Welcome Back To
TheHackerzWorld!!!
As you are all well aware, ransomware attacks are happening every day in the cyber world, and compared to last year these attacks have done a lot more damage this year. Among the biggest hits so far (with many more to come), you will have come across these well-known names:
1. CryptXXX
2. Dogspectus
3. CryptoLocker
4. Petya
5. Cerber
6. Locky
7. Crysis
8. CryptoWall
9. CTB Locker
10. Jigsaw
11. TeslaCrypt
12. TorrentLocker
13. ZCryptor
Now we have WCry/WannaCry.
Last month, many big names were hit by the ransomware known as “WCry/WannaCry”. Based on how this ransomware behaves, it can also be called a “CryptoWorm”.
This ransomware has the capability to scan for and spread to other hosts over the network as a worm, using a Windows SMB vulnerability (TCP port 445), to compromise vulnerable hosts and to encrypt the files stored on the host machine. The worst part is that it also deletes Volume Shadow Copies using vssadmin.exe, WMIC.exe and cmd.exe, which makes recovery of the encrypted files much harder.
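The shadow-copy deletion described above is one of the most reliable things to alert on, because legitimate software almost never chains those commands. The following is an added example (not code from the original post or from the malware) of detection logic run over process-creation telemetry. The log lines are constructed here in a key=value layout loosely modelled on Sysmon Event ID 1 / Windows 4688 fields; the field names, hosts, users and paths are assumptions. Beyond the vssadmin/WMIC pair named above, the rules also cover bcdedit and wbadmin, which serve the same goal of removing recovery options.

```python
import re
from typing import Dict, List

# Each rule pairs a name with a regex matched against the lower-cased command line.
# The first two are the vssadmin/WMIC behaviour described in the post; bcdedit and
# wbadmin are added because they serve the same goal (disabling recovery options).
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
]

# key=value or key="quoted value" pairs (the constructed log layout used below).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed process-creation events; hosts, users and paths are made up.
SAMPLE_EVENTS = [
    r'ts=2017-05-12T10:30:59Z host=WS-12 user=CORP\admin image="C:\Windows\System32\vssadmin.exe" '
    r'parent="C:\Windows\System32\cmd.exe" cmdline="vssadmin list shadows"',
    r'ts=2017-05-12T10:31:07Z host=WS-12 user=CORP\jdoe image="C:\Windows\System32\cmd.exe" '
    r'parent="C:\Users\jdoe\AppData\Local\Temp\update.exe" '
    r'cmdline="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & '
    r'bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & '
    r'wbadmin delete catalog -quiet"',
    r'ts=2017-05-12T10:31:09Z host=WS-12 user=SYSTEM image="C:\Windows\System32\svchost.exe" '
    r'parent="C:\Windows\System32\services.exe" cmdline="svchost.exe -k netsvcs"',
    r'ts=2017-05-12T10:32:40Z host=WS-31 user=CORP\jdoe image="C:\Windows\System32\wbem\WMIC.exe" '
    r'parent="C:\Windows\System32\cmd.exe" cmdline="WMIC.exe shadowcopy delete"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse key=value and key="quoted value" pairs into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per event whose command line trips at least one rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        # Matching the whole lower-cased command line catches the chained
        # "cmd.exe /c a & b & c" form as well as the tools run individually.
        cmd = ev.get("cmdline", "").lower()
        hits = [name for name, rx in RULES if rx.search(cmd)]
        if hits:
            findings.append({
                "ts": ev.get("ts"), "host": ev.get("host"), "parent": ev.get("parent"),
                "rules": hits,
                # Several recovery-killing commands in one command line is the
                # ransomware pattern; a single one may still be an administrator.
                "severity": "high" if len(hits) >= 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["ts"], f["host"], f["severity"], ", ".join(f["rules"]), "parent:", f["parent"])
```

The parent process is kept in each finding on purpose: `vssadmin delete shadows` launched from a backup product is routine, the same command launched by an executable in a user's Temp directory is not.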
Note: The spreading mechanism is based on the NSA exploits leaked by the Shadow Brokers, specifically those targeting the Windows SMB service.
For the initial exploitation of the SMB vulnerability it primarily uses “ETERNALBLUE”. On successful exploitation of the victim’s machine, the “DOUBLEPULSAR” backdoor is implanted and then used to install the malware. If the “DOUBLEPULSAR” backdoor is already present on a host, it is used directly to install the ransomware payload; this self-propagation is what makes WCry/WannaCry a “CryptoWorm”.
Detailed Understanding:
Let’s start with the anatomy of this ransomware: its execution and encryption flow.
Encryption Based Analysis
WCry / WannaCry uses two encryption algorithms for the ransomware infection. Below are the details:
– AES (Advanced Encryption Standard)
– RSA (Ron Rivest, Adi Shamir and Leonard Adleman)
AES is considered a well-built cipher, and the files cannot be decrypted unless the author made a mistake in the encryption code. RSA is used in combination with AES: a public/private key pair is generated for each infection, and that public key protects the random AES keys used for the individual files.
The encryption steps of WCry / WannaCry are:
I. Each file is encrypted with a random AES-128 key.
II. That AES key is encrypted with a per-victim RSA-2048 public key (stored in the file 00000000.pky) and written into the header of the encrypted file.
III. The private RSA key belonging to that public key is itself encrypted with the RSA master public key (stored in the file 00000000.eky).
IV. The private key of the RSA master key pair is known only to the “ransomware authors”.
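To see why step IV is what matters, here is an added example (not WannaCry’s code) of the same three-tier key hierarchy: a random key per file, wrapped with a per-victim RSA public key, whose private half is wrapped with the master RSA public key. It runs on the Python standard library alone, so the key sizes are reduced (256-bit victim pair, 512-bit master pair, instead of RSA-2048), the RSA is textbook RSA without padding (a real implementation uses padding), and a SHA-256 counter keystream stands in for AES-128. Those substitutions are assumptions for illustration; the structure is the point.

```python
import hashlib
import secrets
from typing import Dict, Tuple

Key = Tuple[int, int]  # (modulus, exponent)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test, sufficient for the illustrative key sizes used here."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(cand):
            return cand


def rsa_keypair(bits: int) -> Tuple[Key, Key]:
    """Textbook RSA, no padding. Key size is an assumption; WannaCry used RSA-2048."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_wrap(pub: Key, data: bytes) -> int:
    n, e = pub
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("data too large for this modulus")
    return pow(m, e, n)


def rsa_unwrap(priv: Key, c: int, length: int) -> bytes:
    n, d = priv
    return pow(c, d, n).to_bytes(length, "big")


def stream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter keystream: a stand-in for AES-128 so no extra library is needed."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def infect(master_pub: Key, files: Dict[str, bytes]):
    """Steps I-III: per-file key -> per-victim RSA pair -> master RSA public key."""
    victim_pub, victim_priv = rsa_keypair(256)            # generated on the victim (step II)
    encrypted = {}
    for name, data in files.items():
        file_key = secrets.token_bytes(16)                 # step I: random 128-bit key per file
        # step II: the wrapped key travels with the ciphertext, like the encrypted file's header
        encrypted[name] = (rsa_wrap(victim_pub, file_key), stream_xor(file_key, data))
    n, d = victim_priv
    wrapped_victim_priv = rsa_wrap(master_pub, d.to_bytes(32, "big"))   # step III
    return victim_pub, wrapped_victim_priv, encrypted     # plain victim_priv is discarded


def recover(master_priv: Key, victim_pub: Key, wrapped_victim_priv: int, encrypted) -> Dict[str, bytes]:
    """Step IV: only the master private key unwraps the victim key that unwraps the file keys."""
    n, _ = victim_pub
    d = int.from_bytes(rsa_unwrap(master_priv, wrapped_victim_priv, 32), "big")
    return {name: stream_xor(rsa_unwrap((n, d), wrapped, 16), ct)
            for name, (wrapped, ct) in encrypted.items()}


def demo() -> bool:
    files = {"report.docx": b"quarterly numbers, do not share", "notes.txt": b"x" * 100}
    master_pub, master_priv = rsa_keypair(512)            # held only by the authors
    victim_pub, wrapped_priv, enc = infect(master_pub, files)
    assert all(ct != files[name] for name, (_, ct) in enc.items())
    return recover(master_priv, victim_pub, wrapped_priv, enc) == files


if __name__ == "__main__":
    print("round trip with the master private key:", demo())
```

Note what the victim is left holding: the victim public key, the wrapped victim private key, and per-file wrapped keys. None of these decrypts anything without the master private key, which is why recovery depends on the authors (or on the victim private key surviving in memory, which is the only practical shortcut).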
Targeted files:
Execution Based Analysis
It begins with a check against a kill-switch domain (a high-level view, as reported by other researchers too); execution then starts when a user downloads and opens an attachment (.js, .exe). In some circumstances malicious macros are also involved, which activate when the user enables content in a document.
The execution steps of WCry / WannaCry are:
I. Exploit ETERNALBLUE and spread to other hosts.
II. The damaging process starts by laying the foundation: dropping its components and deleting the shadow copies.
III. Start encrypting files with the algorithms mentioned above, RSA in combination with AES.
Graphical Presentation:
Stay In Touch for More Information on Hacking!!!