the malware threat is really increasing and lot of stolen data are sold in the underground markets. § Malware are new weapons used by a lot of actors: § Governments § Spies § Hacktivist § Mafia § Even kids § The challenge is huge for attackers and defenders
is an increase threat. § The first ransomware was pretty much Scarewares (Without encryption). § Today Ransomware is more powerfull and encrypts with a solid algorithm your data or even used exploit code. § Wannacry was very mediatic due to this automatedand quick spreading. Introduction
ransomware that hit the World in May 2017. § It combined Ransomware capabilities with Worm techniques to spread automatically across the network. § The Worm exploits a vulnerability into SMB that was discovered previously by the NSA (EquationGroup). § More than 230 000 computers in over 150 countries were infected. § Big companies like the NHS, FedEx or Renault were impacted by it.
Brokers is a hacker group who first appeared in the summer of 2016. § They published several leaks containing hacking tools from the National Security Agency, including several zero-day exploits. § First message appeared in August 2016 § The leak with all the zero day was publicly available for free in April 15th 2017 The Story about the Exploit Code
Exploit Code Used by Wannacry The Story about the Exploit Code § WannaCry used the exploit code EternalBlue. § EternalBlue exploits a vulnerability in the Server Message Block (SMB) protocol. § This vulnerability is denoted by entry CVE-2017-0144. § The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer. § The Windows security update on 14 March 2017 resolved the issue via security update MS17-010.
Code Used by Wannacry The Story about the Exploit Code § In addition to EternalBlue exploit, Wannacry used the DoublePulsar Implant. § The implant using a Kernel DLL injection technique allowing the attacker the full right on the compromised system. § Payload in memory was XORed to remain undetected. § Then the shellcode was injected directly into lsass.exe.
“EternalBlue” exploit to spread to other machines through SMB § Malware generates random target IP addresses, not limited to the local network § Hardcoded IP addresses. § Payload delivered by the SMB packets is encrypted § Malware dropper contains code to check for two specific domains before executing its ransomware or the network exploit codes. § Dropper variants do not exhibit this same behavior –no “kill switch”, no exploit, target mounted networkshares § 3 Bitcoin wallets being used to receive payment from victims - Tor browser used for anonymous payment Wannacry Technical Overview
-This folder contains the RTF describing the different instructions for the ransomware. Totaling 28 languages. § b.wnry - BMP ransom image used as a background image replacement by the malware. § c.wnry - configuration file containing the target address, but also the tor communication endpoints information. § s.wnry - Tor client to communication with the above endpoints. § u.wnry - UI interface of the ransomware, containing the communications routines and password validation. § t.wnry - “WANACRY!” file — contains default keys • The initial file is a ZIP protected (Password: WNcry@2ol7)containing several other files that are dropped into the infected system.
function to stop the spreading. § hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com § hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com Kill Switch Function Wannacry Technical Overview
with hardcoded password “WNcry@2ol7” § Get c.wnry, which includes the Tor configuration used by the malware used by the malware § Extract the configuration from c.wnry to get the Tor browser and onion sites to be used for communication and onion sites to be used for communication: § gx7ekbenv2riucmf.onion; § 57g7spgrzlojinas.onion; § xxlvbrloxvriy2c5.onion; § 76jdd2ir2embyv47.onion; § cwwnhwhlz52maqm7.onion; § Load Bitcoin wallets which have been previously set up by the attackers for payment for file restoration and update c.wnry § “13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94” § “12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" § “115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" Ransomware Behavior Wannacry Technical Overview
Modify Security Descriptors § Create process: Runs command to hide current directory: attrib +h § Runs command: § icacls . /grant Everyone:F /T /C /Q. This grants all users full access to files in the current directory and all directories below. § Prep Encryption Public Key, AES Key… § Creates Mutex for all threads: Global\\MsWinZonesCacheCounterMutexW Ransomware Behavior Wannacry Technical Overview
overwrite files on disk § Generate a key § Generate Data Buffers for each file § Call thread for function StartAddress to begin writing encrypting file contents § Tack on extension ".WNCRYT” § Run new process taskdl.exe in a new thread § Set Up the Decrypter Persistence § Create process "taskse.exe @WanaDecryptor@.exe” § Set persistence key to run itself on reboot HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run § CheckTokenMembership, GetComputerName Info § Run: cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v "<rand>" /t REG_SZ /d “\"tasksche.exe\"" /f Ransomware Behavior Wannacry Technical Overview
destroy the keys in memory: § CryptDestroyKey: free the memory that the key used. § CryptReleaseContext: release the Cryptography Service Provider (CSP). § French Security Researcher discovered that these functions does not release the prime numbers into the memory. § Allowing the victim to generate the private key if the memory is not freeing. § Wannakiwi is a tool that looks for the prime number in the memory. https://github.com/gentilkiwi/wanakiwi The bug How to Recover Your Files
§ After this attack we saw many other variants that spread the same manner and use the EternalBlue Exploit. § New variant of Wannacry were used (no kill switch…). § Adylkuzz which used the same exploit to spread. § EternalRocks § UIWIX Ransomware Wannacry Legacy
to know what’s happened in the Infosec World! § Shadow Brokers was known since one year. § The leak was published in April 2017 § Patch Management is crucial! § Wannacry exploited a known vulnerability CVE-2017-0144. § Microsoft published the March 14 the security update MS17-010 § Disable unnecessary services! § The SMB is not use everywhere § Disable if not needed. Vulnerability Lessons Learned
Train your security team for Malware Analysis § Perform user awareness training for users § Follow the best practices against Ransomware threat! § Backup file § Manage the user and admin right § Create an Incident Response Program! § Do the right things when an incident occurs. Lessons Learned
Ransomware, however the worm capabilities allows it to spread very quickly. § EquationGroup exploit leak let powerful tools for attackers. § The Ransomware threats are still evolving to be more powerful. § Malware are still growing so does attack surfaces § Security best practices still efficient (Backup, Update, Awareness…) § Setup advanced malware detection technics like Sandboxing and machine learning Conclusion