Friday, May 12, 2017

Your Ransomeware Reader

This is live with continuous updating.
From GitHub:

/Wannacrypt0r-FACTSHEET.md forked from Epivalent/Wannacrypt0r-FACTSHEET.md
Last active 3 minutes ago

WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. (source: malwarebytes)
  • Infections: NHS (uk), Telefonica (spain), FedEx (us), University of Waterloo (us), Russia interior ministry & Megafon (russia), Сбера bank (russia), Shaheen Airlines (india, claimed on twitter), Train station (germany)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes)
SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/

Malware samples

Binary blob in PE crypted with pass 'WNcry@2ol7', credits to ens!

Informative Tweets

Cryptography details

  • encrypted via AES-128-CBC (custom implementation in the binary)
  • AES key generated with a CSPRNG, CryptGenRandom
  • AES key is encrypted by RSA-2048 (windows RSA implementation)
  • https://haxx.in/key1.bin (the ransomware pubkey, used to encrypt the aes keys)
  • https://haxx.in/key2.bin (the dll decryption privkey) the CryptImportKey() rsa key blob dumped from the DLL by blasty.

Bitcoin ransom addresses

3 addresses hard coded into the malware.

...MUCH MORE