Since Thursday, May 11, the media has been preoccupied by an unprecedented series of cyber attacks that have crippled companies worldwide. However, it has gone largely unnoticed that these are in fact two very separate waves of attacks.
The first wave, Wannacry, has already infected nearly 210,000 machines in 99 countries. It has received most of the press coverage and propagates primarily as a worm.
The second attack is also massive but has been largely ignored by many press accounts. This is a variant of the famous Locky malware, called Jaff, and it is being primarily distributed by email.
Over 48 hours on May 11 and 12, Vade blocked more than 630,000 emails containing the Jaff ransomware.
Georges Lotigier, CEO of Vade, commented: “Ransomware is back in the spotlight again with a significant global impact. However, there is some good news. According to our estimates, the ransomware Wannacry has only generated about $35,000 for its designers. Most companies have not paid up.”
Technical evangelist Sébastien Gest summarizes what Vade has seen of these attacks from the viewpoint of its 24/7 threat centers that monitor 400 million email boxes worldwide.
The Jaff ransomware attack was detected on Thursday, May 11. Within 48 hours, the Vade filter detected 633,920 emails containing the Jaff ransomware. This ransomware uses a .docm file embedded in a PDF file. When the .docm file is opened, a macro downloads the malicious payload and starts encrypting the infected machine. According to our analysis, Jaff shares many similarities with Locky; it is essentially a mutation of the Locky malware, reengineered to get past email filters.
Jaff uses email as its primary propagation vector. Vade successfully blocks this attack, but many email filters did not catch it in the first 48 hours of the attack.
The Jaff attacks follow the same process for encrypting files and demanding payment as Locky. Each malicious email contains a “clean” PDF that drops an MS Word document, which in turn uses a macro to download and activate the main ransomware payload. This staging lets it slip through most email filters unless they have a specific file signature they can blacklist.
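The two-stage carrier described above (a PDF that only holds a macro-enabled Word file) is something a mail gateway can test for without executing anything. The following is an added example, not Vade's code: it scans raw PDF bytes for file specifications naming a macro-enabled Office attachment, and checks an OOXML document for a VBA project part. The sample PDF and .docm are constructed inline.

```python
from __future__ import annotations
import io
import re
import zipfile

# Macro-enabled Office extensions a PDF carrier would hand off to (assumed list).
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")

# PDF file specifications carry the attachment name as "/F (name)" or "/UF (name)".
_FILESPEC_RE = re.compile(rb"/(?:F|UF)\s*\(([^)]*)\)")


def embedded_filenames(pdf_bytes: bytes) -> list[str]:
    """Names of files attached to a PDF, found by a raw byte scan (no PDF parser)."""
    if b"/EmbeddedFile" not in pdf_bytes and b"/Filespec" not in pdf_bytes:
        return []
    names: list[str] = []
    for m in _FILESPEC_RE.finditer(pdf_bytes):
        name = m.group(1).decode("latin-1")
        if name and name not in names:
            names.append(name)
    return names


def pdf_carries_macro_doc(pdf_bytes: bytes) -> list[str]:
    """Attachment names whose extension is macro-enabled; empty list means clean."""
    return [n for n in embedded_filenames(pdf_bytes) if n.lower().endswith(MACRO_EXTENSIONS)]


def office_doc_has_vba(doc_bytes: bytes) -> bool:
    """True if an OOXML document (.docm, .xlsm, ...) contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


# Constructed sample: a minimal PDF whose only content is an attached invoice.docm.
SAMPLE_PDF = (b"%PDF-1.7\n"
              b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
              b"2 0 obj << /Names [(invoice.docm) 3 0 R] >> endobj\n"
              b"3 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm) "
              b"/EF << /F 4 0 R >> >> endobj\n"
              b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
              b"%%EOF\n")


def build_sample_docm(with_vba: bool) -> bytes:
    """Constructed OOXML zip, optionally carrying a (dummy) word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

A gateway rule built on this would quarantine a PDF for which `pdf_carries_macro_doc` is non-empty, and a Word attachment for which `office_doc_has_vba` is true, regardless of signature matches.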
Following the analysis of our teams, we cannot say with certainty if the initial propagation vector of the ransomware Wannacry was email or if it is being distributed in this fashion as a second wave.
According to our observations, the first wave seems to have used a flaw in version 1 of the Windows SMB protocol. Some confusion about the malware was caused by the simultaneous attacks of the Wannacry and Jaff ransomware.
On April 14, 2017, the hacker group “Shadow Brokers” disclosed a set of computer espionage tools belonging to the entity “The Equation Group”, which is reportedly linked to the NSA. These tools target banking infrastructures and, specifically, Microsoft Windows operating systems from Windows XP to Windows 8, as well as the Windows Server versions used by companies.
This ransomware propagates through the SMB v1 (Server Message Block) protocol on machines that were unpatched at the time of the attack. Microsoft has since released fixes for the Windows Server and Windows Desktop versions (MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).
The SMB protocol is a resource-sharing protocol for sharing printers or files over a network. It is widely used by companies, which explains the strong spread of this attack.
1. The ransomware initially propagates by installing a backdoor module (called DOUBLEPULSAR), using the disclosed NSA flaw.
2. In a second step, the ransomware searches the infected machine's internal network for vulnerable machines (module called ETERNALBLUE) and propagates to them by the same process.
3. Finally, the ransomware walks storage volumes such as "C:\" and "D:\" and encrypts files with the following extensions:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .mdb, .ps, .cpp, .c, .cs, .subs, .sdb, .db, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .ot, .od, .sop, .spx, .3d, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, and .der.
4. Following the infection, a ransom of $300 in bitcoin is demanded.
Analysis by Vade established that three addresses are present in the ransomware code:
https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Attack control centers have also been identified on nodes of the TOR network:
gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion
According to Vade analysis (confirming estimates published yesterday), the payment volume received as of Sunday, May 14, 2017, at 20:30 was 20.17 bitcoins, or about $35,000 across 100 transactions.
This attack reportedly infected 209,653 machines in 99 countries. Hospitals, universities, transport infrastructure, and cash dispensers have been the victims of this attack. FedEx in the United States, the British healthcare system NHS, and the Spanish operator Telefonica have all been affected. In France, the Renault plant in Sandouville was put out of operation in order to regain control of its production tools.
Many variants have surfaced already.