Ransomware wannacry


Di tengah ketenangan akhir pekan ini, tiba-tiba grup diskusi para peneliti malware mendadak jadi rame. Ternyata hari ini ada berita tentang penyebaran malware yang sangat masif, yaitu Ransomware Wannacry. Konon sudah terdeteksi menyebar di 90-an negara. Di luar negeri yang sudah menjadi korban diantaranya berbagai rumah sakit di USA, beberapa Bank di Rusia, jaringan komputer kereta di Jerman dll. Di Indonesia yang sudah melapor kena infeksi ransomware ini beberapa komputer rumah sakit dan beberapa komputer di pemerintah daerah. Bahkan Kominfo (kementerian komunikasi dan informatika ) di hari libur ini juga mengeluarkan press release tentang malware ini.

Malware ini kerjanya mengenkrip file di komputer korban, sehingga file kita gak bisa dibuka. Yah mungkin analoginya kayak file kita dizip oleh malware terus dikasih password. Untuk ngedapatin password tersebut kita harus bayar dulu uang tebusan (ransom) ke penjahat yang bikin malware ini. Tipe malware seperti ini disebut Ransomware.

Ransomware wannacry ini menginfeksi lewat email phishing. Jadi misalnya kita dapat email gak jelas kemudian di email tersebut ada attachment atau sebuah link website, ya sebaiknya jangan dibuka. Cuman selain itu dia bisa menyebar lewat smb (buat file sharing). Jadi misalnya ada satu komputer terinfeksi malware ini, maka malware ini bisa nyebar ke seluruh komputer yang ada di jaringan.

Langkah Pencegahan

Menurut microsoft, hampir semua versi windows kecuali windows 10 rentan terhadap serangan ransomware ini. Microsft juga telah mengeluarkan update untuk mengatasi masalah ini. Ada beberapa langkah pencegahan yang bisa dilakukan supaya tidak terinfeksi malware ini:

  • Install MS17-010 Patch
  • Disable SMBv1
  • Block Ports 139/445 & 3389

Untuk menginstall patch MS17-010 bisa dilihat pada link berikut:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Untuk mematikan SMBv1 bisa dilihat pada link berikut:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

Tulisan lengkap tentang malware ini bisa dilihat pada site berikut: (Bahkan ada sampel malwarenya juga)

 

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to ‘rm’ (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the virus has been found, it looks to have had the killswitch hexedited out. Not done by recompile so probably not done by the original malware author. On the other hand that is the only change: the encryption keys are the same, the bitcoin addresses are the same. On the other hand it is corrupt so the ransomware aspect of it doesn’t work – it only propagates.

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Microsoft first patch for XP since 2014: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Exploit details: https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html

Vulnerable/Not Vulnerable

To be infected requires the SMB port (445) to be open, or the machine already infected with DOUBLEPULSAR (and killswitch not registered or somehow blocked, or the network accessing it through a proxy).

The MS17-010 patch fixes the vulnerability.

  • Windows XP: Doesn’t spread. If run manually, can encrypt files.
  • Windows 7,8,2008: can spread unpatched, can encrypt files.
  • Windows 10: Doesn’t spread. Even though Windows 10 does have the faulty SMB driver.
  • Linux: Doesn’t spread. If run manually with wine, can encrypt files.

Infections

Informative Tweets

Cryptography details

  • Each infection generates a new RSA-2048 keypair.
  • The public key is exported as blob and saved to 00000000.pky
  • The private key is encrypted with the ransomware public key and saved as 00000000.eky
  • Each file is encrypted using AES-128-CBC, with a unique AES key per file.
  • Each AES key is generated CryptGenRandom.
  • The AES key is encrypted using the infection specific RSA keypair.

The RSA public key used to encrypt the infection specific RSA private key is embedded inside the DLL and owned by the ransomware authors.

https://pastebin.com/aaW2Rfb6 even more in depth RE information by cyg_x1!!

Bitcoin ransom addresses

3 addresses hard coded into the malware.

C&C centers

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Languages

All language ransom messages available here: https://transfer.sh/y6qco/WANNACRYDECRYPTOR-Ransomware-Messages-all-langs.zip

m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

File types

There are a number of files and folders wannacrypt will avoid. Some because it’s entirely pointless and others because it might destabilize the system. During scans, it will search the path for the following strings and skip over if present:

  • “Content.IE5”
  • “Temporary Internet Files”
  • ” This folder protects against ransomware. Modifying it will reduce protection”
  • “\Local Settings\Temp”
  • “\AppData\Local\Temp”
  • “\Program Files (x86)”
  • “\Program Files”
  • “\WINDOWS”
  • “\ProgramData”
  • “\Intel”
  • “$”

The filetypes it looks for to encrypt are:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

credit herulume, thanks for extracting this list from the binary.

more details came from https://pastebin.com/xZKU7Ph1 thanks to cyg_x11

Some other interesting strings

credit: nulldot https://pastebin.com/0LrH05y2

Encrypted file format

typedef struct _wc_file_t {
    char     sig[WC_SIG_LEN]     // 64 bit signature WANACRY!
    uint32_t keylen;             // length of encrypted key
    uint8_t  key[WC_ENCKEY_LEN]; // AES key encrypted with RSA
    uint32_t unknown;            // usually 3 or 4, unknown
    uint64_t datalen;            // length of file before encryption, obtained from GetFileSizeEx
    uint8_t *data;               // Ciphertext Encrypted data using AES-128 in CBC mode
} wc_file_t;

credit for reversing this file format info: cyg_x11.

Vulnerability disclosure

The specific vulnerability that it uses to propagate is ETERNALBLUE.

This was developed by “equation group” an exploit developer group associated with the NSA and leaked to the public by “the shadow brokers”. Microsoft fixed this vulnerability March 14, 2017. They were not 0 days at the time of release.

Hasil analisa malware ini menurut McAFee

https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

Hasil analisa malware menurut Cisco Talos

http://blog.talosintelligence.com/2017/05/wannacry.html

Tulisan lainnya tentang malwre ini:

https://www.ward.ie/2017/immediate-action-required-critical-security-advisory-wannacry-ransomware/

https://support.microsoft.com/en-sg/help/4013389/title


7 tanggapan untuk “Ransomware wannacry”

    • saat ini belum mas, karena secara teknis arsitekturnya beda. Saat ini yang saya tahu untuk android tipe ransomwarenya baru bisa lock tombol home dan back. Tapi nanti bisa aja ada yang buat untuk smartphone

  1. Mas julismail, kemarin di indepth udah ada ransomware yg di pasang di chip hp :(
    serem, entah lah kalau sampai di pasang di chip laptop juga, apalagi produksi perangkat bukan dari negara sendiri, melainkan para negara yg ingin menjajah dan ambil data orang di negara kita.
    itu yg bahaya ya -.-

    • serem nya sebuah malware tidak didasar pada penyerangan melalui hp, jika ada yang mengatakannya, kemungkinan itu merupakan fear yang diulang ulang yang berpotensi menciptakan hoax jadi hanya sedikit saja hp yang terkena virus sebagai ngeris sisanya adalah fear yang panikan

Tinggalkan Balasan ke MSI JanuariBatalkan balasan