    WannaCry Ransomware: A Detailed Analysis of the Attack

    By Rohit Langde on September 26, 2017 APT (Advanced Persistent Threats), Data Protection, Encryption, Patches & Updates, Ransomware, Remote Access Trojan

    Unless you’re living under a rock, you must be familiar with the massive ransomware attack called WannaCry, which targeted more than 200,000 systems on its first day and spread worldwide very rapidly. In this article, I’ll share an in-depth analysis of this worldwide attack, covering all of its aspects.

    What is WannaCry Ransomware?

    WannaCry Ransomware was a cyber attack outbreak that started on May 12 targeting machines running the Microsoft Windows operating systems. It affected companies and individuals in more than 150 countries, including government agencies and multiple large organizations globally. Organizations affected included the National Health Service (NHS) in England and Renault-Nissan, which halted production in some areas as a result. On affected systems all data was encrypted, and a message from the attacker demanded payment of a ransom in bitcoin within 3 days, after which the cost would increase. Anyone who refused to pay would eventually lose access to the files and information stored on those systems.

    How WannaCry Ransomware Spread and Infected the Windows OS

    While experts initially thought the sudden spread came from a mass email spam campaign, the reality was quite different. The Malwarebytes Threat Intelligence Team discovered how it actually spread and wrote a detailed piece on the malware explaining how the WannaCry ransomware propagated.

    The NSA had discovered the vulnerability in Windows systems that EternalBlue exploits but didn’t disclose it, and after the massive attack it was heavily condemned for this. Microsoft, however, had discovered the vulnerability in March and promptly issued a patch to fix it.

    Most Windows users either didn’t take the update seriously or never got around to installing the necessary patch. As a result, the WannaCry ransomware attack was able to exploit the SMB (Server Message Block) protocol on Windows machines that remained unpatched.

    What is EternalBlue?

    EternalBlue is a leaked NSA exploit of the SMB protocol in Microsoft Windows that is used to propagate the malware to affected systems. EternalBlue leverages a technique called pool grooming, a type of heap spray attack on kernel memory structures. On a vulnerable Windows system it injects shellcode that lets the attacker talk directly to the SMB service over the machine’s IP address.

    Further, without any user interaction, it runs a script to check whether a tool called DoublePulsar is already installed and running on the system. DoublePulsar is a backdoor implant that was also developed by the NSA.

    According to Malwarebytes Labs:

    “The ability of this code to beacon out to other potential SMB targets allows for propagation of the malicious code to other vulnerable machines on connected networks. This is what made the WannaCry ransomware so dangerous. The ability to spread and self-propagate causes widespread infection without any user interaction.”

    The DoublePulsar malware infiltrated the vulnerable systems, enabling remote access and leaving control of the systems in the hands of the attacker, who could then easily install any virus or malware, such as the WannaCry ransomware, on them.

    Technical Analysis of WannaCry Ransomware and the Payload

    As noted above, the creator of the WannaCry ransomware targeted vulnerable Windows PCs around the globe using the EternalBlue SMB exploit and the DoublePulsar backdoor, both developed by the NSA, to install WannaCry on those systems.

    Eternal Blue – Piggybacking System

    As mentioned above, EternalBlue is a piggybacking system and an SMB protocol exploit for Windows systems. This is how it all starts with the EternalBlue exploit.

    EternalBlue.exe runs a script on the target Windows computer that performs the following steps:

    • Send an SMB echo request to the target machine
    • Setup the environment to exploit the vulnerable system
    • Complete SMB protocol fingerprinting
    • Attempt the exploit attack
    • If successful, check for DoublePulsar malware
    • Ping DoublePulsar for an SMB reply

    DoublePulsar Malware

    The DoublePulsar tool bypasses the authentication measures of a system and creates a backdoor to allow remote access. This means that, without any user intervention, DoublePulsar transfers control of your system into the hands of the attacker.

    DoublePulsar establishes a connection which allows the attacker to exfiltrate information or install any malicious code they choose—like WannaCry—on the exploited system.

    Kill Switch Domain

    One of the most interesting elements of the WannaCry ransomware attack is the highly cited and publicized kill switch domain. This domain, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, was included in the WannaCry code and was designed to halt execution if the malware could connect to that hostname. However, since the domain was not registered, the attack continued to execute and spread.

    As a personal opinion and analysis, I think the kill switch was kept in the code so that it could go undetected in high authority systems that maintain a sort of “sandbox environment” to trap the malware. In essence, it seems the inclusion of the kill switch was a mechanism to differentiate between a real and a sandbox environment, allowing it to go unnoticed by cybersecurity tools and professionals.

    Impact of WannaCry

    The WannaCry ransomware infected millions of Windows systems in around 150 countries. The most affected countries were Russia, Ukraine, Taiwan and India. The worm also infiltrated many NHS systems across England, halting their services as well. The Wikipedia entry for this attack contains more details on the affected organizations.

    Once a system was compromised by WannaCry and its data encrypted, victims were asked to pay a fee of $300 in bitcoin within 3 days. After 3 days, the amount doubled to $600. If the ransom was not paid within seven days, the attacker threatened to delete the files altogether.

    Tweet from Actual_Ransom

    According to a tweet from @actual_ransom, the three Bitcoin wallets received around 256 transactions amounting to $76,233.26 USD. Not a bad income for a week or so of effort!

    How was the WannaCry Ransomware Stopped?

    Marcus Hutchins became an overnight hero when he accidentally saved the Internet from this malware.

    How did he stop it? As a cybersecurity researcher, Hutchins—who goes by @MalwareTechBlog on Twitter—was researching the WannaCry code when he discovered the kill switch in the script.

    He discovered that before WannaCry infected a system or demanded the ransom to allow the owner to access the files, the script made a request to the domain name iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

    Marcus discovered the domain was unregistered. So, he went ahead and registered the domain name for $10.69 at NameCheap.com and pointed it to a sinkhole server he was hosting in Los Angeles to get more information about the malware.

    Suddenly, the rapidly spreading WannaCry attacks dropped off, and this accidental save made Marcus Hutchins a hero who saved the Internet from impending doom.
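    The kill switch check described earlier and the sinkhole Hutchins pointed the domain at both leave the same defender-visible trace: an infected host resolving that domain. The PowerShell below is an added example, not code from the article or from any of the teams it cites, that scans resolver log lines for that lookup and reports which internal hosts made it. The log line layout (timestamp, client IP, query name, record type) and the sample lines are constructed assumptions and will need adjusting to your resolver’s actual log format.

```powershell
# Added example (not from the original article): flag hosts that resolved the
# WannaCry kill switch domain. The sample log lines and their field layout
# (timestamp, client IP, query name, record type) are constructed assumptions.

$KillSwitchDomain = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

# Constructed sample resolver log, one query per line.
$SampleLog = @'
2017-05-12T10:02:11Z 10.0.4.17 www.example.com A
2017-05-12T10:02:13Z 10.0.4.23 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
2017-05-12T10:02:14Z 10.0.4.23 update.example.net A
2017-05-12T10:02:20Z 10.0.7.5 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. A
2017-05-12T10:02:31Z 10.0.4.23 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
'@

function Find-KillSwitchLookups {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string] $Domain = $KillSwitchDomain
    )
    $hits = @{}
    foreach ($line in $Lines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 4) { continue }          # skip blank or malformed lines
        $timestamp, $client, $query = $fields[0..2]
        # Compare case-insensitively and tolerate a trailing dot on the FQDN.
        if ($query.TrimEnd('.') -ieq $Domain) {
            if (-not $hits.ContainsKey($client)) {
                $hits[$client] = [pscustomobject]@{
                    Client    = $client
                    FirstSeen = $timestamp
                    Lookups   = 0
                }
            }
            $hits[$client].Lookups++
        }
    }
    # One row per suspect host, most active first.
    $hits.Values | Sort-Object Lookups -Descending
}

Find-KillSwitchLookups -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

    Running it over the constructed sample reports 10.0.4.23 (two lookups) and 10.0.7.5 (one). After the domain was registered, a successful lookup meant the sample exited without encrypting, but the lookup itself still shows that the worm ran on that host, so it should be isolated and patched for MS17-010 rather than ignored. Expect false positives from your own analysts, scanners and threat intelligence tools resolving the domain, and exclude those sources before acting on the list.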

    FYI: The 23-year-old Marcus Hutchins was later arrested while attending the DEF CON security conference in Las Vegas. Authorities pressed charges alleging that Hutchins was responsible for developing malware designed to capture users’ online banking sessions. Working under the pseudonym “Kronos”, Hutchins is said to have developed and maintained this code to sell as kits for online cybercrime.

    Summing Up the WannaCry Ransomware Attack

    The main thing reinforced by the speed and success of the WannaCry ransomware attack is the importance of keeping systems patched and up to date. If you’re using outdated, vulnerable software, it is time to either update it or replace it entirely.

    You should also uninstall or disable unnecessary services and protocols. Malware attacks often exploit these services and protocols as an attack vector.

    The most important lesson when it comes to ransomware is to back up your data. Always ensure you have a recent, current backup of your files on a remote system or in cloud-based storage. You should never be forced to choose between paying the ransom and losing your data. Even if your system is compromised by ransomware, you can simply restore your backed-up data and resume normal operations.
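    As an added example of the first two recommendations (patch, and disable what you don’t need), not the article’s own code, the PowerShell below audits a Windows host for the SMBv1 protocol that EternalBlue targets, checks whether an MS17-010 update is recorded, and provides a function that disables SMBv1 once you have confirmed nothing still depends on it. It assumes Windows 10 or Windows Server 2016 or later (for the SmbShare and Dism modules and the AuditSmb1Access setting), an elevated session, and that you replace the placeholder KB identifier with the MS17-010 update numbers for your OS build taken from Microsoft’s bulletin; those numbers are not on this page.

```powershell
# Added example, not from the original article.
# Audits SMBv1 and the MS17-010 update on a Windows host, then (on request)
# disables SMBv1. Assumes Windows 10 / Server 2016 or later and an elevated
# session. The KB list is a placeholder: fill in the MS17-010 update numbers
# for your OS build from Microsoft's bulletin; they differ per build.
$Ms17010Kbs = @('KB-PLACEHOLDER-FOR-YOUR-BUILD')

function Get-Smb1Status {
    # Server side: is the SMBv1 dialect still offered, and is SMBv1 access
    # being audited? Client side: is the optional feature still installed?
    $cfg     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{
        Smb1ServerEnabled   = $cfg.EnableSMB1Protocol
        Smb1AuditingEnabled = $cfg.AuditSmb1Access
        Smb1FeatureState    = $feature.State
    }
}

function Test-Ms17010Recorded {
    param([string[]] $KbIds = $Ms17010Kbs)
    # Get-HotFix only lists updates that are still recorded individually. A
    # later cumulative update supersedes the original fix and will not show
    # up here, so treat $false as "verify by other means", not as "vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Disable-Smb1 {
    param([switch] $Apply)
    # Without -Apply this only reports the planned changes. Auditing goes on
    # first: each SMBv1 session then logs Event ID 3000 in the
    # Microsoft-Windows-SMBServer/Audit log, which shows which clients still
    # depend on SMBv1 before you cut them off.
    if (-not $Apply) {
        Write-Output 'Would enable SMB1 access auditing, disable the SMB1 dialect on the server, and remove the SMB1Protocol feature. Re-run with -Apply to do it.'
        return
    }
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

Get-Smb1Status
"MS17-010 update recorded by Get-HotFix: $(Test-Ms17010Recorded)"
Disable-Smb1        # preview only; add -Apply after confirming nothing still needs SMBv1
```

    On Windows Server editions the SMBv1 component is a server feature rather than an optional feature, so check it with Get-WindowsFeature FS-SMB1 instead. Leave auditing running for a while before applying the change: the Event ID 3000 entries tell you which printers, NAS boxes or legacy systems still negotiate SMBv1, and those are the devices that break when the dialect is switched off.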

    Rohit Langde
    Rohit is a blogger and entrepreneur who now runs an antimalware product called MalwareFox.