Talk of the hour: the WannaCrypt ransomware
Shubair Abdullah, PhD in Computer Science, network security
ILT department, college of education (SQU)
Content
• Some Terminology
• What Happened?
• Attack Vector
• WannaCrypt Component
• Infection Cycle
• Spreading Capability
• Indicators of Infection
• How to Prevent Infection
• Cleaning Up Infected Systems
Malware Terminology
• Ransomware is malicious code that is used by cybercriminals to launch data kidnapping and lockscreen attacks.
• Trojan horse is a program that appears harmless, but is, in fact, malicious.
• Worm is a self-replicating virus that resides in active memory and duplicates itself.
• Botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and IoT devices, that are infected and controlled by a common type of malware.
• Back-door is a means of access to a computer program that bypasses security mechanisms.
• Vulnerability is a flaw in code or design that creates a potential point of security compromise for an endpoint or network.
What Happened?
• On Friday, May 12th 2017, several organizations were attacked by a new ransomware.
• The ransomware is known as WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, or WCRY.
• WannaCrypt was very successful because it used a Windows vulnerability to spread inside networks.
• Variants of WannaCrypt were also seen spreading on Saturday and Sunday.
• There was no obvious targeting: the affected organizations are from various countries and appear unrelated.
• While large enterprises made the news, small business users and home users were affected as well.
• Various media sources estimated more than 200,000 victims.
Attack Vector
• WannaCrypt has two attack vectors:
1. Arrival through emails designed to trick users into running the malware, which activates the worm-spreading functionality.
2. Infection through a Windows vulnerability when an unpatched computer is addressable (on the LAN) from other infected machines.
• WannaCrypt exploits the “Server Message Block vulnerability in Windows”. SMB “is a file sharing protocol that allows operating systems and applications to read and write data to a system”.
• According to Microsoft, this vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.
• The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.
• However, Windows 10 and patched older Windows versions could still be attacked through emails.
WannaCrypt Component
• The WannaCrypt component is a dropper (Trojan horse) that contains some executable files and a password-protected .rar archive.
• The executable files are:
1. The document encryption routine
2. A component that attempts to exploit the SMB vulnerability on other computers
• The files in the .zip archive contain:
1. Ransomware support tools,
2. The decryption tool,
3. The wallpaper, and
4. The ransom message
Infection Cycle
• When this dropper is activated on a machine, it starts the infection cycle:
1) tries to connect to the following domains:
o www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
o www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
• If the connection to the domains succeeds, the dropper simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.
2) creates the following registry keys:
o HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<random string> = “<malware working directory>\tasksche.exe”
o HKLM\SOFTWARE\WanaCrypt0r\wd = “<malware working directory>”
3) changes the wallpaper to a ransom message by modifying the following registry key:
o HKCU\Control Panel\Desktop\Wallpaper: “<malware working directory>\@WanaDecryptor@.bmp”
4) also creates the following files:
• %SystemRoot%\tasksche.exe
• %SystemDrive%\intel\<random directory name>\tasksche.exe
• %ProgramData%\<random directory name>\tasksche.exe
5) creates files in the malware’s working directory. Some files with the .wnry extension contain its message (the text message is localized into 28 languages).
7) encrypts all files and renames them by appending .WNCRY. For example, if a file is named picture1.jpg, it encrypts the file and renames it to picture1.jpg.WNCRY.
8) installs a back-door that could be used to compromise the system further, for example to create a botnet or add the PC to an existing botnet.
9) replaces the desktop background image with the ransom message.
9) runs an executable that shows a ransom note as well as a timer. The user is asked to pay $300, which will increase to $600 after a few days. The ransomware threatens to delete all files after a week.
10) demonstrates the decryption capability by allowing the user to decrypt a few files for free. It then reminds the user to pay the ransom to decrypt the remaining files.
Spreading Capability
• The worm functionality of WannaCrypt attempts to infect unpatched Windows PCs in the local network.
• It also executes massive scanning of Internet IP addresses to find and infect other vulnerable computers.
• The Internet scanning routine randomly generates numbers to form the IPv4 address.
• Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines.
• The malicious infection cycle continues as the scanning routine discovers unpatched computers.
• The spreading activity generates a huge amount of network traffic from the infected host, which means a serious load and a massive slowdown of the internet connection.
Indicators of Infection
• Systems that are infected by WannaCry will try to connect to a specific domain, so a large amount of traffic to that domain may be seen.
• Encrypted files with the “.wncry” extension.
• Systems will scan internally for port 445.
• A ransom message will be displayed.
• Anti-malware vendors now have signatures for WannaCry.
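The infection-cycle artifacts and the indicators above can be checked on a single host from PowerShell. The script below is an added example, not code from the slides or from any vendor: it is a read-only triage that looks for the Run value and WanaCrypt0r key, the dropped tasksche.exe locations, .WNCRY/.wnry files, outbound SMB fan-out on port 445, and cached lookups of the two kill-switch domains. The scan roots, the peer threshold, and the assumption that the SMB and DNS cmdlets are available (Windows 8 / Server 2012 or later) are mine, not the slides'.

```powershell
# Added example, not from the slides: read-only triage of a Windows host against
# the WannaCrypt indicators listed above. Needs an elevated PowerShell 3.0+
# session; Get-NetTCPConnection and Get-DnsClientCache need Windows 8 / Server
# 2012 or later. Nothing is changed or removed; it only reports.
param(
    # Roots to search for encrypted files (constructed defaults, adjust as needed)
    [string[]]$ScanRoots = @("$env:SystemDrive\Users", $env:ProgramData),
    # Distinct SMB peers above which one host looks like it is scanning the LAN
    [int]$SmbPeerThreshold = 20
)
# The two kill-switch domains from the infection cycle, undefanged for matching
$killSwitch = @(
    'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    'www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Persistence: Run values that launch tasksche.exe, and the WanaCrypt0r\wd value
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'tasksche\.exe' } |
        ForEach-Object { $findings.Add("Run value '$($_.Name)' = $($_.Value)") }
}
if (Test-Path 'HKLM:\SOFTWARE\WanaCrypt0r') {
    $wd = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\WanaCrypt0r' -ErrorAction SilentlyContinue).wd
    $findings.Add("Key HKLM\SOFTWARE\WanaCrypt0r present, wd = '$wd'")
}

# 2. Dropped executables in the locations the slides name
$dropSpots = @("$env:SystemRoot\tasksche.exe")
foreach ($parent in @("$env:SystemDrive\intel", $env:ProgramData)) {
    Get-ChildItem -Path $parent -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { $dropSpots += Join-Path $_.FullName 'tasksche.exe' }
}
foreach ($p in $dropSpots) {
    if (Test-Path -Path $p -PathType Leaf) { $findings.Add("Dropped file: $p") }
}

# 3. Encrypted files (.WNCRY), message files (.wnry) and the ransom wallpaper
$files = @(Get-ChildItem -Path $ScanRoots -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.(wncry|wnry)$' -or $_.Name -like '@WanaDecryptor@*' })
if ($files.Count -gt 0) {
    $findings.Add("$($files.Count) WannaCrypt-related file(s), e.g. $($files[0].FullName)")
}

# 4. Worm-style spreading: this host talking SMB (445) to many distinct peers
$peers = @(Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1)' } |
    Select-Object -ExpandProperty RemoteAddress -Unique)
if ($peers.Count -gt $SmbPeerThreshold) {
    $findings.Add("Outbound SMB to $($peers.Count) distinct hosts (internal scanning?)")
}

# 5. Kill-switch lookup: a cached entry means the dropper ran its connectivity
#    check on this machine (whether or not the domain answered)
$cached = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -in $killSwitch }
foreach ($c in $cached) { $findings.Add("Kill-switch domain in DNS cache: $($c.Entry)") }

if ($findings.Count -eq 0) { 'No WannaCrypt indicators found on this host.' }
else {
    "$($findings.Count) indicator(s) found:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it as `.\Find-WannaCrypt.ps1 -ScanRoots 'D:\Shares' -SmbPeerThreshold 10` on a suspect host; any finding is a reason to isolate the machine from the LAN before anything else, because the worm component keeps scanning port 445 while the host stays connected.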
How to Prevent Infection
• Avoid opening suspicious email attachments (this applies to Windows 10 as well).
• Supported Windows versions (Windows Vista, 7, 8, Windows Server 2008-2016) can be patched with MS17-010, released by Microsoft in March.
• On Friday, Microsoft also released a patch for older systems going back to Windows XP and Windows Server 2003.
• Confirm that the patch is installed.
For network administrators:
• Segment the network.
• Prevent internal spreading via port 445 and RDP.
• Block port 445 at the perimeter.
• Disable SMBv1.
• Implement the internal “kill switch” domains / do not block them.
• Block “Set registry key”.
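The host-side items in the list above (confirm the patch, disable SMBv1, stop port 445 and RDP reaching the machine from the LAN) can be applied and verified with the following script. It is an added example, not code from the slides or from Microsoft. The slides only name the bulletin MS17-010, not the per-OS KB article numbers, so the `$Ms17010Kb` list is a labelled placeholder that must be filled in; the firewall rule names, the `-BlockRdp` switch, and the assumption of Windows 8 / Server 2012 or later (for the SmbShare and NetSecurity cmdlets) are mine.

```powershell
# Added example, not from the slides: apply the host-side prevention steps and
# report what changed. Run in an elevated PowerShell on Windows 8 / Server 2012
# or later. Do not use the 445 block on a file server that must serve shares.
param(
    # Placeholder: the slides give only "MS17-010"; put the KB id(s) for this OS here
    [string[]]$Ms17010Kb = @('KB-PLACEHOLDER-FOR-THIS-OS'),
    # Also block inbound RDP (3389), as the slides suggest for internal spreading;
    # off by default because administrators often depend on it
    [switch]$BlockRdp
)

# 1. Confirm the MS17-010 patch is installed
$present = Get-HotFix | Where-Object { $_.HotFixID -in $Ms17010Kb }
if ($present) { "MS17-010 installed: $($present.HotFixID -join ', ')" }
else { Write-Warning 'MS17-010 not found (or KB placeholder not replaced); patch before relying on the rest' }

# 2. Disable SMBv1, the protocol version the exploit abuses
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    'SMBv1 server disabled'
} else { 'SMBv1 server already disabled' }
# On Windows 8.1 / 10 the SMB1 component can be removed entirely (needs a reboot)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    'SMB1Protocol feature disabled; reboot to complete'
}

# 3. Stop infected LAN peers reaching this host over 445 (and 3389 if asked).
#    Block rules take precedence over allow rules in Windows Firewall, so this
#    also overrides the built-in File and Printer Sharing allow rules.
function Set-InboundBlock([string]$Name, [int]$Port) {
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP `
            -LocalPort $Port -Action Block -Profile Any | Out-Null
        "Created firewall rule '$Name'"
    } else { "Firewall rule '$Name' already exists" }
}
Set-InboundBlock -Name 'Block inbound SMB 445 (WannaCrypt)' -Port 445
if ($BlockRdp) { Set-InboundBlock -Name 'Block inbound RDP 3389 (WannaCrypt)' -Port 3389 }

# 4. Verify the end state
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName '*WannaCrypt*' | Select-Object DisplayName, Enabled, Action
```

The patch check comes first on purpose: disabling SMBv1 and blocking 445 limit how the worm reaches a host, but only MS17-010 removes the vulnerability itself, so a host that fails step 1 should be treated as still exposed until it is patched.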
Cleaning Up Infected Systems
• Anti-malware vendors are offering removal tools.
• Removal tools will remove WannaCrypt, but will not recover encrypted files.
• Note that not all files with the .wncry extension are encrypted. Some may still be readable.
Will paying the ransom help the victims?
There is no public report from victims who paid the ransom.
References
• https://technet.microsoft.com
• https://isc.sans.edu
• http://searchnetworking.techtarget.com
• https://www.hybrid-analysis.com