Individuals, institutions, corporations and hospitals in more than 99 countries have been affected by a recent ransomware attack known as WNCry, WCry, WanaCrypt0r or Wana Decrypt0r (widely reported as WannaCry).
Sample (SHA-256): 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
Upon execution of the sample, the following behaviour was observed:
Encrypted files are given the extension “.WNCRY”. The files dropped on the Desktop are as follows:
- Ransom Notification in Image format
- Filename: @WanaDecryptor@
- File Size: 1.37 MB
Figure: Ransomware Notification
- Ransom Note in Text format
The ReadMe file states the instructions the victim is expected to follow:
- The ransomware application window contains a countdown timer, the ransom note, payment instructions, a payment verification option and a decryption option, as shown in the image below:
Here, Check Payment verifies whether the payment has been made. If there is no internet connection, the screen shows the following error message:
There is also a “Contact Us” button for contacting the malware developers, which opens the following window:
- The ransomware also executes a command through the command prompt; this command deletes the Volume Shadow Copies.
Image: Command prompt executing the shadow copy deletion command.
Volume Shadow Copy is an important Windows feature that lets a user recover files from backup copies Windows creates automatically (provided the feature was enabled before infection). It has been used in the past to recover files affected by ransomware.
Once these copies are deleted, Windows cannot retrieve older versions of the files, so they become unrecoverable unless an external backup exists.
- The ransomware also drops another application file, which is in fact the decryptor. It verifies the payment and decrypts the files once verification is complete.
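The shadow copy deletion described above is a behaviour worth hunting for on other hosts, because the same commands are used by many ransomware families. The following PowerShell is an added example written for this page, not code from the original analysis or from the sample. It assumes either Sysmon with process-creation logging (Event ID 1) or Security log 4688 events with command-line auditing enabled; the command-line patterns are the generic ways of destroying recovery data, not a claim about the exact string in the image above.

```powershell
# Added example (hunt logic written for this page, not part of the original analysis).
# Assumptions: Sysmon process-creation logging (Event ID 1) is installed, or the Security
# log has "Include command line in process creation events" enabled so 4688 carries it.

function Get-ShadowCopyDeletionEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    # Command lines that destroy or disable recovery data. A single
    # "cmd.exe /c a & b & c" chain matches once on the cmd.exe event and again on
    # each child process, so expect several hits per execution.
    $patterns = @(
        'vssadmin(\.exe)?\s+delete\s+shadows',
        'wmic(\.exe)?\s+shadowcopy\s+delete',
        'bcdedit(\.exe)?\s.*recoveryenabled\s+no',
        'bcdedit(\.exe)?\s.*bootstatuspolicy\s+ignoreallfailures',
        'wbadmin(\.exe)?\s+delete\s+catalog'
    )
    $regex = [regex]::new(($patterns -join '|'),
        [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)

    $events = @()
    foreach ($src in @(
            @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 },
            @{ LogName = 'Security'; Id = 4688 })) {
        try {
            $filter = $src.Clone(); $filter['StartTime'] = $Since
            $events += Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Log not present, or no events in the window: move on to the next source.
        }
    }

    foreach ($e in $events) {
        # Both event types expose the command line as a named EventData field
        # (Sysmon always; 4688 only when command-line auditing is on).
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        $cmd = $data['CommandLine']
        if (-not $cmd -or -not $regex.IsMatch($cmd)) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Source      = "$($e.LogName) / $($e.Id)"
            User        = if ($data['User']) { $data['User'] } else { $data['SubjectUserName'] }
            Parent      = if ($data['ParentImage']) { $data['ParentImage'] } else { $data['ParentProcessName'] }
            CommandLine = $cmd
        }
    }
}

function Get-ShadowCopyCount {
    # Number of shadow copies still present on this host. Zero after an infection is
    # consistent with the deletion above and means local file recovery is not an option.
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

Get-ShadowCopyDeletionEvents | Format-Table -AutoSize
"Shadow copies present: $(Get-ShadowCopyCount)"
```

Run it elevated: the Security log and Win32_ShadowCopy both need administrative rights. A match on the cmd.exe parent with no corresponding child events usually means the chain was blocked or the host is logging only one of the two sources.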
The sample sends requests to the Tor Project site so that Tor can be installed on the victim's machine.
The connections over SMB can be seen in the following images:
The file extensions that the ransomware encrypts are as follows:
.der .pfx .key .crt .csr .pem .odt .ott .sxw .stw .uot .max .ods .ots .sxc .stc .dif .slk .odp .otp .sxd .std .uop .odg .otg .sxm .mml .lay .lay6 .asc .sqlite3 .sqlitedb .sql .accdb .mdb .dbf .odb .frm .myd .myi .ibd .mdf .ldf .sln .suo .cpp .pas .asm .cmd .bat .vbs .dip .dch .sch .brd .jsp .php .asp .java .jar .class .wav .swf .fla .wmv .mpg .vob .mpeg .asf .avi .mov .mkv .flv .wma .mid .djvu .svg .psd .nef .tiff .tif .cgm .raw .gif .png .bmp .jpg .jpeg .vcd .iso .backup .zip .rar .tgz .tar .bak .tbk .PAQ .ARC .aes .gpg .vmx .vmdk .vdi .sldm .sldx .sti .sxi .hwp .snt .onetoc2 .dwg .pdf .wks .rtf .csv .txt .vsdx .vsd .edb .eml .msg .ost .pst .potm .potx .ppam .ppsx .ppsm .pps .pot .pptm .pptx .ppt .xltm .xltx .xlc .xlm .xlt .xlw .xlsb .xlsm .xlsx .xls .dotx .dotm .dot .docm .docb .docx .doc
An interesting observation was made during the analysis: although .bmp is on the list of extensions to be encrypted, this only holds true for particular paths.
The .bmp files found elsewhere should, by the list alone, have been encrypted, yet they were left untouched. This leads to the conclusion that the ransomware only searches particular paths for files to encrypt.
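The path observation above can be verified on an infected host by comparing, per folder, how many files were renamed to .WNCRY against how many files with a targeted extension are still in plaintext; folders with many targeted files and no encrypted ones are the ones the ransomware skipped. The following PowerShell is an added example written for this page, not code from the original analysis. It embeds the page's extension list, and it assumes (as a labelled assumption) that an encrypted file keeps its original name with .WNCRY appended.

```powershell
# Added example, not part of the original analysis. Per-folder impact count for a WNCRY
# infection: files already renamed .WNCRY versus files on the target list still in plaintext.
# Assumption: the encrypted copy keeps the original name with ".WNCRY" appended
# (e.g. report.docx.WNCRY). Extensions are matched case-insensitively.

# The extension list as published on this page.
$TargetExtensions = @'
.der .pfx .key .crt .csr .pem .odt .ott .sxw .stw .uot .max .ods .ots .sxc .stc
.dif .slk .odp .otp .sxd .std .uop .odg .otg .sxm .mml .lay .lay6 .asc .sqlite3 .sqlitedb
.sql .accdb .mdb .dbf .odb .frm .myd .myi .ibd .mdf .ldf .sln .suo .cpp .pas .asm
.cmd .bat .vbs .dip .dch .sch .brd .jsp .php .asp .java .jar .class .wav .swf .fla
.wmv .mpg .vob .mpeg .asf .avi .mov .mkv .flv .wma .mid .djvu .svg .psd .nef .tiff
.tif .cgm .raw .gif .png .bmp .jpg .jpeg .vcd .iso .backup .zip .rar .tgz .tar .bak
.tbk .PAQ .ARC .aes .gpg .vmx .vmdk .vdi .sldm .sldx .sti .sxi .hwp .snt .onetoc2 .dwg
.pdf .wks .rtf .csv .txt .vsdx .vsd .edb .eml .msg .ost .pst .potm .potx .ppam .ppsx
.ppsm .pps .pot .pptm .pptx .ppt .xltm .xltx .xlc .xlm .xlt .xlw .xlsb .xlsm .xlsx .xls
.dotx .dotm .dot .docm .docb .docx .doc
'@ -split '\s+' | Where-Object { $_ }

function Get-WncryImpact {
    param([Parameter(Mandatory)][string]$Root)

    # Case-insensitive set so ".PAQ" and ".paq" are treated alike.
    $targets = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$TargetExtensions, [System.StringComparer]::OrdinalIgnoreCase)

    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Group-Object DirectoryName |
        ForEach-Object {
            $encrypted = 0; $plain = 0
            foreach ($f in $_.Group) {
                if ($f.Extension -eq '.WNCRY') { $encrypted++ }          # already hit
                elseif ($targets.Contains($f.Extension)) { $plain++ }    # targeted, untouched
            }
            if ($encrypted -or $plain) {
                [pscustomobject]@{
                    Path              = $_.Name
                    Encrypted         = $encrypted
                    TargetedPlaintext = $plain
                    # Plaintext targets with nothing encrypted alongside them: a skipped path.
                    LikelySkipped     = ($encrypted -eq 0 -and $plain -gt 0)
                }
            }
        }
}

Get-WncryImpact -Root 'C:\' | Sort-Object TargetedPlaintext -Descending | Format-Table -AutoSize
```

Run this from a clean analysis VM against a mounted image of the victim disk rather than on the live infected host, so that the enumeration itself does not race the encryption loop. Folders that show LikelySkipped with a large TargetedPlaintext count are the paths the sample excluded.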
The bitcoin address shown for payment is 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn.
However, the malware contains another bitcoin address. It is possible that multiple wallets are in use by the program and that the ransom is being split between them from the outset.
The other bitcoin address observed is 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.
Both addresses were active at the time of writing.
We advise our readers to take the following steps:
1. A specific advisory from Microsoft is available from
2. Security patches related to this vulnerability can be found at Microsoft KB4012598
3. Apply the MS17-010 patch from https://technet.microsoft.com/en-us/library/security/ms17-010.aspx .
Apply this patch across all Windows machines, and actively look for machines that have not been updated.
4. If required, disable SMBv1. Refer to https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
5. Update antivirus signatures and detections. Look for systems on which antivirus has been disabled.
6. Incident response, firewall and IDS monitoring teams should look for suspicious activity on TCP ports 139 and 445.
7. Make sure backups are in place and that important files are copied to backup systems that the infected host cannot reach; as noted above, local shadow copies are deleted by the ransomware and cannot be relied on.
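Steps 2 to 6 above can be audited per host in one pass: is an MS17-010 KB installed, is the SMBv1 server still enabled, and is the machine listening on the ports the monitoring teams are told to watch. The following PowerShell is an added example written for this page, not code from Microsoft or from the original advisory. It defaults to the KB number the page names (KB4012598); the KB that delivers MS17-010 differs by Windows version, so take the right numbers for your estate from the MS17-010 bulletin and pass them with -KnownKB. The registry fallback for older Windows follows the KB2696547 article linked in step 4.

```powershell
# Added example, not part of the original advisory. Audits a host for the remediation
# steps above: MS17-010 patch presence, SMBv1 server state, SMB listeners.
# Assumptions: run elevated; -KnownKB holds the MS17-010 KB numbers for this OS
# (default is the page's KB4012598; the bulletin is authoritative per Windows version).

function Get-Ms17010Posture {
    param([string[]]$KnownKB = @('KB4012598'))

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # 1. Patch check. Get-HotFix does not list a fix that a later cumulative update
    #    superseded, so "NOT FOUND" is a prompt to verify, not proof of exposure.
    $installed = Get-HotFix -Id $KnownKB -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID

    # 2. SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
    #    and later; older systems use the LanmanServer\Parameters\SMB1 value from
    #    KB2696547 (value absent means SMBv1 is enabled).
    try {
        $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        $reg  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        $smb1 = -not ($reg.PSObject.Properties.Name -contains 'SMB1' -and $reg.SMB1 -eq 0)
    }

    # 3. Listeners on the ports the page tells monitoring teams to watch.
    try {
        $ports = Get-NetTCPConnection -State Listen -ErrorAction Stop |
            Where-Object { $_.LocalPort -in (139, 445) } |
            Select-Object -ExpandProperty LocalPort -Unique
        $listen = ($ports | Sort-Object) -join ','
    } catch {
        $listen = 'unknown (Get-NetTCPConnection unavailable)'
    }

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        OS             = "$($os.Caption) $($os.Version)"
        Ms17010KB      = if ($installed) { $installed -join ',' } else { 'NOT FOUND' }
        Smb1Enabled    = [bool]$smb1
        SmbListenPorts = $listen
        # Unpatched with SMBv1 still on is the combination the worm needs.
        Exposed        = ([bool]$smb1 -and -not $installed)
    }
}

function Disable-SmbV1Server {
    # Step 4: disable the SMBv1 server. Supports -WhatIf so it can be dry-run first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) {
        try {
            # Windows 8 / Server 2012 and later.
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -ErrorAction Stop
        } catch {
            # Windows 7 / Server 2008 R2 path from KB2696547; takes effect after a reboot.
            Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -Type DWord -Value 0 -Force
        }
    }
}

Get-Ms17010Posture | Format-List
# Disable-SmbV1Server -WhatIf
```

Run Get-Ms17010Posture across the estate (for example through Invoke-Command) and treat every host with Exposed = True as a priority for step 3; Disable-SmbV1Server is the fallback for hosts that cannot be patched immediately, with the caveat that legacy clients and printers that only speak SMBv1 will lose access to shares on that host.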