Authors: Nick Griffin and Elad Sharf 

Date: 17 May, 2017

Over the last few days the WannaCry epidemic has sparked a media frenzy, with many jumping on the publicity bandwagon. There is a lot of information out there, but how do we separate the truth from the fiction? In this blog we will document the known facts and provide evidence for our conclusion that the original malware author and/or attacker is only responsible for the first variant of WannaCry 2.0, which was first observed on May 12, 2017.

Timeline

Here is the most concise breakdown of events that we know have occurred.

May 12, 2017 - Variant I (“WannaCry 2.0”)

The first wave of attacks occurred, hitting multiple organisations including the NHS in the UK and Spanish telecommunications giant Telefonica. Only one variant of the WannaCry malware was used in these attacks (SHA256 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c), which was first seen at 08:57:51 (UTC) on VirusTotal (VT). Other variants with identical code but corrupted embedded ZIP file resources were uploaded to VT shortly afterwards, one as soon as an hour after the original sample. It is possible that these corrupted versions are the result of incorrect propagation by the malware itself when it leverages the ETERNALBLUE exploit, although this has not been confirmed.

The “kill-switch” domain used for all of these identical samples is www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com.

It is important to note that variant I is in fact WannaCry 2.0. Previous versions of WannaCry were seen as early as February 2017. Several media articles appear to be incorrectly referring to variant IV (see below) as WannaCry 2.0.

May 14, 2017 - Variant II

A new variant of the malware appeared with a new kill-switch domain, again seen in the wild and with a global impact, but mostly affecting Russia this time. Again there was only one variant of the malware used in these attacks (SHA256 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf), although similarly corrupted versions of this variant containing identical code also started appearing on this date.

The difference between the first variant and the second variant is just two bytes in the entire file, which appear in the kill-switch domain:

Variant I: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
Variant II: www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Variant III

A third variant was also seen on this date with a third kill-switch (SHA256 bd927d915f19a89468391133465b1f2fb78d7a58178867933c44411f4d5de8eb). Contrary to other opinions we believe that it is very unlikely that this variant has been seen in the wild. The first filename that it was uploaded to VT under was “testing.exe”, and the second time it was uploaded was under the name “sample.exe”.

The variant is identical to the first and second variants, differing only in its kill-switch domain:

Variant I: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
Variant III: www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]testing

Variant IV

A fourth variant was uploaded to VT containing no kill-switch (SHA256 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd). This variant has never been seen in the wild and in fact is simply a patched version of one of the earliest corrupted samples uploaded to VT (SHA256 f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85). This is almost certainly the work of a researcher or hobbyist.

Other Variants

Many other variants also started appearing from this point onwards with different kill-switches and BitCoin wallets. These are all seemingly patched versions created for the purposes of self-promotion, and none have been seen in the wild.

Variants Explained

After a thorough analysis the evidence suggests that all variants of WannaCry 2.0 originate from one original sample (SHA256 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c).

All variants contain identical portable executable (PE) compilation timestamps, entry points, and code, with the exception of the kill-switch domain changes. If the other variants had been created (i.e. compiled) by the original author(s) then we would certainly expect to see a different combination of timestamps, entry points, and/or PE section hashes. It is worth noting that the timestamp used in all variants matches the timestamp of a legitimate Microsoft Windows executable called “lhdfrgui.exe”, and this also appears to be the filename used by the malware. It is likely that the WannaCry malware author(s) copied the timestamp to more closely match the Microsoft binary.
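The comparison described above can be reproduced with a short triage script. This is an added example, not code from the original analysis: the function names are hypothetical, and the two inputs are constructed minimal PE images (not malware) whose embedded strings mirror a two-byte kill-switch edit. Because a timestamp can be copied from another binary, a match is supporting evidence of patching rather than proof.

```python
import hashlib
import struct

def pe_fingerprint(image: bytes) -> dict:
    """Extract the fields the comparison relies on: timestamp, entry point, section hashes."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew: offset of the PE header
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)
    entry = struct.unpack_from("<I", image, pe + 24 + 16)[0]  # AddressOfEntryPoint
    sections = {}
    for i in range(nsect):
        name, _, _, size, ptr = struct.unpack_from("<8sIIII", image, pe + 24 + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode()] = hashlib.sha256(image[ptr:ptr + size]).hexdigest()
    return {"timestamp": stamp, "entry_point": entry, "sections": sections}

def compare(a: bytes, b: bytes) -> dict:
    """Report whether b looks like a byte-patched copy of a or a separate build."""
    fa, fb = pe_fingerprint(a), pe_fingerprint(b)
    names = fa["sections"].keys() | fb["sections"].keys()
    changed = sorted(n for n in names if fa["sections"].get(n) != fb["sections"].get(n))
    diff = sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))
    same_build = (fa["timestamp"], fa["entry_point"]) == (fb["timestamp"], fb["entry_point"])
    verdict = "identical" if diff == 0 else "patched copy" if same_build else "separate build"
    return {"changed_sections": changed, "differing_bytes": diff, "verdict": verdict}

def build_sample(marker: bytes, stamp: int = 0x40000000) -> bytes:
    """Constructed minimal PE32 image (not malware): a .text and a .data section."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, stamp, 0, 0, 224, 0x102)
    opt = (struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", 0x1000)).ljust(224, b"\0")
    def sect(name: bytes, rva: int, ptr: int) -> bytes:
        return struct.pack("<8sIIII", name, 0x200, rva, 0x200, ptr).ljust(40, b"\0")
    head = dos + b"PE\0\0" + coff + opt + sect(b".text", 0x1000, 0x200) + sect(b".data", 0x2000, 0x400)
    return head.ljust(0x200, b"\0") + b"\x90" * 0x200 + marker.ljust(0x200, b"\0")

# Constructed strings that mirror a two-byte kill-switch edit; they are not real domains.
ORIGINAL = build_sample(b"www.constructed-uq.example")
PATCHED = build_sample(b"www.constructed-ff.example")
REBUILT = build_sample(b"www.constructed-ff.example", stamp=0x40000001)

if __name__ == "__main__":
    print(compare(ORIGINAL, PATCHED))
    print(compare(ORIGINAL, REBUILT))
```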

Two comparison tables of the variants described in this blog can be found below.

| Variant (SHA256) | Kill-switch Domain | Confirmed in the Wild? | Notes |
|---|---|---|---|
| I (24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c) | www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com | Yes | First and original sample |
| II (32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf) | www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com | Yes | Differs by 2 bytes compared to original sample |
| III (bd927d915f19a89468391133465b1f2fb78d7a58178867933c44411f4d5de8eb) | www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]testing | No | Differs by 7 bytes compared to original sample |
| IV (07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd) | N/A | No | Resource hash is identical to one of the first known corrupted samples, code section differs to original sample only by 1 byte, data section only differs by having no kill-switch |

| Variant (SHA256) | Entry Point | Import Hash MD5 | Resource Hash MD5 |
|---|---|---|---|
| I (24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c) | 0x9A16 | 9ecee117164e0b870a53dd187cdd7174 | 12e1bd7375d82cca3a51ca48fe22d1a9 |
| II (32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf) | 0x9A16 | 9ecee117164e0b870a53dd187cdd7174 | 12e1bd7375d82cca3a51ca48fe22d1a9 |
| III (bd927d915f19a89468391133465b1f2fb78d7a58178867933c44411f4d5de8eb) | 0x9A16 | 9ecee117164e0b870a53dd187cdd7174 | 12e1bd7375d82cca3a51ca48fe22d1a9 |
| IV (07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd) | 0x9A16 | 9ecee117164e0b870a53dd187cdd7174 | a19437cf29a158eae9109b8ecb75975d |


BitCoin Wallets

A key aspect of WannaCry 2.0 that should be considered is the ransomware payment. In a typical ransomware operation a unique BitCoin wallet ID is created for each victim. Using a unique wallet ID per victim ensures that the ransomware operators know who has paid.

The WannaCry 2.0 malware author decided only to use three hard-coded BitCoin wallets, with no unique wallet generated per victim. This makes it extremely difficult for the WannaCry operator(s) to know who has paid the ransom and who has not. A victim would have to tell the operator(s) the BitCoin wallet ID they paid from. However, due to the BitCoin ledger being publicly viewable it would be possible for anybody to claim ownership of a wallet ID which has sent a payment. Indeed to date we know of no reports where somebody has even made contact with the WannaCry operator(s), and certainly none who have had their files decrypted.

Attribution

WannaCry shares a connection with the “Contopee” malware attributed to the Lazarus Group. The group are thought to originate from North Korea and in the past have been tied to the attacks on Sony Pictures Entertainment, as well as large scale attacks on banking systems across the world.

A Contopee sample from 2015 shares code with an early February 2017 variant of WannaCry. The link is, however, tentative as this could simply be a case of two malware authors reusing the same third-party source code.

Conclusion

Based upon our findings outlined in this blog, the most logical conclusion is that the original malware author and/or attacker is only responsible for the first variant of WannaCry 2.0 first observed on May 12, 2017. All subsequent variants to date are most likely to simply be spin-offs created by other parties.

We also believe there is a reasonable chance the original attack on May the 12th was an accident. The existence of a kill-switch may have been to protect the author(s) in their own analysis environment, and the absence of any newly compiled versions of WannaCry 2.0 shows a lack of commitment from the author(s) to cause more damage or increase their profits.

It remains unknown who the author(s) and/or attacker(s) behind WannaCry are. A question also remains as to who is responsible for creating and distributing variant II and for what benefit, although the likelihood is simply nothing more than wanting to contribute to the chaos and destruction.

Frequently Asked Questions

What is the initial infection vector for WannaCry?

At the present time the only infection vector known is through SMB, which exploits the “ETERNALBLUE” vulnerability CVE-2017-0145. There has been no evidence that WannaCry has been seen in any e-mails to date.

How many “waves” of attack have there been?

There are two known waves of attack, the first one occurring on May 12, 2017 and the second occurring on May 14, 2017. Each attack originated from one malware sample.

How many WannaCry samples are in the wild?

We can currently confirm that there are two fully-functioning samples in the wild, 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c and 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf. There are also hundreds of corrupted samples which are derived from these two parent samples, being identical in code and possibly corrupted due to a bug in how the malware propagates. The corrupted versions will fail to extract and execute the ransomware component.

How many “kill-switch” domains are there?

At present there are only two kill-switches known to be in the wild, “www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com” and “www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com”. Organisations should ensure that they do not rely on these kill-switches to protect against this threat.

Is there a version of WannaCry without a kill-switch? Is that WannaCry 2.0?

There is a version of WannaCry that does not have a kill-switch, yes, but this has not been distributed in the wild. It appears to be a test version likely created by a researcher or hobbyist. There is always a chance that a variant such as this could appear in the wild, however, so it is important to ensure protection without relying on a kill-switch.

Many media outlets are incorrectly referring to this as “WannaCry 2.0”. WannaCry 2.0 is in fact the first variant seen on May 12. Previous versions of WannaCry date back to at least February 2017.

How do I protect myself from WannaCry?

It is important to ensure that Microsoft Windows machines have the MS17-010 security update applied. It is also important to ensure that SMBv1 is disabled across the organisation.

If I pay the ransom will I get my files back?

There are reports that some people have had their files decrypted after paying. However, we believe that it still remains unlikely that you will get your files decrypted if you pay the ransom. The way the ransomware is designed makes it impossible for the WannaCry operator(s) to know for sure who has paid.

Who is responsible for WannaCry?

It is not known who created and/or distributed WannaCry at the present time. Attribution is very difficult, and may not be possible at all. There is a possible link to the Lazarus Group through a common use of code, but this link is far too tentative to draw any conclusions from.