5. The Increasing Malware Threat (McAfee Foundstone Services)
§ Today the malware threat is increasing, and a lot of stolen data is sold on underground markets.
§ Malware is the new weapon of many kinds of actors:
  § Governments
  § Spies
  § Hacktivists
  § Mafia
  § Even kids
§ The challenge is huge for attackers and defenders alike.
6. Introduction: The Increasing Ransomware Threat
§ Ransomware is an increasing threat.
§ The first ransomware was essentially scareware (without encryption).
§ Today ransomware is more powerful: it encrypts your data with a solid algorithm and may even use exploit code.
§ WannaCry received wide media coverage because of its automated, quick spreading.
8. WannaCry Presentation
§ WannaCry is ransomware that hit the world in May 2017.
§ It combined ransomware capabilities with worm techniques to spread automatically across the network.
§ The worm exploits a vulnerability in SMB that had previously been discovered by the NSA (Equation Group).
§ More than 230,000 computers in over 150 countries were infected.
§ Big companies like the NHS, FedEx and Renault were impacted by it.
12. The Story about the Exploit Code: The Shadow Brokers
§ The Shadow Brokers is a hacker group that first appeared in the summer of 2016.
§ They published several leaks containing hacking tools from the National Security Agency, including several zero-day exploits.
§ Their first message appeared in August 2016.
§ The leak with all the zero-days was made publicly available for free on April 15th 2017.
13. The Story about the Exploit Code: The Exploit Code Used by WannaCry
§ WannaCry used the exploit code EternalBlue.
§ EternalBlue exploits a vulnerability in the Server Message Block (SMB) protocol.
§ This vulnerability is tracked as CVE-2017-0144.
§ The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
§ The Windows security update of 14 March 2017 resolved the issue via security bulletin MS17-010.
14. The Story about the Exploit Code: The Exploit Code Used by WannaCry (continued)
§ In addition to the EternalBlue exploit, WannaCry used the DoublePulsar implant.
§ The implant uses a kernel DLL injection technique that gives the attacker full rights on the compromised system.
§ The payload in memory was XORed to remain undetected.
§ The shellcode was then injected directly into lsass.exe.
16. WannaCry Technical Overview: Key Characteristics
§ Uses the MS17-010 "EternalBlue" exploit to spread to other machines through SMB.
§ The malware generates random target IP addresses, not limited to the local network.
§ Hardcoded IP addresses.
§ The payload delivered in the SMB packets is encrypted.
§ The malware dropper contains code to check for two specific domains before executing its ransomware or the network exploit code.
§ Dropper variants do not exhibit this same behavior: no "kill switch", no exploit, and they target mounted network shares.
§ 3 Bitcoin wallets are used to receive payment from victims; the Tor browser is used for anonymous payment.
17. WannaCry Technical Overview: Content
§ The initial file is a password-protected ZIP (password: WNcry@2ol7) containing several other files that are dropped onto the infected system:
  § msg: this folder contains the RTF files with the ransom instructions, in a total of 28 languages.
  § b.wnry: BMP ransom image that the malware uses to replace the desktop background.
  § c.wnry: configuration file containing the target address as well as the Tor communication endpoint information.
  § s.wnry: Tor client used to communicate with the above endpoints.
  § u.wnry: the ransomware's user interface, containing the communication routines and the password validation.
  § t.wnry: "WANACRY!" file containing the default keys.
18. WannaCry Technical Overview: Kill Switch Function
§ WannaCry has a kill switch function that stops the spreading. The dropper checks for these two domains:
  § hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
  § hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
19. WannaCry Technical Overview: How WannaCry Spreads
§ WannaCry spreads across the network by scanning a dynamically generated range of IP addresses.
22. WannaCry Technical Overview: Ransomware Behavior
§ Extract the resource ZIP file XIA with the hardcoded password "WNcry@2ol7".
§ Get c.wnry, which includes the Tor configuration used by the malware.
§ Extract the configuration from c.wnry to get the Tor browser and the onion sites to be used for communication:
  § gx7ekbenv2riucmf.onion
  § 57g7spgrzlojinas.onion
  § xxlvbrloxvriy2c5.onion
  § 76jdd2ir2embyv47.onion
  § cwwnhwhlz52maqm7.onion
§ Load the Bitcoin wallets previously set up by the attackers to receive payment for file restoration, and update c.wnry:
  § 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  § 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  § 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
23. WannaCry Technical Overview: Ransomware Behavior (continued)
§ Hide the extracted ZIP directory and modify its security descriptors:
  § Create process: runs a command to hide the current directory: attrib +h
  § Runs command: icacls . /grant Everyone:F /T /C /Q. This grants all users full access to the files in the current directory and all directories below it.
§ Prepare the encryption public key, the AES key, etc.
§ Creates a mutex for all threads: Global\MsWinZonesCacheCounterMutexW
24. WannaCry Technical Overview: Ransomware Behavior (continued)
§ Creates a new thread to overwrite files on disk:
  § Generate a key
  § Generate data buffers for each file
  § Start a thread on function StartAddress to begin writing the encrypted file contents
  § Append the extension ".WNCRYT"
  § Run a new process, taskdl.exe, in a new thread
§ Set up the decrypter persistence:
  § Create process "taskse.exe @WanaDecryptor@.exe"
  § Set a persistence key so that it runs itself on reboot: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  § CheckTokenMembership, GetComputerName info
  § Run: cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "<rand>" /t REG_SZ /d "\"tasksche.exe\"" /f
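The kill-switch lookups of slide 18 and the host-side actions of slides 23 and 24 are the observable behavior a defender can alert on. The following is an added example, not code from the deck: a few rules run over constructed telemetry records (the record layout, host names and the random Run-value name are assumptions), requiring more than one distinct hit per host so that a lone administrative icacls or attrib call does not fire.

```python
import re

# Constructed sample telemetry (not real logs): (event kind, host, command line or queried name).
SAMPLE_EVENTS = [
    ("dns", "ws-017", "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"),
    ("process", "ws-017", r"attrib +h ."),
    ("process", "ws-017", r"icacls . /grant Everyone:F /T /C /Q"),
    ("process", "ws-017", r'cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
                          r'/v "qwxlvhpbrnc" /t REG_SZ /d "tasksche.exe" /f'),
    ("process", "ws-017", r"taskse.exe @WanaDecryptor@.exe"),
    ("process", "ws-042", r"icacls D:\share /grant Admins:F /T"),  # benign admin activity
    ("dns", "ws-042", "www.example.com"),
]

# The two kill-switch domains from the deck. A host that even looks them up has run the
# dropper: if the name resolves the malware exits, if it does not the infection proceeds.
KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Command-line patterns for the behaviors listed on slides 23 and 24.
PROCESS_RULES = [
    ("hide-dir", re.compile(r"^attrib\s+\+h\b", re.I)),
    ("acl-everyone-full", re.compile(r"icacls\s+\.\s+/grant\s+Everyone:F\b.*\s/T\b", re.I)),
    ("run-key-tasksche", re.compile(
        r"reg\s+add\s+\"?HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"?.*tasksche\.exe", re.I)),
    ("decryptor-launch", re.compile(r"taskse\.exe\s+@WanaDecryptor@\.exe", re.I)),
]

def match_event(kind, detail):
    """Return the name of the first rule the event triggers, or None."""
    if kind == "dns":
        return "kill-switch-lookup" if detail.lower() in KILL_SWITCH_DOMAINS else None
    for name, pattern in PROCESS_RULES:
        if pattern.search(detail):
            return name
    return None

def triage(events, min_hits=2):
    """Collect distinct rule hits per host and flag hosts that reach min_hits."""
    hits = {}
    for kind, host, detail in events:
        rule = match_event(kind, detail)
        if rule:
            hits.setdefault(host, set()).add(rule)
    return {host: sorted(rules) for host, rules in hits.items() if len(rules) >= min_hits}

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```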
29. How to Recover Your Files: WannaCry Encryption
§ WannaCry uses AES encryption to encrypt files.
§ The AES key is then encrypted with RSA.
§ The RSA private key is generated dynamically in memory.
§ The keys are destroyed immediately afterwards.
30. How to Recover Your Files: The Bug
§ WannaCry uses two functions to destroy the keys in memory:
  § CryptDestroyKey: frees the memory that the key used.
  § CryptReleaseContext: releases the Cryptographic Service Provider (CSP).
§ A French security researcher discovered that these functions do not wipe the prime numbers from memory.
§ This allows the victim to regenerate the private key as long as that memory has not been freed.
§ Wanakiwi is a tool that looks for the prime numbers in memory: https://github.com/gentilkiwi/wanakiwi
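As an added illustration of the idea behind wanakiwi (this is not the tool's own code), the block below wraps a toy session key with RSA, "loses" the private key, scans a constructed memory image for a value that divides the public modulus, and rebuilds the private exponent from it. The 8-byte little-endian prime fields, the filler bytes and the tiny Mersenne-prime key are assumptions chosen so the example can be followed by hand.

```python
# Added example of the wanakiwi idea, not the tool's own code: CryptDestroyKey frees the
# key object but the prime factors of n can remain in process memory; finding one of them
# is enough to rebuild the private key. Toy key size; the dump layout below is assumed.
WINDOW = 8  # bytes per prime field in the constructed dump (real keys use much larger fields)

def rsa_from_primes(p, q, e=65537):
    """Standard RSA key derivation from two primes; returns (n, e, d)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return n, e, d

def build_dump(p, q):
    """Constructed memory image: filler bytes around both primes stored little-endian,
    the byte order CryptoAPI uses for the fields of its key blobs (assumed layout)."""
    filler = bytes(range(0x41, 0x41 + 13))  # 13 bytes so the fields sit at odd offsets
    return filler + p.to_bytes(WINDOW, "little") + filler + q.to_bytes(WINDOW, "little") + filler

def find_prime_factor(dump, n):
    """Slide a WINDOW-byte window over the dump; a value that divides n is one of the primes.
    Returns (prime, offset) or (None, None)."""
    for off in range(len(dump) - WINDOW + 1):
        cand = int.from_bytes(dump[off:off + WINDOW], "little")
        if 1 < cand < n and n % cand == 0:
            return cand, off
    return None, None

def recover_private_exponent(dump, n, e):
    """Rebuild d from the public key and one prime recovered from memory."""
    p, _ = find_prime_factor(dump, n)
    if p is None:
        return None
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))

def demo():
    """End-to-end check: wrap a toy 'AES key', lose d, recover it from the dump, unwrap."""
    p, q = 2**61 - 1, 2**31 - 1  # known Mersenne primes, small enough to follow by hand
    n, e, d = rsa_from_primes(p, q)
    wrapped = pow(0x57414E41, e, n)  # toy session key "WANA" encrypted with the public key
    d_rec = recover_private_exponent(build_dump(p, q), n, e)
    return d_rec == d and pow(wrapped, d_rec, n) == 0x57414E41

if __name__ == "__main__":
    print("private key recovered:", demo())
```

The same scan works on a real process dump only while the pages holding the primes have not been reused, which is why the deck stresses not rebooting an infected machine.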
32. WannaCry Legacy
§ WannaCry inspired several other attackers.
§ After this attack we saw many other variants that spread in the same manner and use the EternalBlue exploit:
  § New variants of WannaCry (no kill switch...).
  § Adylkuzz, which used the same exploit to spread.
  § EternalRocks
  § UIWIX ransomware
34. Lessons Learned: Vulnerability
§ Threat intelligence is key to knowing what is happening in the infosec world!
  § The Shadow Brokers had been known for a year.
  § The leak was published in April 2017.
§ Patch management is crucial!
  § WannaCry exploited a known vulnerability, CVE-2017-0144.
  § Microsoft published the security update MS17-010 on March 14.
§ Disable unnecessary services!
  § SMB is not used everywhere.
  § Disable it if it is not needed.
35. Lessons Learned: Security
§ Teach your people!
  § Train your security team in malware analysis.
  § Perform security awareness training for users.
§ Follow the best practices against the ransomware threat!
  § Back up your files.
  § Manage user and admin rights.
§ Create an incident response program!
  § Do the right things when an incident occurs.
37. Conclusion
§ WannaCry is not an advanced ransomware; however, its worm capabilities allow it to spread very quickly.
§ The Equation Group exploit leak left powerful tools in the hands of attackers.
§ Ransomware threats are still evolving to become more powerful.
§ Malware keeps growing, and so do attack surfaces.
§ Security best practices are still effective (backup, updates, awareness...).
§ Set up advanced malware detection techniques such as sandboxing and machine learning.