The Nuts And Bolts Of WannaCry Ransomware
Cisco's Talos Intelligence Group has a technical write-up of the WannaCry-type ransomware that is causing so much churn this week. Some of the workings of the malware are interesting, if not unique, such as deleting any existing shadow copies on the victim's system.
The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as 'C:/', 'D:/' etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory 'Tor/' into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe and taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user.
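As an added detection-side example (not code from the Talos write-up or this post), the following Python correlates the dropped file names and the shadow-copy deletion described above across constructed process-creation records. The record layout, the file paths and the vssadmin/wmic command forms are assumptions; only the file names come from the text.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation records (not real telemetry).
# Fields: timestamp|ParentImage|Image|CommandLine. Paths are assumptions;
# the last record is a benign Tor Browser launch to show it is not flagged.
SAMPLE_EVENTS = """\
2017-05-12T10:01:02|C:\\Windows\\explorer.exe|C:\\Windows\\tasksche.exe|tasksche.exe /i
2017-05-12T10:01:05|C:\\Windows\\tasksche.exe|C:\\Windows\\taskdl.exe|taskdl.exe
2017-05-12T10:01:06|C:\\Windows\\tasksche.exe|C:\\Windows\\taskse.exe|taskse.exe C:\\Windows\\@WanaDecryptor@.exe
2017-05-12T10:01:07|C:\\Windows\\taskse.exe|C:\\Windows\\@WanaDecryptor@.exe|@WanaDecryptor@.exe
2017-05-12T10:01:08|C:\\Windows\\tasksche.exe|C:\\Windows\\Tor\\tor.exe|tor.exe
2017-05-12T10:01:09|C:\\Windows\\tasksche.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2017-05-12T10:05:00|C:\\Windows\\explorer.exe|C:\\Users\\bob\\Tor Browser\\Tor\\tor.exe|tor.exe
"""

# File names the write-up attributes to the dropper, matched case-insensitively.
DROPPED_COMPONENTS = {"tasksche.exe", "taskdl.exe", "taskse.exe", "@wanadecryptor@.exe"}
# Shadow-copy deletion; the vssadmin/wmic forms are an assumption, the text only
# says existing shadow copies are deleted.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, rule, image) for each suspicious process-creation record."""
    hits = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        parent_name, image_name = basename(parent), basename(image)
        if image_name in DROPPED_COMPONENTS:
            hits.append((ts, "wannacry_component", image_name))
        # tor.exe is legitimate software; flag it only when one of the dropped
        # components launched it, which separates the bundled copy from Tor Browser.
        if image_name == "tor.exe" and parent_name in DROPPED_COMPONENTS:
            hits.append((ts, "bundled_tor_launched", image_name))
        if SHADOW_DELETE.search(cmdline):
            hits.append((ts, "shadow_copy_deletion", image_name))
    return hits

def summarize(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count hits per rule for a quick triage view."""
    counts: Dict[str, int] = {}
    for _, rule, _ in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit)
```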