Behaviour Analysis of Ransomware Wana Decryptor

Wana Decryptor encrypts data on computers, rendering it inaccessible without a unique decryption key. A ransom is demanded for the decryption key.

Wana Decryptor is ransomware that encrypts folders and files using the RSA and AES ciphers. The files can only be decrypted with a unique decryption key held by the adversaries.

Non-Technical Summary
Wana Decryptor infects systems mostly through phishing email. The data on the infected system then becomes inaccessible to the user.
After encryption, the original data files are deleted and a ransom demand is sent to the user, usually as a message on the desktop wallpaper.
The attackers claim they will provide the decryption key once the ransom is paid in cryptocurrency.

About the Threat

Wana Decryptor launched a worldwide ransomware attack in May 2017 that affected upward of 200,000 systems across 150 countries.

Initially downloaded through a phishing e-mail, it used a vulnerability in the Windows OS to gain entry. Windows Vista, 7, 8, 10 and Windows Server software versions were particularly affected.

Almost every attack was carried out using phishing emails which appeared to be authentic, leading unsuspecting users to click on dubious links or to download suspicious documents, thus launching the malware.

Wana Decryptor identifies and encrypts every file with a listed suffix such as "pdf", "doc" and "jpeg", thereby making it inaccessible to the user without the decryption key. It also has the capability to scan other systems on the network for the same Windows OS vulnerability and spread itself.

Once the encryption process is completed, the malware searches for and deletes all backups and shadow copies of the data, thus making it impossible to recover the files from them.

Finally the malware displays a ransom demand on the affected system.

Fig 1 Encryption Message of Wana Decryptor

Other names

Wana Decryptor also goes by the names WannaCrypt, Wana Decrypt0r 2.0, WanaCrypt0r 2.0, and Wanna Decryptor.

SecneurX’s Analysis of the Modus Operandi

SecneurX's acquisition engine gathered artifacts and examined them using SecneurX Advanced Dynamic Malware Analysis Platform. This platform provided IOCs (Indicators of Compromise), a Malware Behavioural Analysis Report and Threat Signatures for SOC Teams and Security Analysts to use. The ransomware performs its actions as explained in the following steps.

Step 1

Once launched, the Wana Decryptor file dumps the Security1.exe file into the Temp directory.

Step 2

The command attrib +h is used to hide the RarSFX0 folder.

Fig 2 RarSFX0 folder is hidden

Fig 3 Contents of RarSFX0 folder

Step 3

The payload grants full control permission on the RarSFX0 directory using icacls with the following switches -

Everyone:F → Grants Full Control to the Everyone group

/T → Applies the change to all files in the current directory and its subdirectories

/C → Continues the operation despite file errors; error messages are still displayed

/Q → Suppresses success messages

Step 4

All files in each folder are encrypted recursively. Once every file in a folder is encrypted, Wana Decryptor copies itself as "@WanaDecryptor@.exe" and runs it. This is started by the process "tasksche.exe".

Step 5

Once Wana Decryptor completes the above steps, it replaces the Windows wallpaper with instructions to begin downloading the decryptor from Dropbox. The demand for ransom in the form of cryptocurrency is made in this ransom note.

Fig 4. Ransom Note of Wana Decryptor

Fig 5. Changed Wallpaper of affected machine

Step 6

The ransomware then deletes all backups and shadow copies of the encrypted files using the Microsoft utility "vssadmin". This ensures that the encrypted files cannot be recovered from backups.

Fig 6. Ransomware deleting shadow copies

vssadmin delete shadows /all /quiet → Launches the vssadmin.exe program, which erases all Volume Shadow Copies on the system.

wmic shadowcopy delete → WMIC (Windows Management Instrumentation Command-line) is a command-line tool for carrying out WMI tasks; here it is used to delete all shadow copies.

bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no → Here, the malware disables Automatic Repair so that Windows does not offer recovery options after a failed boot.

wbadmin delete catalog -quiet → Deletes the backup catalog on the local computer.
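Detection logic for the Step 6 behaviour, written here as an added example; it is not SecneurX's code and not part of the original report. It matches the five recovery-inhibition commands listed above in process-creation records, splits a chained "cmd.exe /c a & b & c" line so each command is checked on its own, and raises severity when several distinct behaviours appear in one command line. The log format (timestamp|host|parent|commandline), the host names and the timestamps are constructed sample data, not report output.

```python
import re
from typing import Dict, List, Tuple

# Pattern -> description of the recovery-inhibition behaviour from Step 6.
# Matching is case-insensitive because command-line casing varies.
RECOVERY_INHIBITION: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
     "shadow copies deleted (vssadmin)"),
    (re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
     "shadow copies deleted (wmic)"),
    (re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
     "boot-failure recovery disabled (bcdedit)"),
    (re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
     "automatic repair disabled (bcdedit)"),
    (re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
     "backup catalog deleted (wbadmin)"),
]


def split_compound(cmdline: str) -> List[str]:
    """Split a cmd.exe line on '&' or '&&' so each chained command is inspected
    separately (Step 6 chains five commands into one 'cmd.exe /c' invocation)."""
    return [p.strip() for p in re.split(r"\s*&&?\s*", cmdline) if p.strip()]


def classify(cmdline: str) -> List[str]:
    """Return the distinct recovery-inhibition behaviours present in one command line."""
    found: List[str] = []
    for part in split_compound(cmdline):
        for pattern, label in RECOVERY_INHIBITION:
            if pattern.search(part) and label not in found:
                found.append(label)
    return found


# Constructed process-creation records: timestamp|host|parent image|command line.
# The second line reproduces the chained command from the Device Indicators list.
SAMPLE_EVENTS = """\
2017-05-12T10:31:07Z|WS01|C:\\Windows\\System32\\cmd.exe|vssadmin delete shadows /all /quiet
2017-05-12T10:31:08Z|WS01|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2017-05-12T10:32:00Z|WS02|C:\\Windows\\explorer.exe|vssadmin list shadows
2017-05-12T10:33:15Z|WS02|C:\\Windows\\explorer.exe|bcdedit /enum
2017-05-12T10:35:40Z|WS03|C:\\Windows\\System32\\cmd.exe|wbadmin delete catalog -quiet
"""


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed record into its four fields."""
    ts, host, parent, cmd = line.split("|", 3)
    return {"time": ts, "host": host, "parent": parent, "cmdline": cmd}


def scan_events(text: str) -> List[Dict[str, object]]:
    """Return one finding per event that shows recovery-inhibition behaviour.
    Severity is 'high' when two or more distinct behaviours appear in a single
    command line, which is the Step 6 pattern rather than routine administration."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        labels = classify(ev["cmdline"])
        if labels:
            findings.append({
                "time": ev["time"],
                "host": ev["host"],
                "behaviours": labels,
                "severity": "high" if len(labels) >= 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["time"], f["host"], f["severity"], "; ".join(f["behaviours"]))
```

Listing or enumerating commands (vssadmin list shadows, bcdedit /enum) deliberately produce no finding, so the rule keys on deletion and the two specific bcdedit settings rather than on the tool names alone.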

Step 7

The malware then automatically runs cmd /c 240881631783526.bat after executing the m.vbs file and preventing the display of popup windows.

Fig 7. Creation and termination of the batch file

cmd /c 240881631783526.bat → Executes the command supplied by the string and then exits.

cscript.exe //nologo m.vbs → Runs m.vbs with the //nologo switch, which suppresses the cscript banner so nothing is displayed during execution.

Step 8

@WanaDecryptor@.exe is triggered periodically by taskdl.exe.

Fig 8. Taskdl.exe runs @WanaDecryptor@.exe periodically

Step 9

Fig 9. Ransomware adds itself to the Windows startup

In order to run persistently whenever Windows starts, it adds itself to the Run key in the registry (see the reg add entry under Device Indicators).

Device Indicators

  • "C:\Users\ADMINI~1\AppData\Local\Temp\RarSFX0\Security1.exe"

  • icacls . /grant Everyone:F /T /C /Q

  • cmd.exe /c start /b @WanaDecryptor@.exe vs

  • @WanaDecryptor@.exe vs

  • cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

  • vssadmin delete shadows /all /quiet

  • reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ffblumgaie702" /t REG_SZ /d "\"C:\Users\ADMINI~1\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f

  • wmic shadowcopy delete

  • cmd /c 240881631783526.bat

  • cscript.exe //nologo m.vbs

  • @WanaDecryptor@.exe

  • @WanaDecryptor@.exe co

  • TaskData\Tor\taskhsvc.exe
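A parser for the Step 9 persistence indicator, added here as an example; it is not SecneurX's code and not part of the original report. It tokenises a Windows command line (double quotes group arguments, a backslash before a double quote escapes it, other backslashes are kept because they are path separators), extracts the key, value name and data from a "reg add" invocation, and flags a Run-key entry whose target lives in a temporary directory, as the tasksche.exe indicator above does. The list of Run keys and suspect directories is an assumption of this example, not taken from the report; the benign OneDrive line is constructed.

```python
from typing import Dict, List, Optional

# Autostart keys checked by this example (assumption: the common Run/RunOnce locations).
RUN_KEYS = {
    "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE",
    "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "HKCU\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE",
}
# Directories a legitimate autostart entry rarely points into (assumption of this example).
SUSPECT_DIRS = ("\\APPDATA\\LOCAL\\TEMP\\", "\\WINDOWS\\TEMP\\", "\\PUBLIC\\")


def tokenize_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal tokenizer for the quoting used in the indicator: whitespace separates
    arguments, double quotes group, and a backslash immediately before a double quote
    escapes it. Every other backslash is kept literally."""
    tokens: List[str] = []
    cur: List[str] = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur.append('"')          # escaped quote becomes a literal quote
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
            i += 1
            continue
        if ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def normalize_key(key: str) -> str:
    """Upper-case the key and fold the long hive names onto their short forms."""
    k = key.strip().rstrip("\\").upper()
    k = k.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    return k


def parse_reg_add(cmdline: str) -> Optional[Dict[str, str]]:
    """Return {key, name, type, data} for a 'reg add' command line, else None."""
    toks = tokenize_windows_cmdline(cmdline)
    if len(toks) < 3 or toks[0].lower() not in ("reg", "reg.exe") or toks[1].lower() != "add":
        return None
    entry = {"key": toks[2], "name": "", "type": "REG_SZ", "data": ""}
    field_for = {"/v": "name", "/t": "type", "/d": "data"}
    i = 3
    while i < len(toks):
        sw = toks[i].lower()
        if sw in field_for and i + 1 < len(toks):
            entry[field_for[sw]] = toks[i + 1]
            i += 2
        else:
            i += 1                   # /f and other flags take no argument
    return entry


def assess_run_key_persistence(cmdline: str) -> Optional[Dict[str, object]]:
    """Flag a 'reg add' that writes an autostart entry pointing into a temporary directory."""
    entry = parse_reg_add(cmdline)
    if entry is None or normalize_key(entry["key"]) not in RUN_KEYS:
        return None
    # The indicator stores the path with embedded quotes ("\"...\""); strip them for analysis.
    target = entry["data"].strip('"')
    reasons = [d for d in SUSPECT_DIRS if d in target.upper()]
    return {
        "value_name": entry["name"],
        "target": target,
        "suspicious": bool(reasons),
        "reasons": ["target under " + d for d in reasons],
    }


if __name__ == "__main__":
    ioc = (r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ffblumgaie702" '
           r'/t REG_SZ /d "\"C:\Users\ADMINI~1\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f')
    print(assess_run_key_persistence(ioc))
```

The same parser can be pointed at the Run-key values already present on a host (for example the output of reg query) by feeding each value's data through assess_run_key_persistence's directory check, since the decision is made on the target path rather than on the command line itself.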

Behaviour report
