Create a gist now Instantly share code, notes, and snippets.WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010.It uses EternalBlue MS17-010 to propagate.Ransom: between $300 to $600.There is code to 'rm' (delete) files in the virus.Seems to reset if the virus crashes.Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user.It also installs the DOUBLEPULSAR backdoor.It corrupts shadow volumes to make recovery harder.(source: malwarebytes) is up the virus exits instead of infecting the host.This domain has been sinkholed, stopping the spread of the worm.Will not work if proxied (source).update: A minor variant of the virus has been found, it looks to have had the killswitch hexedited out.Not done by recompile so probably not done by the original malware author.On the other hand that is the only change: the encryption keys are the same, the bitcoin addresses are the same.

On the other hand it is corrupt so the ransomware aspect of it doesn't work - it only propagates./en-us/library/security/ms17-010.aspx /msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ //2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html /2017/04/doublepulsar-initial-smb-backdoor-ring.html Vulnerable/Not Vulnerable To be infected requires the SMB port (445) to be open, or the machine already infected with DOUBLEPULSAR (and killswitch not registered or somehow blocked, or the network accessing it through a proxy).bitcoin faucet trickThe MS17-010 patch fixes the vulnerability.bitcoin blockchain virusWindows XP: Doesn't spread.bitcoin pump and dump twitterIf run manually, can encrypt files.litecoin hash rate vs difficulty

Windows 7,8,2008: can spread unpatched, can encrypt files.Windows 10: Doesn't spread.Even though Windows 10 does have the faulty SMB driver.If run manually with wine, can encrypt files.bitcoin linux distributionInfections NHS (uk) turning away patients, unable to perform x-rays.bitcoin homeland security(list of affected hospitals) Nissan (uk) http://www.chroniclelive.co.uk/news/north-east-news/cyber-attack-nhs-latest-news-13029913 /SkyNews/status/863044193727389696) power firm Iberdrola and Gas Natural (spain) /jeancreed1/status/863089728253505539) University of Waterloo (ontario canada) /dabazdyrev/status/863034199460261890/photo/1 /vassgatov/status/863175506790952962 /vassgatov/status/863175723846176768 Portugal Telecom Сбербанк - Sberbank Russia (russia) Shaheen Airlines (pakistan, claimed on twitter) Train station in frankfurt (germany) Neustadt station (germany) the entire network of German Rail seems to be affected (@farbenstau) in China secondary schools and universities had been affected (source) A Library in Oman (@99arwan1) /95cnsec/status/863292545278685184) Renault (France) (http://www.lepoint.fr/societe/renault-touche-par-la-vague-de-cyberattaques-internationales-13-05-2017-2127044_23.php) (http://www.lefigaro.fr/flash-eco/2017/05/13/97002-20170513FILWWW00031-renault-touche-par-la-vague-de-cyberattaques-internationales.php) /Damien_Bancal/status/863305670568837120 University of Milano-Bicocca (italy) /nkl0x55/status/863340271391580161 /95cnsec/status/863382193615159296 norwegian soccer team ticket sales https://www.nrk.no/telemark/eliteserieklubber-rammet-av-internasjonalt-dataangrep-1.13515245 STC telecom (saudia arabia, more, more) All ATMs in india closed /Forbes/status/864850749225934852 /wiki/WannaCry_cyber_attack#List_of_affected_organizations they seem to be cataloguing the infections faster/better.

Informative Tweets /the_ens/status/863055007842750465 /the_ens/status/863069021398339584 /kafeine/status/863049739583016960 /laurilove/status/863065599919915010 /laurilove/status/863066699888824322 /laurilove/status/863072240123949059 /PayloadSecurity/status/863024514933956608 /CTIN_Global/status/863095852113571840 /laurilove/status/863107992425779202 /hackerfantastic/status/863105127196106757 /hackerfantastic/status/863105031167504385 FedEx infected via Telefonica?/jeancreed1/status/863089728253505539 /hackerfantastic/status/863070063536091137 /hackerfantastic/status/863069142273929217 /hackerfantastic/status/863115568181850113 /laurilove/status/863116900829724672 /0xSpamTech/status/863058605473509378 /bl4sty/status/863143484919828481 /e55db081d05f58a/status/863109716456747008 /neelmehta/status/864164081116225536 /shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition /research/wcry-ransomware-analysis Cryptography details Each infection generates a new RSA-2048 keypair.

The public key is exported as blob and saved to 00000000.pky The private key is encrypted with the ransomware public key and saved as 00000000.eky Each file is encrypted using AES-128-CBC, with a unique AES key per file.Each AES key is generated CryptGenRandom.The AES key is encrypted using the infection specific RSA keypair.The RSA public key used to encrypt the infection specific RSA private key is embedded inside the DLL and owned by the ransomware authors.https://haxx.in/key1.bin (the ransomware pubkey, used to encrypt the users private key) https://haxx.in/key2.bin (the dll decryption privkey) the CryptImportKey() rsa key blob dumped from the DLL by blasty./aaW2Rfb6 even more in depth RE information by cyg_x1!!Bitcoin ransom addresses 3 addresses hard coded into the malware.https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn C&C centers gx7ekbenv2riucmf.onion 57g7spgrzlojinas.onion xxlvbrloxvriy2c5.onion 76jdd2ir2embyv47.onion cwwnhwhlz52maqm7.onion Languages All language ransom messages available here: https://transfer.sh/y6qco/WANNACRYDECRYPTOR-Ransomware-Messages-all-langs.zip m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese File types There are a number of files and folders wannacrypt will avoid.

Some because it's entirely pointless and others because it might destabilize the system.During scans, it will search the path for the following strings and skip over if present: "Content.IE5" "Temporary Internet Files" " This folder protects against ransomware.Modifying it will reduce protection" "\Local Settings\Temp" "\AppData\Local\Temp" "\Program Files (x86)" "\Program Files" "\WINDOWS" "\ProgramData" "\Intel" "$" The filetypes it looks for to encrypt are: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der credit herulume, thanks for extracting this list from the binary.

/xZKU7Ph1 thanks to cyg_x11 Some other interesting strings BAYEGANSRV\administrator Smile465666SA /0LrH05y2 Encrypted file format typedef struct _wc_file_t { char sig[WC_SIG_LEN] // 64 bit signature WANACRY!uint32_t keylen; // length of encrypted key uint8_t key[WC_ENCKEY_LEN]; // AES key encrypted with RSA uint32_t unknown; // usually 3 or 4, unknown uint64_t datalen; // length of file before encryption, obtained from GetFileSizeEx uint8_t *data; // Ciphertext Encrypted data using AES-128 in CBC mode } wc_file_t; credit for reversing this file format info: cyg_x11.Vulnerability disclosure The specific vulnerability that it uses to propagate is ETERNALBLUE.This was developed by "equation group" an exploit developer group associated with the NSA and leaked to the public by "the shadow brokers".Microsoft fixed this vulnerability March 14, 2017.They were not 0 days at the time of release./msrc/2017/04/14/protecting-customers-and-evaluating-risk/ /en-us/library/security/ms17-010.aspx Sign up for free to join this conversation on GitHub.