1. Introduction
With the rapid advancement of information technology, cyberspace has become an indispensable component of modern society. Yet, this progress brings new security challenges, including the evolving threat landscape of cyber-attacks. Among these, worm-like ransomware stands out due to its unique propagation methods and destructive capabilities. These worms can swiftly spread across networks and encrypt victims’ files, demanding ransom and inflicting significant financial and data security risks to individuals and organizations alike.
In recent years, the frequency of ransomware attacks has increased, and their methods and tactics have become ever more sophisticated. Early attacks simply encrypted files, but they have since grown in stealth and complexity, borrowing from advanced persistent threats (APTs) and exploiting zero-day vulnerabilities (Constantin; Hill). The 2017 WannaCry incident is a classic example: it exploited a vulnerability leaked from the NSA and rapidly caused widespread damage around the world.
On May 12, 2017, the WannaCry ransomware attack caused a major outbreak, infecting a large number of computers globally. Industries including finance, energy, healthcare, and education were affected. The attack reached at least 150 countries and 300,000 users, resulting in damages of up to $8 billion. WannaCry is a worm-like ransomware that propagates using EternalBlue, a dangerous exploit from the leaked NSA toolkit. It exploits a vulnerability present in most Windows devices at the time to obtain the highest system privilege. The vulnerability, commonly known by the name of its bulletin, MS17-010, lies in Microsoft’s Server Message Block (SMB) implementation and was patched by Microsoft in that security bulletin. The SMB service is used for sharing files and printers and for inter-process communication over a network. However, the way the server handles certain requests allows adversaries to execute code remotely by sending “a specially crafted packet to a targeted SMBv1 server” (BetaFred). Because many users were unaware of the importance of security updates, the patch was not installed promptly or widely, leaving systems exposed to WannaCry. EternalBlue therefore scans for Windows systems with port 445 open, the default port for the SMB service. Any system found by this scan can be infected automatically by WannaCry and other malicious programs as soon as it comes online, with no user action required. Once it infects a computer, the worm implants ransomware that encrypts a vast number of files and demands payment in Bitcoin for the decryption. If the victim does not pay in time, the files are deleted permanently.
WannaCry consists mainly of two components: a worm component that handles propagation, and an encryption component (Akbanov, V. Vassilakis, et al. 3). This project delves into the incident as a case study. To fully understand the mechanics of spreading and encryption, the rest of the paper is organized as follows. Section 2 examines closely how WannaCry spreads and infects machines automatically, and Section 3 explores its mechanics of encryption and ransom.
2. Infection and Propagation
The worm component on an infected host first tries to connect to a domain by calling the InternetOpenUrlA function (see Figure 1). This domain, www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (Akbanov, V. G. Vassilakis, et al. 4), acts as a kill switch. If the connection succeeds, WannaCry exits immediately without triggering any malicious behavior. If the domain cannot be reached, the worm is triggered and proceeds to operate.
First, it creates and starts a system service named mssecsvc2.0, disguised as the “Microsoft Security Center 2.0 Service”. This step installs WannaCry on the infected host. It then extracts tasksche.exe, used for the later encryption stage, from the hardcoded R resource; tasksche.exe is the main part of WannaCry. After WannaCry starts, it takes the following steps to achieve persistence on the infected machine (Akbanov, V. Vassilakis, et al.; Akbanov, V. G. Vassilakis, et al.):
- Add itself to AutoRun and make sure it can restart when the computer reboots.
- Run the icacls command “icacls . /grant Everyone:F /T /C /Q” (Chen and Bridges 8) to modify the discretionary access control list (DACL) and gain access to every file on the computer.
- Delete all backup files and copies so that the Windows system cannot recover in its safe mode.
- Kill Microsoft.Exchange, MSExchange, Sqlserver.exe, Sqlwriter.exe, and Mysql.exe. These database and mail services hold locks on some files, which would prevent WannaCry from accessing them. Terminating them both disrupts the services the infected machine provides and lets WannaCry modify and encrypt those files later.
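The kill-switch lookup and the installation and persistence steps above each leave a host-side trace. The following is an added example (not code from this paper or from any WannaCry analysis) that applies those indicators to a few constructed event lines in an invented key=value log format. The domain, service name, display name, icacls command and the terminated services come from the text; the assumption that the services are killed via taskkill is mine and is marked in the code.

```python
"""Host indicators for WannaCry installation/persistence applied to constructed log lines.

Added example; the log format and sample lines are constructed for illustration.
"""
import re
from typing import Iterable, List, Tuple

# Indicators taken from the case study text.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SERVICE_NAME = "mssecsvc2.0"
SERVICE_DISPLAY = "Microsoft Security Center 2.0 Service"
ICACLS_GRANT_EVERYONE = re.compile(
    r"icacls\s+\.\s+/grant\s+Everyone:F\s+/T\s+/C\s+/Q", re.IGNORECASE)
# Services the worm terminates so it can later encrypt their locked files.
KILLED_SERVICES = ("microsoft.exchange", "msexchange", "sqlserver.exe",
                   "sqlwriter.exe", "mysql.exe")


def classify(line: str) -> List[str]:
    """Return the indicator labels that match a single log line."""
    hits = []
    low = line.lower()
    if KILL_SWITCH_DOMAIN in low:
        hits.append("kill-switch domain lookup")
    if SERVICE_NAME in low or SERVICE_DISPLAY.lower() in low:
        hits.append("mssecsvc2.0 service installed")
    if ICACLS_GRANT_EVERYONE.search(line):
        hits.append("icacls grants Everyone full control")
    # Assumption: the worm uses taskkill to stop the listed services.
    if "taskkill" in low and any(s in low for s in KILLED_SERVICES):
        hits.append("database/mail service termination")
    return hits


def scan_log(lines: Iterable[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, labels) for every line that matches at least one indicator."""
    return [(i, classify(l)) for i, l in enumerate(lines) if classify(l)]


def assess(lines: Iterable[str]) -> str:
    """Rough severity: several distinct indicators on one host point to the full chain."""
    labels = {h for _, hits in scan_log(list(lines)) for h in hits}
    if len(labels) >= 3:
        return "high"
    return "medium" if labels else "none"


# Constructed sample events from one host (not real telemetry).
SAMPLE_LOG = [
    'dns query="www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" result=NXDOMAIN',
    'service_install name="mssecsvc2.0" display="Microsoft Security Center 2.0 Service" '
    'image="C:\\Windows\\mssecsvc.exe"',
    'process_create image="C:\\Windows\\System32\\icacls.exe" '
    'cmdline="icacls . /grant Everyone:F /T /C /Q"',
    'process_create image="C:\\Windows\\System32\\taskkill.exe" '
    'cmdline="taskkill.exe /f /im sqlserver.exe"',
    'process_create image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for idx, labels in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(labels)}")
    print("severity:", assess(SAMPLE_LOG))
```

The kill-switch lookup on its own is not proof of infection (researchers and sinkhole traffic also resolve that domain), which is why `assess` only escalates when several distinct steps of the chain appear on the same host.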
In the meantime, WannaCry also tries to spread itself across both the internet and the intranet, scanning for vulnerable machines on port 445 to break in. WannaCry sends three NetBIOS session setup packets. The first contains the IP address being exploited; the other two contain two hardcoded IP addresses, 192.168.56.20 and 172.16.99.5, which can be “used to detect the exploit using network intrusion prevention systems” (McAfee Labs). After exploiting MS17-010 to obtain permissions on the target host, WannaCry does not send the worm itself directly to the target. Instead it sends a payload, “which consists of exploit shellcode and the file launcher.dll” (McAfee Labs), obfuscated with a simple XOR encryption, to the target machine for execution (see Figure 2 for the decrypted launcher.dll).
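The two hardcoded addresses are a useful network detection hook. As an added example (not code from the paper or from McAfee Labs), the following parses the NetBIOS session service header that wraps SMBv1 traffic on port 445 and flags any session message whose SMB body carries either address. The frames are constructed test data; that the address may appear as ASCII or as UTF-16LE (the encoding SMB uses for Unicode strings) is my assumption, so both are checked.

```python
"""Flag SMBv1 session messages carrying the WannaCry/EternalBlue hardcoded IP strings.

Added example; the frames below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import List, Optional

# The two addresses McAfee Labs reports in the worm's NetBIOS session setup packets.
HARDCODED_IPS = ("192.168.56.20", "172.16.99.5")
SMB1_MAGIC = b"\xffSMB"          # every SMBv1 header starts with this
NBSS_SESSION_MESSAGE = 0x00      # NetBIOS session service "session message" type


@dataclass
class Finding:
    frame_index: int
    ip: str
    encoding: str


def parse_nbss(frame: bytes) -> Optional[bytes]:
    """Return the SMBv1 body of a NetBIOS session message, or None otherwise."""
    if len(frame) < 4 or frame[0] != NBSS_SESSION_MESSAGE:
        return None
    # Type byte, then a length spanning the flags byte and two length bytes
    # (big-endian); reading all three as one integer covers the extension bit.
    length = int.from_bytes(frame[1:4], "big")
    body = frame[4:4 + length]
    if len(body) != length or not body.startswith(SMB1_MAGIC):
        return None
    return body


def scan_frames(frames: List[bytes]) -> List[Finding]:
    """Report every frame whose SMB body contains one of the hardcoded addresses."""
    findings = []
    for idx, frame in enumerate(frames):
        body = parse_nbss(frame)
        if body is None:
            continue
        for ip in HARDCODED_IPS:
            # Assumption: the address is present either as ASCII or as UTF-16LE.
            for enc in ("ascii", "utf-16-le"):
                if ip.encode(enc) in body:
                    findings.append(Finding(idx, ip, enc))
    return findings


def nbss_frame(body: bytes) -> bytes:
    """Constructed helper: wrap an SMB body in a NetBIOS session message header."""
    return bytes([NBSS_SESSION_MESSAGE]) + len(body).to_bytes(3, "big") + body


def smb1_body(path: str, encoding: str) -> bytes:
    """Constructed minimal SMBv1 payload: magic, TREE_CONNECT_ANDX command byte
    (0x75), zeroed header remainder, then the share path."""
    return SMB1_MAGIC + b"\x75" + b"\x00" * 27 + path.encode(encoding)


SAMPLE_FRAMES = [
    nbss_frame(smb1_body(r"\\10.0.0.9\IPC$", "ascii")),           # ordinary client
    nbss_frame(smb1_body(r"\\192.168.56.20\IPC$", "utf-16-le")),  # exploit marker
    nbss_frame(smb1_body(r"\\172.16.99.5\IPC$", "ascii")),        # exploit marker
    b"\x81\x00\x00\x44" + b"A" * 0x44,                            # session request, no SMB
]

if __name__ == "__main__":
    for f in scan_frames(SAMPLE_FRAMES):
        print(f"frame {f.frame_index}: hardcoded IP {f.ip} ({f.encoding})")
```

In a production sensor the same match would be expressed as an IDS rule keyed on destination port 445 plus the two address strings; the value of the parser above is that it only looks inside well-formed SMBv1 session messages, which keeps unrelated traffic that happens to mention those private addresses from firing the alert.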
So far, WannaCry has completed the work of propagating. Next, it infects the target machine with a kernel exploit. McAfee Labs found that “the SMB driver srv2.sys is vulnerable in kernel module and is exploited by the malware to spread using SMB communication” (McAfee Labs). The compromised srv2.sys injects launcher.dll into lsass.exe in user mode. lsass.exe (Local Security Authority Subsystem Service) is a critical system process in the Windows operating system, responsible for enforcing the system’s security policy. Once injected into lsass.exe, launcher.dll exposes a single export, a function called PlayGame (see Figure 3). The function is straightforward: it extracts the ransomware mssecsvc.exe onto the infected machine and then executes it.
The newly infected machine now contains the full functionality of WannaCry, which not only results in ransom demands but also continues to propagate using the MS17-010 vulnerability. This propagation expands geometrically outward, which is the main reason for the rapid large-scale outbreak of WannaCry.
3. Encryption
When WannaCry installs itself as a system service, it releases tasksche.exe from the aforementioned R resource. To avoid running multiple encryption operations simultaneously and to lower the chance of being detected through encryption patterns, WannaCry checks for the existence of three mutexes (Akbanov, V. Vassilakis, et al. 4):
- Global\MsWinZonesCacheCounterMutexA
- Global\MsWinZonesCacheCounterMutexW
- MsWinZonesCacheCounterMutexA
If any of these mutexes exists, WannaCry stops the encryption. If not, it creates a mutex and starts the process. Within the encryption component there is a protected zip archive containing the following files (Akbanov, V. Vassilakis, et al. 4):
- b.wnry: A bitmap image with instructions for the decryption of user files.
- c.wnry: Configuration file, containing onion domain names, Bitcoin addresses, TOR download addresses, etc.
- r.wnry: Q&A.
- s.wnry: ZIP file containing the Tor client.
- t.wnry: Encrypted file containing default public and private keys.
- u.wnry: Decryption program (@WanaDecryptor@.exe).
- taskdl.exe: Delete all files with .WNCRY extension.
- taskse.exe: A supporting tool for the execution of WannaCry.
- msg: Language packs.
During the encryption phase, WannaCry combines the AES and RSA algorithms into a rigorous flow. It starts by generating a new RSA-2048 session key pair. Before saving the new public and private keys as 00000000.pky and 00000000.eky, WannaCry first encrypts the RSA private key with a root RSA public key that is different from the newly generated public key (Kao et al. 5). For each file to be encrypted, CryptGenRandom is called to generate a random AES key, and the original file data is encrypted with that AES key. Finally, the session RSA public key is used to encrypt the AES key, which is stored in the header of the encrypted file together with a “WANACRY!” marker string. Figure 4 shows the overall process.
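Because the per-file AES key is wrapped with the session RSA key and the session private key is in turn wrapped with the root key, the only part of this scheme a defender can read directly is the file header. The following added example (not code from the paper or from any WannaCry sample) is a triage parser for that header. The text above names only the “WANACRY!” string and the RSA-wrapped AES key; the exact field order after the marker (4-byte key length, 256-byte wrapped key, 4-byte type, 8-byte original size, then ciphertext) follows published analyses of .WNCRY files and should be treated as an assumption here. The sample file is constructed.

```python
"""Triage parser for the header at the start of a WannaCry-encrypted (.WNCRY) file.

Added example. The sample bytes are constructed; no real ciphertext or key is used.
"""
import struct
from pathlib import Path
from typing import Dict, List, Optional

MAGIC = b"WANACRY!"
RSA2048_BLOCK = 256   # length of one RSA-2048 ciphertext: the wrapped AES file key
HEADER_LEN = 8 + 4 + RSA2048_BLOCK + 4 + 8   # assumed layout, 280 bytes in total


def parse_wncry_header(data: bytes) -> Optional[Dict[str, object]]:
    """Return header fields if `data` starts like a WannaCry-encrypted file, else None.

    Assumed layout (from public sample analyses, not from the case study text):
      magic(8) | key_len(4, LE) | wrapped_aes_key(key_len) | type(4, LE) | orig_size(8, LE) | ciphertext
    """
    if len(data) < 12 or data[:8] != MAGIC:
        return None
    (key_len,) = struct.unpack_from("<I", data, 8)
    if key_len != RSA2048_BLOCK:          # only the RSA-2048 layout is recognised
        return None
    if len(data) < HEADER_LEN:
        return None
    wrapped_key = data[12:12 + key_len]
    file_type, original_size = struct.unpack_from("<IQ", data, 12 + key_len)
    return {
        "wrapped_aes_key": wrapped_key,    # opaque without the session RSA private key
        "file_type": file_type,
        "original_size": original_size,
        "ciphertext_len": len(data) - HEADER_LEN,
    }


def scan_directory(root: str) -> List[str]:
    """List files under `root` whose first bytes parse as a WannaCry header."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            with p.open("rb") as fh:
                if parse_wncry_header(fh.read(HEADER_LEN)) is not None:
                    hits.append(str(p))
    return hits


def build_sample(original_size: int, ciphertext: bytes) -> bytes:
    """Constructed sample in the assumed layout; the key field is a counting pattern,
    not a real RSA ciphertext, and the type value 4 is likewise constructed."""
    fake_wrapped_key = bytes(range(256))
    return (MAGIC + struct.pack("<I", RSA2048_BLOCK) + fake_wrapped_key
            + struct.pack("<IQ", 4, original_size) + ciphertext)


# A 1000-byte plaintext padded to a whole number of 16-byte AES blocks is 1008 bytes.
SAMPLE = build_sample(1000, b"\x00" * 1008)
PLAIN_PDF = b"%PDF-1.7\n% not encrypted"

if __name__ == "__main__":
    print(parse_wncry_header(SAMPLE))
    print(parse_wncry_header(PLAIN_PDF))
```

The parser deliberately recovers nothing more than metadata: `original_size` tells an incident responder how much data a given file represents, and the marker check lets `scan_directory` enumerate the blast radius on a restored disk image without touching any key material.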
Combining RSA and AES in this way makes it virtually impossible to recover the keys by brute force. After encryption, WannaCry offers free decryption of up to 10 files as proof that full recovery is possible once the ransom is paid. It also performs the following operations to prevent data recovery (Akbanov, V. G. Vassilakis, et al. 8):
- Remove all shadow volumes that contain backup data, without notifying the user.
- Delete any copies associated with shadow volumes.
- Modify the boot policy so that the machine boots even if errors occur.
- Disable the Windows recovery functionality so that users cannot revert the system to an earlier state.
- Finally, delete any backup files created by Windows Server.
4. Replicating the Exploitation of MS17-010
During this project, I also found that I could replicate the attack behavior of EternalBlue from a Kali Linux machine. Here is the procedure of my experiment:
Attacker: Kali (192.168.65.128)
Target: Win 7 (192.168.65.128)
- After disabling the firewall and checking connectivity with the “ping” command, use the Nmap scanning tool to scan the target network segment for active hosts and check whether port 445 on the target machine is open (see Figures 5 and 6).
- Start the PostgreSQL service and initialize Metasploit.
- Start the MSF console and run the commands shown in Figures 7 and 8.
The target is reported as likely vulnerable to MS17-010 (see Figure 9).
Use EternalBlue module:
This module only works against 64-bit machines. Unfortunately, my target virtual machine is 32-bit, but the process should be correct for a 64-bit target. In theory, Metasploit would return a Meterpreter session as a way to remotely control the target machine.
5. Project Reflection and Future Direction
WannaCry was the first major cybersecurity incident I experienced, and when I was younger it left a mysterious and profound impression of how a computer works at a low level. This project gave me a taste of static and dynamic analysis of malware. It also led me to discover some ideas and concepts from compilers and reverse engineering. The findings of this project have satisfied my long-standing curiosity about WannaCry, particularly its propagation and encryption mechanisms. One of my primary future objectives is to delve deeper into the role of DoublePulsar. I did not cover it in this case study because of its complexity (shellcode and DLLs), but understanding its functionality and exploit is crucial for comprehending the full scope of WannaCry’s mechanism, and I aim to build the knowledge and skills to tackle this advanced topic. A second gap is that I did not analyze WannaCry’s payment mechanism. Its use of a Tor client and Bitcoin for payment makes it harder to trace and capture the author of WannaCry. This part involves C&C (remote command and control) servers that are used to track infections and manage payments.
Still, WannaCry is a well-designed piece of ransomware that has caused significant damage to the digital world. Its success is largely due to the combination of weaknesses in the SMB server’s security design and a general lack of public awareness of the importance of security updates. Currently, only some older computers have not applied the MS17-010 patch, and versions of Windows 7 and above are mostly free from this vulnerability. Despite this, the vulnerability remains a classic example, offering significant value for studying its principles and researching defense strategies. It highlights the importance of network security and reminds us that it is an urgent and ongoing priority.
Works Cited
Akbanov, Maxat, Vassilios Vassilakis, et al. Static and Dynamic Analysis of WannaCry Ransomware. 2018.
Akbanov, Maxat, Vassilios G. Vassilakis, et al. “WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms.” Journal of Telecommunications and Information Technology, no. 1, Mar. 2019, pp. 113–24. https://doi.org/10.26636/jtit.2019.130218.
BetaFred. Microsoft Security Bulletin MS17-010 – Critical. 1 Mar. 2023, https://learn.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010.
Chen, Qian, and Robert A. Bridges. “Automated Behavioral Analysis of Malware: A Case Study of WannaCry Ransomware.” 2017 16th IEEE International Conference on Machine Learning and Applications (ICMLA), 2017, pp. 454–60. https://doi.org/10.1109/ICMLA.2017.0-119.
Constantin, Lucian. “APT Groups Use Ransomware TTPs as Cover for Intelligence Gathering and Sabotage.” CSO Online, https://www.csoonline.com/article/574455/apt-groups-use-ransomware-ttps-as-cover-for-intelligence-gathering-and-sabotage.html. Accessed 11 May 2024.
Hill, Michael. “Ransomware Victim Numbers Surge as Attackers Target Zero-Day Vulnerabilities.” CSO Online, https://www.csoonline.com/article/648572/ransomware-victim-numbers-surge-as-attackers-target-zero-day-vulnerabilities.html. Accessed 11 May 2024.
Kao, Da-Yu, et al. “Analyzing WannaCry Ransomware Considering the Weapons and Exploits.” 2019 21st International Conference on Advanced Communication Technology (ICACT), IEEE, 2019, pp. 1098–107. https://doi.org/10.23919/ICACT.2019.8702049.
McAfee Labs. “Further Analysis of WannaCry Ransomware.” McAfee Blog, 14 May 2017, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analysis-wannacry-ransomware/.