McAfee Foundstone Services
WannaCry
Technical Insight and Lessons Learned
Thomas Roccia | Security Consultant Researcher
Presentation
• Thomas Roccia
• McAfee Foundstone Consultant
• Twitter: @fr0gger_
Overview
§ WannaCry Presentation
§ About the Exploit Code
§ Technical Overview
§ Lessons Learned
§ Conclusion
§ Summary – Q & A
PROFESSIONAL SERVICES
Introduction
The Increasing Malware Threat
The Increasing Malware Threat
§ Today the malware threat is increasing sharply, and large amounts of stolen data are sold on underground markets.
§ Malware is a new weapon used by many actors:
§ Governments
§ Spies
§ Hacktivists
§ Mafia
§ Even kids
§ The challenge is huge for attackers and defenders.
The Increasing Ransomware Threat
§ Ransomware is an increasing threat.
§ The first ransomware was mostly scareware (without encryption).
§ Today ransomware is more powerful: it encrypts your data with a solid algorithm and may even use exploit code.
§ WannaCry received heavy media coverage because of its automated and fast spreading.
Wannacry Presentation
The Largest Ransomware Attack
WannaCry Presentation
§ WannaCry is a ransomware that hit the world in May 2017.
§ It combined ransomware capabilities with worm techniques to spread automatically across the network.
§ The worm exploits a vulnerability in SMB that had previously been discovered by the NSA (Equation Group).
§ More than 230 000 computers in over 150 countries were infected.
§ Big companies like the NHS, FedEx or Renault were impacted by it.
Infection Map
Why is WannaCry Big?
§ Ransomware
§ No user interaction needed
§ Remote code exploit
The Story About the Exploit Code
The Shadow Brokers
§ The Shadow Brokers is a hacker group that first appeared in the summer of 2016.
§ They published several leaks containing hacking tools from the National Security Agency, including several zero-day exploits.
§ Their first message appeared in August 2016.
§ The leak containing all the zero-days was made publicly available for free on April 15th, 2017.
The Exploit Code Used by WannaCry
§ WannaCry used the exploit code EternalBlue.
§ EternalBlue exploits a vulnerability in the Server Message Block (SMB) protocol.
§ This vulnerability is tracked as CVE-2017-0144.
§ The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
§ The Windows security update of 14 March 2017 resolved the issue via security update MS17-010.
The Exploit Code Used by WannaCry
§ In addition to the EternalBlue exploit, WannaCry used the DoublePulsar implant.
§ The implant uses a kernel DLL injection technique, giving the attacker full rights on the compromised system.
§ The payload in memory was XORed to remain undetected.
§ The shellcode was then injected directly into lsass.exe.
WannaCry Technical Overview
Key Characteristics
§ Uses the MS17-010 "EternalBlue" exploit to spread to other machines through SMB.
§ The malware generates random target IP addresses, not limited to the local network.
§ Hardcoded IP addresses.
§ The payload delivered by the SMB packets is encrypted.
§ The malware dropper contains code to check for two specific domains before executing its ransomware or network exploit code.
§ Dropper variants do not exhibit this same behavior: no "kill switch", no exploit, and they target mounted network shares.
§ 3 Bitcoin wallets are used to receive payment from victims; the Tor browser is used for anonymous payment.
Content
• The initial file is a password-protected ZIP (password: WNcry@2ol7) containing several other files that are dropped onto the infected system.
§ msg - This folder contains the RTF files with the ransom instructions, in 28 languages in total.
§ b.wnry - BMP ransom image used by the malware as the replacement background image.
§ c.wnry - Configuration file containing the target address as well as the Tor communication endpoint information.
§ s.wnry - Tor client used to communicate with the above endpoints.
§ u.wnry - UI of the ransomware, containing the communication routines and the password validation.
§ t.wnry - "WANACRY!" file; contains the default keys.
Kill Switch Function
§ WannaCry has a kill switch function that stops the spreading.
§ hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
§ hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
How WannaCry Spreads
§ WannaCry spreads across the network by scanning a dynamically generated range of IP addresses.
SMB Exploit
§ SMB requests through the network
§ Infection flow
Ransomware Behavior
§ Extract the resource zip file XIA with the hardcoded password "WNcry@2ol7".
§ Get c.wnry, which includes the Tor configuration used by the malware.
§ Extract the configuration from c.wnry to get the Tor browser and the onion sites to be used for communication:
§ gx7ekbenv2riucmf.onion;
§ 57g7spgrzlojinas.onion;
§ xxlvbrloxvriy2c5.onion;
§ 76jdd2ir2embyv47.onion;
§ cwwnhwhlz52maqm7.onion;
§ Load the Bitcoin wallets previously set up by the attackers for payment for file restoration, and update c.wnry:
§ "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
§ "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
§ "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"
Ransomware Behavior
§ Hide the extracted zip directory and modify the security descriptors:
§ Create process: runs a command to hide the current directory: attrib +h
§ Runs command: icacls . /grant Everyone:F /T /C /Q. This grants all users full access to the files in the current directory and all directories below.
§ Prepare the encryption: public key, AES key...
§ Creates a mutex for all threads: Global\MsWinZonesCacheCounterMutexW
Ransomware Behavior
§ Creates a new thread to overwrite the files on disk:
§ Generate a key
§ Generate data buffers for each file
§ Call a thread for the function StartAddress to begin writing the encrypted file contents
§ Append the extension ".WNCRYT"
§ Run the new process taskdl.exe in a new thread
§ Set up the decryptor persistence:
§ Create process "taskse.exe @WanaDecryptor@.exe"
§ Set a persistence key to run itself on reboot: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
§ CheckTokenMembership, GetComputerName info
§ Run: cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "<rand>" /t REG_SZ /d ""tasksche.exe"" /f
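The host-side chain on the two Ransomware Behavior slides (hide the drop directory, icacls Everyone:F, the Run-key persistence launching tasksche.exe, the @WanaDecryptor@ launch) is what a detection engineer would key on. The following is an added example, not code from the talk or from McAfee: a small rule pass over constructed Sysmon-style process-creation records, where the rule names, host names and the "zzqxwvt" value name are this example's own.

```python
"""Detection pass for the WannaCry host behaviour listed on the slides.
Added example: rules, host names and sample events are constructed here."""
import re

RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Each rule: (name, compiled regex over the process command line).
RULES = [
    ("wannacry_hide_dir",
     re.compile(r"\battrib(?:\.exe)?\s+\+h\b", re.I)),
    ("wannacry_icacls_everyone_full",
     re.compile(r"\bicacls\b.*/grant\s+Everyone:F\b.*/T\b", re.I)),
    ("wannacry_run_key_tasksche",
     re.compile(r'\breg\s+add\s+"?' + re.escape(RUN_KEY) + r'"?.*\btasksche\.exe', re.I)),
    ("wannacry_decryptor_launch",
     re.compile(r"\btaskse\.exe\s+@WanaDecryptor@\.exe", re.I)),
]

# Constructed sample events (not real telemetry): the first four are the chain
# from the slides on host WS01, the last two are benign admin activity on WS02.
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 412, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": "attrib +h ."},
    {"host": "WS01", "pid": 418, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": "icacls . /grant Everyone:F /T /C /Q"},
    {"host": "WS01", "pid": 424, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
                r'/v "zzqxwvt" /t REG_SZ /d ""tasksche.exe"" /f'},
    {"host": "WS01", "pid": 430, "image": r"C:\ProgramData\xyzdrop\taskse.exe",
     "cmdline": "taskse.exe @WanaDecryptor@.exe"},
    {"host": "WS02", "pid": 500, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls D:\share /grant Alice:R /T"},
    {"host": "WS02", "pid": 510, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
]


def scan_events(events):
    """Return (pid, rule_name) for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits.append((ev["pid"], name))
    return hits


def classify_hosts(events, min_distinct=2):
    """Per host, alert only when at least `min_distinct` different rules fired:
    a lone attrib +h or icacls is noisy on its own, the chain together is not."""
    per_host = {}
    for ev in events:
        names = per_host.setdefault(ev["host"], set())
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                names.add(name)
    return {
        host: ("wannacry_behaviour_chain" if len(names) >= min_distinct else "no_alert",
               sorted(names))
        for host, names in per_host.items()
    }


if __name__ == "__main__":
    for pid, rule in scan_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    for host, (verdict, rules) in classify_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict} {rules}")
```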
Targeted File Extensions
.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods,
.sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql,
.accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch,
.jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob,
.mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd,
.tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar,
.bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf,
.csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx,
.xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc
Format of the Encrypted File
Bitcoin Wallets
§ 3 wallets, 50 Bitcoins (115 000 €)
How to Recover Your Files
WannaCry Encryption
§ WannaCry uses AES encryption to encrypt the files.
§ The AES key is then encrypted with RSA.
§ The RSA private key is generated dynamically in memory.
§ The keys are destroyed immediately.
The Bug
§ WannaCry uses 2 functions to destroy the keys in memory:
§ CryptDestroyKey: frees the memory that the key used.
§ CryptReleaseContext: releases the Cryptographic Service Provider (CSP).
§ A French security researcher discovered that these functions do not clear the prime numbers from memory.
§ This allows the victim to regenerate the private key as long as that memory has not been freed.
§ Wanakiwi is a tool that looks for the prime numbers in memory.
https://github.com/gentilkiwi/wanakiwi
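The two slides above (AES file key wrapped with RSA, private key destroyed but primes left in memory) describe exactly why one leaked prime is enough. The following is an added example, not code from the talk or from wanakiwi itself: it builds the scenario with toy 128-bit primes, a constructed memory image and textbook RSA without padding (all simplifications chosen here; the function names are this example's own), scans the image for a prime that divides the public modulus, and rebuilds the private exponent to unwrap the file key.

```python
"""Rebuilding an RSA private key from one prime left in memory.
Added example; key sizes, the memory image and unpadded RSA are simplifications."""
import math
import random

E = 65537  # public exponent


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test; witnesses are seeded on n so the verdict is reproducible."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    """Random odd candidate with the top bit set, until Miller-Rabin accepts it."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def find_prime_factors_in_memory(memory: bytes, n: int, width: int) -> list:
    """Slide a `width`-byte window over the image, read each position as a
    little-endian integer (the layout CryptoAPI uses for key material) and keep
    the values that are prime and divide the public modulus n. That is the core
    idea behind wanakiwi: the private key itself is not needed, one prime is."""
    found = []
    for off in range(len(memory) - width + 1):
        cand = int.from_bytes(memory[off:off + width], "little")
        if cand > 1 and n % cand == 0 and is_probable_prime(cand):
            found.append(cand)
    return found


def private_exponent_from_prime(n: int, e: int, p: int) -> int:
    """Recover d from a single prime: q = n / p, d = e^-1 mod (p-1)(q-1)."""
    q, rem = divmod(n, p)
    if rem != 0:
        raise ValueError("candidate does not divide the modulus")
    return pow(e, -1, (p - 1) * (q - 1))


def simulate_recovery(seed: int = 7) -> dict:
    """Build the scenario end to end and return what a victim could recover."""
    rng = random.Random(seed)
    p = gen_prime(128, rng)
    q = gen_prime(128, rng)
    while q == p or math.gcd(E, (p - 1) * (q - 1)) != 1:
        q = gen_prime(128, rng)
    n = p * q

    # Victim-side AES file key, wrapped with the RSA public key (textbook RSA
    # here; the real malware goes through CryptoAPI with PKCS#1 padding).
    aes_key = rng.getrandbits(128)
    wrapped_key = pow(aes_key, E, n)

    # "Destroy" the private key: d and q are gone, but the allocation that held
    # p was never wiped. Constructed memory image: random filler around p.
    def filler(k: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(k))

    memory = filler(700) + p.to_bytes(16, "little") + filler(500)

    primes = find_prime_factors_in_memory(memory, n, 16)
    d = private_exponent_from_prime(n, E, primes[0])
    return {
        "p": p,
        "primes_found": primes,
        "aes_key": aes_key,
        "recovered_key": pow(wrapped_key, d, n),
    }


if __name__ == "__main__":
    r = simulate_recovery()
    print("prime found in memory:", r["primes_found"] == [r["p"]])
    print("AES key recovered:", r["recovered_key"] == r["aes_key"])
```

The same scan works at real key sizes by setting `width` to the byte length of one prime (half the modulus), which is what makes the slide's "if the memory is not freed" caveat the only condition that matters.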
Wannacry Legacy
WannaCry Legacy
§ WannaCry inspired several other attackers.
§ After this attack we saw many other variants that spread in the same manner and use the EternalBlue exploit.
§ New variants of WannaCry were used (no kill switch...).
§ Adylkuzz, which used the same exploit to spread.
§ EternalRocks
§ UIWIX ransomware
Lessons Learned
Vulnerability
§ Threat intelligence is key to knowing what is happening in the infosec world!
§ The Shadow Brokers had been known for a year.
§ The leak was published in April 2017.
§ Patch management is crucial!
§ WannaCry exploited a known vulnerability, CVE-2017-0144.
§ Microsoft published the security update MS17-010 on March 14.
§ Disable unnecessary services!
§ SMB is not used everywhere.
§ Disable it if not needed.
Security
§ Teach your people!
§ Train your security team in malware analysis.
§ Perform awareness training for users.
§ Follow the best practices against the ransomware threat!
§ Back up your files.
§ Manage user and admin rights.
§ Create an incident response program!
§ Do the right things when an incident occurs.
www.NoMoreRansom.org
Conclusion
§ WannaCry is not an advanced ransomware; however, its worm capabilities allow it to spread very quickly.
§ The Equation Group exploit leak left powerful tools in the hands of attackers.
§ Ransomware threats are still evolving to become more powerful.
§ Malware is still growing, and so are attack surfaces.
§ Security best practices are still effective (backup, update, awareness...).
§ Set up advanced malware detection techniques like sandboxing and machine learning.
Q & A
Copyright © 2017 McAfee LLC.
