Jaff and Wannacry Ransomware Analysis

Since Thursday, May 11, the media has been preoccupied by an unprecedented series of cyber attacks that have crippled companies worldwide. However, it has gone largely unnoticed that these are in fact two very separate waves of attacks.

The first wave, Wannacry, has already infected nearly 210,000 machines in 99 countries. It has received most of the press coverage and propagates primarily as a worm, spreading from machine to machine over the network without any action by the user.

The second attack is also massive but has been largely ignored in press accounts. It is a variant of the well-known Locky malware, called Jaff, and it is distributed primarily by email.

Over 48 hours on May 11 and 12, Vade blocked more than 630,000 emails containing the Jaff ransomware.

Georges Lotigier, CEO of Vade, commented: “Ransomware is back in the spotlight again with a significant global impact. However, there is some good news. According to our estimates, the ransomware Wannacry has only generated about $35,000 for its designers. Most companies have not paid up.”

Technical evangelist Sébastien Gest summarizes what Vade has seen of these attacks from the viewpoint of its 24/7 threat centers that monitor 400 million email boxes worldwide.

Jaff

The Jaff ransomware attack was first detected on Thursday, May 11. Within 48 hours, the Vade filter detected 633,920 emails carrying Jaff. The lure is a PDF attachment with a macro-enabled Word document (.docm) embedded inside it. When the .docm file is opened and its macro is allowed to run, the macro downloads the ransomware payload, which then starts encrypting the files on the infected machine. According to our analysis, Jaff shares many traits with Locky and is essentially a mutation of Locky that has been re-engineered to get past email filters.

Jaff uses email as its primary propagation vector. Vade successfully blocks this attack, but many email filters did not catch it in the first 48 hours of the attack.

The Jaff attacks follow the same process for encrypting files and demanding payment as Locky. Each malicious email carries a “clean” PDF; the PDF contains an embedded MS Word document, which in turn uses a macro to download and launch the main ransomware payload. This two-stage packaging fools most email filters: the PDF itself contains no exploit, so it is allowed through unless the filter already has a signature for that specific file to blacklist.
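A filter that wants to catch this packaging has to look inside the PDF rather than at its extension. The following Python script is an added example (it is neither Vade's code nor anything taken from the Jaff campaign): it builds a constructed sample PDF carrying an embedded macro-enabled Word file, then scans the PDF for /Filespec and /EmbeddedFile objects and flags attachments either by a macro-enabled extension or, more robustly, by the presence of a vbaProject.bin inside the embedded zip, so that a renamed .docm is still caught. The hand-rolled PDF parsing assumes simple, unencrypted, uncompressed objects; a production filter would use a real PDF parser for the same check.

```python
import io
import re
import zipfile

# Office extensions that can carry VBA macros. Flagging on extension alone is weak
# (an attacker can rename the file), so the embedded content is inspected as well.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xlsb", ".pptm", ".ppsm")

# /Filespec dictionaries name the attachment (/F) and point at the /EmbeddedFile
# stream via /EF << /F n 0 R >>. Assumes plain, unencrypted, uncompressed objects.
FILESPEC_RE = re.compile(
    rb"/Type\s*/Filespec.*?/F\s*\(([^)]*)\).*?/EF\s*<<\s*/F\s*(\d+)\s+0\s+R", re.S)


def build_docm_with_macro() -> bytes:
    """Constructed sample: a minimal OOXML-style zip with a VBA container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)  # presence is what matters here
    return buf.getvalue()


def build_pdf_with_attachment(name: str, payload: bytes) -> bytes:
    """Constructed sample: a minimal PDF whose only content is one embedded file."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles "
        b"<< /Names [(" + name.encode() + b") 4 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(payload)
        + payload + b"\nendstream",
        b"<< /Type /Filespec /F (" + name.encode() + b") /EF << /F 3 0 R >> >>",
    ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def embedded_files(pdf: bytes):
    """Yield (filename, raw_bytes) for every /Filespec -> /EmbeddedFile pair."""
    for spec in FILESPEC_RE.finditer(pdf):
        name = spec.group(1).decode("latin-1")
        obj_num = int(spec.group(2))
        # Locate "n 0 obj ... stream\n" for the referenced stream object.
        header = re.search(rb"(?<![0-9])%d 0 obj(.*?)stream\r?\n" % obj_num, pdf, re.S)
        if not header:
            continue
        length = re.search(rb"/Length\s+(\d+)", header.group(1))
        if not length:
            continue
        start = header.end()
        yield name, pdf[start:start + int(length.group(1))]


def has_vba_project(blob: bytes) -> bool:
    """True if blob is a zip (OOXML) that contains a VBA macro container."""
    if not blob.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def scan_pdf(pdf: bytes) -> list:
    """Return one finding per attachment that looks like a macro-enabled Office file."""
    findings = []
    for name, blob in embedded_files(pdf):
        by_ext = name.lower().endswith(MACRO_EXTENSIONS)
        by_content = has_vba_project(blob)
        if by_ext or by_content:
            findings.append({"name": name, "macro_ext": by_ext, "vba_project": by_content})
    return findings


if __name__ == "__main__":
    sample = build_pdf_with_attachment("invoice.docm", build_docm_with_macro())
    for finding in scan_pdf(sample):
        print("suspicious attachment:", finding)
```

The content check is the one that matters: renaming the embedded file to notes.txt defeats the extension test but not the vbaProject.bin test, and a PDF whose attachment is plain text produces no finding at all.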

“Wannacry” (Initially Called Ransom.CryptXXX)

Based on our teams' analysis, we cannot say with certainty whether the initial propagation vector of the Wannacry ransomware was email, or whether email is only being used to distribute it in a second wave.

According to our observations, the first wave appears to have used a flaw in version 1 of the Windows SMB protocol. Some confusion about the malware was caused by the Wannacry and Jaff campaigns running at the same time.

Wannacry history:

On April 14, 2017, the hacker group “Shadow Brokers” released a set of computer espionage tools belonging to the entity known as “The Equation Group”, which is believed to be linked to the NSA. The tools target banking infrastructure and, specifically, Microsoft Windows operating systems from Windows XP through Windows 8, as well as the Windows Server versions used by companies.

Wannacry method of propagation:

This ransomware propagates through the SMB v1 (Server Message Block) protocol on machines that were not patched at the time of the attack. Microsoft had released fixes for the affected Windows Server and Windows desktop versions in March 2017 (MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) and, after the outbreak, extended them to versions no longer in support, such as Windows XP.

What is SMB?

The SMB protocol is a resource-sharing protocol used to share files and printers over a network. It is enabled almost everywhere in corporate networks, which explains how quickly this attack spread.

How does Wannacry behave?

1. The ransomware is first installed on a vulnerable machine through the SMB v1 flaw disclosed in the NSA leak: the ETERNALBLUE exploit plants the DOUBLEPULSAR kernel backdoor, and that backdoor is then used to load the ransomware.

2. In a second step, the ransomware scans the internal network of the infected machine (as well as random Internet addresses) for other hosts reachable on TCP port 445 and repeats the same exploit against each one, which is what makes it a worm.

3. Finally, the ransomware enumerates the storage volumes of the machine (C:\, D:\ and so on) and encrypts files carrying the following extensions, among others:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .mdb, .ps, .cpp, .c, .cs, .subs, .sdb, .db, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .ot, .od, .sop, .spx, .3d, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, and .der

4. Once the files are encrypted, a ransom of $300, payable in bitcoin, is demanded.
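The sweep in step 2 is visible in firewall or flow logs well before any signature matches the payload: one internal host suddenly opens TCP/445 connections to many distinct neighbours within a short time. The following Python script is an added example (not Vade's code and not derived from the malware): it runs a simple sliding-window detection over constructed log lines in an assumed key=value format and flags any source that contacts a threshold of distinct SMB targets within the window, while leaving alone a host that legitimately hits the same file server over and over. The log format, thresholds and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format (constructed for this example): ISO timestamp, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)")

# Constructed sample log. 10.0.0.5 sweeps 12 neighbours on 445 in 22 seconds (worm-like);
# 10.0.0.9 talks to a single file server repeatedly (normal); 10.0.0.7 touches three
# hosts over half an hour (normal); the final port-80 line must be ignored entirely.
SAMPLE_LOG = [
    f"2017-05-12T10:00:{s:02d}Z src=10.0.0.5 dst=10.0.0.{d} dport=445 proto=tcp"
    for s, d in zip(range(0, 24, 2), range(20, 32))
] + [
    f"2017-05-12T10:0{m}:00Z src=10.0.0.9 dst=10.0.0.100 dport=445 proto=tcp"
    for m in range(6)
] + [
    f"2017-05-12T10:{m:02d}:00Z src=10.0.0.7 dst=10.0.0.{d} dport=445 proto=tcp"
    for m, d in ((0, 40), (15, 41), (30, 42))
] + ["2017-05-12T10:00:05Z src=10.0.0.5 dst=10.0.0.1 dport=80 proto=tcp"]


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"].lower()}


def detect_smb_sweeps(lines, window_s: int = 60, min_targets: int = 10) -> dict:
    """Map each source that contacts >= min_targets distinct hosts on TCP/445 within
    any window_s-second window to the largest number of distinct targets observed."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["dport"] == 445:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        right = 0
        for left in range(len(events)):
            # Slide the right edge forward while it stays within window_s of the left edge.
            while right < len(events) and events[right][0] - events[left][0] <= window_s:
                right += 1
            distinct = {dst for _, dst in events[left:right]}
            if len(distinct) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, n in detect_smb_sweeps(SAMPLE_LOG).items():
        print(f"possible SMB worm sweep from {src}: {n} distinct targets on 445")
```

Counting distinct destinations rather than raw connection attempts is what keeps the file-server client out of the alerts; the same host would trip a naive "more than N connections to 445" rule. The window and threshold need tuning per network, since scanners, backup agents and inventory tools legitimately touch many hosts on 445.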

Analysis by Vade established that three bitcoin addresses are hard-coded in the ransomware:

https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Command-and-control endpoints have also been identified as hidden services on the Tor network:

gx7ekbenv2riucmf.onion

57g7spgrzlojinas.onion

xxlvbrloxvriy2c5.onion

76jdd2ir2embyv47.onion

cwwnhwhlz52maqm7.onion
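Before these indicators go into a blocklist or a SIEM watchlist it is worth checking that they are well-formed, because a single mistyped character yields an indicator that silently never matches. The following Python script is an added example (not Vade's code): it validates the three bitcoin addresses above as Base58Check-encoded pay-to-pubkey-hash addresses (the double-SHA-256 checksum catches transcription errors) and the five hidden-service names as 16-character v2 onion addresses, and sorts a list of indicators accordingly. The indicator values are copied from this page; nothing here contacts the blockchain or the Tor network.

```python
import hashlib
import re

# Indicators listed above on this page (bitcoin addresses and Tor hidden services).
WANNACRY_BTC = [
    "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94",
    "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
    "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn",
]
WANNACRY_ONION = [
    "gx7ekbenv2riucmf.onion",
    "57g7spgrzlojinas.onion",
    "xxlvbrloxvriy2c5.onion",
    "76jdd2ir2embyv47.onion",
    "cwwnhwhlz52maqm7.onion",
]

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# v2 onion names are 16 base32 characters (a-z, 2-7); v3 names are 56 characters long.
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}\.onion$")


def base58check_decode(text: str):
    """Decode Base58Check. Return (version_byte, payload) or None if the string is
    not valid Base58, does not decode to 25 bytes, or fails the double-SHA-256 checksum."""
    n = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return None
        n = n * 58 + digit
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a leading 0x00 byte that the integer form drops.
    leading_zeros = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * leading_zeros + raw
    if len(raw) != 25:
        return None
    body, checksum = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != checksum:
        return None
    return body[0], body[1:]


def is_p2pkh_address(text: str) -> bool:
    """Mainnet pay-to-pubkey-hash addresses carry version byte 0x00 (they start with '1')."""
    decoded = base58check_decode(text)
    return decoded is not None and decoded[0] == 0


def is_onion_v2(name: str) -> bool:
    return bool(ONION_V2_RE.match(name))


def triage(indicators) -> dict:
    """Classify each indicator; malformed ones are reported rather than silently dropped."""
    result = {}
    for ioc in indicators:
        ioc = ioc.strip()
        if is_p2pkh_address(ioc):
            result[ioc] = "btc-p2pkh"
        elif is_onion_v2(ioc.lower()):
            result[ioc] = "onion-v2"
        else:
            result[ioc] = "malformed"
    return result


if __name__ == "__main__":
    # The last entry is the first address with its final character altered: the checksum rejects it.
    for ioc, kind in triage(WANNACRY_BTC + WANNACRY_ONION
                            + ["13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb95"]).items():
        print(f"{kind:10s} {ioc}")
```

Base58Check is what makes the bitcoin check meaningful: the four-byte checksum means any single-character slip in an address (the kind introduced when indicators are copied from a PDF or a screenshot) is rejected rather than quietly loaded as a watchlist entry that will never fire.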

According to Vade's analysis (which confirms estimates published yesterday), as of Sunday, May 14, 2017, at 20:30 the three addresses had received 20.17 bitcoins, or about $35,000, across roughly 100 transactions.

What is the impact of the Wannacry attack?

This attack reportedly infected 209,653 machines in 99 countries. Hospitals, universities, transport infrastructure, and ATMs have been among the victims. FedEx in the United States, the British National Health Service (NHS), and the Spanish operator Telefonica have all been affected. In France, the Renault plant in Sandouville was shut down so that the company could regain control of its production systems.

Many variants have surfaced already.

How can you protect your organization from Jaff and Wannacry attacks?

  • Apply the MS17-010 update and keep your operating systems at the latest patched version. This attack demonstrates once again how important these updates are.
  • Block the SMB ports at the perimeter so that they are not reachable from the Internet (TCP ports 137, 139, and 445 and UDP ports 137 and 138), and disable the SMB v1 protocol on every host. Perimeter blocking alone does not stop the worm once it is inside the network, which is why disabling SMB v1 and patching matter on internal machines too.
  • Use a file backup solution, and keep at least one copy that an infected machine cannot reach or write to; test restoring from it before you need it.
  • Use an effective filtering tool against phishing, malware, and ransomware attacks. Many common email filtering tools will not protect your organization from the initial outbreak of an attack like Jaff, which is a repackaged variant of a known threat. Consider an email security solution that protects against both known and unknown malware.