
WanaCrypt0r Ransomworm - r0xz
http://baesystemsai.blogspot.com/2017/05/wanacrypt0r-ransomworm.html
======
Macuyiko
> The initial infection vector is still unknown. Reports by some of phishing
> emails have been dismissed by other researchers as relevant only to a
> different (unrelated) ransomware campaign, called Jaff. There is also a
> working theory that initial compromise may have come from SMB shares exposed
> to the public internet. Results from Shodan show over 1.5 million devices
> with port 445 open – the attacker could have infected those shares directly.

I think this is an important take-away. I found it strange that so many media
outlets and IT departments were jumping on the "do not open suspicious emails"
bandwagon even though there hasn't been a lot of evidence of such phishing
emails. That is: screenshots of infected devices have been popping up all
across the world, but almost no examples of a particular entry email have been
shown.

Of course, it might be easier for an IT dep. to state: "it must have been
unleashed by someone clicking on some email they got" rather than "oops, we
still had unpatched Windows machines exposed to the public internet". Why go
through the trouble of sending out emails when your worm already contains a
replication/infection mechanism? Just use a botnet to scan those 1 million IPs
and see if SMB is open.

That being said, it does not surprise me to see yet again an issue in SMB.
This has been a particularly weak point in Windows for decades now. I remember
"hacking tutorials" from 15 years ago where you'd just go out and nmap public
IP ranges to see if you could access hidden shares (e.g. like so:
[http://www.madirish.net/59](http://www.madirish.net/59)). Also there was this
issue of Windows keeping weak NetBIOS password hashes around which could be
trivially unhashed
([https://vuldb.com/?id.13824](https://vuldb.com/?id.13824)), years ago.

~~~
tomlong
A fair amount of ransomware is distributed via email, so it's not such a bad
idea when this issue is front and centre and all over the news to reinforce
good behaviour amongst users.

It's not like 'stop clicking random shit in emails' is bad advice.

~~~
paulddraper
Why the hell can't I click shit in random emails?

It's a friggin email and data transfer for crying out loud.

Stop blaming users.

~~~
Piskvorrr
Oh, you _can_. Just like you _can_ inject any random substance given to you by
a stranger.

Being aware that both are _high risk activities_ is the point, methinks.

~~~
sp332
There's absolutely no reason that sending a link to someone should be able to
pwn their box. There's no reason to make such fragile email systems.

~~~
ihattendorf
What if they click the link, run the downloaded invoice.EXE, and enter their
password when prompted? At a certain point, the user needs to be educated
enough to avoid this.

PDF/Office macros are a whole other topic though.

~~~
sp332
There's a really big gap there. Look at chromeOS - you can click a lot more
email links on that OS without getting ransomware'd.

~~~
Piskvorrr
Is it because the OS is inherently more secure, or because the malicious code
is not written for that OS?

~~~
sp332
Yeah, the sandboxing helps a lot. I mean look at iOS - super popular, huge
target for malware, but it hardly ever gets hacked.

------
simias
I'm surprised by how carefully the worm seems to be coded. They make sure they
have an internet connection, they check for disk space in order not to run out
while encrypting, they save a backup copy of the "tasksched" executable before
replacing it, they shut down databases (I assume in order to prevent
corruption?) etc...

I guess they want to make sure the decryption process will work without any
issue so that the victim will be more likely to pay other ransoms or spread
word of mouth that it does actually work.

I wish all software devs were as thorough as these people...

~~~
robinwassen
I would guess the shutdown of apps is not of good intent, rather to release
file locks so they can delete the unencrypted database and exchange files.

------
RichardHeart
Evil Ransomware improvements we may see:

1. New address per machine (easier to detect payments made, hides profit
total.)

2. Deterministic wallet stores all profit in a simple 12 word seed
"password."

3. Phone numbers directly to bitcoin vendors. (people running insecure
systems love phones.)

4. Phone number to tech support company that bills your credit card to walk
you through paying the ransom.

5. Delayed symptoms. Secretly encrypt backups (windows efs might be able to
do it nonobviously) Then once all your backups are secretly encrypted, it
encrypts the key, and now you can't use backups to save yourself.

6. Advertise affiliated antivirus (I hear this is what cloudflare does by
hosting bad actors, they inflate their demand from protection from bad actors,
just a rumor though.)

7. Infect a friend. Get a discount on your ransom if you infect a friend and
they pay.

It doesn't seem reasonable that 300k infections = less than 1 in 1000 payments.
Are people's files really so worthless, or bitcoin really so hard, or people so
untrusting of unencrypt. I imagine they could have sold their 0 day idea for
more money to a whitehat perhaps? Maybe more generalized bug bounties could be
deployed to offer financial incentive to harden systems and be non evil.

~~~
sp00ls
I don't know a single person who would pay upwards of $300 to get their files
back if they got hit with ransomware. Hell, I've got something like 10 years
of personal files on my machine and I wouldn't pay that much for them. I would
bet a lot more people would be willing to pay if the fee was more like $50.
That takes it out of the category of 'a lot of money for computer files' for a
lot of people and puts it in the category of 'minor inconvenience'.

I sometimes fix friends' & older family members' computers as a favor and I've
noticed that they usually don't really have any files anyway. I always make a
backup before reformatting them and usually it includes their bookmarks and
maybe 2-3 random files scattered in their 'Documents' folder, none of which
are important. Their machines are more like just gateways to the internet than
anything.

Through machine moves over the years I'm sure I have multiple copies of the
most important ones anyway (keys, etc). If not oh well, life goes on. Shoulda
made backups in the first place if they were that important to me.

~~~
RichardHeart
Sounds like it would be more profitable to just lock out the device than
encrypt the files, for its internet browsing value may exceed its file storage
value.

~~~
paradite
It's much easier to recover from lock out (without losing data) than
decrypting the file.

~~~
RichardHeart
You can do both.

------
nissimk
I always say that visual studio 6 was the best version they ever made. At
least somebody out there agrees with me.

"As noted in our attribution post last year, use of Visual Studio 6.0 is not a
significant observation on its own – however, this development environment
dates from 1998 and is rarely used by malware coders. Nonetheless, it has been
seen repeatedly with Lazarus attacks."

~~~
frik
1998 was still a great year in Windows world. In 1999 the DotNet vision made
lots of things kind of legacy - kind of, because despite all odds Win32 and
shell32/Explorer are still thriving whereas DotNet Framework is now
officially legacy tech. And UWP hasn't caught on, as mobile is dead end for MS
and their Store is incredibly bad.

True, Visual Studio was really great. And like many, one had a VS6 and VB6
install still around. Even if VS6 C++ is really outdated nowadays, it doesn't
contain this spy-home feature that shipped with VS 2015 and VCredist 2015
(RTM, patch 1, patch 2). Back in the 1990s MS was a good company.

~~~
hvs
"Back in the 1990s MS was a good company."

Umm, isn't that precisely the period when they were charged with antitrust
violations? Such a short memory we have.

~~~
SamUK96
I think the OP's context for "good company" is "good company _for
coders/hackers_". You can have a company behaving in an anti-trustworthy way,
but their software still be _good_.

Also, their antitrust violations were due to the Windows OS and anti-
competitive behaviours, if I'm not mistaken? If so, then this is not really
relevant to their software or OP's post, but more their business approach of
locking out competition, which is a question of legality and economics.

~~~
hvs
Part of the anti-competitive behaviors were anti-Linux and open source which I
feel is "bad for coders".

[http://catb.org/~esr/halloween/](http://catb.org/~esr/halloween/)

------
raffomania
According to the article, the balances of the bitcoin addresses collecting the
ransoms are:

15.13562354 BTC = $26410
13.78022431 BTC = $24045
5.98851225 BTC = $17361

Assuming $300 per ransom, this works out to a total of 226 victims who paid.
This seems a little low compared to the huge amount of infected devices.

~~~
Belphemur
Did you check the transactions?

They could have already moved a part of the coins to an exchange.

~~~
ConfucianNardin
According to blockchain.info, no coins have been moved from the addresses in
the article.

------
throw2016
Isn't it curious that folks like Kim Dotcom who do not hold hospitals or
anyone to ransom earn global notoriety, are raided by swat teams and face the
full force of the law while those that hold hospitals to ransom can operate
with impunity with people reduced to tracking their bitcoin earnings on
twitter.

Is it the job of NSA and all the global security services with their
overarching reach, resources and power to warn, track and disable these
activities or is it to spy on citizens?

Half or more of these activities are used by agencies to shut down or sabotage
unfriendly interests and I suspect that's the only reason these shady figures
are allowed to exist, treated with kid gloves, operate with near impunity and
rarely see consequences. They serve as 'assets' to provide cover. Without
consequences these activities will spiral.

Things like ddos ultimately benefit companies like cloudflare. And the
preponderance of these kinds of worms force people to move their data to the
cloud or give up more control to large companies who promise security. This is
a subtle form of extortion. We don't know the extortionists but we do know the
beneficiaries.

This slowly but surely disempowers individuals and takes control away and
shifts it to large companies.

Holding a hospital to ransom whatever its security policies is a serious crime
and treating it as just another hack rather than extreme criminality and
blaming the victims is an extremely self-serving technical perspective.

~~~
Kenji
_Isn't it curious that folks like Kim Dotcom who do not hold hospitals or
anyone to ransom earn global notoriety, are raided by swat teams and face the
full force of the law while those that hold hospitals to ransom can operate
with impunity with people reduced to tracking their bitcoin earnings on
twitter._

It's a very classic and widespread law enforcement problem: They catch those
who are easiest to catch. There's an anecdote that so beautifully displays
this fallacy.

_A police officer sees a drunken man intently searching the ground near a
lamppost and asks him the goal of his quest. The inebriate replies that he is
looking for his car keys, and the officer helps for a few minutes without
success then he asks whether the man is certain that he dropped the keys near
the lamppost.

“No,” is the reply, “I lost the keys somewhere across the street.” “Why look
here?” asks the surprised and irritated officer. “The light is much better
here,” the intoxicated man responds with aplomb._

------
piqufoh
Does anyone else find it a little odd that something as big (and corporate) as
BAE is running a blog from blogspot on an unsecured domain?

Is this site legitimate?

~~~
justusthane
Yes. There's a link to that blog on
[http://www.baesystems.com/en/cybersecurity/home](http://www.baesystems.com/en/cybersecurity/home)

------
krabpaaltje
How does payment work? Seeing as how there are 3 addresses to send to.. Maybe
the amount of satoshis identifies a certain machine?

------
MrQuincle
Quote: "The initial infection vector is still unknown. Reports by some of
phishing emails have been dismissed by other researchers as relevant only to a
different (unrelated) ransomware campaign, called Jaff."

Would it be easy to find it if the initial attack vector uses some
semi-obscure torrent? Would people find out quickly?

------
gwu78
Notable that he calls the "kill-switch" a "mistake". For example, Chrome does
the same thing. When it starts it checks for some presumably non-existent
domain name.

~~~
mistaken
Yes, but the key difference is that Chrome uses a randomly generated domain
name, while the ransomware has it hardcoded.

~~~
gwu78
Yes, this sounds right. It has been a while since I looked at it. Is it just
one name? I have a faint recollection it tried more than one.

Anyway, how is the difference significant?

A localhost cache can point at a custom root.zone. The user can make her own
authoritative nameserver assignments for any given zone or domain. Zone files
can contain wildcards.

Responses can also be rewritten on the fly.

The end user can exercise full control over what is and is not a "valid"
domain name. She can prevent her applications from ever receiving an
"NXDOMAIN" response.

Maybe I am missing something but this "test" seems brittle; it only tests
ICANN DNS.
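
The difference between a fixed kill-switch name and a random-name probe, as an added Python example that is not part of this thread or of the BAE write-up. It models a stub resolver over an in-memory zone (a constructed stand-in for real DNS, including a wildcard entry and a resolver that rewrites NXDOMAIN to a fixed address), uses a placeholder kill-switch name rather than the real one, and assumes a Chrome-style probe of several random single-label names; the verdicts it returns are defensive diagnostics for judging whether a "the domain resolved" signal seen on a given network can be trusted.

```python
"""Toy model: why a single fixed-name 'does it resolve?' test is brittle.

Everything here is constructed for illustration; no real domain or resolver
is contacted.
"""
import random
import string
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed placeholder; the real kill-switch name is deliberately not used.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"


@dataclass
class ToyResolver:
    """Simplified resolver over an in-memory zone (constructed for this example).

    zone maps owner names to IPv4 strings. Keys of the form '*.parent' are
    wildcards; a bare '*' models a wildcard in a custom root zone.
    rewrite_nxdomain_to models a resolver that answers a fixed address instead
    of NXDOMAIN, as some ISP and captive-portal resolvers do.
    """
    zone: Dict[str, str]
    rewrite_nxdomain_to: Optional[str] = None

    def resolve(self, name: str) -> Optional[str]:
        name = name.lower().rstrip(".")
        if name in self.zone:
            return self.zone[name]
        # RFC 1034 wildcard matching, simplified: walk up the ancestors and use
        # the closest '*.parent' entry. A wildcard never matches its parent
        # itself, so 'example' is not matched by '*.example'.
        labels = name.split(".")
        for i in range(1, len(labels) + 1):
            parent = ".".join(labels[i:])
            wildcard = "*." + parent if parent else "*"
            if wildcard in self.zone:
                return self.zone[wildcard]
        if self.rewrite_nxdomain_to is not None:
            return self.rewrite_nxdomain_to
        return None  # NXDOMAIN


def hardcoded_check(resolver: ToyResolver, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Kill-switch style test: one fixed name, True if any answer came back."""
    return resolver.resolve(domain) is not None


def random_label(rng: random.Random, length: int = 10) -> str:
    """A random single-label hostname that should not exist anywhere."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def catch_all_probe(resolver: ToyResolver, rng: random.Random, probes: int = 3) -> bool:
    """Chrome-style probe (assumed design): several random names that should
    all fail. If every one gets an answer, the resolver answers for
    nonexistent names and 'it resolved' carries no information."""
    answers = [resolver.resolve(random_label(rng)) for _ in range(probes)]
    return all(a is not None for a in answers)


def classify(resolver: ToyResolver, domain: str = KILL_SWITCH_DOMAIN) -> str:
    """Defender's verdict on what a fixed-name lookup result actually means."""
    if catch_all_probe(resolver, random.Random(0)):
        return "catch-all"  # fixed-name result is meaningless on this network
    if hardcoded_check(resolver, domain):
        return "exists"     # genuinely registered, e.g. sinkholed by a researcher
    return "nxdomain"


# Constructed scenarios (addresses from RFC 5737 documentation ranges).
HONEST_UNREGISTERED = ToyResolver(zone={"www.example": "192.0.2.10"})
HONEST_SINKHOLED = ToyResolver(
    zone={"www.example": "192.0.2.10", KILL_SWITCH_DOMAIN: "192.0.2.53"})
WILDCARD_ROOT = ToyResolver(zone={"*": "127.0.0.1"})
REWRITING_ISP = ToyResolver(zone={"www.example": "192.0.2.10"},
                            rewrite_nxdomain_to="198.51.100.1")

if __name__ == "__main__":
    scenarios = [("honest, unregistered", HONEST_UNREGISTERED),
                 ("honest, sinkholed", HONEST_SINKHOLED),
                 ("wildcard root zone", WILDCARD_ROOT),
                 ("NXDOMAIN-rewriting ISP", REWRITING_ISP)]
    for label, r in scenarios:
        print(f"{label:24} fixed-name={hardcoded_check(r)!s:5} verdict={classify(r)}")
```

The fixed-name test answers "resolved" for both the sinkholed domain and the two catch-all resolvers, which is exactly the brittleness discussed above: on its own it cannot tell a registered name from a network that resolves everything. The random probe separates those two cases, so a monitoring system that watches for lookups of a sinkholed name should record which resolver answered and whether that resolver is known to rewrite NXDOMAIN before treating the lookup as an infection indicator.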

------
pksadiq
Did these happenings have any effect on Windows market share? Hope somebody
will blog on that too.

I hope many people have understood to not have public Windows servers at
least. It could most probably affect their business in the long run (Not
saying that GNU/Linux is safe. But it is _safer_ ).

~~~
13of40
If you think about it, it's actually safer, from a malware perspective, to use
Windows Phone instead of Android. And for the same reason.

