The most dreadful events of all times in the history of ransomware attacks that actually make youths aware of the fact what actually ransomware is and what amount of damage it cause is the WannaCry ransomware. This attack took place around three years ago and targetted systems which are using windows as their OS. Although, earlier we saw a large number of attacks taking place, but this attack is one of those that is being even remembered by other ransomware operators to launch their campaign.
One important fact about this vulnerability is that this attack use Eternal Blue vulnerability to exploit the organization’s intranet and spread the ransomware in every system. This Eternal Blue vulnerability lies in the SMB server of a particular network and because SMB server is used to exchange files in a network, every system in that network will connect to it using SMB protocol, thus hackers take the advantage of this fact and exploit this vulnerability and spread the ransomware. Very soon after this vulnerability was discovered, Microsoft released the patch after one month and alert its users to update with the vulnerability. Do you think every system who is infected, still after 3 years, all have been updated?
The answer is NO! Researchers from Tencent Security have investigated an attack by Tellyouthepass ransomware operators which are exactly spreading there malware as done by the WannaCry ransomware operators. Let’s analyze the attack
ANALYSIS OF THE ATTACK
The system in the network who is infected with this ransomware, first receive a compressed exe which upon decompressing has four different files in it namely:
- awindows_privilege.exe
- debug.exe
- lantools_exp.exe
- run_update.bat
In all of the above files mentioned above, run_update.bat is a script which will further let awindows_privilege.exe and lantools.exe come in action. The awindows_privilege is simply an exploit program for the ms16-032 kernel privilege escalation vulnerability. This will let the attacker to gain more administrative access to the system and deploy rootkits to the victim’s system so that he can cause more damage to the system and maintain a stable connection with the system.
The lantools_exp.exe is that exploit which helps WannaCry ransomware operators which is an exploit of Eternal Blue Vulnerability. This will exploit the vulnerable SMB servers and let the main virus spreads into the network.
The final debug.exe is again a compressed exe which which upon decompressing have two files
- debug.bat
- winedebug.exe
debug.bat is the script which will first executed and run the winebebug.exe. This winedebug.exe is the actual Tellyouthepass ransomware written in go language.
As the virus executes, it generates a pair of RSA-1024 local key pair to encrypt the files. Then it uses a RSA-2048 Public Key to encrypt the the local keys.
Finally, after the encryption is done, a ransom note is left in the victim’s system which is describing a method to decrypt the files and demanding a ransom in BTC. The ransom note:
CONCLUSION
There are many organization and agencies which are still vulnerable to this kind of mass attack. This type of an attack can easily shut down any organization and cause a great amount of loss to it. It is recommended that organizations to patch their loopholes soon to prevent any mass attack due to these vulnerabilities.