WannaCry Ransomware Analysis: Lateral Movement Propagation

Acalvio Threat Research Labs

The WannaCry ransomware attack has made front page news around the world, with at least 150 countries and 200,000 customers affected [2]. Because WannaCry makes use of a largely unpatched Windows exploit for lateral movement, it is able to spread rapidly once it penetrates an organization’s network. In this blog we detail the lateral movement technique used by the WannaCry ransomware. For  details about other types of lateral movement techniques which have been employed by malware, we would encourage readers to refer to published paper [1] in Virus Bulletin.

Lateral Movement Technique used by WannaCry Ransomware.

WannaCry uses SMB (Windows Server Message Block) for spreading within a network, operating over TCP 445 and 139. The malware’s propagation functionality over SMB is in the “mssecsvc2.0” ServiceHandler function. This function performs WSAstartup functionality and cryptographic initialization. The ServiceHandler will spawn two threads specifically for SMB exploitation; one to infect internal targets and another to infect external targets.

In the internal target infection function, the infected host’s network adapters are enumerated. For each adapter, the local subnet X.X.X.[1-254] is used in an SMB spreading attempt.

Additionally, the local DNS servers and gateways are all enumerated by the malware in an attempt to spread to them.

The malware checks the IP addresses of local DNS servers to eliminate the possibility that they are public servers. Only the following DNS server ranges are attempted, and if the DNS server does not fall in these ranges it will not attempt to infect:

10.0.0.0    – 10.255.255.255

172.16.0.0  – 172.31.255.255

192.168.0.0 – 192.168.255.255

In the external spreading function, random IP subnets are enumerated and infection is attempted by the malware. IP addresses will be enumerated as follows X.Y.Z.[1-254]. The SMB spreading function is used in both internal and external spreading function.It performs an SMB negotiation and sends an SMB::Trans_Request packet to check for the presence of an implant indicating that the target has already been compromised.

The error code returned from the DOUBLEPULSAR implant in an SMB trans response is STATUS_INVALID_PARAMETER (0xc000000d), while a normal host as shown in Figure 5.0, would respond with STATUS_INSUFF_SERVER_RESOURCES (0xc0000205) as an example.

If the malware determines that the target is not already infected, it will proceed with the SMBv1 exploit by sending massive Trans2 Requests. After the exploitation attempt, the malware will again perform an SMB negotiation and request another trans response to check if exploitation succeeded or not.

If exploitation is successful the malware will then use the exploited host to propagate itself via the implant.

Conclusion

The severity and impact of the WannaCry ransomware was multiplied by its lateral movement technique. In this blog we have shared lateral movement techniques employed by the ransomware which resulted in broad infection in organizations with unpatched Windows computers and limited internal segmentation.

ShadowPlex-R detects WannCry ransomware and isolates the infected endpoint using deception technology. As the video below shows, detection is extremely fast (under 8 milliseconds), which is crucial to stopping ransomware from encrypting your data and spreading to other devices.