Explain like I’m a Noob
Ransomware is a relatively new type of encryption malware that has recently made headlines by wreaking havoc on well-established systems across the globe. Its method of attack is simple enough — an infected computer contacts a remote server to activate the embedded malware, then encrypts the files stored on the computer using the information it received. It then displays a message demanding payment to decrypt the files; if the victim does not pay, they are threatened with the deletion of their data. Payment is made in Bitcoin, which is very difficult to trace back to its source. This type of malware can be spread through a PDF, Word document or any other file that can be sent as an email attachment, and once a single computer has been infected, it can spread across the entire network very quickly. Recently, the cryptoworm “WannaCry” infected National Health Service systems in the UK and Telefónica, a telecommunications provider in Spain. Following this attack, the ransomware “Petya” (named after a satellite in the James Bond film “GoldenEye”) was also propagated across Asia. The malware takes advantage of vulnerabilities in older versions of the Windows OS, which enable it to spread across a network. These vulnerabilities have since been patched, and newer operating systems appear to be unaffected. The danger of ransomware attacks still remains, however, as the origins of this malware are still unknown, as is any way of decrypting the affected data.
Explain like I’m a Geek
Ransomware is an application of cryptovirology, the use of cryptographic algorithms in creating malware. Taking the example of the “WannaCry” malware, it can effectively be split into two parts. The first part is a worm, “Wannacrypt0r”, that uses an exploit to distribute itself across the network. The exploit in question, “ETERNALBLUE”, was leaked by the Shadow Brokers group and is widely believed to have been developed by the NSA for targeting financial institutions in the Middle East. EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows (specifically XP and Vista) mishandles specially crafted packets from remote attackers, which allows attacker-chosen code to be executed on the victim’s computer. Microsoft patched this vulnerability in March (MS17-010). Another backdoor implant tool, “DOUBLEPULSAR”, which was leaked alongside EternalBlue, is also used by the attackers as the primary payload.
Moving on to the second part, the actual ransomware executable uses public-key, or asymmetric, encryption as a means of encrypting the victim’s files. In symmetric encryption, the same secret key is used for both encryption and decryption, whereas asymmetric encryption involves a private key, known only to its owner, and a public key, which may be known to anyone; encryption uses the public key and decryption uses the private key. If the attacker holds the private key, any encrypted data can be recovered only at his or her discretion. In the case of WannaCry, once the malware is running on the victim machine it generates a new, unique 2048-bit RSA key pair. The malware exports the victim’s public RSA key to a local file called 00000000.pky using the CryptExportKey API. Next, it exports the victim’s private RSA key, encrypts it with the attacker’s public key hardcoded in the malware, and stores it on disk as 00000000.eky. Now that the key has been stored, the malware calls the CryptDestroyKey API to destroy the private key in memory, which limits the window in which any other tool could recover the private key parameters from memory. The malware then enumerates all files of interest based on their extension. For all of these files the victim’s RSA public key, whose private key has been encrypted and stored locally, is used: the ransomware generates a new 16-byte symmetric key with the CryptGenRandom API for each file it wants to encrypt, encrypts the file with that key, then encrypts the symmetric key using one of the available RSA public keys and stores it together with the encrypted copy of the original file.
Before actually proceeding with the infection, however, the package tries to connect to an IP address via an HTTP request on port 445 (the port used by SMB). The domain – iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – is a random-looking arrangement of letters, suggesting that it was typed by a human. The ransomware always tries to connect to this domain, and if it cannot, it proceeds with the infection. Further investigation revealed that the domain might be some kind of kill switch, but it had never been registered, so every connection attempt failed. This ultimately led to the downfall of the extortion campaign: the connection attempts were noticed by a malware analyst, MalwareTech, who registered the domain and sinkholed it. This prevented the further spread of the ransomware, as every time the connection succeeded, the malware stopped executing. There is still no concrete theory as to why this kill switch existed, or why it was so easily discovered.
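As an added defender-side example (not code from the original post), here is a Python sweep over constructed resolver log lines that flags clients which looked up the kill-switch domain named above, separating those whose lookup failed (where, by the logic described, the infection continued) from those that reached the sinkhole. The log layout, client IPs and answers are assumptions made for the example.

```python
import re
from typing import Dict, List
# Kill-switch domain quoted on the page. The page states that the malware halts
# only when its connection to this domain succeeds, so a lookup that failed
# means the infection routine continued on that client.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample resolver log. The layout (timestamp, client, type, name,
# answer) is an assumption for this example, not any real product's format.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:02Z 10.0.4.17 A www.example.com 93.184.216.34
2017-05-12T10:01:05Z 10.0.4.22 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T10:02:11Z 10.0.4.22 A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T10:03:40Z 10.0.7.3 A IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. 198.51.100.8
2017-05-12T10:04:00Z 10.0.4.17 A updates.example.org 203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so FQDN spellings compare equal."""
    return name.lower().rstrip(".")

def find_kill_switch_lookups(log_text: str) -> Dict[str, dict]:
    """Summarize, per client, lookups of the kill-switch domain.
    'attempts' counts lookups; 'reached_sinkhole' becomes True once any lookup
    resolved, i.e. the client could reach the sinkhole and the malware stopped.
    """
    summary: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        ts, client, _qtype, qname, answer = m.groups()
        if normalize(qname) != KILL_SWITCH_DOMAIN:
            continue
        entry = summary.setdefault(client, {"attempts": 0, "reached_sinkhole": False, "first_seen": ts})
        entry["attempts"] += 1
        if answer != "NXDOMAIN":
            entry["reached_sinkhole"] = True
    return summary

def hosts_to_isolate_first(summary: Dict[str, dict]) -> List[str]:
    """Clients whose lookups never resolved: the kill switch did not fire there."""
    return sorted(c for c, e in summary.items() if not e["reached_sinkhole"])

if __name__ == "__main__":
    found = find_kill_switch_lookups(SAMPLE_DNS_LOG)
    print(found, "isolate first:", hosts_to_isolate_first(found))
```

Because the malware stops only when the connection succeeds, a proxy or DNS filter that blocks this domain by reputation would defeat the kill switch, which is why the sweep treats a resolved answer as the good case.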
The extortion campaign of the individuals behind WannaCry seems to have collected around 49 BTC (around 76,000 USD) in ransom payments. However, the disruption caused by the malware has resulted in far greater financial damage. Russia, Ukraine, Taiwan and India remain the worst-hit countries, and the quick identification of the kill switch minimized the spread of WannaCry within the USA. The threat still looms: all the attackers would have to do is release a variant of the malware that communicates with a different IP address, and the attack could shift into a higher gear.