WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 and $600. There is code to 'rm' (delete) files in the virus. The timer seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Microsoft first patch for XP since 2014: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Infections

Malware samples

Binary blob in PE crypted with pass 'WNcry@2ol7', credits to ens!

essentially the full known catalogue of samples. credit to errantbot and @codexgigassys

Informative Tweets

Cryptography details

  • Each infection generates a new RSA-2048 keypair.
  • The public key is exported as a blob and saved to 00000000.pky.
  • The private key is encrypted with the ransomware public key and saved as 00000000.eky.
  • Each file is encrypted using AES-128-CBC, with a unique AES key per file.
  • Each AES key is generated with CryptGenRandom.
  • The AES key is encrypted using the infection-specific RSA keypair.

The RSA public key used to encrypt the infection specific RSA private key is embedded inside the DLL and owned by the ransomware authors.

Even more in-depth RE information by cyg_x1: https://pastebin.com/aaW2Rfb6

Bitcoin ransom addresses

Three addresses are hard-coded into the malware.

C&C centers

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Languages

All language ransom messages available here: https://transfer.sh/y6qco/WANNACRYDECRYPTOR-Ransomware-Messages-all-langs.zip

m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

File types

There are a number of files and folders WannaCrypt will avoid, some because encrypting them is pointless and others because it might destabilize the system. During scans, it searches each path for the following strings and skips the path if one is present:

  • "Content.IE5"
  • "Temporary Internet Files"
  • " This folder protects against ransomware. Modifying it will reduce protection"
  • "\Local Settings\Temp"
  • "\AppData\Local\Temp"
  • "\Program Files (x86)"
  • "\Program Files"
  • "\WINDOWS"
  • "\ProgramData"
  • "\Intel"
  • "$"

The filetypes it looks for to encrypt are:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

credit herulume, thanks for extracting this list from the binary.

more details came from https://pastebin.com/xZKU7Ph1 thanks to cyg_x11

Some other interesting strings

BAYEGANSRV\administrator Smile465666SA wanna18@hotmail.com

credit: nulldot https://pastebin.com/0LrH05y2

Encrypted file format

<64-bit SIGNATURE>        - WANACRY!
<length of encrypted key> - 256 for 2048-bit keys; cannot exceed 4096 bits
<encrypted key>           - 256 bytes if keys are 2048-bit
<32-bit value>            - unknown
<64-bit file size>        - as returned by GetFileSizeEx
<encrypted data>          - with custom AES-128 in CBC mode

credit for reversing this file format info: cyg_x11
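As an added example that is not part of the gist, the key hierarchy from the Cryptography details section and the file layout above, modelled in Go: a constructed file carries a per-file AES-128 key wrapped under the infection's RSA public key, and Decrypt parses the header and recovers the plaintext with that infection's private key, the way a recovery tool would once 00000000.dky is available. Three details the gist does not give are assumptions of this model: CryptoAPI's little-endian RSA ciphertext, an all-zero CBC IV, and PKCS#7 padding.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"encoding/binary"
	"errors"
	"fmt"
)

const magic = "WANACRY!" // 8-byte signature that opens every encrypted file

// Assumptions of this model that the gist does not state: CryptoAPI emits RSA
// ciphertext little-endian (so it is byte-reversed around a standard RSA call),
// the CBC IV is all zeros, and the "custom" AES-CBC uses plain PKCS#7 padding.
func reverse(b []byte) []byte {
	r := make([]byte, len(b))
	for i := range b {
		r[len(b)-1-i] = b[i]
	}
	return r
}

// BuildSample constructs an encrypted file for one plaintext: a fresh per-file
// AES-128 key, wrapped with the infection's local RSA public key (PKCS#1 v1.5).
func BuildSample(local *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	aesKey := make([]byte, 16)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, local, aesKey)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding
	p := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(p))
	block, _ := aes.NewCipher(aesKey)
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, p)
	var f bytes.Buffer
	f.WriteString(magic)
	binary.Write(&f, binary.LittleEndian, uint32(len(wrapped))) // 256 for a 2048-bit key
	f.Write(reverse(wrapped))
	binary.Write(&f, binary.LittleEndian, uint32(0))              // the "unknown" field
	binary.Write(&f, binary.LittleEndian, uint64(len(plaintext))) // GetFileSizeEx value
	f.Write(ct)
	return f.Bytes(), nil
}

// Decrypt parses the header and recovers the plaintext with the infection's own
// RSA private key, i.e. the 00000000.dky the recovery path would produce.
func Decrypt(local *rsa.PrivateKey, file []byte) ([]byte, error) {
	if len(file) < 12 || string(file[:8]) != magic {
		return nil, errors.New("not a WANACRY! file")
	}
	keyLen := int(binary.LittleEndian.Uint32(file[8:12]))
	if keyLen == 0 || keyLen > 512 || len(file) < 24+keyLen { // gist: key cannot exceed 4096 bits
		return nil, fmt.Errorf("implausible wrapped key length %d", keyLen)
	}
	wrapped := file[12 : 12+keyLen]
	size := binary.LittleEndian.Uint64(file[16+keyLen : 24+keyLen]) // after the unknown 32-bit field
	ct := file[24+keyLen:]
	aesKey, err := rsa.DecryptPKCS1v15(nil, local, reverse(wrapped))
	if err != nil || len(aesKey) != 16 {
		return nil, errors.New("RSA unwrap failed: wrong private key or byte order")
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, _ := aes.NewCipher(aesKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // PKCS#7 padding length
	if n == 0 || n > aes.BlockSize || n > len(pt) || uint64(len(pt)-n) != size {
		return nil, fmt.Errorf("padding or size check failed (header says %d bytes)", size)
	}
	return pt[:len(pt)-n], nil
}

// RoundTrip encrypts a constructed file under a fresh 2048-bit key, then decrypts it.
func RoundTrip(plaintext []byte) (bool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	file, err := BuildSample(&key.PublicKey, plaintext)
	if err != nil {
		return false, err
	}
	got, err := Decrypt(key, file)
	return err == nil && bytes.Equal(got, plaintext), err
}

func main() {
	fmt.Println(RoundTrip([]byte("constructed sample document")))
}
```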

Vulnerability disclosure

The specific vulnerability that it uses to propagate is ETERNALBLUE.

This was developed by the "Equation Group", an exploit development group associated with the NSA, and leaked to the public by "the Shadow Brokers". Microsoft fixed this vulnerability on March 14, 2017, so the exploits were not 0-days at the time of release.

RSA-2048 uses the default padding mode (PKCS1v1.5). If the C2 server does a live decrypt with an RSA keypair, a padding oracle exploit should be straightforward.

roycewilliams commented May 12, 2017 edited

From private email:
"The e-mail subjects we have seen so far are: FILE_<5 numbers>, SCAN_<5 numbers> , PDF_<4 or 5 numbers>"
"the attachment is always nm.pdf"
[Edit: as noted by @SecMonkey below, this is a sign of different ransomware, not WannaCry]

Independent detection of the vulnerability (Python and Metasploit module): https://github.com/RiskSense-Ops/MS17-010/tree/master/scanners

runn1ng commented May 12, 2017

Are the files actually decrypted after paying the ransom?

How is the payment detected if the addresses are hardcoded?

I can't get info about that anywhere

Are the files actually decrypted after paying the ransom?

I don't know. I'll ask.

How is the payment detected if the addresses are hardcoded?

Well, the ransomware does generate a RSA keypair and send the private key to their C2 server. It's likely they hand over the private key upon successful ransom payment, and it then (hopefully) decrypts all your files after you supply the correct private key.

runn1ng commented May 12, 2017

I mean, the bitcoin network is pseudonymous, so the ransomware cannot detect which payment belongs to which victim.

Which leads me to think the ransomware is actually not decrypting anything, since it has no way of knowing which victim actually paid and which did not.

Maybe, there might be some human interaction involved - the attackers asking for original addresses and manually confirming, which makes sense based on the "open hours" in the text - but I am not sure how would that work either.

Thynix commented May 12, 2017 edited

From the screenshot I've seen it offers limited sample decryption: https://twitter.com/i/moments/863117044161536000

You can decrypt some of your files for free. Try now by clicking <Decrypt>.

How viable would it be to write another application to extract the decryption key it uses to do this?

@Thynix : I wouldn't be surprised if it uses a secondary embedded key to encrypt just these files.
This seems quite a sophisticated thing, and that would be a stupid thing to do.

eur0pa commented May 12, 2017

Creating a "MsWinZonesCacheCounterMutexA" mutex will prevent the ransomware from starting

https://twitter.com/gN3mes1s/status/863149075159543808

Easiest way to verify patches are up to date on a single machine? Looking for something automated..

h3ku commented May 12, 2017

@runn1ng I'm with you, it's impossible for them to know if some company paid or not. I searched the transactions for any comment or something that could be used as an identifier, but nothing appears; I think they're not going to decrypt the files.

wmic qfe list gives the list of installed KBs; check that one of the KBs for your OS is installed: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx?f=255&MSPPError=-2147217396

E.g. for Win7 SP1 you should have KB4012212 or KB4012215

gstevenson commented May 12, 2017 edited

@jbfuzier Ugh, had a browse through some of our internal and production servers and we're running a few different OS's. Add to that our internal network (laptops and desktops) and that's not going to be fun.

And throw this into the mix: https://www.reddit.com/r/netsec/comments/6atfkl/wanacrypt0r_ransomware_hits_it_big_just_before/dhhdr3u/

Just as a heads up for people reading: KB4013429 has been replaced (through a long chain) by KB4019472. This affects Win10.1607 and WinServer 2016 users.
Replacement chain:
KB4013429
KB4015438
KB4016635
KB4015217
KB4019472

@gstevenson Thanks MS !

dezren39 commented May 12, 2017 edited

Couldn't you just send them your public key and then they decrypt whoever sends them the key first? I'd recommend sending your key to them first, then paying. Actually, I'd recommend wiping the drive and using those offline/offsite backups that totally exist. They could rip you off, most ransomware seems to.. but a big op would want to decrypt so that the word got out that it works, right?

Edit: I'm not sure if the check payment or contact us page has a thing to 'message' them something like your public key though. Haven't played with the software personally.

Keisial commented May 12, 2017

@roycewilliams Could some samples of such emails be shared?

sheeit commented May 13, 2017

That's what you get for using Windows.

0E800 commented May 13, 2017 edited

^ kek - so true. Says the guy that also uses an iPhone 👍

Save time searching for the patch for:

2008 R2
March, 2017 Security Only Quality Update for Windows Server 2008 R2 for x64-based Systems (KB4012212)
windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu

Windows 7.

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012212

Or play with the url.

Anyone have a registry hack for XP and 2003 servers? Any special port to block?

Use this as a hot fix:
dism /online /norestart /disable-feature /featurename:SMB1Protocol

Microsoft has released a custom support patch for Windows XP, Windows 8 and Windows Server 2003 systems:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

S0m3Th1nG-AwFul commented May 13, 2017 edited

"Microsoft first patch for XP since 2017" — you probably meant "since 2014"?

An Italian university in Milan has also been hit. Here's the link to my fork with the revision if you want to integrate the info - https://gist.github.com/errantbot/b83e1ff48a45378a26cbacf10a57193c

pe3zx commented May 13, 2017

I wrote Hybrid-Analysis sample crawler with provided hash on AlienVault OTX and just noticed this early sample.

@paragonie-scott "the ransomware does generate a RSA keypair and send the private key to their C2 server". But this gist says "https://haxx.in/key1.bin (the ransomware pubkey, used to encrypt the aes keys)". I don't understand how both of these can be true. So, will it always generate the same keypair? Or are there multiple versions around?

Misprint: Сбера bank - Sberbank Russia

Riatre commented May 13, 2017

@RealLitb It seems like the description in gist is slightly off. The correct one should be "The ransomware pubkey, used to encrypt generated keypair."

Owner

rain-1 commented May 13, 2017

Thank you very much @Riatre

I have updated the cryptographic information with the corrections.

Riatre commented May 13, 2017 edited

@rain-1

The public key here is used to encrypt a generated RSA key pair, which in turn is used to encrypt the generated AES keys. A brief description of what it actually does when it's trying to initialize the key:

  1. Try to load a public key from 00000000.pky, use it as the local key.
  2. Otherwise, generate a new RSA 2048 keypair via CryptGenKey, then export PUBLICKEYBLOB to 00000000.pky unencrypted. Export PRIVATEKEYBLOB, encrypt it with the public key https://haxx.in/key1.bin (the master key), write to 00000000.eky. Here the encryption is done with CryptEncrypt, thus the default RSA+AES suite provided by Cryptographic Service Providers.
  3. Load a public key from 00000000.pky (which was just written in step 2), use it as the local key.
  4. For each victim file, generate an AES key, use this AES key to encrypt the file. Then encrypt the AES key with the local key. Write the encrypted AES key and encrypted file content to the victim file.

I don't know how to give you a source, as I myself am a reverse engineer staring at the code. Maybe check http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/? Their description of 00000000.eky is off but other parts seem correct to me.

EDIT: Cool! Just saw the updated description, seems like I'm too slow documenting these :P

Owner

rain-1 commented May 13, 2017

Based on the latest reverse engineering I think there is a path to recovering files, but only if the malware author chooses to release his master key:

  • The original malware author should release the private key associated with the public key used in the virus.
  • We can then use it to write a program that decrypts 00000000.eky into 00000000.dky
  • We can then use 00000000.dky along with a modified version of the malware to decrypt the files.

Owner

rain-1 commented May 13, 2017

@Riatre, Thank you very very much for your corrections to the public information about this! Would you like to join irc.freenode.net #wannadecrypt in this channel people have been working on RE and other research?

If EternalBlue is used only to exploit Windows 7 and Windows Server 2008, how are machines on other versions of Windows being infected? Do they use a specific version of the tool or did they write their own?

Owner

rain-1 commented May 13, 2017

Diagram of the Worm

WANACRY

Is there any source code?

index of servers infected with wannacry google dork: intitle:"Index of" "/ .WNCRY"

aviraxp commented May 13, 2017 edited

My university blocks the connection to www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Don't know why.

Edit: Oops, I am wrong. They redirect it to our university homepage, to make sure everyone can get connected to it.

Have there been any confirmed reports of users receiving the decryption key and successfully decrypting their files following paying the ransom?

still no reports of successful decryption. looking at decryptor.exe still to see how it would work in theory.

Sjors commented May 13, 2017

If for whatever reason the malware author wants to claim attribution, they should sign a message using the private key of one of the bitcoin addresses. I challenged 0xSpamTech (see "claimed attrib" above) to do so. Given the nonsense they spouted in this tweet, I doubt they will sign such a message, but you never know.

Anyone have the dropper?

Sjors commented May 13, 2017

The new version (?) item points to a tweet from April 11th.

Riatre commented May 13, 2017

@jedisct1
Search 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c on Google for a sample of worm.

Yara rules for WannaCrypt: https://pastebin.com/FKgEjYHu

path-braenaru commented May 13, 2017 edited

Four YARA rules: one generic for variants, two for older specific samples and one for the NHS wcry/doublepulsar bundle strain

https://pastebin.com/FKgEjYHu

defuse commented May 13, 2017 edited

How does the "You can decrypt some of your files for free" decryption work? I can imagine some possibilities:

  1. It just leaves some files unencrypted and pretends they're encrypted and stops pretending when you want to do the decrypt test,
  2. It sends 00000000.eky to the C&C server which returns the decrypted private key. Then it's erased locally after decrypting the test files,
  3. It sends the pair (00000000.eky, the encrypted AES key) to the C&C server which returns the decrypted AES key.

If (2) then a decrypter is possible by keeping a copy of the decrypted private key.

If (3), then how does the C&C server enforce a limit on how many files can be decrypted? Is it based on a counter per unique 00000000.eky? Is 00000000.eky malleable somehow so that it can appear as different to get more decryptions allowed out of the C&C?

(@paragonie-scott's idea) If (2) or (3) then can we use a padding oracle attack against the C&C server to learn either the master private key or the specific infection's 00000000.dky?

Also it's still not clear to me how bitcoin payments are tied to the individual infection if the addresses are hardcoded -- what stops someone from paying once and then everyone can claim that as their payment? Does it ask you to provide a txid (unauthenticated) after you pay or something like that?

Do we have a link to the decryptor.exe?

The decryptor is bundled as a file with the original infection, so one gains a decryptor when one is infected

Updated list of samples, again link to revision if you want to include the info - https://gist.github.com/errantbot/fd6811395842894c70772931013742e2

I have found the private key of this:
https://haxx.in/key1.bin (the ransomware pubkey, used to encrypt the user's private key)
Private key in hex (2048 bit):

I tried to encrypt something with the master public key and decrypt the result with the private key that I found, and gives me the original plain text. Can someone confirm?

defuse commented May 13, 2017 edited

@cybernova: Can you share the code that you used to do it (will save me some time trying to confirm)? Also how did you get the private key?

defuse commented May 13, 2017

@cybernova: I might be reading the code wrong but according to this the modulus of the private key (75974c3b...f1ce) is encoded in little-endian and your library's hex to BigInteger code is interpreting it as big-endian. The actual modulus interpreted with the wrong endianness will probably have small factors (and so is easily factorable), so I think that's what happened.

SMB v1 is vulnerable, even if you patch the system... There will be another exploit at any time... it is better to disable SMB v1.
Follow my manual instructions or use the GUI I made in PowerShell 3 weeks ago.
https://github.com/RomelSan/SMB1-Disabler

vladimirc81 commented May 13, 2017 edited

I just found that wanna18@hotmail is connected with wa*****@statravel.com

hinell commented May 13, 2017 edited

Сбербанк - Sberbank Russia (russia)

This information is inaccurate. According to reports from a bank employee, there is only one stand-alone terminal that is infected; it doesn't belong to the bank itself and doesn't have access to the bank's servers anyway, only the WAN/internet.

https://twitter.com/sberbank/status/863347998645989377
https://twitter.com/sberbank/status/863347953137840128

Owner

rain-1 commented May 13, 2017 edited

@hinell, Sberbank has no need to be embarrassed. Everybody got hacked. Thank you for the info.

WestfW commented May 13, 2017 edited

Try to load a public key from 00000000.pky, use it as the local key

What happens if YOU create a 00000000.pky file containing a public key for which you also possess the private key?

@defuse: you're right, good reply!

@cybernova @defuse so no way for a decrypter ?

defuse commented May 14, 2017

@Zaicheda: Not that we know of. Maybe one of these ideas will work, but I'm not good enough at reversing malware to figure out myself.

@Zaicheda probably not, RSA-2048 ain't no joke

Zaicheda commented May 14, 2017 edited

@ericwong3 @defuse any agency or whitehat can be the hero of this malware ?

Toxyl commented May 14, 2017 edited

@defuse the infection doesn't require internet access, nor does the decryption demo. tested on a windows 7 VM, the files it claimed as being decrypted were plain text, but I didn't check if they were encrypted before. also it seems to be random which files it decrypts (if it does it at all).

if decrypting offline does actually work, it would mean that everything needed is there and the only thing the C&Cs are contacted for is to receive a simple true/false answer, so maybe one can hijack the function (via DLL injection) that handles the result? something like "if (true) return true;"

unfortunately my decompile only returns this for the function in question:

// Address range: 0x401970 - 0x4019cf
int32_t function_401970(int32_t a1) {
    // 0x401970
    abort();
    // UNREACHABLE
}

and it's called a lot from here (note the strings!):

int32_t function_401600(int32_t a1, int32_t lParam, int32_t a3, int32_t a4) {
    g2 = a1 - 0x4e20;
    int32_t v1 = pointer_active_process; // esi
    int32_t v2;
    char * v3; // bp-20
    int32_t v4; // bp-32
    int32_t v5; // 0x401747
    int32_t v6; // 0x40174a
    int32_t v7; // 0x40174b
    if (a1 == 0x4e20) {
        // 0x4016e5
        if (lParam == 0) {
            // 0x4016e9
            v2 = pointer_active_process;
            int32_t v8 = &v2; // 0x4016e9_0
            v3 = "Connected";
            _qm__qm_0CString__QAE_PBD_Z();
            function_401970((int32_t)v3);
            int32_t hWnd = *(int32_t *)(v1 + 128); // 0x401701
            int32_t result = SendMessageA((char *)hWnd, 1026, 30, lParam); // 0x401710
            g2 = result;
            pointer_active_process = v1;
            v4 = a1;
            *(int32_t *)(v1 + 176) = 35;
            _qm_DefWindowProcA_CWnd__MAEJIIJ_Z(v4, lParam, v8);
            g6 = v4;
            g8 = lParam;
            g4 = v8;
            return result;
        }
        // 0x401734
        if (lParam == -1) {
            // 0x401739
            *(int32_t *)(pointer_active_process + 168) = -1;
            v7 = a1;
            v6 = lParam;
            v5 = v1;
            // branch -> 0x401743
        } else {
            v7 = 0x4e20;
            v6 = lParam;
            v5 = pointer_active_process;
        }
        // 0x401743
        pointer_active_process = v5;
        v2 = a3;
        _qm_DefWindowProcA_CWnd__MAEJIIJ_Z(v7, v6, a3);
        g6 = v7;
        g8 = (int32_t)(char *)v6;
        g4 = v2;
        return g2;
    }
    int32_t v9 = a1 - 0x4e21; // 0x40161a
    g2 = v9;
    if (v9 == 0) {
        // 0x40168f
        if (lParam == 0) {
            // 0x401693
            v2 = pointer_active_process;
            int32_t v10 = &v2; // 0x401693_0
            v3 = "Sent request";
            _qm__qm_0CString__QAE_PBD_Z();
            function_401970((int32_t)v3);
            int32_t hWnd2 = *(int32_t *)(v1 + 128); // 0x4016ab
            int32_t result2 = SendMessageA((char *)hWnd2, 1026, 35, lParam); // 0x4016ba
            g2 = result2;
            pointer_active_process = v1;
            v4 = a1;
            *(int32_t *)(v1 + 176) = 40;
            _qm_DefWindowProcA_CWnd__MAEJIIJ_Z(v4, lParam, v10);
            g6 = v4;
            g8 = lParam;
            g4 = v10;
            return result2;
        }
        // 0x4016de
        if (lParam == -1) {
            // 0x401739
            *(int32_t *)(pointer_active_process + 168) = -1;
            v7 = a1;
            v6 = lParam;
            v5 = v1;
            // branch -> 0x401743
        } else {
            v7 = a1;
            v6 = lParam;
            v5 = pointer_active_process;
        }
    } else {
        int32_t v11 = a1 - 0x4e22; // 0x40161d
        g2 = v11;
        if (v11 == 0) {
            // 0x401624
            if (lParam == 0) {
                // 0x401628
                v2 = pointer_active_process;
                int32_t v12 = &v2; // 0x401628_0
                v3 = "Received response";
                _qm__qm_0CString__QAE_PBD_Z();
                function_401970((int32_t)v3);
                pointer_active_process = v1;
                v4 = a1;
                *(int32_t *)(v1 + 168) = 1;
                _qm_DefWindowProcA_CWnd__MAEJIIJ_Z(v4, lParam, v12);
                g6 = v4;
                g8 = lParam;
                g4 = v12;
                return 0;
            }
            // 0x40165e
            if (lParam == 1) {
                // 0x401663
                v2 = pointer_active_process;
                int32_t v13 = &v2; // 0x401663_0
                v3 = "Succeed";
                _qm__qm_0CString__QAE_PBD_Z();
                function_401970((int32_t)v3);
                pointer_active_process = v1;
                _qm_DefWindowProcA_CWnd__MAEJIIJ_Z(a1, lParam, v13);
                g6 = a1;
                g8 = lParam;
                g4 = v13;
                return 0;
            }
            // 0x4016de
            if (lParam == -1) {
                // 0x401739
                *(int32_t *)(pointer_active_process + 168) = -1;
                v7 = a1;
                v6 = lParam;
                v5 = v1;
                // branch -> 0x401743
            } else {
                v7 = a1;
                v6 = lParam;
                v5 = pointer_active_process;
            }
        } else {
            v7 = a1;
            v6 = lParam;
            v5 = pointer_active_process;
        }
    }
    // 0x401743
    pointer_active_process = v5;
    v2 = a3;
    _qm_DefWindowProcA_CWnd__MAEJIIJ_Z(v7, v6, a3);
    g6 = v7;
    g8 = (int32_t)(char *)v6;
    g4 = v2;
    return g2;
}

@cybernova Is that private key wrong?

I tested it: when the time runs out, nothing happens (nothing gets deleted).

Toxyl commented May 14, 2017 edited

// file: c.wnry 
// bytes 0x70 - 0x73: expiration date time
// bytes 0x7E - 0x7F: ???
// bytes 0x86 - 0xD7: bitcoin wallet

anyone an idea what 0x7E is?

wzxjohn commented May 14, 2017

@defuse According to some research, the ransomware randomly chooses some files and encrypts their AES key with the embedded RSA key. So the decrypt demo can only decrypt the files in this list.

@cybernova The key format is Microsoft's PUBLICKEYBLOB and PRIVATEKEYBLOB; you can use openssl to convert them into PEM or DER format.
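An added example, not from any commenter on this thread: a Go reader for the PUBLICKEYBLOB/PRIVATEKEYBLOB layout mentioned above, which reads every field little-endian as defuse's comment requires and rejects a blob whose fields do not reproduce N = p*q. EncodeBlob only exists to construct test input; the header constants are Microsoft's documented CryptoAPI values.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// CryptoAPI RSA blob: BLOBHEADER{bType, bVersion, reserved, aiKeyAlg}, RSAPUBKEY{magic, bitlen, pubexp}, key material little-endian.
const (
	calgRSAKeyX = 0x0000a400 // CALG_RSA_KEYX
	magicRSA1   = 0x31415352 // "RSA1": PUBLICKEYBLOB (bType 6)
	magicRSA2   = 0x32415352 // "RSA2": PRIVATEKEYBLOB (bType 7)
)

func reverse(b []byte) []byte {
	r := make([]byte, len(b))
	for i, v := range b {
		r[len(b)-1-i] = v
	}
	return r
}

// leInt reads a little-endian field; the same bytes read big-endian (the mistake discussed above) give an unrelated number.
func leInt(b []byte) *big.Int { return new(big.Int).SetBytes(reverse(b)) }

// leBytes writes n as a little-endian field of exactly size bytes.
func leBytes(n *big.Int, size int) []byte { return reverse(n.FillBytes(make([]byte, size))) }

// EncodeBlob builds a PUBLICKEYBLOB (priv == nil) or PRIVATEKEYBLOB from a Go key; test input only (the malware uses CryptExportKey).
func EncodeBlob(pub *rsa.PublicKey, priv *rsa.PrivateKey) []byte {
	bits := pub.N.BitLen()
	bType, magic := byte(6), uint32(magicRSA1)
	if priv != nil {
		bType, magic = 7, magicRSA2
	}
	var buf bytes.Buffer
	buf.Write([]byte{bType, 0x02, 0, 0}) // bType, bVersion = CUR_BLOB_VERSION, reserved
	binary.Write(&buf, binary.LittleEndian, []uint32{calgRSAKeyX, magic, uint32(bits), uint32(pub.E)})
	buf.Write(leBytes(pub.N, bits/8))
	if priv != nil { // p, q, dp, dq, qinv are half-size fields; d is full size
		for _, f := range []*big.Int{priv.Primes[0], priv.Primes[1], priv.Precomputed.Dp, priv.Precomputed.Dq, priv.Precomputed.Qinv} {
			buf.Write(leBytes(f, bits/16))
		}
		buf.Write(leBytes(priv.D, bits/8))
	}
	return buf.Bytes()
}

// ParseBlob decodes either blob type; the private key is nil for a public blob.
func ParseBlob(blob []byte) (*rsa.PublicKey, *rsa.PrivateKey, error) {
	if len(blob) < 20 || blob[1] != 0x02 || binary.LittleEndian.Uint32(blob[4:8]) != calgRSAKeyX {
		return nil, nil, errors.New("not a CryptoAPI RSA key blob")
	}
	magic, bits := binary.LittleEndian.Uint32(blob[8:12]), int(binary.LittleEndian.Uint32(blob[12:16]))
	n8, n16, body, want := bits/8, bits/16, blob[20:], bits/8
	if magic == magicRSA2 {
		want = 2*n8 + 5*n16
	} else if magic != magicRSA1 {
		return nil, nil, errors.New("unknown RSA blob magic")
	}
	if bits == 0 || bits%16 != 0 || len(body) < want {
		return nil, nil, errors.New("truncated blob")
	}
	pub := &rsa.PublicKey{N: leInt(body[:n8]), E: int(binary.LittleEndian.Uint32(blob[16:20]))}
	if magic == magicRSA1 {
		return pub, nil, nil
	}
	primes := []*big.Int{leInt(body[n8 : n8+n16]), leInt(body[n8+n16 : n8+2*n16])}
	priv := &rsa.PrivateKey{PublicKey: *pub, D: leInt(body[n8+5*n16 : want]), Primes: primes}
	if err := priv.Validate(); err != nil { // a wrong-endian read fails here: N != p*q
		return nil, nil, err
	}
	priv.Precompute()
	return pub, priv, nil
}

// RoundTrip exports a fresh 2048-bit key both ways, re-imports it, and confirms the big-endian misreading differs.
func RoundTrip() (bool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	_, priv, err1 := ParseBlob(EncodeBlob(&key.PublicKey, key))
	pubBlob := EncodeBlob(&key.PublicKey, nil)
	pub, none, err2 := ParseBlob(pubBlob)
	if err1 != nil || err2 != nil || none != nil {
		return false, fmt.Errorf("re-import failed: %v %v", err1, err2)
	}
	misread := new(big.Int).SetBytes(pubBlob[20:276]) // the same 256 modulus bytes, read big-endian
	return priv.D.Cmp(key.D) == 0 && pub.N.Cmp(key.N) == 0 && misread.Cmp(key.N) != 0, nil
}

func main() {
	fmt.Println(RoundTrip())
}
```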

defuse commented May 14, 2017

@Toxyl: What binary is that from? I spent some time poking around CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE and CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE trying to trace backwards from calls to CryptDecrypt() and didn't come across that.

"Their message in Filipino language is very bad/wrongly translated - don't use google translate!"

wzxjohn commented May 14, 2017 edited

@kingex1124 This is only a fake popup. No file has really been decrypted.

thez3r0 commented May 14, 2017

Still we are in the same place. infection is going on. & still we don't have any decryptor

thez3r0 commented May 14, 2017

Kill switch is patched in the new version. Anyone having an update on it??

@wzxjohn @defuse I guess there is no way to decrypt WannaCrypt0r files; one would have to try to break/crack the RSA key. But QiHoo 360 (China) says they can decrypt the key; I cannot verify it, there aren't any tools.

thez3r0 commented May 14, 2017 edited

@nickfox-taterli where QiHoo 360 say that "But QiHoo 360 (China)say that decrypt the key, but I can not verify.not any tools." ??

Riatre commented May 14, 2017 edited

@nickfox-taterli @kingex1124

Qihoo 360 said "本工具的文件恢复成功率会受到文件数量、时间、磁盘操作情况等因素影响。一般来说,中毒后越早恢复,成功的几率越高。", which translates to "The success rate of this tool depends on the number of files, time, disk operations and more. Generally, earlier you run this after being hit, higher the success rate."

Based on their description I believe they are trying to do some file recovery things. They don't have the private key.

EDIT: The malware doesn't overwrite in place all the files it encrypts. Sometimes (?) it writes the encrypted file content to a new file and then removes the original file. In this case traditional file undeletion stuff might work.

My Chinese friend told me the message popped up in 360 Safe manager two hours ago, but at that time no tools could be downloaded.

Riatre commented May 14, 2017 edited

@nickfox-taterli

Yeah I'm pretty sure it just does undeletion. It stated "360深入分析病毒原理,发现有可能恢复一定比例文件的急救方案" (360 analyzed how virus works and found it's possible to recover a certain percentage of files). It is not a full decryption.

There are some success stories, so if someone is affected and can read Chinese they might want to try it; thanks for linking this!
(And if you can't read Chinese you might try some other offline data recovery tools, remember to disconnect your drive ASAP for that.)

Toxyl commented May 14, 2017

@defuse The binary was the WanaDecryptor I downloaded from one of the infected servers, and then decompiled with this site: https://retdec.com/decompilation-run/

Toxyl commented May 14, 2017

just set my infected VM's time a year into the future, so by then the worm should have deleted files. reboot and guess what? no files deleted. so that's just a paper tiger.

v4 = InternetOpenA(0, 1u, 0, 0, 0);
1 = INTERNET_OPEN_TYPE_DIRECT

If you are under proxy the kill switch won't work.

wzxjohn commented May 14, 2017

@nickfox-taterli @thez3r0 @Riatre Qihoo 360 just released the old decryption tool again... Maybe they added some feature to do data recovery; it's not really a decryption program.

Hi all, I have a question concerning the 00000000.pky

  1. Where is it saved?
  2. Can you confirm that the ransomware will use that file if I put it there beforehand? This means we could generate our own key and decrypt the files in case of infection, as defense-in-depth.
  3. This is also an entry point to get the master private key if they were not careful on the entry for RSA encryption.

GarryMartin commented May 14, 2017 edited

Possible hexedit and re-release with modified domain re: killswitch
https://twitter.com/msuiche/status/863730377642442752

Owner

rain-1 commented May 14, 2017 edited

@cryptohazard, "if you run the exe from anything but C drive, it will create the Intel\random_bit directory and take a nap there. else, it's the current directory" analysis by clickjack. Example of "random_bit": https://swoosh.s3-eu-central-1.amazonaws.com/ss/QXILWzTYIDGW.png

wzxjohn commented May 14, 2017

@cryptohazard If you can put the key there before the ransomware runs, why not just do something to prevent it from running?

@rain-1 so :

  1. For the C drive, can I make it use my key? (that would be awesome i think)
  2. For the other locations, does it keep track of the folder or, for instance if you restart it, does it use a new folder?

I guess my idea won't work for defense overall.

@wzxjohn Apparently, a lot of machines are not or will not be updated. It could have been a worst-case option.

https://twitter.com/hackerfantastic/status/863807098177679360
https://github.com/HackerFantastic/Public/blob/master/tools/WCRYSLAP.zip

"Code to prevent WCRY ransomware on an unpatched host, registers the mutex used by the payload to prevent an infection from being run on the host. Innoculates the host by registering the same mutex. This wont stop your host being infected with the worm and used to infect other hosts but it will stop the ransomware component from being executed on a vulnerable host"

Does anyone have a "rate of file encryption"? Looks like the average time to spread is about 3 minutes based on our honeypot and internal lab tests (can anyone confirm similar on their end?)

Does anyone have an actual sample of an encrypted file?

For what it is worth, I converted the public key to PEM format:
https://pastebin.com/c561kZqy

@pnelego I think we have one in our lab if you want to look at it you can DM our engineer on Twitter. If everyone else wants a copy here I can publish it but I dont want to muddy up the stream.

Twitter: https://twitter.com/Shadow0pz

Disk begins to fill very rapidly (2GB/MIN) once the date/time is accelerated past the ransom date. Rolling the date back has no effect on the disk filling in our lab environment. Can anyone confirm similar behavior?

thaidn commented May 14, 2017

I wanna look at the encryptor code (to find flaws if possible), which DLL should I look at?

Via https://twitter.com/TalBeerySec/status/863741929401585664, description of the actual bug being exploited:

https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb#L30-L34

"There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD."

mtnwrw commented May 14, 2017 edited

This thing is really nasty. I found routines that take care of preventing undeletion of the original files. It writes 200MB worth of "10" bit patterns to the hard drive every 10s.

mtnwrw commented May 14, 2017

As already reported, the test decryption offered by the authors does not require internet access. The encryptor generates two types of crypted files: .wncry and .wncyr. The .wncry files are undecryptable without the private RSA key of the authors, the .wncyr files store the 128-bit AES key unencrypted in the files. The test decryption most likely only decrypts the .wncyr files.

Toxyl commented May 14, 2017 edited

@wethinjp I can't exactly confirm, but I found a (seemingly unused) function that does create NULL files. While they don't take up disk space, they do increase the size of the TOC. Is that what is happening?

Btw, my VM has been running for hours with the date set one year into the future, but it doesn't use as much disk space. But I do have almost 4GB difference between what all files occupy (~11GB) and what is reported as disk usage for the drive.

Toxyl commented May 14, 2017

@mtnwrw that does make sense, there is a specific check for the different extensions in the code.

What's the difference between the 3 samples linked in the doc?

Kimax89 commented May 14, 2017

In the nulldot pastebin I noticed another Bitcoin address.
line 80: 00:34 < nulldot> 0x1000eff2, 34, 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

Is that related to WannaCry or am I missing something?

mtnwrw commented May 14, 2017 edited

It also seems that the way that the "unlock" is going to happen is to send the encrypted private RSA key via Tor and receive the decrypted one. The master key is never sent to the client, at least there is no function in the code to handle that.

At least I can confirm that there are actual recursive decryption routines in the supposed decryptor part. So in theory, the files can be decrypted if the private RSA key is "unlocked" by the authors. Question is if they will do it.

marksteward commented May 14, 2017 edited

@Kimax89 it's the Bitcoin address used by "version 1.0" of the ransomware, back in March-April (there's a Bitcoin address in an even earlier version, 1G7bggAjH8pJaUfUoC9kRAcSCoev6djwFZ, but no money was sent to it).

All please look at @shadow0pz tweets about the disk filling. Lots of information there. I don't have time to write it here but if someone can put this info out it's REALLY important for those who are infected. More info to come.

Kimax89 commented May 14, 2017

@marksteward Thanks. I made my own monitor for the bitcoin addresses associated with the attack, just to keep an eye out for new transactions and look at the volume of all 3 addresses.

Toxyl commented May 14, 2017 edited

WanaCryAnalyzer or WanaCryAnalyzer (Mirror)
Current result set
Current result set without unreachables
Alternate downloads (same server)

# What This Is
This is my collection of data related to the WanaCry ransomware. It includes decompiled sources, but no binaries of the worm nor the decryptor. They are easy to obtain, however, if you pay attention to the links I placed. ;) To automate the process a bit I've written a simple name mapper which grabs all folders from the directory data\sources and parses them using the file name_mapping.json which must be present in each source folder to be parsed. It will rename all occurrences of the string in the C source file and in the SVG call graphs. This way we can build a mapping table to get a better understanding of the source and hopefully find a weakness. Here's what is in this package:
| Dir/File | Content |
| --- | --- |
| bin\analyzer | PHP scripts for mapping, file IO and console output |
| bin\ansicon | x86 and x64 versions of Ansicon, used to colorize the console output, you can get your own copy here |
| bin\php | x86 version of PHP 5.6.30, you can get your own copy here |
| data\keys | Keys associated with the worm and the PEM conversion shell script posted by cryptohazard |
| data\output | In here the results will be saved. D'oh. |
| data\sources\decryptor_without_unreachables | This is the output generated by the Retarget Decompiler for the @WanaDecryptor@.exe I've downloaded from an infected website, you can easily find your own copy. |
| data\sources (not processed)\decryptor | This is the output of decompiling @WanaDecryptor@.exe with the decompile unreachable functions option enabled which adds about 20k lines of code. |
| data\sources (not processed)\worm | This is the output of decompiling the worm mssecsvc.exe sample downloaded from Payload Security. |
| WannaCryAnalyzer.bat | This batch file starts the conversion process. It will process everything in the data\sources\ directory. |

# Approach
My approach is to reconstruct, piece by piece, the names of functions and global variables in order to get more readable code. Since it can be an error-prone process to do it manually (30k+ lines of code...) I decided to create a mapping table and replace names automatically. This is also done in all SVGs, which can be very useful; I recommend you have a look at a bunch of the function graphs. So far I have mapped 100 function/variable names, but I'm confident not all of them will be correct, so please have a look at them, too.

# Some Notes
The __call_graph__.svg file from the output can be pretty useful to find relations between functions which might give an indication of their purpose.
Also I've named functions that appeared very complex or deeply nested. Especially f_maybe_keygen_12_possibly_obfuscated.svg might be worth a look, to me these chains of useless if-else structures look like obfuscation - if so, why did someone bother to obfuscate this piece of code?

# Did You Find More?
Please post new mappings here.

Does "rsdkvkltskcven666" mean anything? It doesn't look randomly generated. Also I force-shut down the system before the malware could fully encrypt all the files. It missed some files; as a result I didn't get the "Pay us ransom" warning.
Malware sample hxxps://transfer.sh/8XcTr/rsdkvkltskcven666-fucknsa.zip

Password:fucknsa

pusparajm commented May 15, 2017 edited

I found the malware at /ProgramData/rsdkvkltskcven666. But I didn't find the tor binary there. Was it not fully extracted? Or did it delete it after sending the key?

Also some directories had the "@WanaDecryptor@.exe" itself. Some had symlink to the above mentioned directory.

Toxyl commented May 15, 2017

Maybe you interrupted the deployment of TOR when shutting down. Also check C:\Intel - in some cases it installs itself there.
The folder names are randomly generated AFAIK

@Toxyl I've mirrored your WanaCryAnalyzer.rar at http://ch0wn.org/pub/WanaCryAnalyzer.rar as your poor connection is getting hosed. Hope you don't mind. Thanks for your great work!

pusparajm commented May 15, 2017 edited

Checked Intel, it's empty. But found mssecscv.exe and qeriuwjhrf in C:\Windows

Sample here hxxps://transfer.sh/138W1c/wana.zip
Password:fucknsa

Toxyl commented May 15, 2017

@Epivalent: thx! a raspi ain't that much ;) and you're welcome, I hope it helps

Maybe put the results separately from the analyzer. A lot of opaque dlls there people might be hesitant to run.

Toxyl commented May 15, 2017

Good point. Can you mirror those too?
Results Decryptor
Results Decryptor (without unreachables)

Scientits commented May 15, 2017 edited

Can Windows 10 (1703)'s BitLocker prevent ransomware (including WannaCry)?

Toxyl commented May 15, 2017 edited

I've read claims Win10 users were safe, but none mentioned Bitlocker. Considering that WannaCry makes use of encryption/decryption functionality provided by the OS, I wouldn't bet on it.

Isn't it possible to analyze any active traffic that can be managed by the owner? Otherwise, how can he know whether the victim made the payment or not?
Second thing: what does the (Contact us) button lead to?

ache7 commented May 15, 2017

Maybe someone can make a vaccine for this SMB bug, which will use vulnerability to get in and then close it with update.

dat-ai commented May 15, 2017

Which way could a computer get infected by this ransomware? Accidentally click on a link or how?

Shadow0ps commented May 15, 2017 edited

Very Important Document.txt.WNCRY - Encrypted file for those who have been asking for it. Courtesy of @shadow0pz (Twitter)

http://s000.tinyupload.com/index.php?file_id=28489631393354922319

Good overview of public collaboration on fighting this thing:

https://medium.com/@KyleHanslovan/proud-moment-wannacry-collaboration-e1f6fafe76dc

@ache2 I formed a quick vaccine script for Windows 10; I can't confirm if it works on 7 or 8 (I don't know if the SMB1 PowerShell commands switch over.)
https://github.com/pnelego/WannaCry-VaccineScript

It's really quick and dirty, and I'm working on a better vaccine "installer" so that anyone can quickly run an .exe and have protected their machine.

Is there any source code?

ache7 commented May 15, 2017

@pnelego, I mean program that scans IP addresses over internet and injects vaccine, so no one can exploit vulnerability.

@ache7 I see what you're saying, I misunderstood my apologies.

rc-dfir commented May 15, 2017

decryption and encryption explained in detail for #wannacry

https://modexp.wordpress.com/2017/05/15/wanacryptor/

thez3r0 commented May 15, 2017

@dat-ai the first way of infection is an e-mail campaign.
Second thing that it does: it scans the local network; if other hosts are found it tries to exploit the SMB1 protocol using the 0day named "EternalBlue".

If the exploit works, it replicates the exe on that host and starts the encryption.

Quick and dirty PowerShell script fighting against WanaCry Decryptor
https://github.com/geddar2010/wncry-vaccine/tree/master/Shell

thez3r0 commented May 15, 2017

@geddar2010
can you translate the readme.md to english?

yes, I've done it

Toxyl commented May 15, 2017

One question that I keep coming back to: does WanaCryptor, after encrypting a file, send the private key to the ransomware author, so it can be sent back when the user has paid? It happily infected my offline VM, so it was never able to send any private key, thus my encrypted data should be lost forever. And in my call graph I find only two functions writing files with fwrite(), one is creating NULL files, the other deals with c.wnry - so every other write operation either happens in other code or uses memory addressing magic to hide the call to fwrite().

If it never sends the private key we can be certain that there is no way to decrypt the files, even if the user has paid. If it does we might have a slim chance that it might be stored somewhere or still linger in memory as long as the machine wasn't rebooted.

araneta commented May 15, 2017

Does anybody know the value of this constant WC_ENCKEY_LEN? Thanks

Toxyl commented May 15, 2017

@araneta check the f_DYNAMIC_BIT_LENGTH_TREE function from my result set, maybe it has something to do with it.

@Toxyl, If you click "Check Payment" it wants internet connection so I assume that it will send encrypted private key on that point and they will return decrypted one back.

And actually because they did not even try to encrypt the binary, they used a quite old vulnerability, it will not really remove files, and because they included a kill switch, I actually assume that they will release the private key/decryption tool at some point in time. They just wanted to show how badly patching has been done around the world. But that of course is just my guess.

@vladimirc81 I came up with the statravel as well. False positive? Has anyone at least looked at it?

Toxyl commented May 15, 2017

@olljanat so we could intercept the private key when it's sent? not sure if it's worth anything, but maybe there is a flaw somewhere in that process.

@tonyx, that does not help. It will only send that 00000000.eky which you can already see on the file system and they will return the unencrypted version 00000000.dky. Look: https://modexp.wordpress.com/2017/05/15/wanacryptor/

jpeg schema for updates MS17-010 https://www.dropbox.com/s/s2509ichluff07i/MS17-010.png?dl=1 (updatable)
Utility for windows to scan and verify MS17-010 (smbv1/smbv2/KB patches) https://www.dropbox.com/s/sieb37o5pye2b48/SecurityChecker.v2.zip?dl=1 Scan authenticated, over WMI, without exploitation.

mtnwrw commented May 15, 2017

@Toxyl It does send the encrypted private key via Tor. After receiving the result, it writes the decryption key to the .dky file which is then used to actually decrypt all the encrypted files (at least code is present to do that; the question is if they will ever really decrypt the .eky after it is sent via Tor).

The description in https://modexp.wordpress.com/2017/05/15/wanacryptor/ is quite accurate, I basically obtained the same details after disassembling the crypt/decrypt routines in the main files.

And no, the private master key is never sent via the network at any point.

The f_DYNAMIC_BIT_LENGTH_TREE belongs to the embedded unzipper that takes care of unpacking the Tor suite.

Toxyl commented May 15, 2017

Ahh, good to know, thx.

mudlord commented May 15, 2017

@geddar2010 @pnelego

Thought of rewriting in C# or C++/CLR?

Seems the Powershell API is only available from .NET
http://stackoverflow.com/questions/19634220/c-and-powershell

Where can one get this, as I want to look at it in a virtual machine?

dev commented May 15, 2017

Wondering the same as @davidbuckleyni. Where can we get these binaries?

Toxyl commented May 15, 2017

Guys, my raspi has been under attack with failed login attempts for root from 127.0.0.1 (!!!) and also somehow my result sets vanished from the raspi without any trace. I've taken it offline for now, will check logs later. Meanwhile, please make mirrors of the result sets, maybe they contain vital information.

Toxyl commented May 15, 2017

@Legit @davidbuckleyni decryptor: Download it from an infected website.
worm sample: download from Payload Security.

127.0.0.1 is localhost; i.e. the computer itself. That means a program on your Pi is trying (and failing) to authenticate. Taking it offline won't help you mitigate the attacks, though it can protect other machines from the Pi.
If you think it's malicious activity, you should inspect the Pi's contents from a different machine (e.g. mount its partition(s)).

Toxyl commented May 15, 2017

I'm at work at the moment, will analyze it in a VM when I'm back

Found a mod version with a new kill switch web link: https://s13.postimg.org/i02rflft3/screenshot_1552017_20_H16_M53_S188ms.jpg

timvisee commented May 15, 2017 edited

@WestfW Interesting idea. That wouldn't allow you to decrypt any files on other machines though, I'm afraid. If you'd be trying to be faster than the virus anyways, why wouldn't you patch your system. ^^

@Tinyhaker Nice find! Although, .testing isn't a valid TLD yet, as far as I know.

Toxyl commented May 15, 2017

@timvisee maybe that's the point, one can't sinkhole what one can't register

infosecabaret commented May 15, 2017 edited

Does anyone have a dump of the traffic towards Tor, i.e. how the submission of the .eky file works? Something like an actual traffic dump and if it uses SSL some sort of MitM of the traffic with a proxy like Burp.

@Toxyl it can be sinkholed, but only on internal DNS - any organization having an Active Directory, or simply managing a private DNS, can do that.

Toxyl commented May 15, 2017

so the kill switch can be useful for the devs of the ransomware in their dev environment.

BTW: University of Waterloo is in Ontario, Canada -- not in the US.

Some good information shared at http://pentestit.com/wanacrypt-information/

Toxyl commented May 15, 2017

Has anyone been able to confirm that this works?

zeus770 commented May 15, 2017

@Tinyhaker: can you share your sample via https://transfer.sh ?

ralf-9000 commented May 15, 2017 edited

There is a HA sandboxing showing

www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test

Only .test, which is a valid root domain. See https://www.hybrid-analysis.com/sample/bd927d915f19a89468391133465b1f2fb78d7a58178867933c44411f4d5de8eb?environmentId=100

Toxyl commented May 15, 2017

Where do you see that? I can only spot .testing

Did anyone do an analysis of the network scanning part which is used there? I see the following possibilities:

  1. It just uses your network settings IP + mask and scan your local subnet/subnets based on this info [most likely]
  2. Scan all non routable ipv4 address space [most likely not]

I also have following questions I still didn't see answers:

  • does it work with IPv6 only?
  • if, to scan the network for other machines with open port 445, they use case 1 from above, it is quite possible that machines connected directly to an ISP without any routers will aggressively scan and find other hosts in the ISP subnet. Has anybody seen confirmation of this?
  • I set up a few honeypots in IPv4 routable space using vulnerable Win7, but those machines are still fine. So I am really wondering if the network vector wasn't the primary source to jump from one infected network/provider to another (non-private IP address space)

@Toxyl, I just tested on a clean VM that if you place the 00000000.eky and 00000000.pky files in the folder where you will start WannaCry then you can use wannadecrypt with 00000000.dky to decrypt them.

So now we look to have a working decryption tool which can be used even after WannaCry is removed from the computer. Then we "just" need to wait until the original author releases his private key or he is found.

And as info, they look to be providing the 00000000.dky file after payment: https://twitter.com/mikko/status/864107673146490880

I am the CISO at the University of Waterloo, and as of this moment, there is no WannaCry infection here. There was a student who noticed one in the lobby of their building, but AFAIK that's off-campus.

@olljanat We could propose to put a custom 00000000.pky to defend against new variants on those systems that can't be updated (read: it is the case with medical PCs). But it doesn't work in the cases where wcry starts from a location other than C:/

Can someone explain how the process of requesting a decryption key works?

aead commented May 15, 2017

Is there any info available about how WannaCry generates the local RSA keys? Especially about how the private key part ( d ) is generated?

Toxyl commented May 15, 2017

@olljanat that's good news, kinda. and reports of getting back their data... might be useful to find a victim willing to pay and then track every little bit of traffic that can be tracked during the process.

Toxyl commented May 15, 2017 edited

@aead What I've spotted so far that might have to do with it: search the call graph for everything named f_maybe_keygen, those are complex looking functions that by the look of them may have to do with the key generation. If you hover over the nodes you get tooltips that give you the original function name (made from the memory address).
And here are the function graphs for the functions in question: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12* and 13. Function 12 looks like it has been obfuscated, so maybe worth a closer look.

Also have a look at this article.

aead commented May 15, 2017

@Toxyl Thanks for the references, I'll take a look at the functions - I don't expect to have success but maybe we are lucky and the authors made a mistake: e.g. generated a wrong public/private exponent or a low private exponent.

Further, I've no clue whether and how the authors' decryption process works, but maybe they expected to decrypt many keys - which means many people pay the money - so maybe they have chosen a small private exponent (d part) for their root key to speed up decryption. If so the root key can be recovered by a low exponent attack - See: https://crypto.stanford.edu/~dabo/papers/RSA-survey.pdf
I think the probability is low but at least worth a try...

Toxyl commented May 15, 2017

@aead You already know a lot more about this stuff than I do ;) Them making a mistake somewhere is the only hope we have, I guess. From what I've seen so far there are at least two coding styles present. Maybe that hints at the author(s) using someone else's, more sophisticated, code. In that case we have a chance they broke something without knowing. Could explain the kill switch.

aead commented May 15, 2017 edited

Okay, the authors use a common RSA key:

Modulus:
Exponent: 65537 (0x10001)

No chance for Wiener's attack 😞

@Toxyl

Them making a mistake somewhere is the only hope we have, I guess.

I think so - I've just taken a quick look at the code snippets / images but as far as I can see (and if the description of the crypto of this gist is correct) there's no exploitable weakness within the encryption process itself. So we must hope they made a mistake...
Okay, third-party code may give us further research options - maybe it's rarely used and gives us a hint about the authors...
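An added example (not code from the gist or any participant) of the low-private-exponent check discussed above: Wiener's continued-fraction attack recovers d from (e, n) when d is small, and comes back empty for e = 65537 on the same modulus. The primes and the tiny d are constructed demo values, not the WannaCry key.

```python
"""Wiener's low-private-exponent check, added here as an example (not code from
the gist). The primes and the tiny d below are constructed demo values, not the
WannaCry master key; e = 65537 on the same modulus shows the check failing."""
from math import gcd, isqrt

# Constructed demo primes: the Mersenne primes 2^61-1 and 2^89-1 (NOT WannaCry's key).
P_DEMO = 2**61 - 1
Q_DEMO = 2**89 - 1
N_DEMO = P_DEMO * Q_DEMO
PHI_DEMO = (P_DEMO - 1) * (Q_DEMO - 1)


def continued_fraction(num, den):
    """Partial quotients a0, a1, ... of num/den (Euclid's algorithm)."""
    quotients = []
    while den:
        a = num // den
        quotients.append(a)
        num, den = den, num - a * den
    return quotients


def convergents(quotients):
    """Yield the successive convergents h/k of a continued fraction."""
    h_prev, h_prev2 = 1, 0
    k_prev, k_prev2 = 0, 1
    for a in quotients:
        h = a * h_prev + h_prev2
        k = a * k_prev + k_prev2
        yield h, k
        h_prev, h_prev2 = h, h_prev
        k_prev, k_prev2 = k, k_prev


def wiener_attack(e, n):
    """Return (d, p, q) if d is small enough for Wiener's attack, else None.

    e*d = 1 + k*phi, so k/d is a convergent of e/n when d < n^(1/4)/3.
    Each candidate (k, d) is verified by actually factoring n.
    """
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1            # p + q
        disc = s * s - 4 * n       # (p - q)^2
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc or (s + root) % 2:
            continue
        p, q = (s + root) // 2, (s - root) // 2
        if p * q == n:
            return d, p, q
    return None


def make_weak_key(d_start=1_000_003):
    """Build a deliberately weak key: a small odd d coprime to phi; returns (e, d)."""
    d = d_start | 1
    while gcd(d, PHI_DEMO) != 1:
        d += 2
    return pow(d, -1, PHI_DEMO), d


def roundtrip_ok(e, d, n, m=0x57414E41):
    """Sanity check that (e, d) is a valid RSA pair for n."""
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    e_weak, d_weak = make_weak_key()
    print("weak key valid:", roundtrip_ok(e_weak, d_weak, N_DEMO))
    print("Wiener on weak key:", wiener_attack(e_weak, N_DEMO))   # recovers d
    print("Wiener on e=65537:", wiener_attack(65537, N_DEMO))      # None
```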

Toxyl commented May 15, 2017 edited

@aead I'll see if I can find some obvious examples (now where was that in these 30k lines...)

On a different sidenote, does anyone know what f_socket_conn_shutdown does? The documentation for the shutdown() function states one can also remotely shutdown a computer with it. And else it would log the current user out. But I don't recall that happening.

zqqw commented May 16, 2017 edited

https://msdn.microsoft.com/en-us/library/windows/desktop/ms740481%28v=vs.85%29.aspx
The shutdown function disables sends or receives on a socket.
SD_BOTH 2 Shutdown both send and receive operations.
On that page it looks like shutdown() just shuts the socket given in its first arg?

a9d737 commented May 16, 2017

@vladimirc81 How to debug out / track out the email address "wanna18@hotmail.com" ? Thank you.

Toxyl commented May 16, 2017

@zqqw That does make more sense indeed, thx.
Btw, is this whole thing compiled on Linux or Windows? Because the included libs are the Linux variety not the Windows version.

If anyone is interested, here's the memory dump of wannacrypt, captured from Wine under a Linux VM using gcore. https://github.com/Lakshmipathi/WannaCrypt_memcore

Any idea on what the 00000000.res contained in the payload directory is for?

http://i.imgur.com/k9al53B.jpg

sergixPT commented May 16, 2017 edited

Workaround to use the kill switch in proxy environments (or with country blocking, or no internet at all)

Create a new forward lookup zone called iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Create a new A record inside that zone called www pointing to 127.0.0.1

Let DNS propagate
If you want to test, do IPconfig /flushdns on your host to be quicker (depending on OS version, elevated privileges are needed)

You can also play with the Hosts file, either changing it host-by-host or using a GPO under Active Directory. In that case the host file should include:
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 127.0.0.1

P.S. - yes, I know the kill switch is obsolete right now. But...

Sizzl commented May 16, 2017 edited

@sergixPT - don't think hosts files are a good idea. Doesn't InternetOpenUrl() require the destination to actually connect on a port, i.e. for http connections, port 80 would need to be open for it to be deemed successful?

If that's true, it means that host files aren't much use unless a web server is running on the local machine.

Owner

rain-1 commented May 16, 2017

@srcastro I think it's log of c2 communication.

@rain-1 ah, thank you.

Riatre commented May 16, 2017

@srcastro The first 8 bytes of 00000000.res is a randomly-generated identifier which will be sent to the C&C server. There are also various timestamps. I don't know the purpose of the other fields as they are not referenced in the code I've checked.

It would be better if we could decrypt files encrypted by WannaCrypt, but as I have observed, after files are encrypted, WannaCrypt deletes them all at once, without overwriting. Therefore data undeletion software has a very good chance to recover them.
My advice is, when your computer is infected with WannaCrypt, turn off the computer and move the hard drive to another clean computer, or boot to WinPE from a USB flash drive (such as Gandalf’s Win10PE, Kaspersky Rescue Disk) to begin the data recovery and malware removal process.
http://www.toptenreviews.com/software/backup-recovery/best-data-recovery-software/

tommls commented May 16, 2017 edited

Would someone experienced please be willing/able to comment about whether the Konica Minolta "Crypto Mitigation Tool" is any good, worth installing? An IT company is pitching it to us (as are all IT consultants pitching products now!).
I can see installing it for people's peace of mind...??
It does this (reactively, I know) "The CMT script triggers a set of preventive actions when a file type is discovered as a known ransomware file set. Additionally, the CMT automatically downloads the latest copy of the infected file set on an hourly basis, creating a library of known crypto infections to search against. The CMT is deployed as an extra layer of protection against the consistent offensive launched by ransomware hackers."
We already keep servers and PCs etc. patched and up to date as possible, though user training could be a lot better.
Thank you, Tom

tommls commented May 16, 2017

What are the potential implications of disabling SMB v1 on Windows servers? Thank you, Tom

@tommls, Windows XP and Windows Server 2003 can no longer connect to that server after you disable SMB v1. Starting from Vista/Srv 2008, SMB v2 has been included and is used by default when server and client support it, and starting from Win 8/Srv 2012, SMB v3 has been included and is used by default. More info: https://en.wikipedia.org/wiki/Server_Message_Block

tommls commented May 16, 2017

Would you please clarify this sentence: "Windows XP and Windows Server 2003 cannot anymore connect that server after you disable SMB v1."
If I disable smb v1 on our win2k3 servers they will not connect to what?? One of them is a sharepoint server, another is a citrix server, another is a legacy HR/PR system....

They cannot connect to any file share on any server where SMB v1 is not supported. For example, if you have a file server where you normally connect like this \\fileserver or this \\10.10.10.11 and you disable SMB v1 on it, then any XP or Srv 2003 cannot connect to it.

To SharePoint you can still connect through the web, Citrix should be OK, and to the legacy HR/PR system you probably connect using some other protocol (web, client app, etc.) so it should be OK too.

The only place where you probably need to leave SMBv1 enabled is the domain controllers, because domain-joined w2k3 will not work correctly if they cannot connect to domain controllers, but you of course still have the option to install hotfixes there and make sure that anti-virus is up-to-date, so it should not be an issue with WannaCry.

tommls commented May 16, 2017

OIC -- thank you!! Your 2nd paragraph answers all my questions.
I'll review the domain controllers. I found information on how to do this. They are all already patched through May 2017.
The existing win2k3 servers are indeed domain-joined and we are updating them this year to win2k16 and I can review this topic with the consultant doing the work. Thank you, Tom

dev commented May 16, 2017 edited

00:34 < nulldot> 0x1000efc0, 19, wanna18@hotmail.com

If the email wanna18@hotmail.com is correct, then our hacker must be "WaanJeab Theinsuwan" from Thailand.
At least, if WaanJeab didn't get hacked.
Also works at STATravel, if you do a password forgot on the hotmail account, you will see wa***@statravel.com.

Found this by doing password forgot on Facebook

Owner

rain-1 commented May 16, 2017 edited

I believe that wanna18 email address is a red herring. Thank you for your research.

Toxyl commented May 16, 2017

@Lakshmipathi thanks, this might prove useful.

Toxyl commented May 16, 2017

@rain-1 if not, then it's a blatant mistake. either it's created for the purpose or it's hacked.

gotitbro commented May 16, 2017 edited

@rain-1 Shaheen Airlines is a Pakistani airline and I could find nothing on twitter about the ransomware claim or anywhere else for that matter. I recommend removing this "incident".

Edit: @rain-1 I see that you have updated the claim with proper attribution, thanks. The incident reported though is from Pakistan as the user is from Pakistan himself.

arivero commented May 17, 2017

All time UTC. Trying to document the first expansion.

06:08-06:18 first search for "wana decrypt0r 2.0" from Taiwan. Very early.... error in Google Trends data?
https://twitter.com/arivero/status/864162383446638593

around 08:00 Symantec Endpoint hit count increases https://twitter.com/GossiTheDog/status/864526481967521792
2017-05-12 07:24 first hit in OpenDNS Cisco Umbrella http://blog.talosintelligence.com/2017/05/wannacry.html
about 08:07 first Google search from Spain
about 08:08 first from Ukraine
about 08:16 first check for a bitcoin address 115p...
about 08:32 second search from Taiwan
about 08:40 first from Russia
2017-05-12 11:07:13 465970 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
2017-05-12 12:33:55 466044 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
about 13:00 Telefonica acknowledges hit. https://twitter.com/Telefonica/status/863017139543973888
2017-05-12 14:27:24 466052 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

arivero commented May 17, 2017

[image] Times in GMT+2 in this image

Just infected the system and it is communicating to 194.109.206.212 that points to tor.dizum.com

Other domains :

  • tor1e1.digitale-gessellschaft.ch
  • lon.anondroid.com

dev commented May 17, 2017

Thank you @Toxyl :)

thez3r0 commented May 17, 2017

I came up with a lame but yet solidly working idea: why don't we change the extension of important files to something else, something like document.org or scancopy.image?

Because having a unique extension will make your file/doc out of scope for a traditional ransomware extension list.
I tried to do this in my lab and it works.

Have a look.
[image: whatsapp image 2017-05-17 at 15 07 34]

Is there any public tool for decrypting .wncyr files?

Owner

rain-1 commented May 17, 2017 edited

The theory is that .wncyr (as opposed to .wncry) can be decrypted as the AES key is stored inside it, plain. I have not seen any samples of .wncyr files though so nobody has built a tool to decrypt it yet. Do you have samples of .wncyr?

booy92 commented May 17, 2017

@rain-1 will look tonight, don't know for sure

idslash commented May 17, 2017

I have some .wncyr files
it looks like
image

and after that unencrypted content begins

LarBob commented May 17, 2017

I'm experimenting with this ransomware (the new killswitchless variant that uses .test instead of .com), and with Wireshark I see it's sending a bunch of requests to addresses through port 445. Obviously they aren't going through as the router it's connected to isn't connected to the outside world. It's making requests, but I don't think it's doing anything in terms of the local network as I've had it running for over 24 hours and it hasn't done anything malicious to the only other machine that's on the network (it's running unpatched Windows 7 SP1 installed from a disk that's years old). Is there something else that needs to happen before it starts infecting local machines or what? I'm not doing this for anything malicious, but I think it would be pretty cool to see it spread through a network I have set up (that isn't facing the outside world as I'm not evil). Thanks guys.

7h3rAm commented May 17, 2017 edited

@LarBob It might be possible that the encryption and/or propagation mechanism is broken. There were reports of such samples being circulated in the wild. If you can share the sample, I will try it out in my setup to verify.

@rain-1 It would be better if items under https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168#some-other-interesting-strings are formatted as a bulleted list or separated by commas. I got confused and thought it was a continuous string.

@idslash Do your .wncyr sample files have the same structure as the one defined at https://github.com/gentilkiwi/wanadecrypt/ for .wncry files?

#include <windows.h> // ULONGLONG, ULONG, BYTE, ANYSIZE_ARRAY

typedef struct _WANA_FORMAT {
    ULONGLONG magic;            // 0x21595243414e4157 // "WANACRY!" in little-endian byte order
    ULONG     enc_keysize;      // RSA_2048_ENC: length of the encrypted AES key (256)
    BYTE      key[256];         // per-file AES key, encrypted with the infection's RSA public key
    ULONG     unkOperation;     // 4
    ULONGLONG qwDataSize;       // original (plaintext) file size
    BYTE      data[ANYSIZE_ARRAY]; // AES-encrypted file body follows the header
} WANA_FORMAT, *PWANA_FORMAT;

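A small parser for the header layout in that struct, added here as an example (not code from the thread or from wanadecrypt) for triaging encrypted files. It assumes the x86 packing of the struct (no padding, 280-byte header), the AES-128-CBC detail from the top of the gist for the block-size check, PKCS#7-style padding in the constructed sample, and the sample input itself is constructed, not a real .wncry file.

```python
import struct
from typing import NamedTuple, Optional

# Layout of the WANA_FORMAT struct quoted from gentilkiwi/wanadecrypt above:
# ULONGLONG magic "WANACRY!", ULONG enc_keysize, BYTE key[256],
# ULONG unkOperation, ULONGLONG qwDataSize, then the encrypted file body.
WANA_MAGIC = b"WANACRY!"            # 0x21595243414e4157 read as little-endian bytes
HEADER_FMT = "<8sI256sIQ"           # assumed x86 packing, no padding: 280 bytes
HEADER_SIZE = struct.calcsize(HEADER_FMT)
AES_BLOCK = 16                      # files are AES-128-CBC encrypted (per the gist)


class WanaHeader(NamedTuple):
    enc_keysize: int     # size of the RSA-encrypted AES key (256 = RSA-2048)
    enc_key: bytes       # per-file AES key, encrypted with the infection RSA key
    operation: int       # unkOperation; the struct comment notes the value 4
    data_size: int       # original plaintext length (qwDataSize)


def parse_wncry_header(blob: bytes) -> Optional[WanaHeader]:
    """Return the parsed header if blob starts with WANACRY!, else None."""
    if len(blob) < HEADER_SIZE:
        return None
    magic, keysize, key, op, size = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic != WANA_MAGIC or keysize > len(key):
        return None
    return WanaHeader(keysize, key[:keysize], op, size)


def body_is_consistent(blob: bytes, hdr: WanaHeader) -> bool:
    """Triage sanity check: the encrypted body must be able to hold data_size
    bytes and, being CBC output, must be a whole number of AES blocks."""
    body_len = len(blob) - HEADER_SIZE
    return body_len >= hdr.data_size and body_len % AES_BLOCK == 0


def build_constructed_sample(plaintext_len: int) -> bytes:
    """Constructed test input (not a real sample): placeholder key and body."""
    fake_key = bytes(range(256))                          # placeholder RSA blob
    padded = (plaintext_len // AES_BLOCK + 1) * AES_BLOCK  # assumes PKCS#7 padding
    header = struct.pack(HEADER_FMT, WANA_MAGIC, 256, fake_key, 4, plaintext_len)
    return header + b"\xAA" * padded


if __name__ == "__main__":
    sample = build_constructed_sample(1000)
    hdr = parse_wncry_header(sample)
    print(hdr.data_size, body_is_consistent(sample, hdr))  # 1000 True
```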
7h3rAm commented May 18, 2017

@LarBob I found the sample performing the following activities:

  1. Drops tasksche.exe in %SystemRoot%
  2. Creates services: mssecsvc2.0 and <random_string_generated_from_computer_name>
  3. Tries connecting to hosts in subnet over SMB/445

It has an in-memory string for a killswitch domain "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.testing", although no connection attempt was made. It didn't encrypt any files, although its components were dropped and the working directory was added to the registry.

So it did search for victims over SMB1 but couldn't propagate. Like you mentioned, it did not infect any files on my test machine.

Toxyl commented May 18, 2017

So a broken version of wannacry.

7h3rAm commented May 18, 2017 edited

@Toxyl Yes, most probably. There's no WanaCry-specific killswitch domain lookup or mutexes either. I didn't find anti* tricks that might have skipped these checks, so it indeed seems broken. It will be interesting to know about the origins of this variant.

LarBob commented May 19, 2017

@7h3rAm thank you. Do you have one like this that isn't broken? I think it'd be cool to see it spreading over a local network I have set up (not outwardly connected)

mrpnkt commented May 19, 2017

A Timeline (work in progress)

@srcastro
The res file contains 8 bytes of random data, the first file encrypt time and the last file encrypt time, and the number of files encoded.

Decryption of wannacry files is now possible for windows versions from XP to Win7
Details and download: https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d

Toxyl commented May 19, 2017

@7h3rAm I wonder why, while using sophisticated exploits and so on, they did not take care of stuff like detecting if it's being run in a VM. AFAIK it's not hard and it would have thwarted a lot of valuable research done.

alk2git commented May 19, 2017

@Toxyl - it is said that kill-switch domains were actually for that detection, to protect from running in a sandbox which is ready to reply to any senseless request. But because of an error in the virus code it appears to be a kill-switch instead.

robre commented May 19, 2017

Apparently, wannacrypt didn't spread automatically to Windows XP machines. The exploit (Eternalblue) itself would work for XP, but wannacrypt failed to exploit it correctly for XP. If you run a sample directly on an XP machine, it will work though, but it can't get infected over the net.
Failed infections may result in BSOD.
https://twitter.com/cybergibbons/status/864786228490756096

@rain-1
I finally got some samples of .wncyr files. By checking key length, looks like the AES-128 is ciphered as with .wncry files. So I was wondering which RSA pair is used for ciphering demo files.

image

Toxyl commented May 19, 2017

@alk2git that's an interesting point, I didn't think about it from that perspective.

Toxyl commented May 19, 2017

Is there a reliable map or list of the countries that were hit by wannacry?

sickick commented May 19, 2017

From @tunguyen6 post:
wanakiwi can decrypt WannaCrypted files. It finds prime numbers in RAM, and generates decryption key. Users must not restart their computers, otherwise they cannot get the prime numbers needed. Also this utility should be used ASAP before these numbers are lost.

It is based on wannakey which extracts the prime keys from RAM.

7h3rAm commented May 19, 2017 edited

@Toxyl this doesn't seem like a sophisticated attack. ETERNALBLUE and its patch were available, but the authors tried leveraging the fact that most Windows systems would still be unpatched. This made the attack as effective as using a 0-day. They didn't use spam campaigns as the initial vector or to spread further. As mentioned by @alk2git and @robre, the ransomware probably failed at implementing an anti* trick and a pivoting mechanism for XP.

Nevertheless, being quick rather than spending time fixing bugs paid off for them, as the attack relates to NSA, ShadowBrokers and Microsoft.

Toxyl commented May 19, 2017

Does anyone know the sample 7759ef6474c7b1781ed42b1e06dfcf7d2d07cb303610b8a80a48afc7ad838bc2? According to VirusTotal it contains an "audio/mpeg" PE resource.

Toxyl commented May 20, 2017

@7h3rAm the exploits themselves are, but they're not the work of wannacry's authors.

Not sure how much use these payments will be, though. The BTC accounts are now under full scrutiny and no-one will want to have anything to do with them. So far they haven't even withdrawn anything from the version 1.0 account.

Toxyl commented May 20, 2017

Could Lazarus Group be behind it? Interestingly North Korea didn't get any hits on Wcrypt Tracker.

Owner

rain-1 commented May 20, 2017

@Toxyl North Korea doesn't have enough computers

Toxyl commented May 20, 2017 edited

@rain-1 if Lazarus Group really operates from N-Korea then there are computers around that can access resources outside. I would bet that the elite does have internet access. Slim infection chances indeed, so this would not prove anything, but it might be an indicator.

What I would find more interesting is to analyze the ransom notes. At least those written in the three languages I can read had a lot of mistakes. Theoretically the ransom note in the language of the authors should be the one that has the fewest grammar mistakes, as a Google translation pretty much always adds more grammar mistakes and every now and then a very odd sounding sentence. And the original note could contain slang or regional dialect that might be a giveaway.

Btw, I've mapped the languages to a world map, taking into account where a language is spoken as native, official or regional language. What struck me is that they cover almost all countries, except for the Arab speaking world. Why do they exclude them?

marksteward commented May 20, 2017 edited

@Toxyl from what I can tell, all translations were from the English version, using Google Translate almost entirely, except for the Chinese and Japanese. The Japanese looks like it's been fixed up using Google Translate's "Suggest an edit" because there's a difference between translating the full text and only parts of it (one of the differences was a grammatical error, but that's now disappeared). It also translates "bitcoin" as "bitcore" in one case. The Chinese (Simplified) is apparently a fluent translation of the English but with an added sentence, and Chinese (Traditional) is a Google Translation of that. Bulgarian, Croatian and Korean also differ slightly, but I don't know how significant those changes are. It seems likely to me that these people used English as a primary language for developing the malware, but have Chinese and some Japanese knowledge.

Here are the translations, sorted by last edit time https://pastebin.com/1s0WPk2y. Note that Chinese is the last one edited, and has the most revisions. Also note that for Czech and Danish, and then Bulgarian and Croatian, they've gone back and edited them slightly - all others are in alphabetic order.

Toxyl commented May 22, 2017

@marksteward How did you get the edit time and revisions? I had a look at the files, but all have fake dates for creation and modification time.
What's the added sentence in Chinese (Simplified)?
I wonder if we can safely assume that the amount of revisions tells us something about the language proficiency of the authors. So basically every revision 3 is a language translated with Google Translate and not further adjusted, i.e. the author may not be able to read that language. Those with few edits (version4) may be because of obvious mistakes in translation like words that were not translated. Higher revision counts then either had more fixes because of obvious translation errors or because the authors know that language and can correct translation errors properly.

Any info on the .WNCRYT files recovered from ntfsundelete?
They don't seem to be encrypted at all, if this can be a ray of hope for someone else out there.

I need the WannaCry source. I have wannacry.exe 2.0 but I need the source only to learn more.

Toxyl commented May 24, 2017

@dangerhacker toxyl.ddns.net/wcry - the results come with the decompiled C source

marksteward commented May 25, 2017 edited

@Toxyl it's from the metadata in the translation files themselves - they're saved from Microsoft Word, so include various features you wouldn't usually see in an RTF file.

Additionally, now https://threatpost.com/wannacry-ransom-note-written-by-chinese-english-speaking-authors/125906/ is doing the rounds, here's the revision information from two earlier English-only versions, showing how they deliberately set their computer clock back in later versions to obscure the compile time (but without realising it affects this):

{ author Messi}{ operator Messi}{ creatim yr2017 mo3 dy4 hr13 min33}{ revtim yr2017 mo3 dy4 hr17 min37}{ version28}{ edmins156}
{ author Messi}{ operator Messi}{ creatim yr2017 mo3 dy4 hr13 min33}{ revtim yr2016 mo5 dy11 hr14 min40}{ version30}{ edmins157}

Toxyl commented May 29, 2017 edited

@marksteward awesome, great work, didn't even consider to check that. What pieces of data are edmins156 and edmins157? A Google search only returns results for women's leather gloves which seem to be called edmins in Russian. Is it the number of minutes since the last edit?

Toxyl commented May 29, 2017

Does anyone know where the address 17MAZ6gLmKSARyzwxskDibunkranSomYcr belongs to? I've added it to my list of addresses associated with WanaCry, but I don't remember where I got it from. Unlike the three addresses used by WanaCry this one was created at 2017-05-16 01:50:26, so 4 days after the other accounts (2017-05-12: 13:08:21, 14:43:33 and 16:34:58) and it has this glaringly obvious string DibunkranSomYcr in it.

Yeah, edmins is edit time in minutes; creatim and revtim are creation and revision time.

Another cover of the story saying Chinese is original rather than English https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/

How fast is the wannacrypt0r with all files like (200-250mb)? Did someone try it on virtual machine or real?

booy92 commented Jun 10, 2017

@phantomxe: fast. Didn't record or count it but infected a VM and it encrypted really fast. The decryption tool was also locked in no time. But needed to repartition and reinstall my laptop so don't have the VM anymore. But if you are interested I could infect it again and make a video to show the speed(won't be today, more likely wednesday or something)?

@booy92 yes, it'd be good for me. 25 files get 200-250mb and 2-3 files get 1gb. Could you take a video with system specs and CPU/disk monitoring?

I want to analyze the malware wannacry, petya, and locky, but from where can I get these three malware samples to be analyzed? Can you guys tell me?

