Acalvio Threat Research Labs

The WannaCry ransomware attack has made front-page news around the world, with at least 150 countries and 200,000 customers affected [2]. Because WannaCry uses a largely unpatched Windows exploit for lateral movement, it spreads rapidly once it penetrates an organization's network. In this blog we detail the lateral movement technique used by the WannaCry ransomware. For details about other lateral movement techniques employed by malware, we encourage readers to refer to the published paper [1] in Virus Bulletin.

Lateral Movement Technique Used by WannaCry Ransomware

WannaCry spreads within a network over SMB (Server Message Block), which operates on TCP ports 445 and 139. The malware's SMB propagation functionality lives in the ServiceHandler function of the "mssecsvc2.0" service. This function calls WSAStartup and performs cryptographic initialization, then spawns two threads dedicated to SMB exploitation: one to infect internal targets and another to infect external targets.

Figure 1.0: The code that uses SMB to spread.

In the internal-target infection function, shown in Figure 2.0, the infected host's network adapters are enumerated. For each adapter, every address in the local subnet X.X.X.[1-254] is tried in an SMB spreading attempt.

Figure 2.0: The code that enumerates adapters for local-subnet infection.

Additionally, the malware enumerates the local DNS servers and gateways and attempts to spread to them as well.

Figure 3.0: The code for the DNS server check.

The malware checks the IP addresses of the local DNS servers to rule out public servers. Only DNS servers in the following private ranges are attempted; a DNS server outside these ranges is not targeted:

10.0.0.0    – 10.255.255.255
172.16.0.0  – 172.31.255.255
192.168.0.0 – 192.168.255.255

In the external spreading function, the malware enumerates random IP subnets and attempts infection; addresses are enumerated as X.Y.Z.[1-254]. The same SMB spreading function is used by both the internal and external spreading functions. It performs an SMB negotiation and then sends an SMB Trans request to check for the presence of an implant, which would indicate that the target has already been compromised.

Figure 4.0: The code with which the malware checks whether the target is already implanted with DOUBLEPULSAR (or a similar implant).

A host running the DOUBLEPULSAR implant answers the Trans request with the error code STATUS_INVALID_PARAMETER (0xc000000d) in its SMB Trans response, whereas a normal host, as shown in Figure 5.0, responds with STATUS_INSUFF_SERVER_RESOURCES (0xc0000205), for example.

Figure 5.0: Packet capture of the implant check.
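The implant check above turns on the two NT status codes a host returns. As an added example (not code from the original post or from Acalvio), the following Python parses the SMB1 header of a Trans response and classifies the answering host by those codes, so a defender can triage captured responses the same way; the frames and host addresses are constructed sample data, not real captures, and the header layout follows the SMB1 protocol.

```python
import struct

STATUS_INVALID_PARAMETER = 0xC000000D        # answer from a DOUBLEPULSAR-implanted host (per the post)
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # answer from a normal, unimplanted host (per the post)
SMB_COM_TRANSACTION = 0x25                   # SMB1 "Trans" command code
SMB_FLAGS_REPLY = 0x80                       # Flags bit set in every SMB1 response
# SMB1 header after the 4-byte "\xffSMB" signature (little-endian, no padding):
# Command(B) Status(I) Flags(B) Flags2(H) PIDHigh(H) SecurityFeatures(8s) Reserved(H) TID(H) PIDLow(H) UID(H) MID(H)
SMB1_HEADER_FMT = "<BIBHH8sHHHHH"

def parse_smb1_header(frame: bytes) -> dict:
    """Parse the NetBIOS session header plus the 32-byte SMB1 header of one TCP frame."""
    if len(frame) < 36:
        raise ValueError("frame too short for NetBIOS + SMB1 header")
    if frame[0] != 0x00 or int.from_bytes(frame[1:4], "big") != len(frame) - 4:
        raise ValueError("bad NetBIOS session header")
    hdr = frame[4:36]
    if hdr[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    cmd, status, flags, _f2, pid_hi, _sec, _rsv, tid, pid, uid, mid = struct.unpack(SMB1_HEADER_FMT, hdr[4:])
    return {"command": cmd, "status": status, "flags": flags, "tid": tid,
            "pid": (pid_hi << 16) | pid, "uid": uid, "mid": mid}

def classify_trans_response(frame: bytes) -> str:
    """Apply the status-code test described in the post to one SMB1 frame."""
    h = parse_smb1_header(frame)
    if h["command"] != SMB_COM_TRANSACTION or not h["flags"] & SMB_FLAGS_REPLY:
        return "not-a-trans-response"
    if h["status"] == STATUS_INVALID_PARAMETER:
        return "implant-present"   # DOUBLEPULSAR (or similar) is answering: isolate and investigate
    if h["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "clean-host"        # stock SMBv1 server behaviour
    return "unknown-status"

def build_trans_response(status: int, command: int = SMB_COM_TRANSACTION, mid: int = 0x41) -> bytes:
    """Construct a minimal SMB1 error response carrying `status` (sample data, not a real capture)."""
    hdr = b"\xffSMB" + struct.pack(SMB1_HEADER_FMT, command, status, 0x98, 0xC007, 0,
                                   b"\0" * 8, 0, 0, 0xFEFF, 0, mid)
    body = b"\x00\x00\x00"  # WordCount = 0, ByteCount = 0: an error response carries no parameters
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload  # NetBIOS session message header

def scan_responses(responses):
    """Map each (host, frame) pair to its verdict, as a triage loop over captured responses would."""
    return {host: classify_trans_response(frame) for host, frame in responses}

# Constructed responses from two hypothetical hosts inside the 10.0.0.0/8 range listed in the post.
SAMPLE_RESPONSES = [("10.0.0.5", build_trans_response(STATUS_INVALID_PARAMETER)),
                    ("10.0.0.6", build_trans_response(STATUS_INSUFF_SERVER_RESOURCES))]
```

Running `scan_responses(SAMPLE_RESPONSES)` flags 10.0.0.5 as implant-present and 10.0.0.6 as clean; on real traffic the status code is one indicator, so confirm on the host before acting.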

If the malware determines that the target is not already infected, it proceeds with the SMBv1 exploit by sending massive Trans2 requests. After the exploitation attempt, the malware again performs an SMB negotiation and requests another Trans response to check whether exploitation succeeded.

If exploitation is successful, the malware then uses the implant on the exploited host to propagate itself.

Conclusion

The severity and impact of the WannaCry ransomware were multiplied by its lateral movement technique. In this blog we have described the lateral movement techniques employed by the ransomware, which resulted in broad infection in organizations with unpatched Windows computers and limited internal segmentation.

Shadowplex-R detects WannaCry ransomware and isolates the infected endpoint using deception technology. As the accompanying video shows, detection is extremely fast (under 8 milliseconds), which is crucial to stopping ransomware from encrypting your data and spreading to other devices.

For additional perspective, our Deception-centric Defense Against Ransomware blog details the advantages of a deception-centric architecture over traditional solutions. Read about why this approach should be part of your security solution strategy, especially if you're concerned about ransomware.


IOC of the analyzed sample (SHA-256)

24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

References

[1] Abhishek Singh, "Spreading Technique Used by Malware", Virus Bulletin, https://www.virusbulletin.com/virusbulletin/2016/12/spreading-techniques-used-malware/

[2] "WannaCry Ransomware", CNBC, http://www.cnbc.com/2017/05/15/ransomware-wanncry-virus-what-to-do-to-protect.html