The Initial Attack
At approximately 3:00pm (UTC) 12/05/17 it was reported that several Spanish based organisations, were the victim of a ransomware attack. Among the organisations that fell victim to such an attack were high profiles businesses such as Telefonica, Iberdrola, and Gas Natural.
It is uncertain at this time whether the Spanish based organisations were specifically picked to be the first victims of the ransomware attack during the adversaries reconnaissance phase (where the selection of targets takes place), or whether the ransomware was simply released and organisations like Telefonica was the first victim the ransomware package found. It is assumed, however, that multiple organisations were targeted on a global scale and the ransomwares ability to exploit SMB protocols in order to propagate led to its swift escalation.
It is conjecture at this point in regard to the delivery system used for the ransomware, however, the most common methods would be files such as ZIP, PDF, or word documents sent to the victims email addresses, to then execute once opened and replicate through the victims network.
This attack spread quickly through their systems, infecting networked systems resulting in a ransomware note being displayed upon each compromised system. The demand for the decryption key of each system was $300 in bitcoin to be sent to one of three possible bitcoin wallets in use.
Upon further analysis it was discovered that the Ransomware was able to spread so quickly due to the use of exploits found within the recently leaked NSA cyber weapon cache. The tools that were specifically used as a part of the Wcry attack campaign were ETERNALBLUE, which exploits SMB protocol to a drastic extent in order to propagate further. DOUBLEPULSAR, which establishes a Command and Control (CnC) channel to facilitate the use of further exploits/hacking tools, was also used.
The attack stage of Wcry ransomware.
The Wcry ransomware was launched as part of an initial attack on 12/05/17 upon European based systems, which was successful in its attack by progressing through the in the following stages:
- The file “Dropper EXE” is housed upon the victim system and checks if the kill switch domain is present, if this domain was to be registered and active then the attack would have been stopped at this stage. The registering of this domain was how the initial attack was halted on 16/05/17, thanks to the efforts of Malware Tech (www.malwaretech.com).
- The Dropper EXE file then proceeds to create a new service titled “tasksche.exe” in order to further the phase of the attack from delivery and exploitation to installation.
- Finally, the Dropper EXE file then checks for a SMB vulnerability is possible using the ETERNALBLUE exploit. The file also checks if the installation of a CnC channel is possible using DOUBLEPULSAR exploit. If one or either of these vulnerabilities are found then the relevant payload is executed.
- Now that the “tasksche.exe” is installed then the file executes several processes, which are as follows:
- Creation of a configuration file in order to prepare the tor information used and load the bitcoin wallets that a ransom payment would be submitted to.
- Creates a folder titled “attrib +h /icacls ./grant Everyone:F /T /C /Q” which is a command in regard to the systems Access Control List and grants all users full access.
- An AES (which is encrypted) file, accompanied with a DDL (also encrypted), are housed within a file called t.wnry.
- Lastly the “tasksche.exe” runs an export task titled “TaskStart” which decrypts the DLL and AES key and prepares the public key for use.
- Now the encrypted DLL is active, a number of processes are then undertaken in order to achieve installation of the Wcry ransomware, which are:
- The preparation of an encryption key in file “%08x.oky”.
- The creation a Mutex file in the Global Directory (in order for multiple files to share the DLL’s resources) and titles it “Global\\MsWinZonesCacheCounterMutexW”.
- The process of encrypting the victim’s systems files then begins, each encrypted file is then appended with the suffix “.WNCRYT” extension.
- Finally a file titled “taskdl.exe” is executed.
- The ransomware now begins to establish persistence within the victims system by checking token membership and then running and command in order to add a registry entry, with the id “taskse.exe” to the windows registry program.
- An executable file titled “@WanaDecryptor@.exe” runs a set of commands in order to create a Wscript shell file and shortcut for the @WanaDecryptor@.exe file. This stage fulfils the installation stage of the attack as persistence has been established.
- A readme file is created with instructions on what has taken place along with how the ransom can be paid.
- The following processes are then killed:
- @WanaDecryptor@.exe then writes the date/time to the ransomwares .res (which houses resources) file.
- The attack finally ends with the deletion of the Windows shadow copy volumes and disables the service. At this point the accomplishment of the Command and Control phase of the attack, with the probable installation of a CnC channel, has been successful. Action on Objectives phase of the attack has been accomplished. Ending with the Action on Objectives phase also being successfully completed.
These processes culminated in the Wcry ransomware spreading through Windows systems that had not yet installed Microsoft’s May security patch (MS17-010) or are using Windows XP operating system and are using the SMBv1 (Server Message Block) protocol with internet connectivity . This is due to such systems being vulnerable to the ETERNALBLUE and DOUBLEPULSAR exploits, making the WannaCry attack a success.
Expansion of the Wcry Ransomware to the United Kingdom’s National Health Service.
From Wcry’s initial debut within Spain’s Infrastructure they quickly jumped to multiple countries within Europe, and later on a global scale to countries such as Russia, USA and China.
One of the most severely effected organisations was the United Kingdom’s NHS (National Health Service), with news of the attack breaking at around 3:20pm 12/05/17. Hospitals and services located in East and North Hertfordshire were among the first to be infected from the initial infection. This was then shortly followed by hospitals and services within Nottingham, Cumbria, London, Blackburn and Cumbria amongst many others.
At 4:24pm 12/05/17 it was discovered that the ransomware infection had spread to the NHS’s N3 backbone network, which connects all NHS locations and employees together. Such an infection meant that any unpatched or out of support systems within the NHS’s entire IT network infrastructure were at risk. As a result of such an infiltration all NHS employees were directed to disconnect from the N3 network immediately along with all hospitals and services.
Whilst out of support, operating systems are under no obligation to be issued security patches by Microsoft. However, as a gesture of good will and due to the severity and scale of the attack, they have issued a security patch for its out of support operating systems, from Windows XP onwards. They have also encouraged the installation of its May security patch as soon as users are able to.
Approximately 25 NHS organisations and 99 countries were compromised as of 5:30pm 12/05/17, such the attack was initially halted, however, with the discovery and registration of a domain address hidden within the ransomware package. Once the ransomware was halted the attack was believed to have been stopped. However this was short-lived, as of 15/05/17 the ransomware package was re-launched without the inclusion of the kill switch, making the ransomwares resilience and impact upon susceptible systems extremely high.
At this point the identity of the creators of the ransomware being used to carry out this attack have not been revealed, however with approximately 56,000 (a number still increasing) computer systems being adversely affected (system such as those within the Russian Interior Ministry) it is assumed that this would not be the case indefinitely.
In regard to the ransomware penetrating NHS infrastructure it is shown that the ease in which the ransomware spread through the NHS’s systems can primarily be attributed several NHS trusts reliance on Windows XP Operating Systems, which is out of support and therefore not would not be receiving Microsoft security patches, along with existing in support systems not being updated with the MS17-010 fix when it was released. This could potentially be attributed to the NHS’s IT department being underfunded and therefore having neither the man power nor monetary expenditure to carry out the necessary updates.
Finally such possibly underfunded departments however are of particular concern as the General Data Protection Regulation (GDPR) is expected to be applied for by 25th May 2018. Under such a regulation the NHS could face millions of pounds in fines. At this point the NHS are unable to guarantee that patient data was secure during the attack and that along with the fact that some of GDPR’s accountability principles centre around ensuring that technical and organisational measures are in place to project sensitive data, means that the NHS could face heavy consequences should such as attack happen again with GDPR in effect.
If you are concerned that you may potentially be at risk of the Wcry ransomware or other cyber threats currently in circulation then please do not hesitate to contact us at: firstname.lastname@example.org.