WannaCry is not a thing of the past, but surfaces as a different and serious threat of data leakage.  Recently, NTT has found that WannaCry mutants were accidently generated and contained internal data, such as user credentials, of infected computers.  If the mutants are in the wrong hands, the data will be abused in many ways.  By analyzing 861 WannaCry mutant binaries, we confirmed that they contained the data of infected computers, including the NTFS master file table and the payloads transferred in web transactions.  This investigation was led by Makoto Iwamura, a distinguished security researcher at NTT Secure Platform Laboratories.  

Let’s look back at the WannaCry outbreak in 2017.  WannaCry is ransomware with worm-like spreading capabilities that brought massive damage worldwide in May 2017. It was reported that more than 300,000 computers in 150 countries were infected, and approximately 60,000 mutants of the original malware were found in three months. 

Makoto wondered why there were so many mutants considering that WannaCry was not designed to spontaneously mutate itself.  Since the outbreak, the mechanisms and capabilities of WannaCry have been well analyzed yet no one has found such self mutating capabilities in WannaCry.  The mystery was bugging Makoto day and night.  Finally, Makoto and the team started investigating how the WannaCry mutants were spawned. The investigation unexpectedly led them to “inconvenient truth”, which is that the mutants contained the data being processed in infected computers.  

More specifically, the binaries of the mutants contain the victim’s data being processed on the memory space of her/his computer and they were not encrypted.  If attackers get the binaries through, for example, binary sharing portals and honeypots, they may obtain the victim’s internal data unencrypted.  The data may not be critical but may be so, such as user credentials, because mutants came to existence not by design but rather by accident.  To make the matter worse, WannaCry and its mutants act as “worm”, which is still spreading across the globe.  Your data may end up residing at every corner of the internet.

How does this happen?  Through painstaking and thorough investigation, the team discovered that, under a specific condition, the uninitialized area of the kernel memory of an infected computer was mixed into the binaries of WannaCry.  This is because DoublePulsar, backdoor malware, operating in kernel mode does not properly process the payload received from WannaCry. Conveniently (or inconveniently), the existence of this special condition not only explains the mutation of WannaCry but also implies leakage of confidential data triggered by infection with WannaCry. Also the team found that the mutation disabled the encryption function of original WannaCry – remember WannaCry is ransomware designed to encrypt your data! All in all, secretly the unencrypted confidential data may be spread all over the world along with the mutants.

To avoid the aftermath of the mutants, we strongly recommend to change credentials, such as passwords, private keys and API keys if your computers were infected by WannaCry and/or its mutants.  Lessons learned from this investigation are:

  • The analysis of malware by its own is not enough however thorough it is.  If you are lucky, you can dictate what attackers intend to do with malware, but not real impacts it may cause beyond their intention. 
  • Treat malware binaries even more carefully. Malware binaries may include confidential data.
  • Follow your curiosity and it may lead you to new discovery. Do not let mystery stand.

For further details, please visit https://www.slideshare.net/secret/8zVq5ki2An47la