wannacry evolution

Members of hackers.mu, a security group, thought that it was going to be a peaceful weekend in Mauritius. Unfortunately, we got news of wannacrypt0r 2.0, which targets a vulnerability disclosed by the ShadowBrokers a while ago. We’ve been keeping a close eye on it, and helping people in Mauritius as best we can to protect their IT infrastructure.

One of the questions we keep getting is “Did the DNS hack that the accidental hero discovered stop the malware for good?”. Our answer is a definitive “NO”.

This is the second version of the ransomware. It’s entirely possible that there will be another version with a more elaborate kill switch, one that is hard to find even for seasoned security practitioners. Every ransomware needs a kill switch so that, once the victim pays, their files are decrypted. In version 2.0, the kill switch was discovered somewhat accidentally.

There are ways to obfuscate the kill switch, and here lies the danger for unpatched Windows computers that sit behind firewalls. To demonstrate our theory, we developed a simple test showing that the kill switch can be hidden even on the wire.

Here is the wannacry ransomware doing a DNS request to www.wannacryptor.com for its “kill switch”. A network engineer can capture this DNS traffic directly:

May 14 11:36:21.858621 44:8a:5b:5c:14:07 c4:e9:84:7b:27:3e 0800 80: 192.168.1.143.9852 > 192.168.1.1.53: 1370+ A? www.wannacryptor.com. (38)
 0000: c4e9 847b 273e 448a 5b5c 1407 0800 4500 ...{'>D.[\....E.
 0010: 0042 d1e8 0000 4011 0000 c0a8 018f c0a8 .B....@.........
 0020: 0101 267c 0035 002e 8420 055a 0100 0001 ..&|.5... .Z....
 0030: 0000 0000 0000 0377 7777 0c77 616e 6e61 .......www.wanna
 0040: 6372 7970 746f 7203 636f 6d00 0001 0001 cryptor.com.....

As we can see, it’s fairly easy to capture the domain that a kill switch could be looking for, as it’s NOT HIDDEN IN ANY WAY.

We developed a simple way to hide it, even on the wire, for the exact same DNS query for www.wannacryptor.com.

May 14 11:35:18.145271 44:8a:5b:5c:14:07 c4:e9:84:7b:27:3e 0800 373: 192.168.1.143.2672 > 111.111.111.111.443: udp 331
 0000: c4e9 847b 273e 448a 5b5c 1407 0800 4500 ...{'>D.[\....E.
 0010: 0167 8bed 0000 4011 0000 c0a8 018f d043 .g....@........C
 0020: dcdc 0a70 01bb 0153 70bc 7131 5677 4457 ...p...Sp.q1VwDW
 0030: 306e 1b78 bb29 2e7a 173c fdcb 51e4 8c3e 0n.x.).z.<..Q..>
 0040: 0d2c 3be1 23f5 18b2 1fe4 a577 e3a0 4175 .,;.#......w..Au
 0050: 2517 565d bba6 5b92 ee4e be20 ca0a b363 %.V]..[..N. ...c
 0060: 5185 e86e 8fd0 e87b 5de0 f58e b9e3 751e Q..n...{].....u.
 0070: 5e2d ff24 ^-.$
May 14 11:35:18.210594 c4:e9:84:7b:27:3e 44:8a:5b:5c:14:07 0800 538: 111.111.111.111.443 > 192.168.1.143.2672: udp 496 (DF)
 0000: 448a 5b5c 1407 c4e9 847b 273e 0800 4500 D.[\.....{'>..E.
 0010: 020c 1e53 4000 3411 b736 d043 dcdc c0a8 ...S@.4..6.C....
 0020: 018f 01bb 0a70 01f8 6575 7236 666e 7657 .....p..eur6fnvW
 0030: 6a38 565d bba6 5b92 ee4e be20 ca0a 042e j8V]..[..N. ....
 0040: 4af2 e8da 1300 ba41 f73c 1956 c0ae e227 J......A.<.V...'
 0050: 8f67 dddf 3c34 9019 a3dc 64b6 50ed 1117 .g..<4....d.P...
 0060: 8e3a cbb0 1b34 a116 8623 7c63 f611 ae8a .:...4...#|c....
 0070: ba66 8f7c .f.|

As we can see here, it’s hard for the network engineer because the DNS query has been scrambled: the capture shows only an opaque UDP payload going to 111.111.111.111 on port 443, with no domain name visible anywhere. Even if the network engineer were to block requests to 111.111.111.111, the ransomware would keep the files encrypted and not stop working.
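To make the difference between the two captures concrete, here is a small parser, added by the editor and not part of hackers.mu’s original test tooling, that reads the hex columns of the two request dumps above (embedded verbatim, ASCII column dropped), walks the Ethernet, IPv4 and UDP headers, and then tries to extract a DNS question name from the UDP payload the way a DNS-logging sensor would. The first frame yields www.wannacryptor.com; the second yields only an opaque payload to port 443 that fails the very first DNS sanity check, which is exactly what a sensor keyed on plaintext DNS never sees. Addresses and ports are decoded from the bytes themselves, so for the second capture they reflect what is in the dump rather than the summary line printed above it. The function names (hexdump_to_bytes, parse_frame, dns_qname, inspect_frame) are the editor’s own.

```python
"""Parse the two tcpdump hex dumps shown above (editor's example, not the
hackers.mu tool) and show what a DNS-monitoring sensor can recover from each."""
import struct

# Hex columns copied from the two request captures above; ASCII column dropped.
PLAIN_DNS_HEX = """
0000: c4e9 847b 273e 448a 5b5c 1407 0800 4500
0010: 0042 d1e8 0000 4011 0000 c0a8 018f c0a8
0020: 0101 267c 0035 002e 8420 055a 0100 0001
0030: 0000 0000 0000 0377 7777 0c77 616e 6e61
0040: 6372 7970 746f 7203 636f 6d00 0001 0001
"""

SCRAMBLED_HEX = """
0000: c4e9 847b 273e 448a 5b5c 1407 0800 4500
0010: 0167 8bed 0000 4011 0000 c0a8 018f d043
0020: dcdc 0a70 01bb 0153 70bc 7131 5677 4457
0030: 306e 1b78 bb29 2e7a 173c fdcb 51e4 8c3e
0040: 0d2c 3be1 23f5 18b2 1fe4 a577 e3a0 4175
0050: 2517 565d bba6 5b92 ee4e be20 ca0a b363
0060: 5185 e86e 8fd0 e87b 5de0 f58e b9e3 751e
0070: 5e2d ff24
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset: xxxx xxxx ...' lines back into raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, hexpart = line.partition(":")
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def parse_frame(dump: str) -> dict:
    """Walk Ethernet -> IPv4 -> UDP and return addressing plus the UDP payload.
    The payload can be shorter than the UDP length field when the capture was
    cut off by the snapshot length; the 'truncated' flag records that."""
    b = hexdump_to_bytes(dump)
    if b[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (b[14] & 0x0F) * 4          # IPv4 header length in bytes
    if b[14 + 9] != 17:
        raise ValueError("not UDP")
    src = ".".join(str(x) for x in b[26:30])
    dst = ".".join(str(x) for x in b[30:34])
    off = 14 + ihl
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", b[off:off + 8])
    payload = b[off + 8:off + ulen]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": payload, "truncated": len(payload) < ulen - 8}


def dns_qname(payload: bytes):
    """Return (qname, None) if payload is a well-formed single-question DNS
    message, else (None, reason). Strict on purpose: a sensor that logs
    'DNS names' must refuse to guess at bytes that do not parse as DNS."""
    if len(payload) < 12 + 1 + 4:
        return None, "too short for a DNS header plus question"
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode != 0:
        return None, "opcode %d is not a standard query" % opcode
    if qdcount != 1:
        return None, "qdcount %d is not 1" % qdcount
    labels, pos = [], 12
    while True:                        # walk the length-prefixed labels
        if pos >= len(payload):
            return None, "name runs past end of message"
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n > 63:
            return None, "label length %d exceeds 63" % n
        label = payload[pos:pos + n]
        if len(label) < n or not all(0x20 < c < 0x7F for c in label):
            return None, "label is truncated or not printable"
        labels.append(label.decode("ascii"))
        pos += n
    if pos + 4 > len(payload):
        return None, "qtype/qclass missing after name"
    return ".".join(labels), None


def inspect_frame(dump: str) -> dict:
    """What a network engineer learns from one frame: where it went and
    whether a kill-switch domain is readable in it."""
    f = parse_frame(dump)
    qname, reason = dns_qname(f["payload"])
    return {"dst": f["dst"], "dport": f["dport"], "truncated": f["truncated"],
            "qname": qname, "reason": reason}


if __name__ == "__main__":
    for name, dump in (("plain DNS", PLAIN_DNS_HEX), ("scrambled", SCRAMBLED_HEX)):
        r = inspect_frame(dump)
        verdict = r["qname"] or "no name recoverable (%s)" % r["reason"]
        print("%-10s -> %s:%d  %s" % (name, r["dst"], r["dport"], verdict))
```

Running it prints the kill-switch domain for the first frame and a parse failure for the second. The defensive lesson is in the failure branch: a monitoring rule that only inspects port 53 has nothing to log for the second flow, so the fallback is to inventory UDP flows to unusual ports whose payloads do not parse as DNS, on top of patching the hosts so the kill switch never matters.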

In summary, it’s possible for a new version of the wannacry ransomware to have more elaborate kill switches that are hard to find, and therefore to cause more havoc. We urge everybody in Mauritius to patch in a timely manner.

Written by Loganaden Velvindron.