WannaCry Attack

Introduction
The WannaCry attack was one of the largest-scale ransomware attacks ever seen and was first reported on 12 May 2017. Because it had worm-like capabilities, it was able to spread rapidly across networks on a global scale and infect Windows systems vulnerable to the EternalBlue exploit. Once a computer was infected, its files would be encrypted and a ransom note would appear demanding payment in Bitcoin in exchange for the victim's encrypted files.

WannaCry 1.0
WannaCry version 1.0 (beta) was first observed in February 2017 by Check Point and a number of other security firms. However, this version was noted to have limited functionality and may have been a test version. At this stage it is believed that WannaCry had no propagation methods yet, meaning it could not spread across networks by itself. The beta version was found to use AES-128 encryption to encrypt the victim's files, with some reports of the AES keys being hard-coded.

WannaCry 2.0
WannaCry 2.0 was the final version of the ransomware and the version that had a devastating impact on organizations around the world. It included the propagation method that allowed the ransomware to spread in the same manner as a computer worm, affecting thousands of machines with minimal (if any) user interaction to trigger the infection. The encryption was also improved in this version by using RSA-2048 and removing the hard-coded AES-128 key, making the files extremely difficult to decrypt without paying.

Technology
Although some may regard WannaCry as relatively amateur malware, it still made use of sophisticated tools and methods.

Encryption
WannaCry encrypts files by loading a key from the 00000000.pky file. If the key does not exist, it will import and generate a public RSA-2048 key, which it stores in the 00000000.pky file. The corresponding private key, which will later be needed to decrypt the victim's files, is generated at the same time; it is encrypted and stored in the 00000000.eky file.

A thread is started that writes 136 bytes to the 00000000.res file every 25 seconds, creating the file if it does not exist. A second thread then checks whether a file can be encrypted and decrypted using the keys found in the 00000000.pky and 00000000.dky files. A third thread scans every 3 seconds for new drives connected to the infected computer; if a new drive (such as a flash drive or external hard drive) is connected, WannaCry begins encrypting the files on that drive as well.

WannaCry scans the file directories on the infected computer and encrypts virtually all file types with RSA-2048 encryption, except those ending in .exe, .dll, and .wncry. The files that can be encrypted are:

Decryption
WannaCry communicates with an Onion server by means of a Tor service running on TCP port 9050. It registers the infected computer with the Onion server and, once the ransom has been paid, retrieves the RSA private key needed to decrypt the victim's encrypted files. When the user presses the 'Check Payment' button, WannaCry first determines whether the 00000000.dky file exists on the affected computer. If it does, WannaCry tests the key by encrypting a file with the public key that was used to encrypt the other files on the computer and then trying to decrypt it with the private key in the 00000000.dky file.

However, if the 00000000.dky file does not exist, WannaCry sends the contents of the 00000000.eky file to the Onion server, and the server's response is stored in the 00000000.dky file.
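The Encryption and Decryption sections above describe a fixed set of on-disk artifacts: the 00000000.pky/.eky/.dky/.res key files, the .wncry extension on encrypted files, and a .res file that grows by 136 bytes every 25 seconds. The following is an added example (not WannaCry's code, and not from the original article) of a defender-side triage script that hunts for those artifacts in a directory tree; the sample tree it builds is constructed for the demonstration, and the verdict labels are the author's own.

```python
import os
import tempfile

KEY_FILES = {"00000000.pky", "00000000.eky", "00000000.dky", "00000000.res"}
RES_RECORD_SIZE = 136      # bytes appended to 00000000.res every 25 seconds
ENCRYPTED_EXT = ".wncry"   # extension WannaCry gives files it has encrypted

def scan_tree(root):
    """Walk root and collect the WannaCry indicators into a findings dict."""
    findings = {"key_files": [], "encrypted_files": [], "res_records": None}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in KEY_FILES:
                findings["key_files"].append(path)
                if lower == "00000000.res":
                    size = os.path.getsize(path)
                    # a .res file grows in 136-byte steps; count the writes so far
                    if size and size % RES_RECORD_SIZE == 0:
                        findings["res_records"] = size // RES_RECORD_SIZE
            elif lower.endswith(ENCRYPTED_EXT):
                findings["encrypted_files"].append(path)
    return findings

def verdict(findings):
    """Coarse triage label (hypothetical scheme) a responder can act on."""
    if findings["key_files"] and findings["encrypted_files"]:
        return "infected"    # key material dropped and files already renamed
    if findings["key_files"]:
        return "staging"     # key files present, no renamed files seen yet
    if findings["encrypted_files"]:
        return "suspicious"  # renamed files without the expected key files
    return "clean"

def build_sample_tree():
    """Constructed sample directory mimicking an infected host (not real artifacts)."""
    root = tempfile.mkdtemp(prefix="wcry_demo_")
    samples = {
        "00000000.pky": b"\x00" * 32,
        "00000000.eky": b"\x00" * 32,
        "00000000.res": b"\x00" * (RES_RECORD_SIZE * 3),  # three 25-second writes
        os.path.join("docs", "report.docx.WNCRY"): b"ciphertext",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root
```

Running `verdict(scan_tree(build_sample_tree()))` on the constructed tree returns "infected", and the `res_records` count gives a rough lower bound on how long the malware has been running on the host.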

EternalBlue
EternalBlue was one of the tools stolen from the National Security Agency (NSA) by a hacker group called the Shadow Brokers and leaked to the public. EternalBlue exploited a critical vulnerability in the Windows Server Message Block version 1 (SMBv1) protocol. This protocol is used for sharing files over a network; it allows computers on a network to read and write files and to make requests for services.

WannaCry used this tool as an infection vector, which gave it the ability to spread so rapidly through organizations' networks in a worm-like manner. Because organizations are globally interconnected, WannaCry was able to propagate from networks in one country onto networks in another.

DoublePulsar
DoublePulsar is a backdoor tool designed by the NSA and one of the tools leaked by the Shadow Brokers. It runs in kernel mode on the affected computer and can grant attackers a very high level of access to the machine. This gives them a great deal of control and lets them perform various actions, one of which is executing applications. WannaCry used this tool to install itself on vulnerable machines with administrative privileges and without any input from the victim to launch the installation.

The Attack
On the 12th of May 2017, reports of WannaCry started coming in from India and South-East Asia. Shortly afterwards there were reports in Europe and the United States as well. Unlike most ransomware attacks, WannaCry was not launched via phishing emails; instead, the attackers had been probing the internet and scanning for machines that were not patched against the SMBv1 vulnerability. It is therefore speculated that the initial infections were launched on some of these computers by the attackers themselves, and that WannaCry's use of EternalBlue and DoublePulsar then allowed it to spread and infect further machines on its own.

Once infected, the victim would have their files encrypted and would be faced with a ransom note. The ransom note informed the user what had happened and gave instructions on what to do in order to retrieve the encrypted files. WannaCry demanded a ransom of $300 worth of Bitcoin. If the victim failed to pay within 3 days, the ransom doubled to $600 worth of Bitcoin. If after 7 days the victim still had not paid, WannaCry threatened to permanently delete all the encrypted files.

An interesting characteristic of the first wave of WannaCry was that the malware would first try to contact an unregistered domain. If it could not reach the domain, it would carry out the ransom attack on the computer; if it could reach the domain, it would do nothing to the infected computer. This was a kill switch discovered by security researcher Marcus Hutchins. He registered the domain that WannaCry tried to contact, and once it went live the malware was able to reach the domain, which ultimately stopped further successful attacks around the world.

However, it seems that enhanced versions of WannaCry were already spreading, as infections still took place with versions that lacked a working kill switch. WannaCry version 2.0a tried to contact a different domain, which was also registered, and WannaCry version 2.0b had no kill switch at all; however, it had difficulty deploying its payload and was largely unsuccessful at encrypting computers.

By the end of the week, an estimated 200 000 computers had been hit in 150 countries, and more than $140 000 in Bitcoin had been paid to the attackers. The estimated cost in damages was around $4 - $5 billion, as many large organizations around the world had to shut down their services because of the attack. The attackers have never been identified or apprehended, although there was one potential lead. The c.wry file (WannaCry's configuration file) was analyzed and an attempt to hide some of its data was documented. A line of data, "KDMS/bitu.skaria", was found in the file, where KDMS is the name of a recognized group of hackers, and there is speculation that bitu.skaria could be the attacker responsible. However, nothing conclusive has come of it.

The attackers' Bitcoin wallet was under strict surveillance, as authorities were attempting to trace the attackers when they emptied the wallet. The wallet sat dormant for 3 months with over $140 000 worth of Bitcoin in it, and there were rumors that the attack may not have been financially motivated. On the 3rd of August 2017, the wallet was emptied in a very cunning manner. The Bitcoin was moved from three accounts linked to WannaCry into another nine accounts, rather than all of it being moved to a single account. This was part of a technique to make it harder for authorities to follow the movement of the Bitcoin. The Bitcoin is then believed to have been sent to ShapeShift.io, an online cryptocurrency converter. ShapeShift does not require a user account in order to use its services; it only requires the address of the user's existing cryptocurrency and the wallet address of the cryptocurrency they are converting to. The attackers' Bitcoin is speculated to have been converted to Monero, a much more anonymous and harder-to-track cryptocurrency than Bitcoin. As a result, the attackers have never been caught and authorities may have lost the trace on the cryptocurrency.

Organizations Affected by WannaCry
Here is a list of some of the organizations that were hit by WannaCry and had their services virtually grind to a halt as a result:
 * Chinese Public Security Bureau - China
 * Deutsche Bahn - Germany
 * FedEx - United States
 * Government of Gujarat/Kerala/Maharashtra/West Bengal - India
 * Hitachi - Japan
 * Honda - Japan
 * Ministry of Internal Affairs of the Russian Federation - Russia
 * Ministry of Foreign Affairs - Romania
 * National Health Service - England
 * National Health Service - Scotland
 * Nissan Motor Manufacturing UK - United Kingdom
 * O2 - Germany
 * PetroChina - China
 * Portugal Telecom - Portugal
 * Renault - France
 * Russian Railways - Russia
 * São Paulo Court of Justice - Brazil
 * Saudi Telecom Company - Saudi Arabia
 * Telefónica - Spain
 * Telenor - Hungary
 * Telkom - South Africa
 * University of Montreal - Canada
 * Vivo - Brazil

Additional Facts

 * Microsoft released a Windows patch for the SMBv1 vulnerability (CVE-2017-0144) in March 2017, two months before the WannaCry attack took place. Because many people and organizations disregard the importance of security updates, WannaCry was still able to spread the way it did.
 * Windows XP and Windows Server 2003 had reached their end of life and had not received support from Microsoft since 8 April 2014. Many organizations were still using these legacy systems even though they were aware they were no longer supported. The impact of WannaCry was so severe that Microsoft made an exception during the attack and released patches for XP and Server 2003 as well, to try to prevent the malware from spreading onto more networks and computers.
 * The National Health Service (NHS) in the United Kingdom was one of the worst affected organizations, as it was mainly using Windows XP machines. More than 70 000 of its computers were infected (35% of the total affected computers worldwide).
 * Microsoft blamed the NSA for discovering the vulnerability and not notifying them about it. This has resulted in speculation that the NSA holds a stockpile of vulnerabilities in various devices and software that the respective vendors are unaware of. This controversial theory has led many to believe that the NSA may keep these vulnerabilities secret in order to keep exploiting them for its surveillance operations.
 * If every infected computer's ransom of $300 had been paid, the attackers would have made between $60 - $90 million (roughly 33 000 - 50 000 Bitcoin).