Ransomware is nothing new, since 2012 it has been wreaking havoc on the world. The TTPs for delivering and infecting victims has changed over the years but the end goal remains the same, give me your money or you’ll never see your files again. Some of the first ransomware campaigns used mechanisms such as exploit kits, blackhole was the popular choice along time. Blackhole was created by the now incarcerated “Paunch” a Russian crimeware coder pictured below:
Blackhole web based exploit kit would deliver malware by exploiting vulnerabilities such as flash, java, silverlight and IE. After exploiting your system it would issue a command to download whatever malware the person renting the botnet or owner of it chooses.
After the arrest and seven year sentence of Paunch exploit kits have simmered down, however ransomware infections and variations of them have remained on the steady rise. New methods for infecting victims focused on malspam e-mail campaigns which used attachments and malicious links to trick victims into clicking. Once e-mail spam filters caught on to the obvious .zip/.exe files they switched to macro documents and PDF files which still to this day seems to be the preferred method of infection. Once a user opens a .docm file that loads malware a macro will run which downloads the ransomware in this case. If macros are disabled (obviously a best practice) you will see a blank page that reads “if you want to see this content please enable macros” with a nice click here button that many individuals don’t think twice about clicking because they are looking at a blank page.
WannaCry botnet C2 servers using a generated domain name algorithm has been sinkholed which for now will prevent an infected user from reaching the malicious command and control servers. Here is one such domain name that was being used in the campaigns:
which now redirects you to the sinkhole
Domain name: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Registry Domain ID: 2123519849_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2017-05-15T21:57:30.00Z Creation Date: 2017-05-12T15:08:04.00Z Registrar Registration Expiration Date: 2018-05-12T15:08:04.00Z Registrar: NAMECHEAP INC Registrar IANA ID: 1068 Registrar Abuse Contact Email: firstname.lastname@example.org Registrar Abuse Contact Phone: +1.6613102107 Reseller: NAMECHEAP INC Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Domain Status: addPeriod https://icann.org/epp#addPeriod Registry Registrant ID: Registrant Name: Botnet Sinkhole Registrant Organization: Registrant Street: Botnet Sinkhole Registrant City: Los Angeles Registrant State/Province: CA Registrant Postal Code: 00000 Registrant Country: US Registrant Phone: +0.00000000000 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: BotnetSinkhole@gmail.com
As I write this e-mail new infection sites are still popping up that would be called within a malicious attachment or after clicking on a click to one of the domain names now sinkholed to infect you. Below are some live examples (VISIT AT YOUR OWN RISK – MOST ARE ACTIVE) of WannaCry ransomware loading links. The files are not executable and the macro uses a powershell script to issue commands on your machine to use these files.
Date URL MD5 IP Tools
05-15 [D] tutmacli[.]com/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 220.127.116.11 PED UQ
05-15 [D] rooana[.]com/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 18.104.22.168 PED UQ
05-15 [D] ppapmoozamiz[.]com/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 22.214.171.124 PED UQ
05-15 [D] hrlpk[.]com/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 126.96.36.199 PED UQ
05-15 [D] hncdc[.]org/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 188.8.131.52 PED UQ
05-15 [D] dovahosting[.]com/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 184.108.40.206 PED UQ
05-15 [D] boolas[.]com/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 220.127.116.11 PED UQ
05-15 [D] bianshop[.]com/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 18.104.22.168 PED UQ
05-15 [D] byydei74fg43ff4f[.]net/af/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 22.214.171.124 PED UQ
05-15 [D] 5hdnnd74fffrottd[.]com/af/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 126.96.36.199 PED UQ
05-15 [D] sjffonrvcik45bd[.]info/af/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 188.8.131.52 PED UQ
05-15 [D] fotografikum[.]com/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 184.108.40.206 PED UQ
05-15 [D] dcfarbicka[.]sk/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 220.127.116.11 PED UQ
05-15 [D] bizcleaning.co[.]uk/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 18.104.22.168 PED UQ
05-15 [D] dsintergrated[.]com/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 22.214.171.124 PED UQ
05-15 [D] vbplan[.]de/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 126.96.36.199 PED UQ
05-15 [D] diasgroup[.]sk/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 188.8.131.52 PED UQ
05-15 [D] ecbuyjp[.]com/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 184.108.40.206 PED UQ
05-15 [D] urachart[.]com/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 220.127.116.11 PED UQ
05-15 [D] ecuamiaflowers[.]com/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 18.104.22.168 PED UQ
05-15 [D] energybalancecenter[.]nl/hHGFjd F5EBB00E1FB9BBCFE5AE742082E2002F 22.214.171.124 PED UQ
The reason WannaCry is creating so much noise and attention is that not only does it infect your computer but once on your system it will install a module that will scan your network for machines that have ports 139 and 445 open. Once machines have been identified the malware will attempt to exploit a known SMB exploit dubbed ETERNALBLUE/MS17-010 and spread throughout the network as a worm. Hence the panic and news related to this ransomware, entire organizations running SMBv1 can become owned rapidly.
Why are so many hosts vulnerable to this SMB exploit? Many organizations have not patched the vulnerability because SMB is almost always firewalled off from the outside world which means someone would have to be inside the network in order to use the exploit. The creators of this ransomware have taken advantage of this laziness to patch and created a very dangerous ransomware worm.
Sample infection pop-up:
File names the first variant were associated with:
Anti-Virus vendors detection of the first variant:
|Endgame||malicious (high confidence)||20170503|
|K7AntiVirus||Exploit ( 0050d7a31 )||20170515|
|K7GW||Exploit ( 0050d7a31 )||20170515|