Have you heard about ransomware in the past few weeks? If not, I would not want to be your boss!
Improving cybersecurity knowledge about ransomware attacks and cyber security best practices is, more than ever, a must for every kind of organization!
If you have been connected to the Internet in the last few months, you must have heard about Locky, Wannacry and Petya, ransomware families that infected hundreds of thousands of computers around the world.
Let's answer a simple question: what is Wannacry?
Basically, Wannacry targeted all Windows releases, even though Windows 10 was quickly patched. It encrypts the files stored on your computer and demands a ransom of $300 in exchange for the decryption key.
Wannacry is a powerful ransomware that emerged on May 12th, 2017. Transmitted by a pdf file sent in a phishing mail, it has infected more than 200,000 computers in nearly 100 countries around the world.
It is a malware composed of two separate modules. The first one exploits a vulnerability in Microsoft's SMB (Server Message Block) protocol with the EternalBlue exploit, taken from the NSA leaks, which allows it to spread to every reachable machine on the local network. A second module then encrypts all the files it finds on the computer, renames them with a .WNCRY extension and displays a lock screen with the ransom note, as you can see below.
What are the differences between Wannacryptor and Petya?
With Petya, a single infected system on the network that holds administrative credentials can spread the infection to all the other computers through WMI or PsExec. The malware waits 10 to 60 minutes after infection before rebooting the system. The reboot is scheduled with the system's own tools: "at" or "schtasks" together with "shutdown.exe". The unfortunate victims then discovered the following screen:
Wannacry: a kill switch found in the worm
It turns out that, before trying to spread through the local network, Wannacry first tries to reach an initially unregistered domain name, www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, and spreads only if that domain is unreachable. Once this was discovered, the domain was registered, which temporarily prevented the worm from propagating over the network, but did not stop it from encrypting the files on the machine it had initially infected. Several hypotheses exist as to why Wannacry's creators built this kill switch into their malware. One of them is that they did it deliberately, to be able to stop their own "monster" in case of trouble.
Although this kill switch helped slow the spread of the worm, we must remain careful: a new version of the malware, Wannacry 2.0, was quickly released without this domain-name check.
Does a Wannakey exist? And the answer is... yes!
If your computer runs Windows XP, 7, 2003, Vista or Windows Server 2008 and you see the lock screen above, you should look at this link. Developed by the French researcher Adrien Guinet, Wannakey is a tool that retrieves the private key by looking for wcry.exe on your computer.
In fact, Wannacry uses the RSA (Rivest, Shamir and Adleman) encryption algorithm, whose security rests on the mathematical difficulty of factoring the product of two large prime numbers. To do so, it uses the Windows Crypto API, and it turns out that CryptDestroyKey and CryptReleaseContext do not erase the two prime numbers used to generate the encryption/decryption key pair before freeing the memory.
So, provided you have not restarted your computer yet, Wannakey may be able to find those prime numbers in the memory of the wcry.exe process and decrypt your files.
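To show why two primes left behind in memory are enough to recover everything, here is an added example (not code from the HTTPCS post or from Wannakey itself) that rebuilds an RSA private exponent from the public key plus the recovered primes and checks that it decrypts a sample value. The primes, exponent and payload are constructed toy values; real ransomware keys are far larger.

```python
# Added illustration: recovering an RSA private key from its two primes.
# P and Q are small, well-known Mersenne primes chosen so the demo is
# self-contained (constructed values, not WannaCry's real keys).
P = 2**61 - 1          # prime
Q = 2**31 - 1          # prime
E = 65537              # common RSA public exponent


def modinv(a, m):
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no modular inverse: gcd(a, m) != 1")
    return old_s % m


def public_key(p=P, q=Q, e=E):
    """(n, e): the only key material a victim normally holds."""
    return p * q, e


def rebuild_private_key(n, e, p, q):
    """Given the public key and the two primes found in memory, derive d.
    This is the step a Wannakey-style tool performs once p and q are found:
    with phi(n) = (p-1)(q-1), the private exponent is d = e^-1 mod phi(n)."""
    if p * q != n:
        raise ValueError("recovered primes do not match the public modulus")
    phi = (p - 1) * (q - 1)
    return modinv(e, phi)


def encrypt(m, n, e):
    return pow(m, e, n)


def decrypt(c, n, d):
    return pow(c, d, n)


def demo():
    """Encrypt a sample value with the public key, then recover it using
    only the public key and the two leaked primes. Returns True on success."""
    n, e = public_key()
    secret = int.from_bytes(b"file-key", "big")   # constructed 64-bit payload, < n
    c = encrypt(secret, n, e)
    d = rebuild_private_key(n, e, P, Q)           # what the "memory leak" gives away
    return decrypt(c, n, d) == secret


if __name__ == "__main__":
    print("recovered plaintext matches:", demo())
```

The same reconstruction works for any RSA modulus once both primes are known, which is why securely wiping p and q after key generation matters as much as protecting the private key file itself.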
Many thanks to our expert Samuel Campos for his feedback.
More info on www.HTTPCS.com
Currently a victim? Our response team is available at any time: +33185 091 509 / incident@httpcs.com
Do not hesitate to contact us for any information related to HTTPCS CONSULTING, ZIWIT ACADEMY or HTTPCS TECHNOLOGIES. Our experts will be happy to support your proactive cybersecurity policy and to train your team in best practices!