Talk of the hour,
WannaCrypt ransomware
Shubair Abdullah,
PhD in Computer Science, network security
ILT department,
college of education
(SQU)
Content
Some Terminology
What Happened?
Attack Vector
WannaCrypt Component
Infection Cycle
Spreading Capability
Indicators of Infection
How to Prevent Infection
Cleaning Up Infected Systems
Malware Terminology
• Ransomware is malicious code that is used by cybercriminals to launch data kidnapping and lockscreen attacks.
• Trojan horse is a program that appears harmless, but is, in fact, malicious.
• Worm is a self-replicating virus that resides in active memory and duplicates itself.
• Botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and IoT devices that are infected and controlled by a common type of malware.
• Back-door is a means of access to a computer program that bypasses security mechanisms.
• Vulnerability is a flaw in code or design that creates a potential point of security compromise for an endpoint or network.
What Happened?
• On Friday, May 12th 2017, several organizations were attacked by a new ransomware.
• The ransomware is known under several names: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt or WCRY.
• WannaCrypt was very successful because it used a Windows vulnerability to spread inside networks.
• Variants of WannaCrypt were also seen spreading on Saturday/Sunday.
• There was no obvious targeting: the affected organizations are from various countries and appear unrelated.
• While large enterprises made the news, small business users and home users are affected as well.
• Various media sources estimate more than 200,000 victims.
Attack Vector
• WannaCrypt has two attack vectors:
1. Arrival through emails designed to trick users into running the malware, which then activates the worm-spreading functionality.
2. Infection through a Windows vulnerability when an unpatched computer is reachable (on the LAN) from other infected machines.
• WannaCrypt exploits the “Server Message Block vulnerability in Windows”. SMB “is a file sharing protocol that allows operating systems and applications to read and write data to a system”.
• According to MS, this vulnerability was fixed in security bulletin MS17-010, released on March 14, 2017.
• The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier) systems, so Windows 10 PCs are not affected by this attack.
• However, Windows 10 and patched older Windows versions can still be attacked through emails.
WannaCrypt Component
• The WannaCrypt component is a dropper (Trojan horse) that contains some executable files and a password-protected .rar archive.
• The executable files are:
1. The document encryption routine
2. A component that attempts to exploit the SMB vulnerability on other computers
• The files in the .zip archive are:
1. Ransomware support tools,
2. The decryption tool,
3. The wallpaper, and
4. The ransom message
Infection Cycle
• When the dropper is activated on a machine, it starts the infection cycle:
1) tries to connect to the following domains:
o www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
o www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
• If the connection to the domains succeeds, the dropper simply stops execution. If the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.
2) creates the following registry keys:
o HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = “<malware working directory>\tasksche.exe”
o HKLM\SOFTWARE\WanaCrypt0r\wd = “<malware working directory>”
Infection Cycle
3) changes the wallpaper to a ransom message by modifying the following registry key:
o HKCU\Control Panel\Desktop\Wallpaper: “<malware working directory>\@WanaDecryptor@.bmp”
4) also creates the following files:
• %SystemRoot%\tasksche.exe
• %SystemDrive%\intel\<random directory name>\tasksche.exe
• %ProgramData%\<random directory name>\tasksche.exe
5) creates files in the malware’s working directory. Some files with the .wnry extension contain its message (the text message is localized into 28 languages).
Infection Cycle
6) searches the whole computer for any file with any of the following file name extensions:
.123, .jpeg, .rb, .602, .jpg, .rtf, .doc, .js, .sch, .3dm, .jsp, .sh, .3ds, .key, .sldm, .3g2, .lay, .sldm,
.3gp, .lay6, .sldx, .7z, .ldf, .slk, .accdb, .m3u, .sln, .aes, .m4u, .snt, .ai, .max, .sql, .ARC, .mdb, .sqlite3,
.asc, .mdf, .sqlitedb, .asf, .mid, .stc, .asm, .mkv, .std, .asp, .mml, .sti, .avi, .mov, .stw, .backup, .mp3, .suo,
.bak, .mp4, .svg, .bat, .mpeg, .swf, .bmp, .mpg, .sxc, .brd, .msg, .sxd, .bz2, .myd, .sxi, .c, .myi, .sxm,
.cgm, .nef, .sxw, .class, .odb, .tar, .cmd, .odg, .tbk, .cpp, .odp, .tgz, .crt, .ods, .tif, .cs, .odt, .tiff,
.csr, .onetoc2, .txt, .csv, .ost, .uop, .db, .otg, .uot, .dbf, .otp, .vb, .dch, .ots, .vbs, .der, .ott, .vcd,
.dif, .p12, .vdi, .dip, .PAQ, .vmdk, .djvu, .pas, .vmx, .docb, .pdf, .vob, .docm, .pem, .vsd, .docx, .pfx, .vsdx,
.dot, .php, .wav, .dotm, .pl, .wb2, .dotx, .png, .wk1, .dwg, .pot, .wks, .edb, .potm, .wma, .eml, .potx, .wmv,
.fla, .ppam, .xlc, .flv, .pps, .xlm, .frm, .ppsm, .xls, .gif, .ppsx, .xlsb, .gpg, .ppt, .xlsm, .gz, .pptm, .xlsx,
.h, .pptx, .xlt, .hwp, .ps1, .xltm, .ibd, .psd, .xltx, .iso, .pst, .xlw, .jar, .rar, .zip, .java, .raw
Infection Cycle
7) encrypts all files and renames them by appending .WNCRY. For example, if a file is named picture1.jpg, it encrypts the file and renames it to picture1.jpg.WNCRY.
8) installs a back-door that could be used to compromise the system further, for example to create a botnet or add the PC to an existing botnet.
9) replaces the desktop background image with the ransom message (shown as an image on the slide).
Infection Cycle
9) runs an executable showing a ransom note as well as a timer. The user is asked to pay $300, which increases to $600 after a few days. The ransomware threatens to delete all files after a week.
10) demonstrates its decryption capability by allowing the user to decrypt a few files for free. It then reminds the user to pay the ransom to decrypt the remaining files.
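The persistence and file artifacts from steps 2 to 7 above can be turned into a host triage check. The Python below is an added example, not code from the slides; it runs over a constructed registry and file-system snapshot (nothing from a real host) and assumes that %SystemRoot%, %SystemDrive% and %ProgramData% expand to C:\Windows, C:\ and C:\ProgramData.

```python
r"""Host-artifact triage for the indicators the infection-cycle slides list:
the Run-key autostart pointing at tasksche.exe, the HKLM\SOFTWARE\WanaCrypt0r\wd
working-directory value, the @WanaDecryptor@.bmp wallpaper, tasksche.exe in its
three drop locations, and files renamed with .WNCRY. Added example, not part of
the slides. The registry and file snapshots are constructed, and the environment
variables are assumed to expand to C:\Windows, C:\ and C:\ProgramData."""
import re

# Registry locations from the slides, lower-cased because the registry is case-insensitive.
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
WD_KEY = r"hklm\software\wanacrypt0r\wd"
WALLPAPER_KEY = r"hkcu\control panel\desktop\wallpaper"

# %SystemRoot%\tasksche.exe, %SystemDrive%\intel\<random>\tasksche.exe and
# %ProgramData%\<random>\tasksche.exe, with the expansions assumed above.
DROP_LOCATIONS = [
    re.compile(r"^c:\\windows\\tasksche\.exe$"),
    re.compile(r"^c:\\intel\\[^\\]+\\tasksche\.exe$"),
    re.compile(r"^c:\\programdata\\[^\\]+\\tasksche\.exe$"),
]

# Constructed snapshot of a suspect host's registry values (value path -> data).
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qhtgvwzn": r"C:\ProgramData\xkjdlsqw\tasksche.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"HKLM\SOFTWARE\WanaCrypt0r\wd": r"C:\ProgramData\xkjdlsqw",
    r"HKCU\Control Panel\Desktop\Wallpaper": r"C:\ProgramData\xkjdlsqw\@WanaDecryptor@.bmp",
}

# Constructed file listing for the same host (paths already expanded).
SAMPLE_FILES = [
    r"C:\Windows\tasksche.exe",
    r"C:\intel\abcd1234\tasksche.exe",
    r"C:\ProgramData\xkjdlsqw\tasksche.exe",
    r"C:\ProgramData\xkjdlsqw\r.wnry",
    r"C:\Users\u\Documents\picture1.jpg.WNCRY",
    r"C:\Users\u\Documents\report.docx.WNCRY",
    r"C:\Users\u\Documents\notes.txt",
]


def triage(registry, files):
    """Return a report dict. `registry` maps full value paths to their data and
    `files` is a list of absolute paths; both are matched case-insensitively."""
    report = {"run_autostarts": [], "working_dir": None, "wallpaper_ransom": False,
              "dropped_binaries": [], "encrypted_files": [], "inconsistencies": []}
    for path, data in registry.items():
        lower = path.lower()
        if lower.startswith(RUN_KEY + "\\") and data.lower().endswith("\\tasksche.exe"):
            # Step 2: Run\<random string> = <working directory>\tasksche.exe
            report["run_autostarts"].append((path.rsplit("\\", 1)[1], data))
        elif lower == WD_KEY:
            report["working_dir"] = data
        elif lower == WALLPAPER_KEY and data.lower().endswith("\\@wanadecryptor@.bmp"):
            report["wallpaper_ransom"] = True  # step 3
    for f in files:
        lower = f.lower()
        if any(p.match(lower) for p in DROP_LOCATIONS):
            report["dropped_binaries"].append(f)  # step 4
        elif lower.endswith(".wncry"):
            # Step 7 appends .WNCRY; the original name is everything before it.
            report["encrypted_files"].append((f, f[: -len(".WNCRY")]))
    wd = report["working_dir"]
    if wd:
        # The Run-key target should live in the directory recorded in the wd
        # value; a mismatch is worth a closer look during triage.
        for _, target in report["run_autostarts"]:
            if target.lower().rsplit("\\", 1)[0] != wd.lower():
                report["inconsistencies"].append(target)
    report["verdict"] = bool(report["run_autostarts"] or wd or report["encrypted_files"])
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REGISTRY, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```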
Spreading Capability
• The worm functionality of WannaCrypt attempts to infect unpatched Windows PCs in the local network.
• It also executes massive scanning of Internet IP addresses to find and infect other vulnerable computers.
• The Internet scanning routine randomly generates numbers to form the IPv4 address.
• Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines.
• The malicious infection cycle continues as the scanning routine discovers unpatched computers.
• The spreading activity generates a huge amount of network traffic from the infected host, which puts a serious load on the network and massively slows down the internet connection.
Indicators of Infection
• Systems infected by WannaCry will try to connect to a specific domain (the kill-switch domain), so a large amount of traffic to it may be seen.
• Encrypted files with the “.wncry” extension.
• Systems will scan internally for port 445.
• A ransom message will be displayed.
• Anti-malware products now have signatures for WannaCry.
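The spreading behaviour and the indicators above (a host sweeping port 445 across the LAN, and lookups of the kill-switch domains) can be detected from firewall and DNS logs. The Python below is an added example, not from the slides; the log format and all log lines are constructed, and the 20-host/60-second threshold is an assumed tuning value.

```python
"""Detection logic for the two network indicators the slides describe: a host
sweeping TCP/445 across many internal peers (the worm's scanner) and a host
resolving the kill-switch domains (which only the dropper does). Added example,
not from the slides; the firewall/DNS log format is an assumed, simplified one
and every log line is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two kill-switch domains from the slides, kept defanged in the source and
# re-armed only for string comparison against DNS query names.
KILL_SWITCH_DOMAINS = {
    d.replace("[.]", ".") for d in (
        "www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
        "www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
    )
}

# Assumed log formats (adapt the regexes to your own sensor's output).
CONN_RE = re.compile(r"^(?P<ts>\S+) CONN src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
DNS_RE = re.compile(r"^(?P<ts>\S+) DNS src=(?P<src>\S+) qname=(?P<qname>\S+)")


def build_sample_log():
    """Constructed sample, not a real capture: 10.0.0.5 sweeps TCP/445 on 25
    peers within five seconds and looks up a kill-switch domain; 10.0.0.9 only
    talks to the file server 10.0.0.100, which is normal SMB use."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(milliseconds=200 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} CONN src=10.0.0.5 dst=10.0.1.{i + 1} dport=445 proto=tcp")
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} CONN src=10.0.0.9 dst=10.0.0.100 dport=445 proto=tcp")
    lines.append("2017-05-12T10:00:03 DNS src=10.0.0.5 "
                 "qname=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com")
    lines.append("2017-05-12T10:00:04 DNS src=10.0.0.9 qname=www.example.com")
    return lines


def find_smb_scanners(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {src: peak} for sources whose TCP/445 connections reached at least
    `threshold` distinct destinations inside any `window`. Repeated connections
    to one file server never raise the distinct count, so normal SMB use stays
    under the threshold while a sweep across the LAN does not."""
    events = defaultdict(list)
    for line in lines:
        m = CONN_RE.match(line)
        if m and m.group("dport") == "445":
            events[m.group("src")].append((datetime.fromisoformat(m.group("ts")), m.group("dst")))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # dst -> hits inside the sliding window
        start, peak = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[start][0] > window:  # drop events that fell out of the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def find_kill_switch_lookups(lines):
    """Return {src: {queried kill-switch domains}}; any hit means the dropper
    executed on that host, whether or not the lookup succeeded."""
    hits = defaultdict(set)
    for line in lines:
        m = DNS_RE.match(line)
        if m and m.group("qname").lower().rstrip(".") in KILL_SWITCH_DOMAINS:
            hits[m.group("src")].add(m.group("qname"))
    return dict(hits)


def suspected_hosts(lines, **scan_kwargs):
    """Union of both indicators: the hosts to isolate and triage first."""
    return sorted(set(find_smb_scanners(lines, **scan_kwargs)) | set(find_kill_switch_lookups(lines)))


if __name__ == "__main__":
    log = build_sample_log()
    print("port-445 sweepers:", find_smb_scanners(log))
    print("kill-switch lookups:", find_kill_switch_lookups(log))
    print("suspected hosts:", suspected_hosts(log))
```

If the kill-switch domains are implemented internally rather than blocked (as the prevention slide advises), those DNS queries still reach the resolver logs, so the lookup check keeps working while the dropper's own check still succeeds and stops it.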
How to Prevent Infection
• Avoid opening suspicious email attachments (this applies to Windows 10 as well).
• Windows Vista, 7, 8 and Windows Server 2008-2016 can be patched with MS17-010, released by Microsoft in March.
• On Friday, Microsoft released a patch for older systems going back to Windows XP and Windows Server 2003.
• Confirm that the patch is installed.
For network administrators:
• Segment the network.
• Prevent internal spreading via port 445 and RDP.
• Block port 445 at the perimeter.
• Disable SMBv1.
• Implement the “kill switch” domains internally; do not block them.
• Block “Set registry key”.
Cleaning Up Infected Systems
• Anti-malware vendors are offering removal tools.
• Removal tools will remove WannaCrypt, but will not recover encrypted files.
• Note that not all files with the .wncry extension are encrypted. Some may still be readable.
Will paying the ransom help the victims?
There is no public report from victims who paid the ransom.
References
• https://technet.microsoft.com
• https://isc.sans.edu
• http://searchnetworking.techtarget.com
• https://www.hybrid-analysis.com
Discussion

More Related Content

What's hot

File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux SecurityGeo Marian
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware InfectionsRamon
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02Computer Science Club
 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitAnurag Srivastava
 
Inception framework
Inception frameworkInception framework
Inception framework한익 주
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to RespondThomas Roccia
 
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 
Defeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftDefeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftidsecconf
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareQuick Heal Technologies Ltd.
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecurityNicholas Davis
 
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupWHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupSymantec
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021IJMER
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajaliwebhostingguy
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsAndrea Bissoli
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry moreBHack Conference
 
How to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareHow to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareKaspersky
 
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...Mrunalini Koritala
 

What's hot (20)

File System Implementation & Linux Security
File System Implementation & Linux SecurityFile System Implementation & Linux Security
File System Implementation & Linux Security
 
Fileless Malware Infections
Fileless Malware InfectionsFileless Malware Infections
Fileless Malware Infections
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02
 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With Metasploit
 
Inception framework
Inception frameworkInception framework
Inception framework
 
42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond42 - Malware - Understand the Threat and How to Respond
42 - Malware - Understand the Threat and How to Respond
 
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn ViệtSecurity Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
Security Bootcamp 2013 - Automated malware analysis - Nguyễn Chấn Việt
 
Stuxnet flame
Stuxnet flameStuxnet flame
Stuxnet flame
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn Việt
 
News bytes Oct-2011
News bytes  Oct-2011News bytes  Oct-2011
News bytes Oct-2011
 
Defeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draftDefeating spyware and forensics on the black berry draft
Defeating spyware and forensics on the black berry draft
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry Ransomware
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical Security
 
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack GroupWHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
WHITE PAPER▶ Symantec Security Response Presents:The Waterbug Attack Group
 
Cq3210191021
Cq3210191021Cq3210191021
Cq3210191021
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
Palestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry morePalestra Jeferson Propheta - Wanna Cry more
Palestra Jeferson Propheta - Wanna Cry more
 
How to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareHow to protect your business from Wannacry Ransomware
How to protect your business from Wannacry Ransomware
 
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
2011-A_Novel_Approach_to_Troubleshoot_Security_Attacks_in_Local_Area_Networks...
 

Similar to Talk of the hour, the wanna crypt ransomware

WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INWannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INVijay Sarathy Rangayyan
 
The Duqu 2.0: Technical Details
The Duqu 2.0: Technical DetailsThe Duqu 2.0: Technical Details
The Duqu 2.0: Technical DetailsKaspersky
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5CAS
 
Virus and Worms
Virus and WormsVirus and Worms
Virus and WormsGrittyCC
 
Computer worm
Computer wormComputer worm
Computer wormzelkan19
 
Computer worm
Computer wormComputer worm
Computer wormzelkan19
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedThomas Roccia
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.Hardeep Bhurji
 
How to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USMHow to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USMAlienVault
 
Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the futureHardeep Bhurji
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
5 worms and other malware
5   worms and other malware5   worms and other malware
5 worms and other malwaredrewz lin
 
Symantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec
 

Similar to Talk of the hour, the wanna crypt ransomware (20)

WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-INWannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
WannaCry (WannaCrypt) Ransomware - Advisory from CERT-IN
 
The Duqu 2.0: Technical Details
The Duqu 2.0: Technical DetailsThe Duqu 2.0: Technical Details
The Duqu 2.0: Technical Details
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing Ransomware
 
Virus and Worms
Virus and WormsVirus and Worms
Virus and Worms
 
Computer worm
Computer wormComputer worm
Computer worm
 
Computer worm
Computer wormComputer worm
Computer worm
 
Computer Worms
Computer WormsComputer Worms
Computer Worms
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
 
Malware
MalwareMalware
Malware
 
Stuxnet - More then a virus.
Stuxnet - More then a virus.Stuxnet - More then a virus.
Stuxnet - More then a virus.
 
How to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USMHow to Detect a Cryptolocker Infection with AlienVault USM
How to Detect a Cryptolocker Infection with AlienVault USM
 
Stuxnet - A weapon of the future
Stuxnet - A weapon of the futureStuxnet - A weapon of the future
Stuxnet - A weapon of the future
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
5 worms and other malware
5   worms and other malware5   worms and other malware
5 worms and other malware
 
Symantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit AnalysisSymantec White Paper: W32.Ramnit Analysis
Symantec White Paper: W32.Ramnit Analysis
 
Mitppt
MitpptMitppt
Mitppt
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 

Recently uploaded

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Talk of the hour, the wanna crypt ransomware

  • 1. Talk of the hour, WannaCrypt ransomware Shubair Abdullah, PhD in Computer Science, network security
  • 2. ILT department, college of education (SQU) Some Terminology What Happened? Attack Vector WannaCrypt Component Infection Cycle Spreading Capability Indicators of Infection How to Prevent Infection Cleaning Up Infected Systems Content
  • 3. ILT department, college of education (SQU) • Ransomware is malicious code that is used by cybercriminals to launch data kidnapping and lockscreen attacks. • Trojan horse is a program that appears harmless, but is, in fact, malicious. • Worm is a self-replicating virus that resides in active memory and duplicates itself. • Botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and IoT devices that are infected and controlled by a common type of malware. • Back-door is a means of access to a computer program that bypasses security mechanisms. • Vulnerability is a flaw in code or design that creates a potential point of security compromise for an endpoint or network. Malware Terminology
• 4. What Happened?
  • On Friday May 12th 2017, several organizations were attacked by a new ransomware.
  • The ransomware is known as WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, or WCRY.
  • WannaCrypt was very successful because it used a Windows vulnerability to spread inside networks.
  • Variants of WannaCrypt were also seen spreading on Saturday and Sunday.
  • No obvious targeting: the organizations are from various countries and appear not to be related.
  • While large enterprises made the news, small business users and home users are affected as well.
  • Estimated more than 200,000 victims according to various media sources.
• 5. Attack Vector
  • There are two attack vectors for WannaCrypt:
    1. Arrival through emails designed to trick users into running the malware and activating the worm-spreading functionality.
    2. Infection through the Windows vulnerability when an unpatched computer is reachable (on the LAN) from other infected machines.
  • WannaCrypt exploits the “Server Message Block vulnerability in Windows”. SMB “is a file sharing protocol that allows operating systems and applications to read and write data to a system”.
  • According to Microsoft, this vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.
  • The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.
  • However, Windows 10 and patched older Windows versions could still be attacked through emails.
• 6. WannaCrypt Component
  • The WannaCrypt component is a dropper (Trojan horse) that contains some executable files and a password-protected .rar archive.
  • The executable files are:
    1. The document encryption routine
    2. A component that attempts to exploit the SMB vulnerability on other computers
  • The files in the .zip archive contain:
    1. Ransomware support tools,
    2. Decryption tool,
    3. The wallpaper, and
    4. The ransom message
• 7. Infection Cycle
  • When this dropper is activated on a machine, it starts the infection cycle:
  1) tries to connect to the following domains:
     o www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
     o www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • If the connection to the domains is successful, the dropper simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.
  2) creates the following registry keys:
     o HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = “<malware working directory>\tasksche.exe”
     o HKLM\SOFTWARE\WanaCrypt0r\wd = “<malware working directory>”
• 8. Infection Cycle
  3) changes the wallpaper to a ransom message by modifying the following registry key:
     o HKCU\Control Panel\Desktop\Wallpaper: “<malware working directory>\@WanaDecryptor@.bmp”
  4) also creates the following files:
     • %SystemRoot%\tasksche.exe
     • %SystemDrive%\intel\<random directory name>\tasksche.exe
     • %ProgramData%\<random directory name>\tasksche.exe
  5) creates files in the malware’s working directory. Some files with the .wnry extension contain its message (the text message is localized into 28 languages).
• 9. Infection Cycle
  6) searches the whole computer for any file with any of the following file name extensions:
     .123, .jpeg, .rb, .602, .jpg, .rtf, .doc, .js, .sch, .3dm, .jsp, .sh, .3ds, .key, .sldm, .3g2, .lay, .sldm, .3gp, .lay6, .sldx, .7z, .ldf, .slk, .accdb, .m3u, .sln, .aes, .m4u, .snt, .ai, .max, .sql, .ARC, .mdb, .sqlite3, .asc, .mdf, .sqlitedb, .asf, .mid, .stc, .asm, .mkv, .std, .asp, .mml, .sti, .avi, .mov, .stw, .backup, .mp3, .suo, .bak, .mp4, .svg, .bat, .mpeg, .swf, .bmp, .mpg, .sxc, .brd, .msg, .sxd, .bz2, .myd, .sxi, .c, .myi, .sxm, .cgm, .nef, .sxw, .class, .odb, .tar, .cmd, .odg, .tbk, .cpp, .odp, .tgz, .crt, .ods, .tif, .cs, .odt, .tiff, .csr, .onetoc2, .txt, .csv, .ost, .uop, .db, .otg, .uot, .dbf, .otp, .vb, .dch, .ots, .vbs, .der, .ott, .vcd, .dif, .p12, .vdi, .dip, .PAQ, .vmdk, .djvu, .pas, .vmx, .docb, .pdf, .vob, .docm, .pem, .vsd, .docx, .pfx, .vsdx, .dot, .php, .wav, .dotm, .pl, .wb2, .dotx, .png, .wk1, .dwg, .pot, .wks, .edb, .potm, .wma, .eml, .potx, .wmv, .fla, .ppam, .xlc, .flv, .pps, .xlm, .frm, .ppsm, .xls, .gif, .ppsx, .xlsb, .gpg, .ppt, .xlsm, .gz, .pptm, .xlsx, .h, .pptx, .xlt, .hwp, .ps1, .xltm, .ibd, .psd, .xltx, .iso, .pst, .xlw, .jar, .rar, .zip, .java, .raw
• 10. Infection Cycle
  7) encrypts all files and renames them by appending .WNCRY. For example, if a file is named picture1.jpg, it encrypts and renames the file to picture1.jpg.WNCRY.
  8) installs a back-door that could be used to compromise the system further, for example to create a botnet or add the PC to an existing botnet.
  9) replaces the desktop background image with the following message:
• 11. Infection Cycle
  9) runs an executable showing a ransom note as well as a timer. The user is asked to pay $300, which will increase to $600 after a few days. The ransomware threatens to delete all files after a week.
• 12. Infection Cycle
  10) demonstrates the decryption capability by allowing the user to decrypt a few files for free. It then reminds the user to pay the ransom to decrypt the remaining files.
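As an added example (not part of the slides), a small Python triage routine that checks a host's Run-key values and file listing for the artefacts named in steps 2 to 7 of the infection cycle: the tasksche.exe drop locations, the WanaCrypt0r\wd key, the ransom wallpaper, .wnry support files and .WNCRY-renamed files. The registry entries, paths and random directory names below are constructed samples, not real telemetry.

```python
import re
from collections import defaultdict

# Constructed host snapshot (not real telemetry): Run-key values as
# (key, value name, data) and a file listing. Random directory names are placeholders.
REGISTRY = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "qwkxzvb",
     r"C:\ProgramData\qwkxzvb\tasksche.exe"),
    (r"HKLM\SOFTWARE\WanaCrypt0r", "wd", r"C:\ProgramData\qwkxzvb"),
    (r"HKCU\Control Panel\Desktop", "Wallpaper",
     r"C:\ProgramData\qwkxzvb\@WanaDecryptor@.bmp"),
]
FILES = [
    r"C:\Windows\tasksche.exe",
    r"C:\intel\mhuqbzp\tasksche.exe",
    r"C:\ProgramData\qwkxzvb\tasksche.exe",
    r"C:\ProgramData\qwkxzvb\m_english.wnry",
    r"C:\Users\alice\Documents\picture1.jpg.WNCRY",
    r"C:\Users\alice\Documents\notes.txt",
]

# The three drop locations from step 4: %SystemRoot%, %SystemDrive%\intel\<random>,
# %ProgramData%\<random>; matched against a lower-cased path.
TASKSCHE_RE = re.compile(
    r"^[a-z]:\\(windows|intel\\[^\\]+|programdata\\[^\\]+)\\tasksche\.exe$")

def triage(registry, files):
    """Return indicator name -> matching artefacts; an empty dict means no hits."""
    hits = defaultdict(list)
    for key, name, data in registry:
        k, d = key.lower(), data.lower()
        if k.endswith(r"\currentversion\run") and d.endswith("tasksche.exe"):
            hits["run_key_persistence"].append(f"{key}\\{name}")   # step 2
        elif k.endswith(r"\software\wanacrypt0r") and name.lower() == "wd":
            hits["wanacrypt0r_wd_key"].append(data)                # step 2
        elif k.endswith(r"\desktop") and name.lower() == "wallpaper" \
                and "@wanadecryptor@.bmp" in d:
            hits["ransom_wallpaper"].append(data)                  # step 3
    for path in files:
        low = path.lower()
        if TASKSCHE_RE.match(low):
            hits["tasksche_dropper"].append(path)                  # step 4
        elif low.endswith(".wnry"):
            hits["wnry_support_file"].append(path)                 # step 5
        elif low.endswith(".wncry"):
            hits["encrypted_file"].append(path)                    # step 7
    return dict(hits)
```

Feeding a real host's exported Run keys and a directory listing into triage() gives a quick yes/no on whether the dropper reached steps 2 to 7 on that machine.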
• 13. Spreading Capability
  • The worm functionality of WannaCrypt attempts to infect unpatched Windows PCs on the local network.
  • It executes massive scanning of Internet IP addresses to find and infect other vulnerable computers.
  • The Internet scanning routine randomly generates numbers to form the IPv4 address.
  • Once a vulnerable machine is found and infected, it becomes the next hop for infecting other machines.
  • The malicious infection cycle continues as the scanning routine discovers unpatched computers.
  • The spreading activity generates a huge amount of network traffic from the infected host, which places a serious load on the network and massively slows down the internet connection.
• 14. Indicators of Infection
  • Systems that are infected by WannaCry will try to connect to a specific domain, so a huge amount of traffic could be generated.
  • Encrypted files with the “.wncry” extension.
  • Systems will scan internally for port 445.
  • A ransom message will be displayed.
  • Anti-malware vendors now have signatures for WannaCry.
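As an added example (not from the slides), Python detection logic for two of the network indicators above, run over constructed log samples: a sliding-window count of distinct tcp/445 targets per source, which flags the internal port-445 scanning of the worm, and a lookup of DNS queries for the two kill-switch domains, which shows the dropper has executed on the querying host. The log formats, addresses and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed samples, not real telemetry: "timestamp src dst dport" per line.
# 10.0.0.7 fans out to six hosts on tcp/445 within seconds (worm-style scanning);
# 10.0.0.9 only talks to one file server. Addresses are placeholders.
CONN_LOG = """\
2017-05-12T10:00:00 10.0.0.9 10.0.0.5 445
2017-05-12T10:00:01 10.0.0.7 10.0.0.11 445
2017-05-12T10:00:01 10.0.0.7 10.0.0.12 445
2017-05-12T10:00:02 10.0.0.7 10.0.0.13 445
2017-05-12T10:00:02 10.0.0.7 10.0.0.14 445
2017-05-12T10:00:03 10.0.0.7 10.0.0.15 445
2017-05-12T10:00:03 10.0.0.7 10.0.0.16 445
2017-05-12T10:00:30 10.0.0.9 10.0.0.5 445
2017-05-12T10:00:31 10.0.0.9 10.0.0.5 80
"""
# Kill-switch domains from the slides: a DNS query for either means the dropper
# has already run on the querying host (the slides advise not to block them).
KILL_SWITCH = {"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
               "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}
DNS_LOG = """\
2017-05-12T09:59:58 10.0.0.7 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:00:10 10.0.0.9 www.example.com
"""

def smb_scanners(conn_log, threshold=5, window=timedelta(seconds=60)):
    """Map src -> peak number of distinct tcp/445 targets inside one window, for
    sources that reach at least `threshold` distinct targets (likely scanners)."""
    per_src = defaultdict(list)
    for line in conn_log.splitlines():
        ts, src, dst, dport = line.split()
        if dport == "445":
            per_src[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, seen in per_src.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:   # slide the window
                start += 1
            distinct = {dst for _, dst in seen[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts

def kill_switch_lookups(dns_log):
    """Clients whose DNS queries hit a kill-switch domain."""
    return {src for _, src, qname in (l.split() for l in dns_log.splitlines())
            if qname.lower() in KILL_SWITCH}
```

Both functions return the offending source addresses, so the same host showing up in both outputs (here 10.0.0.7) is a strong sign of an active infection rather than ordinary file-share traffic.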
• 15. How to Prevent Infection
  • Avoid opening suspicious email attachments (this applies to Windows 10 as well).
  • Windows versions (Windows Vista, 7, 8, Windows Server 2008-2016) can be patched with MS17-010, released by Microsoft in March.
  • Microsoft released a patch for older systems going back to Windows XP and Windows 2003 on Friday.
  • Confirm that the patch is installed.
  For network administrators:
  • Segment the network.
  • Prevent internal spreading via port 445 and RDP.
  • Block port 445 at the perimeter.
  • Disable SMBv1.
  • Implement internal “kill switch” domains / do not block them.
  • Block “Set registry key”.
• 16. Cleaning Up Infected Systems
  • Anti-malware vendors are offering removal tools.
  • Removal tools will remove WannaCrypt, but will not recover encrypted files.
  • Note that not all files with the .wncry extension are encrypted. Some may still be readable.
  Will paying the ransom help the victims? There is no public report from victims who paid the ransom.
• 17. References
  • https://technet.microsoft.com
  • https://isc.sans.edu
  • http://searchnetworking.techtarget.com
  • https://www.hybrid-analysis.com
• 18. Discussion