Today was a big day for the WannaCry / WanaCrypt0r ransomware as it took the world by storm by causing major ransomware outbreaks at Telefonica, Chinese Universities, the Russian Interior Ministry, and other organizations. While BleepingComputer will be covering these outbreaks in-depth, I felt it may be a good idea to take a technical dive into the WanaCrypt0r ransomware so those in the IT field who may be dealing with it can get a basic understanding of how it works.

Unfortunately, at this time files encrypted by WanaCrypt0r cannot be decrypted for free. If you need help or support with this ransomware, BleepingComputer has set up a dedicated WanaCrypt0r Wana Decrypt0r Help & Support Topic.

Is this ransomware called WannaCry, WannaCryptor, WanaCrypt0r, or Wana Decrypt0r?

While the internal name given by the developer for this ransomware is WanaCrypt0r, you are going to see news articles, including mine, calling it other things. This is because the ransomware goes by three different names: its lock screen/decryptor is called Wana Decrypt0r 2.0, which is what everyone will see on their desktop after being infected; its internal name is WanaCrypt0r; and the files it encrypts are given the extension WNCRY.

So what should we call it?  Personally, I think we should stick with WanaCrypt0r as that is its true name.  Unfortunately, most people will not call it that because the first thing they will see is the lock screen that is titled Wana Decrypt0r. As that is what most people will be searching for, we will be calling it WanaDecrypt0r or WannaCry during this article. 

How does WannaCry Spread?

MalwareHunterTeam first spotted WanaCrypt0r a few weeks ago, but at that point the ransomware was hardly being distributed. Suddenly, WannaCry exploded and began spreading like wildfire through an exploit called ETERNALBLUE, which is an alleged NSA exploit leaked online last month by a hacking group called The Shadow Brokers.

This ransomware spreads through a Worm executable that scans the Internet for Windows computers that have TCP port 445 accessible. This is the SMB port that the ETERNALBLUE exploit uses to gain access to a computer. When the Worm gains access to a computer, it creates a copy of itself there and executes that copy on the newly infected computer.

Once the Worm is running on the computer, it will try to connect to one of the following domains depending on the variant.

http://www.iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com       
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
http://www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com
http://www.lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com

If it is able to connect to one of these domains, then the Worm will not deploy the ransomware component and the victim's files will not become encrypted. At the same time, the worm component will remain active and continue to try and infect other computers.

Ultimately, this domain acts like a kill switch for the initialization of the ransomware and was discovered accidentally when a security researcher registered the domain to get statistics on infections. Currently this kill switch is active and the ransomware is not encrypting computers, but it is still spreading to other computers. More information about this kill switch can be found in our Wana Decrypt0r Ransomware Outbreak Temporarily Stopped By "Accidental Hero" article.

If the Worm component is unable to connect to the above domain, though, it extracts a password protected ZIP file to the same folder as the Worm program. This zip file contains the ransomware, which is then executed and encrypts the files on the victim's computer. More information about how the encryption works can be found below.

As the Worm spreads by using a vulnerability in SMBv1, which Microsoft patched in March as part of security bulletin MS17-010, it is necessary that everyone update their computers.

If you have not installed the updates mentioned in the MS17-010 security bulletin, STOP WHAT YOU ARE DOING NOW AND INSTALL IT.  Yes, I did that all in caps because it is that important.  While the ransomware is no longer spreading, it is trivial for the ransomware developer to simply release a new version without this killswitch. Therefore, install your updates so you don't lose your files when you become infected!

What is this Kill Switch Everyone is Talking About?

A kill switch is an event that is used to stop a program from continuing to execute. In the case of WannaCry, the kill switch is a domain name that the Worm component of WannaCry connects to when it starts. If the worm executable is able to connect to this web site, the program quits and does not spread to any other machines or drop the ransomware component. On the other hand, if it is not able to connect to the kill switch domain, then the ransomware component is dropped and executed to encrypt the victim's computer.

When the WannaCry worm was released on March 12th, the kill switch domain was set to  iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Since then, numerous other samples were released that contained other kill switches.  It is generally thought that these new releases are in fact not being released by the original malware developer, but rather by people who are looking to cause mischief or by researchers who are analyzing the ransomware and mistakenly allow it to escape their labs.

A full list of the kill switch domains is found at the end of this article.
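Because the worm resolves and connects to its kill switch domain as soon as it starts, a DNS lookup for one of the domains listed above is a strong sign that the worm ran on that host, whether or not the files ended up encrypted. As an added example that is not code from the original article, the following Python script triages resolver query logs for exactly that. The log format (a hypothetical "timestamp client qtype qname" line), the sample lines and the client addresses are constructed for the demonstration and are not from any real capture.

```python
import re
from collections import defaultdict

# Kill switch hostnames listed in the article. A lookup of any of these is
# the first thing the worm does on start-up, so it marks a host worth isolating.
KILL_SWITCH_DOMAINS = {
    "www.iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com",
    "www.lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com",
}

# Constructed sample resolver log (hypothetical format: timestamp, client IP,
# query type, query name). Hosts and times are made up for the example.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:02Z 10.0.0.23 A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
2017-05-12T10:01:05Z 10.0.0.23 A dist.torproject.org.
2017-05-12T10:02:11Z 10.0.0.41 A www.bleepingcomputer.com.
2017-05-12T10:03:40Z 10.0.0.57 AAAA WWW.AYYLMAOTJHSSTASDFASDFASDFASDFASDFASDFASDF.COM.
2017-05-12T10:04:00Z 10.0.0.23 A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def normalize_qname(qname):
    """Lower-case the name and drop the trailing root dot so matches are exact."""
    return qname.rstrip(".").lower()


def find_kill_switch_lookups(log_text):
    """Return {client_ip: sorted kill switch domains that client queried}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, _qtype, qname = m.groups()
        name = normalize_qname(qname)
        if name in KILL_SWITCH_DOMAINS:
            hits[client].add(name)
    return {client: sorted(domains) for client, domains in hits.items()}


if __name__ == "__main__":
    for client, domains in sorted(find_kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{client} queried kill switch domain(s): {', '.join(domains)}")
```

Note that a hit here does not tell you whether the connection succeeded; it only tells you the worm started on that host, which is what a responder needs in order to decide which machines to pull off the network and patch first.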

Is it possible to Decrypt Files Encrypted by WannaCry?

Under certain circumstances, it may be possible to recover encrypted files by using the WanaKiwi program. This program tries to recreate the private decryption key from data stored in the memory of the WannaCry process. Unfortunately, this means that for the tool to work properly, the computer cannot have been rebooted, the WannaCry process cannot have been terminated at any point, and the data in memory must not have been overwritten by other data.

While the chances of successfully using this tool outside of a lab environment are slim, if your files are encrypted by WannaCry then you should absolutely try WanaKiwi as you have nothing to lose.

How does WannaCry Encrypt a Computer?

When a computer becomes infected with Wana Decrypt0r, the installer will extract an embedded file into the same folder that the installer is located in. This embedded resource is a password-protected zip folder that contains a variety of files that are used by and executed by WanaCrypt0r.

Embedded Password Protected Zip File

The WanaDecrypt0r loader will then extract the contents of this zip file into the same folder and perform some startup tasks. It first extracts localized versions of the ransom notes into the msg folder. The currently supported languages are:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese.

WanaCrypt0r will then download a TOR client from https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip and extract it into the TaskData folder.  This TOR client is used to communicate with the ransomware C2 servers at gx7ekbenv2riucmf.onion, 57g7spgrzlojinas.onion, xxlvbrloxvriy2c5.onion, 76jdd2ir2embyv47.onion, and cwwnhwhlz52maqm7.onion.

In order to prep the computer so that it can encrypt as many files as possible, WanaCrypt0r will now execute the command icacls . /grant Everyone:F /T /C /Q in order to give everyone full permissions to the files located in the folder, and subfolders, where the ransomware was executed. It then terminates processes associated with database servers and mail servers so it can encrypt databases and mail stores as well.

The commands that are executed to terminate the database and Exchange server processes are:

taskkill.exe /f /im mysqld.exe
taskkill.exe /f /im sqlwriter.exe
taskkill.exe /f /im sqlserver.exe
taskkill.exe /f /im MSExchange*
taskkill.exe /f /im Microsoft.Exchange.*

Now, Wana Decrypt0r is ready to start encrypting the files on the computer. When encrypting files, WanaDecrypt0r will scan all drives and mapped network drives for files that have one of the following extensions:

.der, .pfx, .key, .crt, .csr, .pem, .odt, .ott, .sxw, .stw, .uot, .max, .ods, .ots, .sxc, .stc, .dif, .slk, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mkv, .flv, .wma, .mid, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .hwp, .snt, .onetoc2, .dwg, .pdf, .wks, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

When encrypting a file, it will add the string WANACRY!, which serves as a file marker, to the beginning of the encrypted file.

File Marker

It will then append the .WNCRY extension to the encrypted file to denote that the file has been encrypted. For example, a file called test.jpg would be encrypted and have a new name of test.jpg.WNCRY.

Folder of WNCRY Encrypted Files

It should also be noted that if a user uses a cloud storage service and regularly synchronizes their local data with the cloud, the files in the cloud will be overwritten by the encrypted versions.

When encrypting files, it will also store a @Please_Read_Me@.txt ransom note and a copy of the @WanaDecryptor@.exe decryptor in every folder that a file was encrypted.  We will take a look at those files later.
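The WANACRY! marker, the .WNCRY extension and the per-folder @Please_Read_Me@.txt / @WanaDecryptor@.exe drops described above give a responder a cheap way to inventory what was touched. As an added example that is not part of the original article, this Python script walks a directory tree and classifies files by those artifacts, and it separates files that carry the marker (actually encrypted) from files that merely carry the extension, a distinction that matters when you are deciding what to restore. The sample directory it builds is constructed for the demonstration; the file names and contents are not real victim data.

```python
import os
import tempfile

FILE_MARKER = b"WANACRY!"                   # written at offset 0 of every encrypted file
ENCRYPTED_EXTENSIONS = (".wncry", ".wcry")  # extensions the article lists for encrypted files
RANSOM_NOTE = "@please_read_me@.txt"        # dropped in every folder that had a file encrypted
DECRYPTOR = "@wanadecryptor@.exe"           # copy of the decryptor dropped alongside it


def classify_file(path):
    """Return a reason string if the file looks WannaCry-related, otherwise None."""
    name = os.path.basename(path).lower()
    if name == RANSOM_NOTE:
        return "ransom note"
    if name == DECRYPTOR:
        return "dropped decryptor executable"
    has_ext = name.endswith(ENCRYPTED_EXTENSIONS)
    try:
        with open(path, "rb") as fh:
            has_marker = fh.read(len(FILE_MARKER)) == FILE_MARKER
    except OSError:
        return None  # unreadable (locked, permissions): leave it for manual review
    if has_marker and has_ext:
        return "encrypted (marker + extension)"
    if has_marker:
        return "encrypted (marker only; extension not appended)"
    if has_ext:
        return "extension only (no WANACRY! marker, probably not encrypted)"
    return None


def scan_tree(root):
    """Walk root and return sorted (path relative to root, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reason = classify_file(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def summarize(findings):
    """Count findings per reason for a quick picture of the damage."""
    counts = {}
    for _path, reason in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


def make_constructed_sample():
    """Build a throwaway directory of constructed files (no real victim data)."""
    root = tempfile.mkdtemp(prefix="wncry_demo_")
    os.makedirs(os.path.join(root, "sub"))
    samples = {
        "test.jpg.WNCRY": FILE_MARKER + b"\x00" * 16,      # marker and extension
        "photo.jpg": b"\xff\xd8\xff\xe0 untouched jpeg",    # clean file
        "@Please_Read_Me@.txt": b"Q:  What's wrong with my files?",
        "sub/notes.docx": FILE_MARKER + b"\x01\x02",        # marker, no extension
        "sub/fake.WNCRY": b"not actually encrypted",        # extension, no marker
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = make_constructed_sample()
    results = scan_tree(demo_root)
    for path, reason in results:
        print(f"{reason:60s} {path}")
    print(summarize(results))
```

Run it against a real share by calling scan_tree on the share's root; on a live infection do so from a read-only mount or a copy, since the article notes the ransomware keeps encrypting new files while its processes are running.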

WanaCrypt0r will then issue some commands that clear the Shadow Volume Copies, disable Windows startup recovery, and clear the Windows Server Backup history. The commands that are issued are:

C:\Windows\SysWOW64\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

As these commands require Administrative privileges, victims will see a UAC prompt similar to the one below.

UAC Prompt
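The taskkill commands and the shadow copy / recovery command chain shown above are distinctive enough to alert on from process-creation telemetry, and the icacls call is a useful supporting signal. As an added example that is not from the original article, the Python below runs a small rule set over process-creation log lines and escalates hosts on which more than one of these behaviours appears. The log format (a hypothetical pipe-separated line of timestamp, host, image path and command line), the host names and the timestamps are constructed for the demonstration; the command lines themselves are the ones the article lists.

```python
import re
from collections import defaultdict

# Each rule is (name, pattern over the command line). The patterns follow the
# commands the article lists; (\.exe)? lets them match either spelling.
RULES = [
    ("database/mail service kill",
     re.compile(r"taskkill(\.exe)?\s.*?/im\s+(mysqld\.exe|sqlwriter\.exe|sqlserver\.exe|"
                r"msexchange\*|microsoft\.exchange\.\*)", re.I)),
    ("shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows?\b|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery disabled via bcdedit",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup catalog deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("permissions opened to Everyone",
     re.compile(r"icacls(\.exe)?\s.*?/grant\s+everyone:f\b", re.I)),
]

# Constructed sample log: timestamp|host|image|command line. The SRV-BKP01 line
# is a benign "vssadmin list shadows" to show the rules do not fire on it.
SAMPLE_PROCESS_LOG = r"""
2017-05-12T11:02:13Z|WS-0413|C:\Windows\System32\taskkill.exe|taskkill.exe /f /im mysqld.exe
2017-05-12T11:02:13Z|WS-0413|C:\Windows\System32\taskkill.exe|taskkill.exe /f /im MSExchange*
2017-05-12T11:02:20Z|WS-0413|C:\Windows\SysWOW64\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2017-05-12T11:05:01Z|SRV-BKP01|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2017-05-12T11:07:44Z|WS-0200|C:\Windows\System32\icacls.exe|icacls . /grant Everyone:F /T /C /Q
"""


def parse_line(line):
    """Split one log line into (timestamp, host, image, cmdline); None if malformed."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    return tuple(parts)


def analyze_process_log(log_text):
    """Map each host to the sorted list of rule names its command lines triggered."""
    per_host = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        _ts, host, _image, cmdline = rec
        for name, pattern in RULES:
            if pattern.search(cmdline):
                per_host[host].add(name)
    return {host: sorted(names) for host, names in per_host.items()}


def hosts_to_escalate(per_host, threshold=2):
    """Hosts showing at least `threshold` distinct behaviours. One alone (an admin
    running icacls, say) is noisy; several together match the pre-encryption
    sequence the article describes."""
    return sorted(h for h, names in per_host.items() if len(names) >= threshold)


if __name__ == "__main__":
    per_host = analyze_process_log(SAMPLE_PROCESS_LOG)
    for host, names in sorted(per_host.items()):
        print(f"{host}: {', '.join(names)}")
    print("escalate:", hosts_to_escalate(per_host))
```

A single cmd.exe line can trip four of the five rules at once, which is why the escalation logic counts distinct behaviours per host rather than matching lines; the taskkill rule also catches the service kills that happen before the UAC prompt, so it fires even on a victim who clicked No.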

Finally, the installer will execute the @WanaDecryptor@.exe program so that the Wana Decryptor 2.0 lock screen is displayed. This screen contains further information as to how the ransom can be paid and allows you to select one of the languages listed above. Once you see this screen and realize you are infected, it is important to terminate all the malware processes, as Wana Decrypt0r will continue to encrypt new files as they are created.

Wana Decrypt0r 2.0 Lock Screen

When you click on the Check Payment button, the ransomware connects back to the TOR C2 servers to see if a payment has been made. If one was made, the ransomware will automatically decrypt your files. If payment has not been made, you will see a response like the one below.

Payment not made Response

There are three hard-coded bitcoin addresses in the WanaCrypt0r ransomware. These bitcoin addresses are 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, and 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn. Maybe I am missing something, but what I do not understand is if so many people are utilizing the same bitcoin address, how will the ransomware developers be able to differentiate the victims that have paid from those who have not?

For example, people have paid ransom to my assigned bitcoin address, yet the program still states I did not pay.

The Wana Decryptor 2.0 screen also has a Contact Us label that opens a form where you can contact the ransomware developer.

Contact Us Form

The ransomware will also configure your Desktop wallpaper to display another ransom note as shown below.

Desktop Wallpaper

Last, but not least, a ransom note will be left on the desktop that contains more information and answers to frequently asked questions.

@Please_Read_Me@.txt Ransom Note

As previously said, unfortunately this ransomware cannot be decrypted for free. Your best bet is to recover from backups, and if those do not exist, try a program like Shadow Explorer in the hopes that the ransomware did not properly delete your Shadow Volume Copies. If a user did not click Yes at the UAC prompt, then there is a chance those are still available to recover from. 

A guide on recovering files from Shadow Volume Copies can be found here: How to recover files and folders using Shadow Volume Copies.

If you need help or support with this ransomware, BleepingComputer has set up a dedicated WanaCrypt0r Wana Decrypt0r Help & Support Topic.

How can you prevent being infected by Wana Decrypt0r?

Other than having up-to-date security software installed that utilizes behavioral protection to protect you from new threats, it is imperative that you make sure all of the latest Windows security updates are installed on your computers. I know that for some businesses, installing the latest security updates as they come out is not part of their "patch management policies", but updates that fix alleged NSA remote exploits should really take priority.

If for whatever reason you are unable to install all Windows updates, then you must at least install the updates discussed in Microsoft Security Bulletin MS17-010. Security researcher Bart also recommends that you disable SMBv1 as it is not necessary to use it in modern Windows. Instructions on how to disable SMBv1 can be found in the MS17-010 bulletin as well.

Microsoft has also released an update for Windows XP, Windows 8, and Windows Server 2003, which typically no longer receive security updates. For more information about this update, you can read the following story: Microsoft Releases Patch for Older Windows Versions to Protect Against Wana Decrypt0r.

For a software product with great behavioral detections, I highly recommend Emsisoft Anti-Malware for their behavior blocker component. Not only do you get a great security program, but their behavior blocker has an incredible track record at preventing new zero-day ransomware from encrypting a computer.

This is what happened when I tried running the Wana Decrypt0r installer with Emsisoft Anti-Malware's Behavior Blocker enabled.

Unfortunately, the behavior blocker is only available in the paid-for version, so you would need to purchase Emsisoft Anti-Malware in order to benefit from this feature.

In full disclosure, we do earn a commission if you purchase Emsisoft Anti-Malware through the above link. With that said, I am only recommending Emsisoft Anti-malware because I believe in the program and that it can do a terrific job protecting you from Ransomware and other malware.

Further Reading in Chronological Order

May 12th 2017 8:40 AM: Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware Outbreak

May 12th 2017 1:07 PM: Wana Decryptor Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage

May 13th 2017 4:14 AM: Wana Decryptor Ransomware Outbreak Temporarily Stopped By "Accidental Hero"

May 13th 2017 5:05 AM: Microsoft Releases Patch for Older Windows Versions to Protect Against Wana Decryptor

May 14th 2017 8:00 AM: Honeypot Server Gets Infected with WannaCry Ransomware 6 Times in 90 Minutes

May 14th 2017 9:00 PM: Microsoft Exec Blames WannaCry Ransomware on NSA Vulnerability Hoarding Program

May 15th 2017 2:01 AM: With the Success of WannaCry, Imitations are Quickly In Development

May 15th 2017 6:55 AM: WannaCry Ransomware Version With Second Kill Switch Detected and Shut Down

May 15th 2017 1:00 PM: Someone Created a WannaCry Version That Doesn't Use a Kill Switch


IOCs

Hashes:

SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Files associated with Wana Decrypt0r / WanaCrypt0r:

@Please_Read_Me@.txt
[Installed_Folder]\00000000.eky
[Installed_Folder]\00000000.pky
[Installed_Folder]\00000000.res
[Installed_Folder]\@WanaDecryptor@.exe
[Installed_Folder]\@WanaDecryptor@.exe.lnk
[Installed_Folder]\b.wnry
[Installed_Folder]\c.wnry
[Installed_Folder]\f.wnry
[Installed_Folder]\msg\
[Installed_Folder]\msg\m_bulgarian.wnry
[Installed_Folder]\msg\m_chinese (simplified).wnry
[Installed_Folder]\msg\m_chinese (traditional).wnry
[Installed_Folder]\msg\m_croatian.wnry
[Installed_Folder]\msg\m_czech.wnry
[Installed_Folder]\msg\m_danish.wnry
[Installed_Folder]\msg\m_dutch.wnry
[Installed_Folder]\msg\m_english.wnry
[Installed_Folder]\msg\m_filipino.wnry
[Installed_Folder]\msg\m_finnish.wnry
[Installed_Folder]\msg\m_french.wnry
[Installed_Folder]\msg\m_german.wnry
[Installed_Folder]\msg\m_greek.wnry
[Installed_Folder]\msg\m_indonesian.wnry
[Installed_Folder]\msg\m_italian.wnry
[Installed_Folder]\msg\m_japanese.wnry
[Installed_Folder]\msg\m_korean.wnry
[Installed_Folder]\msg\m_latvian.wnry
[Installed_Folder]\msg\m_norwegian.wnry
[Installed_Folder]\msg\m_polish.wnry
[Installed_Folder]\msg\m_portuguese.wnry
[Installed_Folder]\msg\m_romanian.wnry
[Installed_Folder]\msg\m_russian.wnry
[Installed_Folder]\msg\m_slovak.wnry
[Installed_Folder]\msg\m_spanish.wnry
[Installed_Folder]\msg\m_swedish.wnry
[Installed_Folder]\msg\m_turkish.wnry
[Installed_Folder]\msg\m_vietnamese.wnry
[Installed_Folder]\r.wnry
[Installed_Folder]\s.wnry
[Installed_Folder]\t.wnry
[Installed_Folder]\TaskData\
[Installed_Folder]\TaskData\Data\
[Installed_Folder]\TaskData\Data\Tor\
[Installed_Folder]\TaskData\Tor\
[Installed_Folder]\TaskData\Tor\libeay32.dll
[Installed_Folder]\TaskData\Tor\libevent-2-0-5.dll
[Installed_Folder]\TaskData\Tor\libevent_core-2-0-5.dll
[Installed_Folder]\TaskData\Tor\libevent_extra-2-0-5.dll
[Installed_Folder]\TaskData\Tor\libgcc_s_sjlj-1.dll
[Installed_Folder]\TaskData\Tor\libssp-0.dll
[Installed_Folder]\TaskData\Tor\ssleay32.dll
[Installed_Folder]\TaskData\Tor\taskhsvc.exe
[Installed_Folder]\TaskData\Tor\tor.exe
[Installed_Folder]\TaskData\Tor\zlib1.dll
[Installed_Folder]\taskdl.exe
[Installed_Folder]\taskse.exe
[Installed_Folder]\u.wnry
[Installed_Folder]\wcry.exe

Registry entries associated with Wana Decrypt0r / WanaCrypt0r:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random]	"[Installed_Folder]\tasksche.exe"
HKCU\Software\WanaCrypt0r\
HKCU\Software\WanaCrypt0r\wd	[Installed_Folder]
HKCU\Control Panel\Desktop\Wallpaper	"[Installed_Folder]\Desktop\@WanaDecryptor@.bmp"

Network Communication from Wana Decrypt0r / WanaCrypt0r:

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
\\172.16.99.5\IPC$
\\192.168.56.20\IPC$

Known Kill Switches:

http://www.iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com       
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
http://www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com
http://www.lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com

Wana Decrypt0r / WanaCrypt0r Lock Screen Text:

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
We will have free events for users who are so poor that they couldn't pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window.
After your payment, click . Best time to check: 9:00am - 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

Contact
If you need our assistance, send a message by clicking .

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!

Wana Decrypt0r / WanaCrypt0r Ransom Note Text:

Q:  What's wrong with my files?

A:  Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
    If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
    Let's start decrypting!

Q:  What do I do?

A:  First, you need to pay service fees for the decryption.
    Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

    Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
    Run and follow the instructions! (You may need to disable your antivirus for a while.)
    
Q:  How can I trust?

A:  Don't worry about decryption.
    We will decrypt your files surely because nobody will trust us if we cheat users.
    

*   If you need our assistance, send a message by clicking  on the decryptor window.

Encrypted File Extensions:

.WCRY
.WNCRY