3. WannaCry
▶ Malware from the Shadow Brokers dump wreaks havoc 5/12
▶ NSA Windows hacking tools 4/14/17
▶ Worm – replicates itself with no user intervention
▶ Ransomware – encrypts your disk drive and requests $300 in order to decrypt your drive
▶ WannaCry appears to primarily utilize
▶ ETERNALBLUE modules – for the initial SMBv1 exploit
▶ DOUBLEPULSAR backdoor – installs the ransomware payload
6. WannaCry
▶ How was it stopped?
▶ Stopped by registering a non-existent DNS domain
▶ If the domain existed, then the worm didn’t do anything else
▶ Disable SMB 1.0; you should be using SMB 3.0
▶ Patch Windows devices (Windows 10 not affected)
▶ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
▶ Backup your computer so you can recover
▶ https://www.barkly.com/ransomware-recovery-decryption-tools-search
8. WannaCry Update
▶ WannaCry ransomware worm...
▶ Honda forced to shut down plant in Japan
▶ Block ports 139 and 445 to external networks
▶ Don’t use SMB 1.0; you should be using SMB 3.0
▶ If you have SMB 3.0 in use but have not disabled SMB 1.0, hackers could enable SMB 1.0 to exploit it
▶ Patches available
▶ The next version of Windows 10 (Redstone 3) will disable SMB 1.0
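The hardening steps on this slide, as an added PowerShell example that is not from the original slides: it audits a Windows 8.1/10 client for SMBv1 (server setting and the installable feature), blocks inbound 139/445 from non-local networks, and checks for the MS17-010 hotfix. The firewall rule name and the KB placeholder are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the original slides: audit and harden a Windows host
# against the SMBv1 exposure WannaCry used. Run from an elevated PowerShell.
# Assumes a Windows 8.1 / Windows 10 client, where the SmbShare, DISM and
# NetSecurity modules ship with the OS.

# 1. SMBv1 on the server side: disable it if it is still on.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is enabled; disabling it"
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Output "SMBv1 server protocol already disabled"
}

# 2. The SMB1Protocol optional feature: a disabled-but-installed SMBv1 can be
#    switched back on (the re-enable risk the slide above mentions), so remove
#    the feature itself. Takes effect after a reboot.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feat.State -eq 'Enabled') {
    Write-Warning "SMB1Protocol feature is installed; removing it (reboot required)"
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
} else {
    Write-Output "SMB1Protocol feature state: $($feat.State)"
}

# 3. Block inbound NetBIOS/SMB (139, 445) from non-local address ranges.
#    'Internet' is a Windows Firewall address keyword for non-local ranges;
#    the rule name is chosen here (assumption) and is not a Microsoft default.
$ruleName = 'Block inbound SMB from external networks'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139,445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    Write-Output "Firewall rule '$ruleName' created"
}

# 4. MS17-010: the KB number differs per Windows version, so look it up in the
#    bulletin linked on the earlier slide and replace the placeholder below.
$ms17010Kb = 'KB<number-from-MS17-010-bulletin>'   # placeholder, not a real KB id
if (Get-HotFix -Id $ms17010Kb -ErrorAction SilentlyContinue) {
    Write-Output "$ms17010Kb (MS17-010) is installed"
} else {
    Write-Warning "$ms17010Kb (MS17-010) not found; patch this host"
}
```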
9. WannaCry Hero Arrested
▶ Marcus Hutchins, the 23-year-old malware hunter who stopped WannaCry, was arrested after the DEF CON/Black Hat conferences
▶ He’s accused of advertising, distributing, and profiting from the Kronos malware
▶ Steals online banking credentials
▶ Steals credit card data
10. WannaCry Hero Arrested
▶ Gov alleges Marcus wrote the Kronos code
▶ Some of the code may have been written for non-malicious purposes
▶ Apparently he wrote a chunk of code that was then used in Kronos
▶ As reported by Dan Goodin at Ars Technica, Marcus complained of a code sample that he wrote for his blog that was stolen and used in malware.
11. Marcus’ Dubious Background
▶ Brian Krebs did in-depth research on Marcus’ background and found that Marcus had created and sold malware as a teen.
▶ Apparently Marcus made a turn to be a white hat hacker as an adult and has never looked back to the dark web, so to speak
▶ Hoping that the government takes this into account in his case
▶ We don’t want white hat hackers to feel threatened for releasing vulnerability information on products.
12. Podcast
Check out my WannaCry podcast:
https://cysreport.com/wannacry-special-report/