Last Friday, May 12th 2017, cyber criminals started to spread a new ransomware. The malicious code was not highly sophisticated: it was using a recently patched SMB bug (MS17-010, also known as ETERNALBLUE) to spread. The remotely exploitable SMB bug was part of an NSA leaks series and affected XP up to Windows Server 2012. Windows 10 is not affected.
We got the sample on Friday around 6 PM, and the initial analysis established the following facts:
- Complex installation behavior
- Installs and uses Tor for communication
- Programmed in C / C++, also uses VBS for some tasks
- Makes recovery impossible
- Encrypts files with AES 2048-bit, appends the extension WNCRYT to encrypted files, and encrypts files everywhere
- Creates a mutex to prevent double infection, the mutex is MsWinZonesCacheCounterMutexA0
- Has a kill switch / anti-sandbox trick to prevent spreading and encryption (left branch: skip; right branch: spreading + encryption). The kill domain is http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. The kill switch does not work with proxies. The kill switch domain was registered by the IT security blogger Malware Tech UK.
- Does not use any anti-debugging or special anti-sandbox tricks
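The three host-observable indicators listed above (the kill-switch domain lookup, the WNCRYT file extension and the infection mutex) are the ones a responder can check for without touching the sample. The following script is an added example, not code from the original post or from the analysts who wrote it: it hunts for the kill-switch lookup in DNS query logs, flags WNCRYT files in a file listing, and, on Windows only, tests whether the mutex already exists on the local host. The DNS log lines and file paths are constructed sample data in an assumed BIND-style query-log format; the leading dot before WNCRYT and the use of the mutex name without a namespace prefix are assumptions, since the post gives only the bare extension and mutex name.

```python
import re
import sys
from typing import List, Optional

# Indicators as given in the write-up above.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
ENCRYPTED_SUFFIX = ".WNCRYT"          # dot assumed; the post lists the bare appendix WNCRYT
MUTEX_NAME = "MsWinZonesCacheCounterMutexA0"  # no namespace prefix given in the post

# Constructed sample DNS query log (BIND-style query log format assumed).
SAMPLE_DNS_LOG = """\
12-May-2017 17:58:01.123 client 10.0.5.17#51234: query: www.example.com IN A + (10.0.0.2)
12-May-2017 17:58:03.456 client 10.0.5.42#49877: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
12-May-2017 17:58:07.789 client 10.0.5.42#49878: query: update.microsoft.com IN A + (10.0.0.2)
12-May-2017 17:59:10.001 client 10.0.5.88#50011: query: WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.0.0.2)
"""

# Constructed sample file listing, e.g. output of a share inventory.
SAMPLE_FILE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\budget.xlsx.WNCRYT",
    r"\\fileserver\share\report.docx.wncryt",
    r"C:\Users\bob\Pictures\holiday.jpg",
]

DNS_QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def hosts_querying_kill_switch(log_text: str) -> List[str]:
    """Return the distinct client IPs that looked up the kill-switch domain.

    The query itself is the indicator: a host only resolves this name when the
    payload has started, regardless of whether the lookup succeeded. Names are
    compared case-insensitively and with any trailing dot removed.
    """
    hits: List[str] = []
    for line in log_text.splitlines():
        match = DNS_QUERY_RE.search(line)
        if not match:
            continue
        name = match.group("name").rstrip(".").lower()
        ip = match.group("ip")
        if name == KILL_SWITCH_DOMAIN and ip not in hits:
            hits.append(ip)
    return hits


def encrypted_files(paths: List[str]) -> List[str]:
    """Return paths carrying the WNCRYT appendix (case-insensitive)."""
    suffix = ENCRYPTED_SUFFIX.upper()
    return [p for p in paths if p.upper().endswith(suffix)]


def wannacry_mutex_present() -> Optional[bool]:
    """On Windows, report whether the infection mutex exists on this host.

    Returns None on other platforms. Uses OpenMutexW with SYNCHRONIZE access,
    which succeeds only if a mutex of that name already exists.
    """
    if sys.platform != "win32":
        return None
    import ctypes  # local import so the module loads on non-Windows hosts
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, MUTEX_NAME)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return False


if __name__ == "__main__":
    print("hosts that resolved the kill switch:", hosts_querying_kill_switch(SAMPLE_DNS_LOG))
    print("files with WNCRYT appendix:", encrypted_files(SAMPLE_FILE_LISTING))
    print("infection mutex present on this host:", wannacry_mutex_present())
```

Because the post notes that the kill switch does not work through proxies, a host behind a proxy may fail to reach the domain and proceed to encrypt even though the DNS query was logged; the query is therefore evidence that the payload ran, not evidence that it stopped.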