W32/WannaCryptor.D!tr.ransom
Analysis
W32/WannaCryptor.D!tr is a generic detection for a variant of the WannaCryptor ransomware. It has the capability to encrypt a wide array of files. It appends encrypted files with the ".wncry" extension and displays a message window with instructions on how users can recover their files. Since this is a generic detection, files that are detected as W32/WannaCryptor.D!tr may have varying behaviour. For more information, please refer to the description for W32/WannaCryptor!tr.
Below are the behaviors that this variant exhibits:
- It connects to the following domain:
- iuqer{Removed}.com
- It executes itself again as the service "mssecv2.0" with the name "Microsoft Security Center (2.0) Service" and with the parameter "-m security".
- It drops the file "C:\WINDOWS\tasksche.exe". This is also detected as W32/WannaCryptor.D!tr.
- It drops the file @WanaDecryptor@.exe into every folder. This is detected as W32/WannaCryptor.E!tr.
- It runs the following command to delete volume shadow copies and backups and to disable startup repair:
- cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
- It runs the following command to change file permissions, granting the Everyone group full control of the current directory tree:
- icacls . /grant Everyone:F /T /C /Q
- It exploits the Microsoft Windows SMB Server Vulnerability, also identified as CVE-2017-0144, which was prominently used in the EternalBlue exploit.
- It encrypts files with the following extensions:
- 123
- 602
- 3dm
- 3ds
- 3g2
- 3gp
- 7z
- accdb
- aes
- ai
- ARC
- asc
- asf
- asm
- asp
- avi
- backup
- bak
- bat
- bmp
- brd
- bz2
- c
- cgm
- class
- cmd
- cpp
- crt
- cs
- csr
- csv
- db
- dbf
- dch
- der
- dif
- dip
- djv
- doc
- docb
- docm
- docx
- dot
- dotm
- dotx
- dwg
- edb
- eml
- fla
- flv
- frm
- gif
- gpg
- gz
- h
- hwp
- ibd
- iso
- jar
- jav
- jpeg
- jpg
- js
- jsp
- key
- lay
- lay6
- ldf
- m3u
- m4u
- max
- mdb
- mdf
- mid
- mkv
- mml
- mov
- mp3
- mp4
- mpeg
- mpg
- msg
- myd
- myi
- nef
- odb
- odg
- odp
- ods
- odt
- onetoc2
- ost
- otg
- otp
- ots
- ott
- p12
- PAQ
- pas
- pem
- pfx
- php
- pl
- png
- pot
- potm
- potx
- ppam
- pps
- ppsm
- ppsx
- ppt
- pptm
- pptx
- ps1
- psd
- pst
- rar
- raw
- rb
- rtf
- sch
- sh
- sldm
- sldm
- sldx
- slk
- sln
- snt
- sql
- sqlite3
- sqlitedb
- stc
- std
- sti
- stw
- suo
- svg
- swf
- sxc
- sxd
- sxi
- sxm
- sxw
- tar
- tbk
- tgz
- tif
- tiff
- txt
- uop
- uot
- vb
- vbs
- vcd
- vdi
- vmdk
- vmx
- vob
- vsd
- vsdx
- wav
- wb2
- wk1
- wks
- wma
- wmv
- xlc
- xlm
- xls
- xlsb
- xlsm
- xlsx
- xlt
- xltm
- xltx
- xlw
- zip
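The host-level behaviors listed above (the shadow-copy and backup deletion chain, the icacls permission change, the "mssecv2.0" service, the dropped tasksche.exe and @WanaDecryptor@.exe files, and the ".wncry" extension) are the indicators a defender would watch for in endpoint telemetry. The following script is an added example, not Fortinet's code: it matches those indicators against process-creation, service-install and file-event log lines. The simplified key=value log format, the field names (event, image, cmdline, service, path) and the sample lines are constructed for the example and are not from the page.

```python
"""Added example (not Fortinet's code): flag the WannaCryptor.D host indicators
listed on the page in endpoint log lines.

Assumption (constructed for this example): each log line is 'key=value' or
'key="quoted value"' pairs with fields event, image, cmdline, service, path.
"""
import re

# Regexes derived from the command lines quoted on the page; applied to the
# lowercased command line so case differences in logging do not matter.
CMDLINE_INDICATORS = [
    ("shadow_copy_delete",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("startup_repair_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)")),
    ("backup_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
    ("acl_grant_everyone_full", re.compile(r"icacls(\.exe)?\s+\S+\s+/grant\s+everyone:f")),
    # Weak on its own; it is only meaningful together with the service install.
    ("service_param_m_security", re.compile(r"-m\s+security\b")),
]

DROPPED_FILE_NAMES = {"tasksche.exe", "@wanadecryptor@.exe"}  # from the page
SERVICE_NAMES = {"mssecv2.0"}                                  # from the page
ENCRYPTED_EXTENSION = ".wncry"                                 # from the page

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one constructed key=value log line into a dict of lowercased keys."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key.lower()] = quoted if quoted else bare
    return fields


def classify(line):
    """Return the sorted list of indicator names matched by one log line."""
    f = parse_line(line)
    hits = set()
    event = f.get("event", "").lower()
    cmd = f.get("cmdline", "").lower()
    for name, rx in CMDLINE_INDICATORS:
        if rx.search(cmd):
            hits.add(name)
    if event == "service_install" and f.get("service", "").lower() in SERVICE_NAMES:
        hits.add("service_install_mssecv2.0")
    path = f.get("path", "").lower()
    base = path.rsplit("\\", 1)[-1]          # file name after the last backslash
    if event == "file_create" and base in DROPPED_FILE_NAMES:
        hits.add("dropped_file_" + base)
    if event in ("file_create", "file_rename") and path.endswith(ENCRYPTED_EXTENSION):
        hits.add("wncry_extension")
    return sorted(hits)


def scan_log(text):
    """Return [(line_number, hits)] for every line that matched at least one indicator."""
    results = []
    for number, line in enumerate(text.strip().splitlines(), start=1):
        hits = classify(line)
        if hits:
            results.append((number, hits))
    return results


# Constructed sample telemetry (not real logs); the last line is benign.
SAMPLE_LOG = r"""
event=process_create image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"
event=process_create image="C:\Windows\System32\icacls.exe" cmdline="icacls . /grant Everyone:F /T /C /Q"
event=service_install service="mssecv2.0" cmdline="C:\WINDOWS\tasksche.exe -m security"
event=file_create path="C:\WINDOWS\tasksche.exe"
event=file_create path="C:\Users\alice\Documents\@WanaDecryptor@.exe"
event=file_rename path="C:\Users\alice\Documents\report.docx.WNCRY"
event=process_create image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c dir C:\Users"
"""

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The shadow-copy, bcdedit and wbadmin matches are high-fidelity on their own and are shared with many other ransomware families, so they are worth alerting on regardless of this variant; the "-m security" parameter and the service name are only meaningful when seen together, which is why the script reports indicator names rather than a single verdict and leaves correlation to the caller.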
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
- Download and install the patch for the Microsoft Windows SMB Server Vulnerability at https://technet.microsoft.com/library/security/MS17-010.