
Wannacry Outbreak

This presentation is about the Wannacry ransomware outbreak in 2017.


Thomas Roccia

July 10, 2017


  1. McAfee Foundstone Services. WannaCry Technical Insight and Lessons Learned. Thomas Roccia | Security Consultant Researcher
  2. Presentation
     § Thomas Roccia
     § McAfee Foundstone Consultant
     § Twitter: @fr0gger_
  3. Overview
     § Wannacry Presentation
     § The Story about the Exploit Code
     § Technical Overview
     § Lessons Learned
     § Conclusion
     § Summary – Q & A
  4. PROFESSIONAL SERVICES. Introduction: The Increasing Malware Threat

  5. The Increasing Malware Threat (Introduction)
     § Today the malware threat is increasing rapidly, and a lot of stolen data is sold on underground markets.
     § Malware is a new weapon used by many actors:
       § Governments
       § Spies
       § Hacktivists
       § Mafia
       § Even kids
     § The challenge is huge for attackers and defenders.
  6. The Increasing Ransomware Threat (Introduction)
     § Ransomware is an increasing threat.
     § The first ransomware was pretty much scareware (without encryption).
     § Today ransomware is more powerful: it encrypts your data with a solid algorithm, or even uses exploit code.
     § Wannacry got a lot of media attention because of its automated and quick spreading.
  7. Wannacry Presentation: The Largest Ransomware Attack

  8. Wannacry Presentation
     § WannaCry is a ransomware that hit the world in May 2017.
     § It combined ransomware capabilities with worm techniques to spread automatically across the network.
     § The worm exploits a vulnerability in SMB that had previously been discovered by the NSA (Equation Group).
     § More than 230,000 computers in over 150 countries were infected.
     § Big companies like the NHS, FedEx and Renault were impacted by it.
  9. Wannacry Presentation: Infection Map

  10. Why is Wannacry Big?
     § WannaCry ransomware
     § No user interaction needed
     § Remote code exploit
  11. The Story About the Exploit Code

  12. The Shadow Brokers (The Story about the Exploit Code)
     § The Shadow Brokers is a hacker group that first appeared in the summer of 2016.
     § They published several leaks containing hacking tools from the National Security Agency, including several zero-day exploits.
     § Their first message appeared in August 2016.
     § The leak containing all the zero-days was made publicly available for free on April 15th, 2017.
  13. The Exploit Code Used by Wannacry (The Story about the Exploit Code)
     § WannaCry used the exploit code EternalBlue.
     § EternalBlue exploits a vulnerability in the Server Message Block (SMB) protocol.
     § This vulnerability is denoted by entry CVE-2017-0144.
     § The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
     § The Windows security update of 14 March 2017 resolved the issue via security update MS17-010.
  14. Exploit Code Used by Wannacry (The Story about the Exploit Code)
     § In addition to the EternalBlue exploit, Wannacry used the DoublePulsar implant.
     § The implant uses a kernel DLL injection technique that gives the attacker full rights on the compromised system.
     § The payload in memory was XORed to remain undetected.
     § The shellcode was then injected directly into lsass.exe.
  15. Wannacry Technical Overview

  16. Key Characteristics (Wannacry Technical Overview)
     § Uses the MS17-010 “EternalBlue” exploit to spread to other machines through SMB.
     § The malware generates random target IP addresses, not limited to the local network.
     § Hardcoded IP addresses.
     § The payload delivered by the SMB packets is encrypted.
     § The malware dropper contains code to check for two specific domains before executing its ransomware or the network exploit code.
     § Dropper variants do not exhibit this same behavior: no “kill switch”, no exploit, they target mounted network shares.
     § 3 Bitcoin wallets are used to receive payment from victims; the Tor browser is used for anonymous payment.
  17. Content (Wannacry Technical Overview)
     § The initial file is a password-protected ZIP (password: WNcry@2ol7) containing several other files that are dropped onto the infected system.
     § \msg - This folder contains the RTF files with the instructions for the ransomware, in 28 languages.
     § b.wnry - BMP ransom image used by the malware as a replacement background image.
     § c.wnry - Configuration file containing the target address and the Tor communication endpoint information.
     § s.wnry - Tor client used to communicate with the above endpoints.
     § u.wnry - UI of the ransomware, containing the communication routines and the password validation.
     § t.wnry - “WANACRY!” file; contains the default keys.
  18. Kill Switch Function (Wannacry Technical Overview)
     § Wannacry has a kill switch function to stop the spreading.
     § hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
     § hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
  19. How Wannacry Spreads (Wannacry Technical Overview)
     § Wannacry spreads across the network by scanning a dynamically generated range of IP addresses.
  20. SMB Exploit (Wannacry Technical Overview)
     § SMB requests through the network
  21. SMB Exploit (Wannacry Technical Overview)
     § Infection flow
  22. Ransomware Behavior (Wannacry Technical Overview)
     § Extract the resource zip file XIA with the hardcoded password “WNcry@2ol7”.
     § Get c.wnry, which includes the Tor configuration used by the malware.
     § Extract the configuration from c.wnry to get the Tor browser and the onion sites to be used for communication:
       § gx7ekbenv2riucmf.onion
       § 57g7spgrzlojinas.onion
       § xxlvbrloxvriy2c5.onion
       § 76jdd2ir2embyv47.onion
       § cwwnhwhlz52maqm7.onion
     § Load the Bitcoin wallets previously set up by the attackers to receive payment for file restoration, and update c.wnry:
       § 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
       § 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
       § 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  23. Ransomware Behavior (Wannacry Technical Overview)
     § Hide the extracted zip directory and modify the security descriptors.
     § Create process: runs a command to hide the current directory: attrib +h
     § Runs command: icacls . /grant Everyone:F /T /C /Q. This grants all users full access to the files in the current directory and all directories below.
     § Prepare the encryption: public key, AES key…
     § Creates a mutex for all threads: Global\\MsWinZonesCacheCounterMutexW
  24. Ransomware Behavior (Wannacry Technical Overview)
     § Creates a new thread to overwrite the files on disk:
       § Generate a key
       § Generate data buffers for each file
       § Call a thread for the function StartAddress to begin writing the encrypted file contents
       § Tack on the extension ".WNCRYT"
       § Run the new process taskdl.exe in a new thread
     § Set up the decrypter persistence:
       § Create process "taskse.exe @WanaDecryptor@.exe"
       § Set a persistence key to run itself on reboot: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
       § CheckTokenMembership, GetComputerName info
       § Run: cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "<rand>" /t REG_SZ /d "\"tasksche.exe\"" /f
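The host-side actions on slides 22 to 24 (hiding the directory, the icacls grant to Everyone, the Run-key persistence for tasksche.exe, taskse.exe launching the decryptor) all show up in process-creation telemetry. The following detection example is added here and is not from the deck: it runs hand-written rules over constructed Sysmon-style log lines whose field layout is an assumption, and only alerts when several distinct steps of the chain are seen together.

```python
# Added example (not from the deck): flag the WannaCry dropper's host-side
# actions in process-creation logs. Log lines are constructed in a
# Sysmon-like format; the field names are an assumption, not a real schema.
import re
from typing import Dict, List

# Each rule keys on one observable from the slides (attrib +h, icacls grant,
# Run-key persistence for tasksche.exe, taskse.exe launching the decryptor).
RULES = [
    ("hide_directory",      re.compile(r"\battrib\s+\+h\b", re.I)),
    ("grant_everyone_full", re.compile(r"\bicacls\s+\.\s+/grant\s+Everyone:F\b", re.I)),
    ("run_key_persistence", re.compile(
        r'reg\s+add\s+"?HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"?.*tasksche\.exe', re.I)),
    ("decryptor_launch",    re.compile(r"\btaskse\.exe\s+@WanaDecryptor@\.exe", re.I)),
]

def match_rules(line: str) -> List[str]:
    """Names of every rule whose pattern occurs in one log line."""
    return [name for name, rx in RULES if rx.search(line)]

def scan_log(lines: List[str]) -> Dict[str, List[int]]:
    """Map each triggered rule to the indexes of the lines that fired it."""
    hits: Dict[str, List[int]] = {}
    for idx, line in enumerate(lines):
        for name in match_rules(line):
            hits.setdefault(name, []).append(idx)
    return hits

def is_ransomware_like(hits: Dict[str, List[int]], min_rules: int = 2) -> bool:
    """A single command can be benign admin work; require several distinct
    behaviours from the chain before raising an alert."""
    return len(hits) >= min_rules

# Constructed sample events: one per step from the slides plus one benign
# line. The Run-key value name "kjhgfd" is a made-up placeholder.
LOG_LINES = [
    r'ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c attrib +h ."',
    r'ProcessCreate Image=C:\Windows\System32\icacls.exe CommandLine="icacls . /grant Everyone:F /T /C /Q"',
    r'ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "kjhgfd" /t REG_SZ /d "\"tasksche.exe\"" /f"',
    r'ProcessCreate Image=C:\Users\bob\AppData\taskse.exe CommandLine="taskse.exe @WanaDecryptor@.exe"',
    r'ProcessCreate Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\bob\notes.txt"',
]

if __name__ == "__main__":
    found = scan_log(LOG_LINES)
    for rule, idxs in found.items():
        print(f"{rule}: lines {idxs}")
    print("alert" if is_ransomware_like(found) else "no alert")
```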
  25. Targeted File Extensions (Wannacry Technical Overview)
     .der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc
  26. Format of the Encrypted File (Wannacry Technical Overview)
  27. Bitcoin Wallets (Wannacry Technical Overview)
     § 3 wallets, 50 Bitcoins (115 000 €)
  28. How to Recover Your Files

  29. Wannacry Encryption (How to Recover Your Files)
     § Wannacry uses AES encryption to encrypt the files.
     § The AES key is then encrypted with RSA.
     § The RSA private key is generated dynamically in memory.
     § The keys are destroyed immediately.
  30. The Bug (How to Recover Your Files)
     § Wannacry uses 2 functions to destroy the keys in memory:
       § CryptDestroyKey: frees the memory that the key used.
       § CryptReleaseContext: releases the Cryptography Service Provider (CSP).
     § A French security researcher discovered that these functions do not wipe the prime numbers from memory.
     § This allows the victim to regenerate the private key, as long as that memory has not been freed and reused.
     § Wanakiwi is a tool that looks for the prime numbers in memory: https://github.com/gentilkiwi/wanakiwi
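The recovery idea behind wanakiwi (slides 29 and 30), as an added illustration that is neither the tool's code nor part of the deck: with the public key (n, e) and one prime p that survived in process memory, the private exponent can be rebuilt and the RSA-wrapped AES key unwrapped. The primes, the memory image and the stand-in AES key below are constructed toy values (real WannaCry keys are 2048-bit), and the byte-window scan is a simplified model of searching a process image for a leftover CSP prime.

```python
# Added illustration of the wanakiwi recovery idea: a prime left in memory
# after CryptDestroyKey lets the private key be rebuilt from the public key.
# Toy constructed values, not the tool's own code.
from typing import Optional

# Constructed toy key: both factors are ~20-bit primes (real keys: 2048-bit).
P, Q = 1000003, 999983           # the primes that "leaked" in memory
E = 65537                        # public exponent
N = P * Q                        # public modulus

def recover_private_exponent(n: int, e: int, p: int) -> int:
    """Rebuild d from the modulus, the public exponent and one recovered prime."""
    if n % p != 0:
        raise ValueError("candidate is not a factor of n")
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)       # modular inverse (Python 3.8+)

def scan_memory_for_prime(dump: bytes, n: int, width: int = 4) -> Optional[int]:
    """Slide a little-endian window over a memory image and return the first
    value that divides n, i.e. a CSP prime that was never wiped."""
    for off in range(len(dump) - width + 1):
        cand = int.from_bytes(dump[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None

def rsa_encrypt(m: int, e: int, n: int) -> int:
    return pow(m, e, n)

def rsa_decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)

# Constructed "memory dump": filler bytes with P stored little-endian inside.
FAKE_DUMP = b"\x00" * 8 + b"JUNKDATA" + P.to_bytes(4, "little") + b"MOREJUNK"

def demo() -> int:
    """Wrap a stand-in AES key with the public key, then recover it using only
    the public key and the prime found in the dump."""
    aes_key = 0xDEADBEEF         # stand-in for the per-victim AES key
    c = rsa_encrypt(aes_key, E, N)
    leaked = scan_memory_for_prime(FAKE_DUMP, N)
    d = recover_private_exponent(N, E, leaked)
    return rsa_decrypt(c, d, N)

if __name__ == "__main__":
    print(hex(demo()))           # -> 0xdeadbeef
```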

  32. Wannacry Legacy
     § Wannacry inspired several other attackers.
     § After this attack we saw many other variants that spread in the same manner and use the EternalBlue exploit.
     § New variants of Wannacry were used (no kill switch…).
     § Adylkuzz, which used the same exploit to spread.
     § EternalRocks
     § UIWIX ransomware

  34. Vulnerability (Lessons Learned)
     § Threat intelligence is key to knowing what is happening in the infosec world!
       § The Shadow Brokers had been known for a year.
       § The leak was published in April 2017.
     § Patch management is crucial!
       § Wannacry exploited a known vulnerability, CVE-2017-0144.
       § Microsoft published the security update MS17-010 on March 14.
     § Disable unnecessary services!
       § SMB is not used everywhere.
       § Disable it if it is not needed.
  35. Security (Lessons Learned)
     § Teach your people!
       § Train your security team in malware analysis.
       § Perform awareness training for users.
     § Follow the best practices against the ransomware threat!
       § Back up your files.
       § Manage user and admin rights.
     § Create an incident response program!
       § Do the right things when an incident occurs.
  36. www.NoMoreRansom.org

  37. Conclusion
     § Wannacry is not an advanced ransomware; however, its worm capabilities allow it to spread very quickly.
     § The Equation Group exploit leak left powerful tools in the hands of attackers.
     § Ransomware threats are still evolving to become more powerful.
     § Malware is still growing, and so are the attack surfaces.
     § Security best practices are still effective (backup, update, awareness…).
     § Set up advanced malware detection techniques like sandboxing and machine learning.
  38. Q & A

  39. McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. Copyright © 2017 McAfee LLC.