WannaCry: Evolving History from Beta to 2.0
By Kyle Yang | Mon, 15 May 2017 07:12:56 -0700
The WannaCry malware was responsible for a massive outbreak that affected organizations and systems around the world. FortiGuard Labs has been monitoring this malware carefully. We have provided an analysis of this attack, along with how to protect your organization, here. In this blog post I'll briefly describe some of the distinct characteristics of each version of this malware, from the beta to the latest 2.0 version, and share some interesting findings.
Beta Version:
We discovered this beta version around Feb 9th, 2017. The author's basic idea was to encrypt the "important" files (including files on SMB shared folders) using AES-128. The file encryption routine is almost the same as in the later versions, except for the encrypted file format. It didn't have any propagation method yet.
Bitcoin wallet address:
1G7bggAjH8pJaUfUoC9kRAcSCoev6djwFZ
Tor:
rphjmypwmfvx6v2e.onion
The encrypted file format is the following:
DWORD – 0x8F701CD3, magic header
DWORD – key_length
BYTE[key_length] – AES key encrypted with RSA
QWORD – encrypted_data_length
BYTE[encrypted_data_length] – encrypted data
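As an added example, not code from the post or from FortiGuard, here is a small Python parser for this beta layout, the kind of thing a responder would use to triage recovered files. It assumes little-endian field encoding (the post does not state this), and the sample file it parses is constructed here.

```python
import struct

MAGIC = 0x8F701CD3  # magic header from the beta-version file format (from the post)


def parse_beta_encrypted_file(blob: bytes) -> dict:
    """Parse the beta encrypted-file layout: DWORD magic, DWORD key_length,
    BYTE[key_length] RSA-encrypted AES key, QWORD encrypted_data_length,
    BYTE[encrypted_data_length] ciphertext. Little-endian is an assumption.
    Raises ValueError on a wrong magic or a truncated file."""
    if len(blob) < 8:
        raise ValueError("too short for magic + key_length")
    magic, key_len = struct.unpack_from("<II", blob, 0)
    if magic != MAGIC:
        raise ValueError(f"bad magic 0x{magic:08X}")
    off = 8
    if len(blob) < off + key_len + 8:
        raise ValueError("truncated key or missing data-length field")
    enc_key = blob[off:off + key_len]
    off += key_len
    (data_len,) = struct.unpack_from("<Q", blob, off)
    off += 8
    if len(blob) < off + data_len:
        raise ValueError("truncated ciphertext")
    ciphertext = blob[off:off + data_len]
    return {"key_length": key_len, "encrypted_key": enc_key,
            "data_length": data_len, "ciphertext": ciphertext,
            "trailing_bytes": len(blob) - off - data_len}


def build_sample(enc_key: bytes, ciphertext: bytes) -> bytes:
    """Build a file in the same layout; used only to construct test input."""
    return (struct.pack("<II", MAGIC, len(enc_key)) + enc_key
            + struct.pack("<Q", len(ciphertext)) + ciphertext)


def looks_like_beta_sample(blob: bytes) -> bool:
    """Cheap triage check: does the file start with the beta magic header?"""
    return len(blob) >= 4 and struct.unpack_from("<I", blob, 0)[0] == MAGIC


# Constructed sample: a 128-byte stand-in for the RSA-encrypted key and
# placeholder ciphertext (no real key material or WannaCry file is used).
SAMPLE = build_sample(bytes(range(128)), b"constructed ciphertext bytes")

if __name__ == "__main__":
    parsed = parse_beta_encrypted_file(SAMPLE)
    print(parsed["key_length"], parsed["data_length"], parsed["trailing_bytes"])
```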
WannaCry 1.0
We found this version around Mar 28th, 2017. It has some improvements over the beta version, including:
Password-protected compressed resources; the encryption routine packaged as a single (encrypted) payload; an updated encrypted file format; an attempt to access files on SMB shared folders using a hardcoded dictionary; the Tor download link moved into the cfg file; and a changed hardcoded RSA key.
Bitcoin wallet address:
1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Tor:
sqjolphimrr7jqw6.onion
WannaCry 2.0
The most critical improvement was that it included a propagation method.
Bitcoin wallet address:
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Tor:
gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion
During this investigation, I found that the author tried to hide some information not related to this malware in the config file, c.wry.
So, let's go through c.wry backwards.
What you can see in the highlighted lines from these screenshots is that the author is trying to remove data containing some information related to the host, which could possibly have generated this config file. And from the last one, you can see the data "KDMS/bitu.skaria". KDMS is the name of a known hacker group. Is the name of the author Bitu Skaria? I'll keep looking and keep you posted.