The WannaCry Ransomware Uproar


Recently the cyber world has been hit by a massive new piece of malware: the WannaCry ransomware. It has reportedly been detected spreading in some 90 countries. Victims abroad include various hospitals in the USA, several banks in Russia, the railway computer network in Germany, and others. Even Queen Elizabeth's country (England) has become a target of the attack. What about Indonesia? The infections reported in Indonesia so far are a number of hospital computers and several computers in regional government offices. Kominfo (the Ministry of Communication and Informatics) even issued a press release about this malware on this public holiday.

This malware works by encrypting the files on the victim's computer, so our files can no longer be opened. An analogy: it is as if the malware zipped our files and then put a password on the archive. To get that password we first have to pay a ransom to the criminals who made the malware. Malware of this type is called ransomware.

WannaCry infects through phishing email. So if we receive a suspicious email containing an attachment or a link to a website, it is best not to open it. Besides that, it can spread over SMB (the file-sharing protocol). So if one computer is infected with this malware, it can spread to every computer on the network.

Prevention

According to Microsoft, almost every version of Windows except Windows 10 is vulnerable to this ransomware. Microsoft has also released an update to address the problem. There are several preventive steps that can be taken to avoid infection by this malware:
  • Install MS17-010 Patch
  • Disable SMBv1
  • Block Ports 139/445 & 3389
Instructions for installing the MS17-010 patch can be found at the following link:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Instructions for disabling SMBv1 can be found at the following link:
https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

A full write-up on this malware can be found at the following site (which even includes malware samples):

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.
SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Microsoft first patch for XP since 2014: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Infections

Malware samples

Binary blob in PE crypted with pass 'WNcry@2ol7', credits to ens!
Essentially the full known catalogue of samples. Credit to errantbot and @codexgigassys.

Informative Tweets

Cryptography details

  • Each infection generates a new RSA-2048 keypair.
  • The public key is exported as blob and saved to 00000000.pky
  • The private key is encrypted with the ransomware public key and saved as 00000000.eky
  • Each file is encrypted using AES-128-CBC, with a unique AES key per file.
  • Each AES key is generated with CryptGenRandom.
  • The AES key is encrypted using the infection specific RSA keypair.
The RSA public key used to encrypt the infection specific RSA private key is embedded inside the DLL and owned by the ransomware authors.
Even more in-depth RE information by cyg_x1: https://pastebin.com/aaW2Rfb6

Bitcoin ransom addresses

3 addresses hard coded into the malware.

C&C centers

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Languages

All language ransom messages available here: https://transfer.sh/y6qco/WANNACRYDECRYPTOR-Ransomware-Messages-all-langs.zip
m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

File types

There are a number of files and folders wannacrypt will avoid. Some because it's entirely pointless and others because it might destabilize the system. During scans, it will search the path for the following strings and skip over if present:
  • "Content.IE5"
  • "Temporary Internet Files"
  • " This folder protects against ransomware. Modifying it will reduce protection"
  • "\Local Settings\Temp"
  • "\AppData\Local\Temp"
  • "\Program Files (x86)"
  • "\Program Files"
  • "\WINDOWS"
  • "\ProgramData"
  • "\Intel"
  • "$"
The filetypes it looks for to encrypt are:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
Credit herulume, thanks for extracting this list from the binary.
More details came from https://pastebin.com/xZKU7Ph1, thanks to cyg_x11.

Some other interesting strings

BAYEGANSRV\administrator Smile465666SA wanna18@hotmail.com
credit: nulldot https://pastebin.com/0LrH05y2

Encrypted file format

<64-bit signature>        - WANACRY!
<32-bit key length>       - 256 for 2048-bit keys, cannot exceed 4096-bits
<encrypted AES key>       - 256 bytes if keys are 2048-bits
<32-bit value>            - unknown
<64-bit file size>        - returned by GetFileSizeEx
<encrypted data>          - with custom AES-128 in CBC mode
Credit for reversing this file format info: cyg_x11
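As an added example, not part of the blog post or of the gist it quotes, here is a triage parser for this container written from the table above; it assumes the integer fields are little-endian (as native Win32 code would write them) and exercises itself on a constructed sample rather than a real encrypted file:

```python
import struct
from typing import Optional

# Fixed-size pieces of the WANACRY! container described in the table above.
MAGIC = b"WANACRY!"            # 64-bit signature
MAX_KEY_BYTES = 4096 // 8      # "cannot exceed 4096-bits"
HEAD_FMT = "<8sI"              # signature, 32-bit key length (little-endian assumed)
TAIL_FMT = "<IQ"               # 32-bit unknown value, 64-bit original file size


def parse_wannacry_header(blob: bytes) -> Optional[dict]:
    """Return the header fields of a WANACRY!-format file, or None if the
    blob does not follow the layout (wrong signature, impossible key length,
    or too short to hold the header)."""
    head_len = struct.calcsize(HEAD_FMT)
    if len(blob) < head_len:
        return None
    signature, key_len = struct.unpack_from(HEAD_FMT, blob, 0)
    if signature != MAGIC or key_len == 0 or key_len > MAX_KEY_BYTES:
        return None
    tail_off = head_len + key_len
    data_off = tail_off + struct.calcsize(TAIL_FMT)
    if len(blob) < data_off:
        return None
    unknown, original_size = struct.unpack_from(TAIL_FMT, blob, tail_off)
    ciphertext = blob[data_off:]
    return {
        "rsa_key_bits": key_len * 8,          # 256 bytes -> 2048-bit infection key
        "encrypted_aes_key": blob[head_len:tail_off],
        "unknown": unknown,
        "original_size": original_size,
        "ciphertext_len": len(ciphertext),
        # CBC output cannot be shorter than the plaintext; if it is, the file is cut off
        "truncated": len(ciphertext) < original_size,
    }


def build_sample(original_size: int, key_bytes: int = 256, unknown: int = 0) -> bytes:
    """Constructed test vector laid out per the table (filler bytes, not real
    key or ciphertext material), used to exercise the parser offline."""
    fake_wrapped_key = b"\xaa" * key_bytes
    fake_ciphertext = b"\x55" * ((original_size + 15) // 16 * 16)  # whole AES blocks
    return (struct.pack(HEAD_FMT, MAGIC, key_bytes) + fake_wrapped_key
            + struct.pack(TAIL_FMT, unknown, original_size) + fake_ciphertext)


if __name__ == "__main__":
    info = parse_wannacry_header(build_sample(1000))
    print(info["rsa_key_bits"], info["original_size"], info["ciphertext_len"])
```

Run over a directory of suspect files, the `original_size` field gives the pre-encryption size of each victim file and `truncated` flags copies that were cut off mid-write, both useful when scoping an incident.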

Vulnerability disclosure

The specific vulnerability that it uses to propagate is ETERNALBLUE.
This was developed by "equation group" an exploit developer group associated with the NSA and leaked to the public by "the shadow brokers". Microsoft fixed this vulnerability March 14, 2017. They were not 0 days at the time of release.


Analysis of this malware according to McAfee
Other analysis according to Cisco Talos

Note: Do not switch on your office PC tomorrow morning.... Take the preventive steps first.

Source: https://gist.githubusercontent.com
