Friday 30 June 2017

The WannaCry-like ransomware attack against Ukraine via MEDoc preceding EternalPetya/NotPetya

This week, MalwareHunterTeam discovered the next ransomware clone in a row after XData that targeted Ukrainian users, presumably through MEDoc software updates, this Monday (June 26, 2017), before EternalPetya/NotPetya was launched (June 27, 2017). The new ransomware is a .NET version of WannaCry. It has a ‘kill process to unlock file’ feature, introduced for the first time by ransomware, and a bug that reduces its destructive power, allowing the cryptolocker to harm only network drives. Let us take a look under the hood.

The ransomware consists of three components:


According to VirusTotal, one of the submissions came from the MEDoc software folder, which means the WannaCry dropper landed in that folder. One way this could have happened is that it was downloaded with MEDoc software updates.


The dropper can be executed with the following command line parameters:

Parameter 1:
  • ‘-extract’ - extracts the encryptor ‘ed.exe’ from the ‘wc.exe’ resources
  • ‘-ed’ - encrypts files on drives. If ‘demo’ parameter is not specified as the second one, the encryptor generates a new RSA key pair and returns them in Base64 to the dropper.
  • ‘-dd’ - decrypts files on drives (the handler is not available for this parameter)

Parameter 2:
  • An RSA public key that will be used to encrypt a generated RSA private key
  • ‘demo’ - runs the cryptolocker in the demonstration mode with the hardcoded public and private RSA keys


Files with the following extensions on fixed, removable, and network drives, except those in the Windows folder, are encrypted:

doc, docx, xls, xlsx, ppt, pptx, pst, ost, msg, eml, vsd, vsdx, txt, csv, rtf, 123, wks, wk1, pdf, dwg, onetoc2, snt, docb, docm, dot, dotm, dotx, xlsm, xlsb, xlw, xlt, xlm, xlc, xltx, xltm, pptm, pot, pps, ppsm, ppsx, ppam, potx, potm, edb, hwp, 602, sxi, sti, sldx, sldm, sldm, vdi, vmdk, vmx, gpg, aes, ARC, PAQ, bz2, tbk, bak, tar, tgz, gz, 7z, rar, zip, backup, iso, vcd, raw, cgm, tiff, nef, psd, ai, svg, djvu, m4u, m3u, mid, wma, flv, 3g2, mkv, 3gp, mp4, mov, avi, asf, mpeg, vob, mpg, wmv, fla, swf, wav, mp3, sh, class, jar, java, rb, asp, php, jsp, brd, sch, dch, dip, pl, vb, vbs, ps1, bat, cmd, js, asm, h, pas, cpp, c, cs, suo, sln, ldf, mdf, ibd, myi, myd, frm, odb, dbf, db, mdb, accdb, sql, sqlitedb, sqlite3, asc, lay6, lay, mml, sxm, otg, odg, uop, std, sxd, otp, odp, wb2, slk, dif, stc, sxc, ots, ods, 3dm, max, 3ds, uot, stw, sxw, ott, odt, pem, p12, csr, crt, key, pfx, der

To start drive encryption with the generation of a new RSA key pair, the dropper should be given the ‘-ed’ parameter.
First, the dropper starts the encryptor with ‘-delshadowcopies’ to delete shadow copies of files by running the following command:

"cmd.exe", "/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog –quiet"
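A detection sketch for the command chain above, as an added example (not code from the sample or from the original analysis): it scores process command lines, such as those recorded by Windows Event ID 4688 or Sysmon Event ID 1, against each sub-command of the chain. The function names and the sample command lines are constructed for illustration.

```python
import re

# One pattern per sub-command of the chain quoted above. Matching is
# case-insensitive and tolerant of extra whitespace and a ".exe" suffix.
INDICATORS = {
    "vssadmin_delete_shadows": r"vssadmin(\.exe)?\s+delete\s+shadows",
    "wmic_shadowcopy_delete": r"wmic(\.exe)?\s+shadowcopy\s+delete",
    "bcdedit_ignore_failures":
        r"bcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures",
    "bcdedit_recovery_off":
        r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b",
    # The quiet switch is not part of the pattern, so either dash form matches.
    "wbadmin_delete_catalog": r"wbadmin(\.exe)?\s+delete\s+catalog",
}
COMPILED = {n: re.compile(rx, re.IGNORECASE) for n, rx in INDICATORS.items()}


def match_indicators(command_line):
    """Return the sorted names of the indicators found in one command line."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(command_line))


def triage(command_lines, high_threshold=2):
    """Rate each matching line: 'high' when several recovery-inhibiting
    commands are chained in one line, 'review' for a single one."""
    findings = []
    for line in command_lines:
        hits = match_indicators(line)
        if hits:
            severity = "high" if len(hits) >= high_threshold else "review"
            findings.append((severity, hits, line))
    return findings


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE = [
    "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
    "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog \u2013quiet",
    "vssadmin.exe list shadows",
    "C:\\Windows\\System32\\wbem\\WMIC.exe  shadowcopy   delete",
    "bcdedit /enum",
]

if __name__ == "__main__":
    for severity, hits, line in triage(SAMPLE):
        print(severity, hits, line[:50])
```
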

Then, it has the encryptor tool generate a new RSA key pair by sending it the parameter ‘-genrsa’. The encryptor returns the public and private keys to the dropper. The public key is then used to encrypt the AES file keys. The private key is stored in the file ‘private_key_encrypted’ and encrypted using the master public RSA key passed as an argument to the dropper. The file is deleted, and the encrypted key is stored in the system registry:

The files to be encrypted are stored in the index files created on every drive:

The file encryption process looks like:

The cryptolocker encrypts the data and writes it to the file in the following order:
  1. Encrypted data using AES-256-CBC with no padding, the AES key is generated for every file.
  2. The AES key encrypted by the session RSA public key.
  3. The AES initialization vector encrypted by the session RSA public key.
  4. Signature ‘WNCRY’.
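A triage helper for the layout above, as an added example (not code from the sample or from the original analysis): because the ‘WNCRY’ signature is written last, affected files on a share can be listed by reading only the tail of each file. That the signature is stored as ASCII or UTF-16LE bytes at the very end of the file is an assumption, since the page does not state the encoding; the function names and the demo files are constructed.

```python
import os
import tempfile

MARKER = "WNCRY"
# Assumed on-disk encodings of the signature (the page gives only the text).
TRAILERS = {"ascii": MARKER.encode("ascii"),
            "utf-16le": MARKER.encode("utf-16le")}
MAX_TAIL = max(len(t) for t in TRAILERS.values())


def trailer_encoding(path):
    """Return which assumed encoding of the signature ends the file, or None."""
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            fh.seek(max(0, size - MAX_TAIL))
            tail = fh.read(MAX_TAIL)
    except OSError:
        return None  # unreadable or vanished file: skip it and keep scanning
    for name, trailer in TRAILERS.items():
        if tail.endswith(trailer):
            return name
    return None


def scan_tree(root):
    """Walk root; return {relative_path: encoding} for files with the trailer."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            enc = trailer_encoding(full)
            if enc:
                hits[os.path.relpath(full, root)] = enc
    return hits


def demo():
    """Build a constructed directory tree (not real samples) and scan it."""
    samples = {
        ("share", "report.docx"): b"\x00" * 64 + b"WNCRY",       # trailer
        ("share", "notes.txt"): b"WNCRY appears mid-file only.",  # no trailer
        ("share", "wide.xls"): b"\x11" * 32 + "WNCRY".encode("utf-16le"),
        ("tiny.pdf",): b"WN",                    # shorter than the signature
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "share"))
        for parts, data in samples.items():
            with open(os.path.join(root, *parts), "wb") as fh:
                fh.write(data)
        return scan_tree(root)
```
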

If the file is locked by a process, the encryptor kills the process using the PsExec tool extracted from the dropper’s resources:

The list of exception processes that are not terminated:

lsm.exe, csrss.exe, dwm.exe, smss.exe, lsass.exe, wuauclt.exe, services.exe, svchost.exe, taskhost.exe, winlogon.exe, wininit.exe, conhost.exe, explorer.exe, spoolss.exe, spoolsv.exe, system.exe, avp.exe, avpui.exe, ekrn.exe, egui.exe, mfemmc.exe, mfefire.exe, mfevtps.exe, pefservice.exe, mcsvhost.exe, msascui.exe, msmpeng.exe, mpcmdrun.exe, avshadow.exe, avguard.exe, avgnt.exe

Among them we can see the Kaspersky and Avira antivirus processes.

The ransom note

Once files have been encrypted, the ransomware drops ‘@WanaDecryptor@.exe’ and ‘@Please_Read_Me@.txt’ in the folders with encrypted files with the instructions:

Also, WannaCry sets the following wallpaper:

However, because of a coding mistake in the file selection algorithm, it doesn’t encrypt files on fixed and removable drives, only on network drives.

A victim is allowed to decrypt images for free.


The ransomware connects to the remote server in the Tor network to verify a payment transaction:


The bitcoin address 13KBb1G7pkqcJcxpRHg387roBj2NX7Ufyf has collected 0.5 bitcoins in five transactions of 0.1 BTC each.


We consider this piece of ransomware more like a test attack before running the main cyberweapon EternalPetya/NotPetya. One of the possible goals is to verify a MEDoc delivery channel.

XData, .Net WannaCry, and EternalPetya are not 0-day attacks and could be easily prevented by following basic security rules and standards (STIG, NIST). Some of the recommendations are:
  • Limit access to sensitive data. For example, by using ACL
  • Provide network segmentation. For example, an accounting department should be isolated in a separate network segment
  • Filter network traffic with IDS/IPS solutions including email and web traffic
  • And do not rely on an antivirus solution
  • Educate staff and organize drills to prevent them from falling victim to social engineering tricks
Contact us for security training and protecting your enterprise network against targeted attacks and ransomware.
