WannaCry: Autopsy of Ransomware
In a twist of irony, the global spread of WannaCry, the malware that recently attacked the NHS, was caused by spying tools leaked from the US National Security Agency (NSA).
Highly infectious, WannaCry (also known as WannaCryptor and WCry) spread to at least 150 countries within a few hours. According to the antivirus company Avast, it took less than 24 hours to infect more than 100,000 Windows systems, 57% of them in Russia. Besides the NHS, its other high-profile victims included Telefonica, Santander, FedEx, Vodafone and Renault.
Many organisations were forced to shut down systems and even production sites to prevent the spread of the virus, and the NHS was virtually paralysed by the attack, postponing operations and cancelling thousands of appointments at over 48 hospitals, medical centres and GP surgeries. Six hospitals were still experiencing difficulties the following day and diverting emergencies as a result.
Exploiting Windows SMB Vulnerabilities
WannaCry infects systems running Windows with a vulnerable SMB (Server Message Block) service. It is spread using software the NSA had developed for espionage, which was stolen by a hacking group called the Shadow Brokers, who then leaked it on the internet.
It uses the same basic method as most other ransomware: getting users to open an email attachment, e.g. a Word document, PDF or image. Once opened, the malware installs itself and a ransom request is shown on the screen asking for around £230 in Bitcoin to restore access.
Because of the success of WannaCry, it is believed that other ransomware, such as the infamous Locky, will use the same leaked technology to improve its ability to infect and spread on a larger scale.
The Mechanics of the Infection
The programs developed by the NSA to exploit the vulnerabilities in SMB are known as EternalBlue, EternalChampion, EternalSynergy and EternalRomance. Together, they are known as the FuzzBunch kit. These programs load a backdoor implant tool, called DoublePulsar, onto a compromised system, enabling attackers to load other malware.
WannaCry's authors have evidently used this mechanism to accelerate the spread of their strain. The infection uses EternalBlue and DoublePulsar to execute remote commands through Samba (SMB) in order to distribute the ransomware to other machines on the same network.
WannaCry Preying on Windows XP
It is no surprise that cybercriminals are finding a use for these government-developed, ultra-advanced hacking tools. According to Recorded Future, a US company specialising in threat intelligence, Chinese and Russian hackers had begun studying the malware leaked by the Shadow Brokers, with a particular interest in exploits that targeted SMB vulnerabilities.
"We're talking about very sophisticated techniques and tools that are generally beyond the reach of the underground community," said Levi Gundert, Vice President of Intelligence and Strategy at Recorded Future.
Microsoft had already patched the vulnerabilities exploited by these tools in March 2017. However, according to Recorded Future, Chinese hackers were not totally convinced of the solidity of these patches. Attacks remain possible against unpatched systems and against OS versions that are no longer supported by Microsoft.
This is a problem for the NHS, where 5% of its machines still use Windows XP. It is not the only one at risk, however: many media industry organisations and a multitude of others rely on applications which need this legacy OS to run. The problem is that XP is so old that it is no longer supported by Microsoft and so doesn't get patches or updates.
WannaCry stopped … by a stroke of luck
In response to the WannaCry emergency, Microsoft took the unusual step of releasing patches for the SMB flaws on Windows XP (including the embedded SP3 version), Windows Server 2003 and Windows 8. In this attack, Windows 10 has remained unscathed; however, Microsoft expects that the threat will evolve and eventually bypass Windows 10's first line of defence. It therefore recommends disabling SMB on the network where possible.
Thanks to a stroke of luck, WannaCry is in temporary decline. A security researcher, known only as MalwareTech, accidentally stopped the malware spreading by registering a domain that appears in its code. This blocked the execution of WannaCry and stopped its broadcast. According to MalwareTech, the domain he registered was a security feature devised by WannaCry's developers to prevent it being analysed by security systems.
Unfortunately, malware developers can easily modify WannaCry to get around this pitfall. In fact, within 24 hours of the first attack ending, Costin Raiu, Director of the research and analysis team at Kaspersky Lab, identified the release of new versions no longer hampered by MalwareTech's intervention. The WannaCry threat is, therefore, back out in cyberspace and looking for its next set of victims.
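The kill-switch described above has two defensive consequences that follow from how it works: a host that looks up the registered domain has run the worm far enough to perform that check and should be treated as infected, and the domain only protects hosts that can actually reach it, so an egress filter or web proxy that blocks it removes the protection. The PowerShell below is an added example, not code from the eUKhost post or from MalwareTech; the post does not name the domain, so `killswitch-domain.example` is a placeholder, and the DNS query log lines are constructed to show the expected format (timestamp, client IP, record type, query name).

```powershell
# Added example, not part of the eUKhost post. The kill-switch domain is not
# named in the post, so this is a placeholder to be replaced with the real one.
$KillSwitchDomain = 'killswitch-domain.example'

# Constructed sample of DNS query log lines: timestamp, client IP, type, name.
$SampleLog = @(
    '2017-05-12T10:03:11Z 10.0.0.14 A intranet.corp.example',
    '2017-05-12T10:04:52Z 10.0.0.27 A killswitch-domain.example',
    '2017-05-12T10:04:53Z 10.0.0.27 A update.corp.example',
    '2017-05-12T10:06:40Z 10.0.0.31 A KillSwitch-Domain.example',
    '2017-05-12T10:09:02Z 10.0.0.27 A killswitch-domain.example'
)

function Find-KillSwitchLookups {
    param([string[]]$Lines, [string]$Domain)
    # A client that resolved the kill-switch domain has already executed the
    # worm's domain check: isolate it and inspect it rather than assuming the
    # sinkhole saved it. Matching is case-insensitive because DNS names are.
    $hits = foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -ge 4 -and $f[3] -ieq $Domain) {
            [pscustomobject]@{ Time = [datetime]$f[0]; Client = $f[1] }
        }
    }
    $hits | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            Client    = $_.Name
            Lookups   = $_.Count
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
        }
    }
}

function Test-KillSwitchReachable {
    param([string]$Domain)
    # The sinkholed domain only stops the worm on hosts that can reach it.
    # DNS resolution is the first step of that check; if it fails here, an
    # internal resolver or egress filter is defeating the kill-switch.
    try { [bool](Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop) }
    catch { $false }
}

Find-KillSwitchLookups -Lines $SampleLog -Domain $KillSwitchDomain | Format-Table -AutoSize
"Kill-switch domain resolvable from this host: $(Test-KillSwitchReachable -Domain $KillSwitchDomain)"
```

On the constructed sample the report lists 10.0.0.27 with two lookups and 10.0.0.31 with one. Resolution is only a first-pass check: the worm contacts the domain over HTTP, so a web proxy that blocks the domain would also disable the kill-switch even where DNS works, which is why the domain belongs on an allow list rather than a block list.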
All Clear at eUKhost
At eUKhost, we found no evidence of infection on any of our Windows servers. However, we
remain fully vigilant and have taken the preemptive step of patching all managed servers that
are potentially vulnerable, in order to protect them from this exploit.
If you manage your own servers and use a Windows OS, we strongly recommend that you check and make sure you have the latest Windows patches installed.
We urge all of you to check your desktop and laptop operating systems to make sure that they are also patched and fully up to date.
For further information please read the following status update:
http://euk-status.com/2017/05/13/microsoft-vulnerability-urgent-attention-needed/
If you have any questions, please don't hesitate to contact our 24x7 support team.
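Microsoft's recommendation to disable SMB where possible and the advice above to confirm patches are installed can be turned into one repeatable host check. The script below is an added example, not code from the eUKhost post or from Microsoft. It assumes Windows 8 / Server 2012 or later for the `Get-SmbServerConfiguration` and `Set-SmbServerConfiguration` cmdlets, with a fallback to the `LanmanServer\Parameters` registry value for older versions; the post does not name the March 2017 update, so the `KB0000000` hotfix id is a placeholder to be replaced with the KB number of the SMB security update for the Windows version in question.

```powershell
# Added example, not part of the eUKhost post. Run in an elevated PowerShell.
# Reports whether the SMB security update is present and whether the SMBv1
# server protocol WannaCry exploits is enabled; disables SMBv1 with -Remediate.

param(
    # Placeholder: substitute the KB article number of the SMB security
    # update for this Windows version (the post does not name it).
    [string]$RequiredHotfix = 'KB0000000',
    [switch]$Remediate
)

function Test-SmbHotfix {
    param([string]$Id)
    # Get-HotFix lists installed updates. A missing entry means "verify", not
    # necessarily "vulnerable": the fix may have arrived in a cumulative update.
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the SMB server configuration
    # directly; older versions keep the switch under LanmanServer\Parameters.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # An absent value means the default on those versions, which is SMB1 on.
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
        # The registry change only takes effect once the Server service restarts.
        Restart-Service -Name LanmanServer -Force
    }
}

$hotfixPresent = Test-SmbHotfix -Id $RequiredHotfix
$smb1Enabled   = Get-Smb1State

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    HotfixPresent = $hotfixPresent
    Smb1Enabled   = $smb1Enabled
}

if ($smb1Enabled -and $Remediate) {
    Disable-Smb1
    Write-Output "SMBv1 server protocol disabled on $env:COMPUTERNAME"
}

if (-not $hotfixPresent) {
    Write-Warning "$RequiredHotfix not found; install the latest Windows updates before exposing TCP port 445."
}
```

Run it first without `-Remediate` to get an inventory across servers, then with `-Remediate` once any legacy clients that still speak only SMBv1 (old multifunction printers and NAS devices are the usual ones) have been identified, since turning the protocol off will cut them off. Disabling SMBv1 removes the attack surface EternalBlue needs, but it is a complement to patching, not a replacement for it.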