Wanna Decryption Ransom Screen
Wanna (also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r) ransomware exploded onto the ransomware scene on May 12, 2017, with a mass campaign impacting organizations in many countries. This second variant of the ransomware has been leveraging the EternalBlue (MS-17010) vulnerability, released by the Shadow Brokers actors, in order to spread over victim networks via the Windows file sharing protocol, Server Message Block (SMB), following an initial infection.
CrowdStrike Falcon Prevent offers protection for this variant through two types of coverage. Falcon Prevent has a Machine Learning layer (at the “Moderate Level”) and a Behavioral IOA layer (“Suspicious Process”). To ensure this ransomware is prevented, the Prevention Policies must be enabled. For additional details on how to configure CrowdStrike Falcon Prevent to stop Wanna ransomware and its variants, please visit the blog, “CrowdStrike Falcon Prevents WannaCry Ransomware.”
Wanna ransomware targets 177 file types for encryption. Victim files are appended with .wncry.
Unlike other ransomware families, Wanna continues to encrypt victim files following any name changes, and any new files created following infection. A ransom note is displayed on the victim machine, which is completed using text from a library of Rich Text Format (RTF) files, in multiple languages and chosen based on machine location. A similar text based ransom note named @Please_Read_Me@.txt is added to each folder containing encrypted victim files.
Observed ransom demands have been either $300 or $600 USD worth of Bitcoin (BTC) and the decryption software shows one of the following three possible Bitcoin wallet addresses:
Wanna contains a resource name XIA, which is a password-protected ZIP archive file using the password WNcry@2ol7. This contains the following additional resource files:
Executing the main module directly drops files and folders into the directory in which it was run and causes further processes to be launched from those folders. However, executing the main module with the command line argument /i installs the malware as a service named uebdpwbdm529. When installed as a service, files and folders are installed to C:\ProgramData\uebdpwbdm529\. The service is started when the user logs on and executes the file C:\ProgramData\uebdpwbdm529\tasksche.exe.
In order to utilize the SMB shadow broker exploitation capability, a process named winsecsvc.exe is installed in the Wanna directory. From current samples of Wanna, the file winsecsv.exe performs a check to the domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, which has now been sinkholed by an unknown entity. Should the victim machine make a successful connection to this domain, the process will not perform SMB exploitation. However, if the domain is not reachable, the process tasksche.exe will be launched with the /i parameter to initialize the service installation. If the service is created successfully, Wanna will perform its usual file encryption operations as well as seek to exploit vulnerable SMB shares. The registration of the domain has disabled the SMB exploitation capability.
The resource file named s.wnry is another ZIP file that contains a folder called TaskData. This contains a TOR bundle to communicate with the command-and-control (C2) servers, which is required for the victim to make the ransom payment. At present, observed C2s are:
A file named 00000000.pky contains an RSA 2048-bit key, and file encryption is performed using the Microsoft Cryptographic Service Provider with a mix of AES with randomly generated 128-bit key and RSA, which occurs regardless of the network’s connectivity status.
CrowdStrike Intelligence will continue to monitor the development of this ransomware and continue to provide more in-depth technical analysis.
Watch a video to learn more: How To Stop WannaCry Ransomware with CrowdStrike Falcon Endpoint Protection