2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
AN INSIDE LOOK AT THE WANNACRY
RANSOMWARE OUTBREAK
ADAM MEYERS – VICE PRESIDENT, INTELLIGENCE
CHRIS WITTER – SR. DIRECTOR, HUNTING OPERATIONS
Threat Intelligence Report on WannaCry
WannaCry: The Analyst Perspective
Stopping WannaCry
Q&A
ADAM MEYERS
A LITTLE ABOUT ME:
§ VP, Intelligence, CrowdStrike
§ Security Researcher
§ Former DIB Contractor
WE STOP BREACHES
Next Generation Endpoint
Intelligence
Services
2016: THE YEAR OF RANSOMWARE
§ Over 175 new ransomware families introduced in 2016
§ Method of choice for developing and new criminal operators
§ Growing popularity within the criminal community
§ FBI reports a 300% increase in ransomware cases compared to 2015
MAJOR RANSOMWARE FAMILIES
Family                    First seen      Status (as of this deck, mid-2017)
Samas                     Early 2016      Continues
Cerber                    March 2016      Continues
CryptXXX                  April 2016      Ended October 2016
CryptoWall                June 2014       Ended April 2016
TeslaCrypt                Early 2015      Ended May 2016
Locky                     January 2016    Continues
CryptFile2                March 2016      Continues
Petya/Mischa/Goldeneye    March 2016      Continues
TorrentLocker             Early 2014      Continues
WANNACRY
Self-propagating ransomware leveraging the ShadowBrokers exploit package
§ Tradecraft
§ AES-128 per-file encryption, with the per-file keys protected by a 2048-bit RSA key pair
§ Targets 177 file types for encryption
§ DNS kill switch: the dropper checks a domain first and exits if it gets an answer
§ SMB exploit (MS17-010, ETERNALBLUE) for propagation
§ Complex architecture
§ Unpacks 8 files plus a directory of ransom messages in various languages
§ Resource named XIA is a password-protected ZIP (password WNcry@2ol7)
§ TOR C2 (ships its own Tor package)
§ Multiple Bitcoin addresses used for receipt of payment
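The DNS kill switch is also a hunting lead: the dropper resolves and fetches the kill-switch domain before it installs its service or touches SMB, so any lookup of that name from an internal host means the dropper executed there, whether or not encryption followed. The script below is an added example, not CrowdStrike code; it runs over constructed DNS query-log lines, and KILL_SWITCH_DOMAINS holds a placeholder name rather than the real domain, which you would take from your intel feed.

```python
"""Hunt DNS query logs for lookups of the WannaCry kill-switch domain.

Added example (not CrowdStrike code). The dropper resolves and HTTP-GETs
the kill-switch domain before doing anything else, so a lookup from a
host means the dropper executed there whether or not encryption followed.
"""
from collections import defaultdict
from datetime import datetime

# Assumption/placeholder: put the real kill-switch domain(s) from your
# intel feed here. The value below is NOT the actual domain.
KILL_SWITCH_DOMAINS = {"killswitch.example"}

# Constructed sample log, one query per line:
# "<iso-time> <client-ip> <query-name> <rcode>"
SAMPLE_DNS_LOG = """\
2017-05-12T09:01:13Z 10.0.4.17 time.windows.com NOERROR
2017-05-12T09:02:44Z 10.0.4.17 killswitch.example NXDOMAIN
2017-05-12T09:02:45Z 10.0.4.17 killswitch.example NXDOMAIN
2017-05-12T09:03:02Z 10.0.7.9 KillSwitch.example. NOERROR
2017-05-12T09:05:30Z 10.0.4.22 wpad.corp.example NXDOMAIN
"""


def parse_dns_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            # normalise case and trailing dot so "Example.COM." still matches
            "qname": qname.lower().rstrip("."),
            "rcode": rcode.upper(),
        })
    return events


def hunt_kill_switch(events):
    """Return {client_ip: summary} for every client that queried a
    kill-switch domain. NOERROR only shows the name resolved; it is a
    necessary, not sufficient, condition for the HTTP GET to succeed."""
    hits = defaultdict(list)
    for e in events:
        if e["qname"] in KILL_SWITCH_DOMAINS:
            hits[e["client"]].append(e)
    summary = {}
    for client, evs in hits.items():
        resolved = any(e["rcode"] == "NOERROR" for e in evs)
        summary[client] = {
            "first_seen": min(e["ts"] for e in evs).isoformat(),
            "lookups": len(evs),
            "resolved": resolved,
            # no answer means the dropper carried on: expect propagation
            "priority": "medium" if resolved else "high",
        }
    return summary


def run_sample():
    return hunt_kill_switch(parse_dns_log(SAMPLE_DNS_LOG))


if __name__ == "__main__":
    for client, s in sorted(run_sample().items()):
        print(client, s)
```

Two caveats when you use this for real: a resolved name does not prove the GET succeeded, because the dropper's check did not honour proxy settings, so hosts that can only reach the Internet through a proxy kept infecting even where the sinkhole was up; and a host that never queried the domain may simply have been hit by a later variant with a different or no kill switch.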
WannaCry Development Timeline (continuous development)
9 February 2017: WannaCry variant #1
14 March 2017: Microsoft issues numerous patches, including MS17-010
14 April 2017: "Lost in Translation" ShadowBrokers release
28 April 2017: WannaCry variant #2
29 April 2017: Initial ETERNALBLUE exploitation
12 May 2017: WannaCry variant #3
13 May 2017: Modified WannaCry redistributed
CHRISTOPHER WITTER
A LITTLE ABOUT ME:
§ Senior Manager, Falcon OverWatch
§ 15 years of DFIR experience
FALCON OVERWATCH DATA & PROCESS FLOW
(Diagram on the slide; the flow is numbered 1 to 5.)
§ Customer endpoints: continuous endpoint data into the CrowdStrike Cloud (patented Threat Graph™)
§ Falcon UI: detection details, EAM investigation, intelligence/actors
§ OverWatch analytics platform: Falcon data streams, hunting triggers, advanced analytics, business logic
§ OverWatch hunters: strategic analysis; atomic + behavioral + anomaly detection; rapid intrusion triage and scoping
§ Output: notification of intrusions/breaches; expert operators <--> support channel
WHAT DO WE KNOW?
§ 4/14: The Shadow Brokers dump more "goodness" into the public domain, both exploits and utilities, particularly SMB-related ones.
4/18 FIRST OBSERVED
ITEMS OF DISTINCTION
§ Five cases, all identical in nature
§ Externally facing assets
§ LSASS password-dumping detections
§ All shared an identical DLL written during the attack
§ No post-exploitation actions on objectives
§ Three commands, all run in succession:
  § net group /domain
  § net group "domain admins" /domain
  § nltest /domain_trusts
5/12 -> WANNACRY
STOPPING RANSOMWARE
THE CROWDSTRIKE APPROACH
Machine Learning
• Prevents the execution of the WannaCry executable
• Our ML model in VirusTotal from January identified an early WannaCry variant on Feb 20
• That same ML model blocked the WannaCry that struck on May 12
WHAT HAPPENS IF YOU MISS?
Suspicious Process Blocking
• If ML misses, we still catch WannaCry when Windows task scheduler tries to run it
• This IOA is generic and can identify and block almost any malicious process
RANSOMWARE IOA
Ransomware IOA Blocking
• I can’t show you an IOA block for WannaCry because it never made it this far
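A ransomware IOA is a behavioural pattern rather than a hash or a name: one process turning many user documents into files with a new extension in a short burst. The script below is an added example, not CrowdStrike's IOA logic; it runs a sliding-window count over constructed file-activity events, and the event format, the document-extension list and the threshold of five renames in 30 seconds are assumptions chosen for the demonstration.

```python
"""Behavioural ransomware indicator: one process renaming many user
documents to a new extension within a short window.

Added example (not CrowdStrike's IOA logic). Event format, thresholds and
the document-extension list are assumptions chosen for the demonstration.
"""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed set of "user document" types worth counting.
DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt"}

# Constructed file-activity events:
# "<iso-time>|<pid>|<image>|<op>|<old path>|<new path>"  (old path empty for writes)
# explorer.exe does one benign rename; updater.exe renames six documents in 10 s.
SAMPLE_FILE_LOG = """\
2017-05-12T10:00:01Z|4120|winword.exe|write||C:\\Users\\a\\Documents\\q3.docx
2017-05-12T10:00:03Z|1180|explorer.exe|rename|C:\\Users\\a\\Desktop\\notes.txt|C:\\Users\\a\\Desktop\\notes.bak
2017-05-12T10:00:05Z|5532|updater.exe|rename|C:\\Users\\a\\Documents\\q3.docx|C:\\Users\\a\\Documents\\q3.docx.locked
2017-05-12T10:00:07Z|5532|updater.exe|rename|C:\\Users\\a\\Documents\\budget.xlsx|C:\\Users\\a\\Documents\\budget.xlsx.locked
2017-05-12T10:00:09Z|5532|updater.exe|rename|C:\\Users\\a\\Documents\\deck.pptx|C:\\Users\\a\\Documents\\deck.pptx.locked
2017-05-12T10:00:11Z|5532|updater.exe|rename|C:\\Users\\a\\Pictures\\img1.jpg|C:\\Users\\a\\Pictures\\img1.jpg.locked
2017-05-12T10:00:13Z|5532|updater.exe|rename|C:\\Users\\a\\Pictures\\img2.jpg|C:\\Users\\a\\Pictures\\img2.jpg.locked
2017-05-12T10:00:15Z|5532|updater.exe|rename|C:\\Users\\a\\Pictures\\img3.jpg|C:\\Users\\a\\Pictures\\img3.jpg.locked
"""


def parse_file_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, op, old, new = line.split("|", 5)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "pid": int(pid), "image": image.lower(), "op": op,
                       "old": old, "new": new})
    return events


def detect_mass_rename(events, threshold=5, window=timedelta(seconds=30)):
    """Alert once per process when `threshold` document renames that change
    the extension land inside any `window`-long sliding interval."""
    recent = defaultdict(deque)      # (pid, image) -> renames inside the window
    alerted, alerts = set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["op"] != "rename":
            continue
        old_ext = ntpath.splitext(e["old"])[1].lower()
        new_ext = ntpath.splitext(e["new"])[1].lower()
        if old_ext not in DOC_EXTS or new_ext == old_ext:
            continue                 # not a document, or a rename keeping the type
        key = (e["pid"], e["image"])
        q = recent[key]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()              # slide the window forward
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "pid": e["pid"], "image": e["image"],
                "files": len(q),
                "new_ext": new_ext,
                "directories": len({ntpath.dirname(x["new"]) for x in q}),
                "first": q[0]["ts"].isoformat(), "last": e["ts"].isoformat(),
            })
    return alerts


def run_sample():
    return detect_mass_rename(parse_file_log(SAMPLE_FILE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The alert fires on the fifth rename, while the process is still running, which is what makes the indicator useful for blocking rather than just reporting: a prevention engine hooked at this point stops the process with most of the user's files intact. Tune the threshold and window against your own baseline (backup agents, archivers and document converters all rename in bulk), and keep the extension-change condition, which is what separates encryption from legitimate mass moves.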
DEMONSTRATION
§ WannaCry infection and propagation
§ Stop with machine learning
§ Stop variant while offline
§ What happens if ML misses?
§ Stop propagation
§ Visibility into everything
Questions?
Please submit all questions in the Q&A chat
right below the presentation slides
Contact Us
Additional Information
Join Weekly Demos: crowdstrike.com/productdemos
Featured Asset: Falcon Test Drive (link in Resource List)
Website: crowdstrike.com
Email: info@crowdstrike.com
Number: 1.888.512.8902 (US)
