How does Wanacrypt ransomware work?

Anonim

Wanacrypt has worm-like capabilities, which means that it tries to spread over the network. To do this it uses the EternalBlue exploit (MS17-010), with the intention of spreading to every machine that has not patched this vulnerability.

Something that stands out about this ransomware is that it not only searches the local network of the affected machine, but also proceeds to scan public IP addresses on the internet.

All these actions are carried out by the service that the ransomware itself installs after it is executed. Once the service is installed and running, two threads are created that are in charge of replicating to other systems.

In their analysis, experts in the field have observed that it uses exactly the same code used by the NSA. The only difference is that it has no need for DoublePulsar, since its intention is simply to inject itself into the LSASS (Local Security Authority Subsystem Service) process.

For those who do not know what LSASS is: it is the process that makes the Windows security mechanisms work correctly, so it is always running. As far as can be seen, the EternalBlue payload code has not been altered.

If you compare it with existing analyses, you can see that the opcodes are identical…

What is an opcode?

An opcode, or operation code, is the part of a machine language instruction that specifies the operation to be performed.

We continue…

This ransomware makes the same function calls to finally inject the .dll library it sends into the LSASS process and execute its "PlayGame" function, which starts the infection process again from the attacked machine.

Because it uses a kernel-code exploit, all operations performed by the malware run with SYSTEM privileges.

Before starting to encrypt the computer, the ransomware checks whether two mutexes exist on the system. A mutex is a mutual exclusion mechanism: it prevents two processes or threads in a program from entering a critical section (a piece of code where a shared resource may be modified) at the same time.

If these two mutexes exist, it does not perform any encryption:

'Global\MsWinZonesCacheCounterMutexA'

'Global\MsWinZonesCacheCounterMutexW'

The ransomware, for its part, generates a unique random key for each encrypted file. This is a 128-bit key used with the AES encryption algorithm; the key is stored, encrypted with an RSA public key, in a custom header that the ransomware adds to every encrypted file.

Decrypting the files is only possible with the RSA private key corresponding to the public key that was used to encrypt the per-file AES keys.

The random AES key is generated with the Windows function "CryptGenRandom". At the moment this function has no known vulnerabilities or weaknesses, so it is currently not possible to build a tool that decrypts these files without knowing the RSA private key used in the attack.

To carry all this out, the ransomware creates several execution threads on the computer and follows this process to encrypt the documents:

  1. Read the original file and copy it, adding the extension .wnryt
  2. Create a random 128-bit AES key
  3. Encrypt the copied file with AES
  4. Add a header containing the AES key encrypted with the RSA public key carried by the sample
  5. Overwrite the original file with this encrypted copy
  6. Finally, rename the original file with the extension .wnry

For each directory that the ransomware has finished encrypting, it generates the same two files:

    @Please_Read_Me@.txt

    @WanaDecryptor@.exe
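As an added example (not code from the article), a small Python triage script that walks a directory tree and flags the artifacts the list above describes: encrypted copies carrying the .wnry or .wnryt extensions and the two files dropped in each finished directory. The sample tree it builds is constructed data, and the "encrypted"/"suspicious" verdicts are this script's own labels.

```python
import os
import tempfile
from pathlib import Path

# Artifacts named in the article: the two files dropped per directory and the
# extensions of the encrypted copy (.wnryt while in progress, .wnry when done).
RANSOM_NOTE = "@Please_Read_Me@.txt"
DECRYPTOR = "@WanaDecryptor@.exe"
ENCRYPTED_EXTS = {".wnry", ".wnryt"}

def scan_tree(root):
    """Walk `root` and report directories showing any of the artifacts.
    Both dropped files plus at least one encrypted copy -> 'encrypted';
    anything less -> 'suspicious', so an interrupted run is still surfaced."""
    findings = {"encrypted_files": [], "directories": {}}
    for dirpath, _dirnames, filenames in os.walk(root):
        names = set(filenames)
        enc = sorted(f for f in filenames if Path(f).suffix.lower() in ENCRYPTED_EXTS)
        has_note, has_decryptor = RANSOM_NOTE in names, DECRYPTOR in names
        if not (enc or has_note or has_decryptor):
            continue  # nothing from the article's artifact list in this directory
        findings["encrypted_files"].extend(os.path.join(dirpath, f) for f in enc)
        complete = has_note and has_decryptor and bool(enc)
        findings["directories"][dirpath] = {
            "ransom_note": has_note,
            "decryptor": has_decryptor,
            "encrypted_count": len(enc),
            "verdict": "encrypted" if complete else "suspicious",
        }
    return findings

def build_sample_tree():
    """Create a constructed directory tree (sample data, not a real infection)."""
    root = tempfile.mkdtemp(prefix="wcry_demo_")
    docs = Path(root, "Documents")          # fully processed directory
    docs.mkdir()
    for name in ("report.docx.wnry", "budget.xlsx.wnry", RANSOM_NOTE, DECRYPTOR):
        Path(docs, name).write_bytes(b"constructed sample content\n")
    clean = Path(root, "Pictures")          # untouched directory
    clean.mkdir()
    Path(clean, "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    partial = Path(root, "Downloads")       # in-progress copy, no dropped files yet
    partial.mkdir()
    Path(partial, "setup.exe.wnryt").write_bytes(b"constructed sample content\n")
    return root

if __name__ == "__main__":
    for path, info in scan_tree(build_sample_tree())["directories"].items():
        print(path, info)
```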
