Quick overview of the WannaCry ransomware

Olivier Chatail Etude - Recherche, Forensics


A massive ransomware infection has recently been reported in the news : WannaCry has contaminated more than 230 000 hosts in close to 150 countries, with a larger focus on Europe.

The malware has spread via several vectors : from mails to the exploitation of a relatively new vulnerability in SMBv1.

Devoteam’s CERT recommends upgrading supported Microsoft Windows’ operating systems with the MS17-010 patches, published on the 14th of March 2017.

It also recommended to apply the KB4012598, exceptionally published by Microsoft for obsolete systems (Windows XP, Windows Server 2003, Windows 8, Windows Vista, Windows Server 2008, WES09 et POSReady 2009).

On top of these patches, it is advised to deactivate SMBv1 and filter SMB ports (TCP 139, 445 and UDP 137, 138) on servers directly connected to the outside.

WannaCry infection map © MalwareTech


WannaCry particularity

Along with the number of compromised hosts, WannaCry differs from common ransomwares because it uses an aggressive replication technique.

On the 14th of April, 2017 the ShadowBrokers group published offensive tools used by the NSA’s security team. This leak disclosed publicly unknown vulnerabilities and their associated exploits :

The corresponding patches (MS17-010) have been published a month before this disclosure.

The WannaCry ransomware uses an exploit published in this leak to spread itself automatically (worm behavior), the current version cannot duplicate in this way on patched hosts.

Once a host is compromised by the malware, it scans IP addresses from its local network then addresses on the Internet in order to find other vulnerable targets and increase the spread.

There is a Metasploit module to detect hosts without MS17-010 patches within a subnet. It is useful for a quick check without access to the operating systems’ patch-level.

Using traditional spreading vectors and vulnerability exploitation gives WannaCry a strong cover of the enterprise perimeter, well known for its delayed operating systems’ upgrades.


One must remember

On the 12th of May, 2017 a MalwareTech researcher discovered a behavior that might help in containing WannaCry propagation.

While reversing the malware, he found that the executable had a “stop” function, checking the existence of a static domain via DNS request.

If the domain exists, the malware does not activate its main components.

This functionality, probably implemented to check for sandboxes (which answers all DNS requests) and emergency stop, suffers from a little mistake… The domain has not been reserved before spreading the malware. MalwareTech researcher has then been able to shut down a part of the WannaCry samples just buying and activating this domain.


The WannaCry sinkhole illustrated


This version of WannaCry has then been partly stopped (because it only concerns hosts with direct access to the net) by this simple operation.

A future article will explore the ransomware’s internals, result of forensics work from Devoteam CERT.

Recent reports have stated a “patched” version of WannaCry, without this killswitch, is spreading but such a news has not been confirmed yet, samples are missing.