
Results Decryptor (without unreachables)

@Scientits

Scientits May 15, 2017

Can Windows 10 (1703)'s BitLocker prevent ransomware (including WannaCry)?

@Toxyl

Toxyl May 15, 2017

I've read claims Win10 users were safe, but none mentioned Bitlocker. Considering that WannaCry makes use of encryption/decryption functionality provided by the OS, I wouldn't bet on it.

@deadmans96

deadmans96 May 15, 2017

Is it possible to analyze any active traffic that can be managed by the owner? Otherwise, how can he know whether the victim made the payment or not?
Second thing: what does the (Contact us) button lead to?

@ache7

ache7 May 15, 2017

Maybe someone can make a vaccine for this SMB bug, which will use vulnerability to get in and then close it with update.

@datlife

datlife May 15, 2017

Which way could a computer get infected by this Ransomeware? Accidentally click on a link or how?

@Shadow0ps

Shadow0ps May 15, 2017

Very Important Document.txt.WNCRY - Encrypted file for those who have been asking for it. Courtesy of @shadow0pz (Twitter)

http://s000.tinyupload.com/index.php?file_id=28489631393354922319

@roycewilliams

Good overview of public collaboration on fighting this thing:

https://medium.com/@KyleHanslovan/proud-moment-wannacry-collaboration-e1f6fafe76dc

@wyatthuckaby

wyatthuckaby May 15, 2017

@ache2 I formed a quick vaccine script for Windows 10; I can't confirm if it works on 7 or 8 (I don't know if the SMB1 PowerShell commands switch over).
https://github.com/pnelego/WannaCry-VaccineScript

It's really quick and dirty, and I'm working on a better vaccine "installer" so that anyone can quickly run an .exe and have protected their machine.

@jackjiongyin

jackjiongyin May 15, 2017

is there any source code ?

@ache7

ache7 May 15, 2017

@pnelego, I mean program that scans IP addresses over internet and injects vaccine, so no one can exploit vulnerability.

@wyatthuckaby

wyatthuckaby May 15, 2017

@ache7 I see what you're saying, I misunderstood my apologies.

@rc-dfir

rc-dfir May 15, 2017

decryption and encryption explained in detail for #wannacry

https://modexp.wordpress.com/2017/05/15/wanacryptor/

@thez3r0

thez3r0 May 15, 2017

@dat-ai The first way of infection is an e-mail campaign.
The second thing it does: it scans the local network; if other hosts are found it tries to exploit the SMB1 protocol using the 0day named "EternalBlue".

If the exploit works, it replicates the exe on that host and starts the encryption.

@geddar2010

geddar2010 May 15, 2017

Quick and dirty PowerShell script fighting against WanaCry Decryptor
https://github.com/geddar2010/wncry-vaccine/tree/master/Shell

@thez3r0

thez3r0 May 15, 2017

@geddar2010
can you translate the readme.md to english?

@geddar2010

geddar2010 May 15, 2017

yes, I've done it

@Toxyl

Toxyl May 15, 2017

One question that I keep coming back to: does WanaCryptor, after encrypting a file, send the private key to the ransomware author, so it can be sent back when the user has paid? It happily infected my offline VM, so it was never able to send any private key, thus my encrypted data should be lost forever. And in my call graph I find only two functions writing files with fwrite(): one is creating NULL files, the other deals with c.wnry, so every other write operation either happens in other code or uses memory addressing magic to hide the call to fwrite().

If it never sends the private key we can be certain that there is no way to decrypt the files, even if the user has paid. If it does, we might have a slim chance that it might be stored somewhere or still linger in memory as long as the machine wasn't rebooted.

@araneta

araneta May 15, 2017

Does anybody know the value of this constant WC_ENCKEY_LEN? Thanks

@Toxyl

Toxyl May 15, 2017

@araneta check the f_DYNAMIC_BIT_LENGTH_TREE function from my result set, maybe it has something to do with it.

@olljanat

olljanat May 15, 2017

@Toxyl, if you click "Check Payment" it wants an internet connection, so I assume that it will send the encrypted private key at that point and they will return the decrypted one.

And actually, because they have not even tried to encrypt the binary, they used a quite old vulnerability, it will not really remove files, and because they included a kill switch, I actually assume that they will release the private key/decryption tool at some point in time. They just wanted to show how badly patching has been done around the world. But that of course is just my guess.

@simonjosephsmith

simonjosephsmith May 15, 2017

@vladimirc81 I came up with the statravel as well. False positive? Has anyone at least looked at it?

@Toxyl

Toxyl May 15, 2017

@olljanat so we could intercept the private key when it's sent? not sure if it's worth anything, but maybe there is a flaw somewhere in that process.

@olljanat

olljanat May 15, 2017

@tonyx, that does not help. It will only send that 00000000.eky, which you can already see on the file system, and they will return the unencrypted version 00000000.dky. Look: https://modexp.wordpress.com/2017/05/15/wanacryptor/

@OlesyaShell

OlesyaShell May 15, 2017

JPEG schema for the MS17-010 updates: https://www.dropbox.com/s/s2509ichluff07i/MS17-010.png?dl=1 (updatable)
Utility for Windows to scan and verify MS17-010 (SMBv1/SMBv2/KB patches): https://www.dropbox.com/s/sieb37o5pye2b48/SecurityChecker.v2.zip?dl=1 Scans authenticated, over WMI, without exploitation.

@mtnwrw

mtnwrw May 15, 2017

@Toxyl It does send the encrypted private key via Tor. After receiving the result, it writes the decryption key to the .dky file, which is then used to actually decrypt all the encrypted files (at least code is present to do that; the question is whether they will ever really decrypt the .eky after it is sent via Tor).

The description in https://modexp.wordpress.com/2017/05/15/wanacryptor/ is quite accurate, I basically obtained the same details after disassembling the crypt/decrypt routines in the main files.

And no, the private master key is never sent via the network at any point.

The f_DYNAMIC_BIT_LENGTH_TREE belongs to the embedded unzipper that takes care of unpacking the Tor suite.

@Toxyl

Toxyl May 15, 2017

Ahh, good to know, thx.

@ghost

ghost May 15, 2017

@geddar2010 @pnelego

Thought of rewriting in C# or C++/CLR?

Seems the PowerShell API is only available from .NET
http://stackoverflow.com/questions/19634220/c-and-powershell

@davidbuckleyni

davidbuckleyni May 15, 2017

Where can one get this, as I want to look at it in a virtual machine?

@dev

dev May 15, 2017

Wondering the same as @davidbuckleyni. Where can we get these binaries?

@Toxyl

Toxyl May 15, 2017

Guys, my raspi has been under attack with failed login attempts for root from 127.0.0.1 (!!!) and also somehow my result sets vanished from the raspi without any trace. I've taken it offline for now, will check logs later. Meanwhile, please make mirrors of the result sets, maybe they contain vital information.

@Toxyl

Toxyl May 15, 2017

@Legit @davidbuckleyni decryptor: Download it from an infected website.
worm sample: download from Payload Security.

@AphidGit

AphidGit May 15, 2017

127.0.0.1 is localhost; i.e. the computer itself. That means a program on your Pi is trying (and failing) to authenticate. Taking it offline won't help you mitigate the attacks, though it can protect other machines from the Pi.
If you think it's malicious activity, you should inspect the Pi's contents from a different machine (e.g. mount its partition(s)).
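An added example (not from AphidGit's comment or from the gist): a small Python parser over constructed sshd auth-log lines that separates failed logins arriving from the loopback address from those arriving over the network, which is the first check to run on the Pi's logs before deciding whether a local process is the source. The log lines and hostnames are constructed, not taken from Toxyl's machine.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (not real data); the pattern mirrors
# the "failed root logins from 127.0.0.1" symptom described in the thread.
SAMPLE_AUTH_LOG = """\
May 15 10:01:02 raspberrypi sshd[1201]: Failed password for root from 127.0.0.1 port 51234 ssh2
May 15 10:01:05 raspberrypi sshd[1201]: Failed password for root from 127.0.0.1 port 51236 ssh2
May 15 10:01:09 raspberrypi sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
May 15 10:02:11 raspberrypi sshd[1210]: Accepted publickey for pi from 192.168.1.20 port 50120 ssh2
May 15 10:02:30 raspberrypi sshd[1215]: Failed password for root from 127.0.0.1 port 51240 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def classify_source(addr: str) -> str:
    """Label where an attempt came from: loopback means a process on the host itself."""
    ip = ipaddress.ip_address(addr)
    return "local" if ip.is_loopback else "remote"   # 127.0.0.0/8 or ::1 -> local


def summarize_failed_logins(log_text: str) -> dict:
    """Count failed password attempts per (user, origin) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m["user"], classify_source(m["src"]))] += 1
    return dict(counts)


def local_root_failures(log_text: str) -> int:
    """Failed root attempts whose source is the host itself (the thread's symptom)."""
    return summarize_failed_logins(log_text).get(("root", "local"), 0)


if __name__ == "__main__":
    for (user, origin), n in sorted(summarize_failed_logins(SAMPLE_AUTH_LOG).items()):
        print(f"{user:10s} {origin:7s} {n}")
    if local_root_failures(SAMPLE_AUTH_LOG):
        # Taking the box offline does not stop a local process; inspect it from
        # another machine, as AphidGit suggests.
        print("local root failures present: inspect the host from a separate machine")
```

With a real /var/log/auth.log the same functions apply unchanged; a non-zero `local_root_failures` count is the signal that the attempts originate on the box rather than from the network.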

@Toxyl

Toxyl May 15, 2017

I'm at work at the moment, will analyze it in a VM when I'm back

@HeXN0P
HeXN0P commented May 15, 2017

Found a mod version with a new kill switch web link: https://s13.postimg.org/i02rflft3/screenshot_1552017_20_H16_M53_S188ms.jpg

@timvisee

timvisee May 15, 2017

@WestfW Interesting idea. That wouldn't allow you to decrypt any files on other machines though, I'm afraid. If you'd be trying to be faster than the virus anyways, why wouldn't you patch your system. ^^

@tinyhaker Nice find! Although, .testing isn't a valid TLD yet, as far as I know.

@Toxyl

Toxyl May 15, 2017

@timvisee maybe that's the point, one can't sinkhole what one can't register

@infosecabaret

infosecabaret May 15, 2017

Does anyone have a dump of the traffic towards Tor, i.e. how the submission of the .eky file works? Something like an actual traffic dump and if it uses SSL some sort of MitM of the traffic with a proxy like Burp.

@evil79genius

evil79genius May 15, 2017

@Toxyl it can be sinkholed, but only on internal DNS - any organization having an Active Directory, or simply managing a private DNS, can do that.

@Toxyl

Toxyl May 15, 2017

so the kill switch can be useful for the devs of the ransomware in their dev environment.

@RussellMcOrmond

RussellMcOrmond May 15, 2017

BTW: University of Waterloo is in Ontario, Canada -- not in the US.

@sasqwatch