McAfee Labs Threat Advisory - Ransom-WannaCry

The document provides details about the Ransom-WannaCry ransomware including how it infects systems and encrypts files. It spreads initially through email but also exploits the EternalBlue vulnerability. It drops various components, encrypts files, and displays ransom instructions. The summary includes indicators of compromise and mitigation recommendations.


McAfee Labs Threat Advisory

Ransom-WannaCry

May 13, 2017


McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent
malware. This Threat Advisory contains behavioral information, characteristics, and symptoms that may be used to
mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs.

To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and
Threat Reports” at the following URL: https://sns.snssecure.mcafee.com/content/signup_login.

Summary
Ransomware-WannaCry is a detection for a family of ransomware that, on execution, encrypts certain file types present on the
user’s system. The compromised user has to pay the attacker a ransom to get the files decrypted.

McAfee products detect this threat under the following detection names:

- Ransom-WannaCry, Trojan-FMMA, TRO-FMNN, Ransom-WNCry

Detailed information about the threat, its propagation, characteristics and mitigation is in the following sections:

- Infection and Propagation Vectors
- Mitigation
- Characteristics and Symptoms
- Restart Mechanism
- Remediation
- McAfee Foundstone Services

Infection and Propagation Vectors


Although this has not been confirmed, the malware’s initial infection vector is believed to be spam email. The malware also
spreads through removable drives and open network shares, and by using the EternalBlue exploit for the MS17-010 (Echo Response)
SMB vulnerability. It connects to the IPC$ tree and attempts a transaction on FID 0.

Affected systems: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7, Windows 8.1, Windows
RT 8.1, Windows Server 2012 and R2, Windows 10, Windows Server 2016

Characteristics and Symptoms


The following section describes various components of the malware:

- Dropper Component: 84C82835A5D21BBCF75A61706D8AB549

The initial executable is a dropper that carries multiple components in the form of a password-protected ZIP file in its resource
section. The ZIP password is hardcoded as “WNcry@2ol7”. The dropped components are responsible for the remaining activity on the
system. The dropper uses the command line below to remove any existing shadow volumes and backups, which prevents recovery of
the encrypted files from local snapshots:

Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

The dropper component executes the following commands:

attrib +h .
icacls . /grant Everyone:F /T /C /Q
taskdl.exe
@WanaDecryptor@.exe fi
148131494626672.bat
@WanaDecryptor@.exe co
cmd.exe /c start /b @WanaDecryptor@.exe vs
taskse.exe C:\Users\[User]\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vlyxsemjujkp530" /t REG_SZ /d "\"<Install Dir>\tasksche.exe\"" /f
cscript.exe //nologo m.vbs

The ransomware grants full access to all files in its working directory, recursively, with the command:
- icacls . /grant Everyone:F /T /C /Q
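A detection rule set over process-creation telemetry for the dropper command lines above, written here as an added example (not McAfee's code or tooling); the events, host names and install directory are constructed, and the benign `vssadmin list shadows` event shows the rules do not fire on ordinary administration.

```python
import re

# Constructed process-creation events (the shape of Sysmon Event ID 1 / EDR telemetry); hosts and the
# install directory are invented, the command lines are the ones the advisory attributes to the dropper.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": "Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
     "bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"
     " & wbadmin delete catalog -quiet"},
    {"host": "WS01", "cmdline": "icacls . /grant Everyone:F /T /C /Q"},
    {"host": "WS01", "cmdline": 'cmd.exe /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run '
     '/v "vlyxsemjujkp530" /t REG_SZ /d "\\"C:\\ProgramData\\qwertyuiop\\tasksche.exe\\"" /f'},
    {"host": "WS02", "cmdline": "vssadmin list shadows"},  # benign admin activity, must not fire
    {"host": "WS03", "cmdline": "cmd.exe /c dir C:\\Users"},
]

# One rule per behaviour the advisory describes; each is a case-insensitive regex over the command line.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "boot_recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recursive_everyone_full_control": re.compile(r"icacls(\.exe)?\s+\S+\s+/grant\s+Everyone:F\b.*\s/T\b", re.I),
    "run_key_persistence_tasksche": re.compile(
        r"reg(\.exe)?\s+add\s+HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\b.*tasksche\.exe", re.I),
    "wannacry_component_launch": re.compile(
        r"\b(taskdl|taskse|tasksche)\.exe\b|@WanaDecryptor@\.exe|cscript(\.exe)?\s+//nologo\s+m\.vbs", re.I),
}


def scan_events(events):
    """Return {host: sorted rule names that fired}; hosts with no hits are omitted."""
    hits = {}
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


def likely_wannacry_hosts(events, min_rules=3):
    """A lone vssadmin call can be legitimate maintenance; the dropper's signature is the chain of
    backup destruction, ACL loosening and Run-key persistence, so require several distinct rules."""
    return sorted(host for host, names in scan_events(events).items() if len(names) >= min_rules)
```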

The various components dropped to disk are listed below:

- taskdl.exe – Initial cleaner component, run before the actual encryption begins. Looks for files in the install directory of the
ransomware and in the Recycle Bin and removes any files with the ".WNCRYT" extension.
- taskse.exe – Component that attempts to synchronize execution between machines. It waits for a signal and runs
scripts concurrently. Used to connect to remote desktop sessions via WTSEnumerateSessionsA and create processes in them.
- b.wnry – contains the wallpaper that is displayed
- c.wnry – Bitcoin wallets, C&C addresses, etc.
- r.wnry – Ransom note
- m.wnry – RTF containing the decryption instructions
- s.wnry – An archive that contains a Tor client, used for payments
- t.wnry – An encrypted file that contains the encryption routine the malware uses for file encryption
- u.wnry / @WanaDecryptor@.exe – Encryptor/Decryptor component of the ransomware. Loads t.wnry and executes
it in memory
- m.vbs – Used to create a shortcut to the decryptor on the desktop.
- <Random_filename>.bat – BAT file used to create the .vbs file.
- msg folder – contains language-specific decryption instructions

Network Activity

The dropper component is a 3.4-3.6 MB file which contains several files in its resource section. One of these files is a ZIP archive
containing the Tor Browser binaries. Tor Browser is used to access the Onion URLs the malware uses to collect payments.
The following Onion addresses are used:

- gx7ekbenv2riucmf.onion
- 57g7spgrzlojinas.onion
- xxlvbrloxvriy2c5.onion
- 76jdd2ir2embyv47.onion
- cwwnhwhlz52maqm7.onion

Payment is collected in Bitcoin. The following addresses are found in the samples:
- 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

The malware also reports the infection to this URL with a POST request:

- http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

The malware encrypts files with specific extensions on the local machine, on any removable drive connected to it, and on any network
share mounted locally.

It then attempts to find machines on the local network via NetBIOS broadcast messages and Master Browser queries. Once a
machine is found, the malware connects to its IPC$ default share and attempts to log in. If successful, it tries to list all available
shares and attempts to infect them.

It does so by first copying itself to the remote share, then encrypting all files with the targeted extensions it can find there.

Dropper Component: DB349B97C37D22F5EA1D1841E3C89EB4

This dropper contains exactly the same files as the variant above. The difference is that it also contains code to exploit
the MS17-010 Echo Response vulnerability. The exploit code used is publicly available and is known as EternalBlue.

This dropper first checks whether the domain below is active:

- http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

If the domain is active, the malware simply quits without doing anything else.
The dropper installs itself as a service named MSSECSVC2.0 with the description “Microsoft Security Service (2.0)” so that it
restarts after a reboot.

Once rebooted, the malware starts generating random IP addresses and tries to exploit those machines using the exploit above.
When a machine is infected, the components described for the previous dropper are dropped onto it.
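An added example (not from the advisory or McAfee) of triaging resolver logs for the kill-switch check described above: each client that queried the domain executed the exploit-bearing dropper, and the response it received says whether the malware quit or went on to spread. The log format and client addresses are constructed.

```python
import re

# Kill-switch domain from the advisory: the exploit-bearing dropper quits if it is active, so a client that
# queried it executed the dropper, and the answer it received says whether the malware stopped there.
KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed resolver log (a query line, then the response the client got); format and addresses are invented.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:02Z client=10.0.1.21 qname=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com qtype=A
2017-05-12T10:01:02Z client=10.0.1.21 qname=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NOERROR
2017-05-12T10:03:17Z client=10.0.1.35 qname=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com qtype=A
2017-05-12T10:03:17Z client=10.0.1.35 qname=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NXDOMAIN
2017-05-12T10:04:00Z client=10.0.1.40 qname=www.mcafee.com qtype=A
2017-05-12T10:05:44Z client=10.0.1.52 qname=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com qtype=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) (?:qtype=(?P<qtype>\S+)|rcode=(?P<rcode>\S+))$")


def triage_kill_switch_queries(log_text):
    """Map every client that looked up the kill-switch domain to its likely state:
    'halted'    - the domain resolved (NOERROR), so the dropper quit;
    'spreading' - NXDOMAIN/SERVFAIL etc., so the dropper went on to install its service and scan;
    'unknown'   - query seen but no response logged; treat as spreading until proven otherwise.
    DNS success only approximates "domain active": where HTTP egress is filtered, confirm in proxy logs."""
    state = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("qname").lower().rstrip(".") != KILL_SWITCH:
            continue
        client = m.group("client")
        if m.group("qtype"):
            state.setdefault(client, "unknown")
        elif m.group("rcode") == "NOERROR":
            state[client] = "halted"
        else:
            state[client] = "spreading"
    return state


def hosts_to_isolate(log_text):
    """Clients to isolate and image first: those the kill-switch did not stop."""
    return sorted(c for c, s in triage_kill_switch_queries(log_text).items() if s != "halted")
```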

Target File Types

.der .pfx .key .crt .csr .p12
.pem .odt .ott .sxw .stw .uot
.3ds .max .3dm .ods .ots .sxc
.stc .dif .slk .wb2 .odp .otp
.sxd .std .uop .odg .otg .sxm
.mml .lay .lay6 .asc .sqlite3
.sqlitedb .sql .accdb .mdb .db
.dbf .odb .frm .myd .myi .ibd .mdf .ldf
.sln .suo .cs .c .cpp .pas
.h .asm .js .cmd .bat .ps1
.vbs .vb .pl .dip .dch .sch
.brd .jsp .php .asp .rb .java
.jar .class .sh .mp3 .wav .swf
.fla .wmv .mpg .vob .mpeg .asf
.avi .mov .mp4 .3gp .mkv .3g2
.flv .wma .mid .m3u .m4u .djvu
.svg .ai .psd .nef .tiff .tif
.cgm .raw .gif .png .bmp .jpg
.jpeg .vcd .iso .backup .zip .rar
.7z .gz .tgz .tar .bak .tbk
.bz2 .PAQ .ARC .aes .gpg .vmx
.vmdk .vdi .sldm .sldx .sti .sxi
.602 .hwp .snt .onetoc2 .dwg .pdf
.wk1 .wks .123 .rtf .csv .txt
.vsdx .vsd .edb .eml .msg .ost
.pst .potm .potx .ppam .ppsx .ppsm
.pps .pot .pptm .pptx .ppt .xltm
.xltx .xlc .xlm .xlt .xlw .xlsb
.xlsm .xlsx .xls .dotx .dotm .dot
.docm .docb .docx .doc

Restart Mechanism

The ransomware restarts via the Run key in HKLM:

- cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vlyxsemjujkp530" /t REG_SZ /d "\"<Install Dir>\tasksche.exe\"" /f

It also installs the service MSSECSVC2.0 under the following key:

- HKLM\SYSTEM\CurrentVersion\Services\mssecsvc2.0
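An added example, not McAfee's code, that checks a `reg export` of the keys above for both restart mechanisms: the Run value name is random per infection, so the check keys on the tasksche.exe target, and the service is matched on the `Services\mssecsvc2.0` tail of the key path. The export text, install directory and benign Run entry are constructed.

```python
import re

# Constructed `reg export` text (not a real export). The value name, tasksche.exe target and the service
# name/description are the ones the advisory gives; the install directory and the benign Run entry are invented.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"vlyxsemjujkp530"="\"C:\\ProgramData\\qwertyuiop\\tasksche.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentVersion\Services\mssecsvc2.0]
"DisplayName"="Microsoft Security Service (2.0)"
"Start"=dword:00000002
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: data}}.
    REG_SZ data is unescaped (backslash-escaped sequences); dword:/hex: data is kept as the raw token."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else m.group(1)
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def find_wannacry_persistence(text):
    """Return (finding, key_or_value_name, data) tuples for the two restart mechanisms in the advisory."""
    keys = parse_reg_export(text)
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # The Run value name is random per infection, so match on the tasksche.exe target instead.
        if data.strip('"').lower().endswith("tasksche.exe"):
            findings.append(("run_key_tasksche", name, data))
    for key, values in keys.items():
        # Match the Services\<name> tail so the CurrentControlSet spelling of the path is caught as well.
        if key.lower().endswith(r"\services\mssecsvc2.0"):
            findings.append(("service_mssecsvc2.0", key, values.get("DisplayName", "")))
    return findings
```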

Indicators of Compromise

Hashes

IP Addresses

Mitigation
- Apply the MS17-010 patch.
- Refer to the KB published by McAfee for more information on mitigation actions:
https://kc.mcafee.com/corporate/index?page=content&id=KB89335
- Mitigating the threat at multiple levels (file, registry and URL) can be achieved at various layers of McAfee products.
Browse the product guidelines available here to mitigate the threat based on the behavior described in the
Characteristics and Symptoms section above.

Example:

VIRUS SCAN ENTERPRISE: Generic buffer overflow protection is expected to cover code execution exploits.
HOST IPS: Signature 2846, "InformationCardSigninHelper ActiveX Control Vulnerability", provides coverage.
NETWORK SECURITY PLATFORM: Signature 1158754048, "HTTP: InformationCardSigninHelper ActiveX Control Memory Corrupt Vulnerability," provides coverage for code execution exploits.
VULNERABILITY MANAGER: The FSL/MVM package of November 12 includes a vulnerability check to assess if your systems are at risk.
WEB GATEWAY: Under analysis
REMEDIATION MANAGER: Out of scope
POLICY AUDITOR: An upcoming SCAP content release will contain coverage for this issue.
NETWORK ACCESS CONTROL: An upcoming SCAP content release will contain coverage for this issue.
FIREWALL ENTERPRISE: Under analysis
APPLICATION CONTROL: Run-Time Control locks down systems and provides protection in the form of Execution Control and Memory Protection.
DATABASE ACTIVITY MONITORING: Out of scope
VULNERABILITY MANAGER FOR DATABASES: Out of scope

EPO
- To block access to USB drives through an ePO DLP policy, refer to this tutorial.

VSE
- Refer to article KB53346 to use Access Protection policies in VirusScan Enterprise to protect against viruses that
can disable regedit.
- Refer to article KB53355 to use Access Protection policies in VirusScan Enterprise to protect against viruses that
can disable Task Manager.
- Refer to article KB53356 to use Access Protection policies in VirusScan Enterprise to prevent malware from
changing folder options.

HIPS
- To blacklist applications using a Host Intrusion Prevention custom signature, refer to KB71329.
- To create an application blocking rules policy that prevents the binary from running, refer to KB71794.
- To create an application blocking rules policy that prevents a specific executable from hooking any other executable,
refer to KB71794.
- To block attacks from a specific IP address through McAfee Nitrosecurity IPS, refer to KB74650.

Others
- To disable the Autorun feature on Windows remotely using Windows Group Policies, refer to this article from
Microsoft.

Getting Help from the McAfee Foundstone Services team


This document is intended to provide a summary of current intelligence and best practices to ensure the highest
level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of
strategic and technical consulting services that can further help to ensure you identify security risk and build
effective solutions to remediate security vulnerabilities.

You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx

This Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy,
relevance, and timeliness of the information and events described; they are subject to change without notice.

Copyright 2017 McAfee LLC. All rights reserved.
