SlideShare a Scribd company logo

Wannacry

Download as PPT, PDF
Gunther Clauwaert
Gunther Clauwaert

WannaCry/WannaCrypt Ransomware. Prepared by the SANS Technology Institute Internet Storm Center. Released under a “Creative Commons Attribution-ShareAlike” License: Use, modify and share these slides. Please attribute the work to us.

1 of 14
WannaCry/WannaCrypt Ransomware Prepared by the SANS Technology Institute Internet Storm Center. Released under a “Creative Commons Attribution- ShareAlike” License: Use, modify and share these slides. Please attribute the work to us. https://creativecommons.org/licenses/by-sa/4.0/
What Happened?  On Friday May 12th 2017, several organizations were affected by a new Ransomware strain.  The Ransomware was very successful in part because it used a SMB vulnerability to spread inside networks.  The vulnerability was patched by Microsoft in March for supported versions of Windows.  The exploit, known under the name ETERNALBLUE, was released in April as part of a leak of NSA tools.  Variants have been seen spreading Saturday/Sunday.
How many infections?  Several large organizations world wide are known to be affected.  No obvious targeting. The organizations are from various countries and appear not to be related.  While large enterprises made the news, small business users and home users may be affected as well.  Estimated > 200,000 victims according to various anti virus vendors
How do systems get infected?  E-Mail: Some organizations suggest that the initial infection originated from e-mail attachments, but little is known about the e-mails. It is easily possible that other malware was confused with WannaCry.  SMB: Affected organizations may have had vulnerable systems exposed via port 445.  Up to know, affected organizations have not shared a lot of proof to show how the initial infection happened.
What happens to the victim?  Files with specific extensions will be encrypted.  The victim will see a ransom message asking for approx. $300. Ransomware demands will increase to $600 after 3 days. After 7 days, the files may not longer be recoverable.  The ransomware will also install a backdoor to access the system remotely via port 445 (Double Pulsar, also part of the NSA tool set).
How to Prevent Infection: Patch  Newer Windows Versions (Windows Vista, 7-10, Windows Server 2008-2016) can be patched with MS17-010 released by Microsoft in March.  Microsoft released a patch for older systems going back to Windows XP and Windows 2003 on Friday.  Confirm that patch is installed
Other Mitigating Controls  Segment Network  Prevent internal spreading via port 445 and RDP.  Block Port 445 at perimeter.  Disable SMBv1  Implement internal “kill switch” domains / do not block them  Set registry key.  At least one additional variant of the malware was seen this weekend. It uses a different “kill switch”.
Detect Affected Systems  Systems that are infected by WannaCry will try to connect to a specific domain.  Encrypted files will have the “wncry” extension.  Systems will scan internally for port 445.  Ransom message will be displayed.  In addition, infected systems will reach out to sites for crypto keys.  Anti-Malware has signatures now for WannaCry.
Ransom Note
Cleaning Up Infected Systems  Anti-Malware vendors are offering removal tools.  Removal tools with remove malware, but will not recover encrypted files.  WannaCry will install a backdoor that could be used to compromise the system further.  Note that not all files with the .wncry extension are encrypted. Some may still be readable.
Kill Switch  The malware will not run if it can access a specific website.  This web site has been registered to stop the spread of malware.  But proxies may prevent connections. An internal website may be more reliable and allows detecting infections.  A registry entry was found that will prevent infection as well, and a tool was released to set the entry.  Future versions will likely remove these kill switches or change the name of the registry entry.
Will Paying the Ransom Help Us?  There is no public report from victims who paid the ransom.  About a hundred victims paid so far.  The unlock code is transmitted in a manual process that requires the victim to contact the person behind the ransomware to transmit an unlock code.  Due to the law enforcement and public attention, it is possible that the individual(s) behind this malware will disappear and not release unlock codes in the future.
Impact / Summary  Availability Affected organizations will loose access to the files encrypted by the malware. Recovery is uncertain even after paying the ransom.  Confidentiality The malware does install a backdoor that could be used to leak data from affected machines, but the malware itself does not exfiltrate data  Integrity Aside from encrypting the data, the malware does not alter data. But the backdoor could be used by others to cause additional damage
Additional Links  Technical Webcast: https://www.sans.org/webcasts/massive- ransomware-crisis-uk-health-system-105150  Microsoft Guidance https://blogs.technet.microsoft.com/msrc/2017/05/12/custom er-guidance-for-wannacrypt-attacks/  Internet Storm Center: https://isc.sans.edu

Recommended

WannaCry ransomware attack
WannaCry ransomware attackWannaCry ransomware attack
WannaCry ransomware attack
Abdelhakim Salama
 
Wannacry
WannacryWannacry
Wannacry
AravindVV
 
Ransomware: Wannacry
Ransomware: WannacryRansomware: Wannacry
Ransomware: Wannacry
Mikel Solabarrieta
 
WannaCry Ransomware
WannaCry Ransomware WannaCry Ransomware
WannaCry Ransomware
Zoho Corporation
 
WannaCry / Wannacrypt Ransomware
WannaCry / Wannacrypt RansomwareWannaCry / Wannacrypt Ransomware
WannaCry / Wannacrypt Ransomware
Ayoub Rouzi
 
The rise of malware(ransomware)
The rise of malware(ransomware)The rise of malware(ransomware)
The rise of malware(ransomware)
phexcom1
 
Ransomware
RansomwareRansomware
Ransomware
Chaitali Sharma
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attack
Amna
 

Recommended

WannaCry ransomware attack
WannaCry ransomware attackWannaCry ransomware attack
WannaCry ransomware attack
Abdelhakim Salama
 
Wannacry
WannacryWannacry
Wannacry
AravindVV
 
Ransomware: Wannacry
Ransomware: WannacryRansomware: Wannacry
Ransomware: Wannacry
Mikel Solabarrieta
 
WannaCry Ransomware
WannaCry Ransomware WannaCry Ransomware
WannaCry Ransomware
Zoho Corporation
 
WannaCry / Wannacrypt Ransomware
WannaCry / Wannacrypt RansomwareWannaCry / Wannacrypt Ransomware
WannaCry / Wannacrypt Ransomware
Ayoub Rouzi
 
The rise of malware(ransomware)
The rise of malware(ransomware)The rise of malware(ransomware)
The rise of malware(ransomware)
phexcom1
 
Ransomware
RansomwareRansomware
Ransomware
Chaitali Sharma
 
Ransomware attack
Ransomware attackRansomware attack
Ransomware attack
Amna
 
WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowWannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to know
Symantec Security Response
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?
Datto
 
Ransomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksRansomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacks
dinCloud Inc.
 
Ransomware
RansomwareRansomware
Ransomware
Nick Miller
 
Ransomware
RansomwareRansomware
Ransomware
G Prachi
 
Ransomware
Ransomware Ransomware
Ransomware
Armor
 
Ransomware
RansomwareRansomware
Ransomwarem3 Networks Limited
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing Ransomware
Napier University
 
Ransomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDFRansomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDF
Andy Thompson
 
Ransomware
RansomwareRansomware
Ransomware
Akshita Pillai
 
Computer Virus
Computer VirusComputer Virus
Computer Virus
izzul
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing Threat
Nick Miller
 
Ransomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, PreventionRansomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, Prevention
Mohammad Yahya
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Future
karanwayne
 
What is wanna cry ransomware attack
What is wanna cry ransomware attackWhat is wanna cry ransomware attack
What is wanna cry ransomware attack
i-engage
 
Ransomware Attack.pptx
Ransomware Attack.pptxRansomware Attack.pptx
Ransomware Attack.pptx
IkramSabir4
 
Ransomware (1).pdf
Ransomware (1).pdfRansomware (1).pdf
Ransomware (1).pdf
HiYeti1
 
Ransomware
RansomwareRansomware
Ransomware
DeepakKumar4980
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
IBM Security
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by FortinetAtlantic Training, LLC.
 
Wannacry Virus
Wannacry VirusWannacry Virus
Wannacry Virus
East West University
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesAvinash Sinha
 

More Related Content

What's hot

WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowWannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to know
Symantec Security Response
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?
Datto
 
Ransomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksRansomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacks
dinCloud Inc.
 
Ransomware
RansomwareRansomware
Ransomware
Nick Miller
 
Ransomware
RansomwareRansomware
Ransomware
G Prachi
 
Ransomware
Ransomware Ransomware
Ransomware
Armor
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing Ransomware
Napier University
 
Ransomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDFRansomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDF
Andy Thompson
 
Ransomware
RansomwareRansomware
Ransomware
Akshita Pillai
 
Computer Virus
Computer VirusComputer Virus
Computer Virus
izzul
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing Threat
Nick Miller
 
Ransomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, PreventionRansomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, Prevention
Mohammad Yahya
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Future
karanwayne
 
What is wanna cry ransomware attack
What is wanna cry ransomware attackWhat is wanna cry ransomware attack
What is wanna cry ransomware attack
i-engage
 
Ransomware Attack.pptx
Ransomware Attack.pptxRansomware Attack.pptx
Ransomware Attack.pptx
IkramSabir4
 
Ransomware (1).pdf
Ransomware (1).pdfRansomware (1).pdf
Ransomware (1).pdf
HiYeti1
 
Ransomware
RansomwareRansomware
Ransomware
DeepakKumar4980
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
IBM Security
 

What's hot (20)

WannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to knowWannaCry ransomware outbreak - what you need to know
WannaCry ransomware outbreak - what you need to know
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?
 
Ransomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacksRansomware and tips to prevent ransomware attacks
Ransomware and tips to prevent ransomware attacks
 
Ransomware
RansomwareRansomware
Ransomware
 
Ransomware
RansomwareRansomware
Ransomware
 
Ransomware
Ransomware Ransomware
Ransomware
 
Ransomware
RansomwareRansomware
Ransomware
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing Ransomware
 
Ransomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDFRansomware: History, Analysis, & Mitigation - PDF
Ransomware: History, Analysis, & Mitigation - PDF
 
Ransomware
RansomwareRansomware
Ransomware
 
Computer Virus
Computer VirusComputer Virus
Computer Virus
 
Ransomware - The Growing Threat
Ransomware - The Growing ThreatRansomware - The Growing Threat
Ransomware - The Growing Threat
 
Ransomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, PreventionRansomware - Impact, Evolution, Prevention
Ransomware - Impact, Evolution, Prevention
 
Malware- Types, Detection and Future
Malware- Types, Detection and FutureMalware- Types, Detection and Future
Malware- Types, Detection and Future
 
What is wanna cry ransomware attack
What is wanna cry ransomware attackWhat is wanna cry ransomware attack
What is wanna cry ransomware attack
 
Ransomware Attack.pptx
Ransomware Attack.pptxRansomware Attack.pptx
Ransomware Attack.pptx
 
Ransomware (1).pdf
Ransomware (1).pdfRansomware (1).pdf
Ransomware (1).pdf
 
Ransomware
RansomwareRansomware
Ransomware
 
WannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do NowWannaCry Ransomware Attack: What to Do Now
WannaCry Ransomware Attack: What to Do Now
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 

Similar to Wannacry

Wannacry Virus
Wannacry VirusWannacry Virus
Wannacry Virus
East West University
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesAvinash Sinha
 
Your Guide to tackle the Ransomware threat "WannaCry" | Sysfore
Your Guide to tackle the Ransomware threat "WannaCry" | SysforeYour Guide to tackle the Ransomware threat "WannaCry" | Sysfore
Your Guide to tackle the Ransomware threat "WannaCry" | Sysfore
Sysfore Technologies
 
viruses.pptx
viruses.pptxviruses.pptx
viruses.pptx
AsadbekAbdumannopov
 
The malware (r)evolution
The malware (r)evolutionThe malware (r)evolution
The malware (r)evolution
ITrust - Cybersecurity as a Service
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES
Sagilasagi1
 
The process of computer security
The process of computer securityThe process of computer security
The process of computer security
WritingHubUK
 
Escan advisory wannacry ransomware
Escan advisory wannacry ransomwareEscan advisory wannacry ransomware
Escan advisory wannacry ransomware
MicroWorld Software Services Pvt Ltd
 
WannaCry: Autopsy of Ransomwar
WannaCry: Autopsy of RansomwarWannaCry: Autopsy of Ransomwar
WannaCry: Autopsy of Ransomwar
David Smith
 
CS111-PART 7 (MALWARE).pdf
CS111-PART 7 (MALWARE).pdfCS111-PART 7 (MALWARE).pdf
CS111-PART 7 (MALWARE).pdf
Kakai Catalan
 
Common Malware Types Vulnerability Management
Common Malware Types Vulnerability ManagementCommon Malware Types Vulnerability Management
Common Malware Types Vulnerability Management
Muhammad FAHAD
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
Dark Side
 
Sophos Threatsaurus: The A-Z of Computer and Data Security Threats
Sophos Threatsaurus: The A-Z of Computer and Data Security ThreatsSophos Threatsaurus: The A-Z of Computer and Data Security Threats
Sophos Threatsaurus: The A-Z of Computer and Data Security ThreatsConnecting Up
 
Types of Malware.docx
Types of Malware.docxTypes of Malware.docx
Types of Malware.docx
SarahReese14
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
Satria Ady Pradana
 
Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types !Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types !
Mohammed Jaseem Tp
 
computervirus.ppt
computervirus.pptcomputervirus.ppt
computervirus.ppt
PritamSahoo16
 
Ransomware: A Perilous Malware
Ransomware: A Perilous MalwareRansomware: A Perilous Malware
Ransomware: A Perilous Malware
HTS Hosting
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
CAS
 
What Businesses Entrepreneurs Are Imperative To Know About Ransomware
What Businesses Entrepreneurs Are Imperative To Know About RansomwareWhat Businesses Entrepreneurs Are Imperative To Know About Ransomware
What Businesses Entrepreneurs Are Imperative To Know About Ransomware
MavrickHost - Reliable Hosting Partner
 

Similar to Wannacry (20)

Wannacry Virus
Wannacry VirusWannacry Virus
Wannacry Virus
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation Techniques
 
Your Guide to tackle the Ransomware threat "WannaCry" | Sysfore
Your Guide to tackle the Ransomware threat "WannaCry" | SysforeYour Guide to tackle the Ransomware threat "WannaCry" | Sysfore
Your Guide to tackle the Ransomware threat "WannaCry" | Sysfore
 
viruses.pptx
viruses.pptxviruses.pptx
viruses.pptx
 
The malware (r)evolution
The malware (r)evolutionThe malware (r)evolution
The malware (r)evolution
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES
 
The process of computer security
The process of computer securityThe process of computer security
The process of computer security
 
Escan advisory wannacry ransomware
Escan advisory wannacry ransomwareEscan advisory wannacry ransomware
Escan advisory wannacry ransomware
 
WannaCry: Autopsy of Ransomwar
WannaCry: Autopsy of RansomwarWannaCry: Autopsy of Ransomwar
WannaCry: Autopsy of Ransomwar
 
CS111-PART 7 (MALWARE).pdf
CS111-PART 7 (MALWARE).pdfCS111-PART 7 (MALWARE).pdf
CS111-PART 7 (MALWARE).pdf
 
Common Malware Types Vulnerability Management
Common Malware Types Vulnerability ManagementCommon Malware Types Vulnerability Management
Common Malware Types Vulnerability Management
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Sophos Threatsaurus: The A-Z of Computer and Data Security Threats
Sophos Threatsaurus: The A-Z of Computer and Data Security ThreatsSophos Threatsaurus: The A-Z of Computer and Data Security Threats
Sophos Threatsaurus: The A-Z of Computer and Data Security Threats
 
Types of Malware.docx
Types of Malware.docxTypes of Malware.docx
Types of Malware.docx
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types !Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types !
 
computervirus.ppt
computervirus.pptcomputervirus.ppt
computervirus.ppt
 
Ransomware: A Perilous Malware
Ransomware: A Perilous MalwareRansomware: A Perilous Malware
Ransomware: A Perilous Malware
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
 
What Businesses Entrepreneurs Are Imperative To Know About Ransomware
What Businesses Entrepreneurs Are Imperative To Know About RansomwareWhat Businesses Entrepreneurs Are Imperative To Know About Ransomware
What Businesses Entrepreneurs Are Imperative To Know About Ransomware
 

Recently uploaded

Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 

Recently uploaded (20)

Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 

Wannacry

  • 1. WannaCry/WannaCrypt Ransomware Prepared by the SANS Technology Institute Internet Storm Center. Released under a “Creative Commons Attribution- ShareAlike” License: Use, modify and share these slides. Please attribute the work to us. https://creativecommons.org/licenses/by-sa/4.0/
  • 2. What Happened?  On Friday May 12th 2017, several organizations were affected by a new Ransomware strain.  The Ransomware was very successful in part because it used a SMB vulnerability to spread inside networks.  The vulnerability was patched by Microsoft in March for supported versions of Windows.  The exploit, known under the name ETERNALBLUE, was released in April as part of a leak of NSA tools.  Variants have been seen spreading Saturday/Sunday.
  • 3. How many infections?  Several large organizations world wide are known to be affected.  No obvious targeting. The organizations are from various countries and appear not to be related.  While large enterprises made the news, small business users and home users may be affected as well.  Estimated > 200,000 victims according to various anti virus vendors
  • 4. How do systems get infected?  E-Mail: Some organizations suggest that the initial infection originated from e-mail attachments, but little is known about the e-mails. It is easily possible that other malware was confused with WannaCry.  SMB: Affected organizations may have had vulnerable systems exposed via port 445.  Up to know, affected organizations have not shared a lot of proof to show how the initial infection happened.
  • 5. What happens to the victim?  Files with specific extensions will be encrypted.  The victim will see a ransom message asking for approx. $300. Ransomware demands will increase to $600 after 3 days. After 7 days, the files may not longer be recoverable.  The ransomware will also install a backdoor to access the system remotely via port 445 (Double Pulsar, also part of the NSA tool set).
  • 6. How to Prevent Infection: Patch  Newer Windows Versions (Windows Vista, 7-10, Windows Server 2008-2016) can be patched with MS17-010 released by Microsoft in March.  Microsoft released a patch for older systems going back to Windows XP and Windows 2003 on Friday.  Confirm that patch is installed
  • 7. Other Mitigating Controls  Segment Network  Prevent internal spreading via port 445 and RDP.  Block Port 445 at perimeter.  Disable SMBv1  Implement internal “kill switch” domains / do not block them  Set registry key.  At least one additional variant of the malware was seen this weekend. It uses a different “kill switch”.
  • 8. Detect Affected Systems  Systems that are infected by WannaCry will try to connect to a specific domain.  Encrypted files will have the “wncry” extension.  Systems will scan internally for port 445.  Ransom message will be displayed.  In addition, infected systems will reach out to sites for crypto keys.  Anti-Malware has signatures now for WannaCry.
  • 10. Cleaning Up Infected Systems  Anti-Malware vendors are offering removal tools.  Removal tools with remove malware, but will not recover encrypted files.  WannaCry will install a backdoor that could be used to compromise the system further.  Note that not all files with the .wncry extension are encrypted. Some may still be readable.
  • 11. Kill Switch  The malware will not run if it can access a specific website.  This web site has been registered to stop the spread of malware.  But proxies may prevent connections. An internal website may be more reliable and allows detecting infections.  A registry entry was found that will prevent infection as well, and a tool was released to set the entry.  Future versions will likely remove these kill switches or change the name of the registry entry.
  • 12. Will Paying the Ransom Help Us?  There is no public report from victims who paid the ransom.  About a hundred victims paid so far.  The unlock code is transmitted in a manual process that requires the victim to contact the person behind the ransomware to transmit an unlock code.  Due to the law enforcement and public attention, it is possible that the individual(s) behind this malware will disappear and not release unlock codes in the future.
  • 13. Impact / Summary  Availability Affected organizations will loose access to the files encrypted by the malware. Recovery is uncertain even after paying the ransom.  Confidentiality The malware does install a backdoor that could be used to leak data from affected machines, but the malware itself does not exfiltrate data  Integrity Aside from encrypting the data, the malware does not alter data. But the backdoor could be used by others to cause additional damage
  • 14. Additional Links  Technical Webcast: https://www.sans.org/webcasts/massive- ransomware-crisis-uk-health-system-105150  Microsoft Guidance https://blogs.technet.microsoft.com/msrc/2017/05/12/custom er-guidance-for-wannacrypt-attacks/  Internet Storm Center: https://isc.sans.edu