![ILT department,
college of education
(SQU)
Infection Cycle
• When this dropper is activated on a machine, it starts the infection cycle:
1) tries to connect the following domains:
o www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
o www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
• If connection to the domains is successful, the dropper simply stops
execution. However, if the connection fails, the threat proceeds to drop the
ransomware and creates a service on the system.
2) creates the following registry keys:
o HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun<random
string> = “<malware working directory>tasksche.exe”
o HKLMSOFTWAREWanaCrypt0rwd = “<malware working directory>”](https://image.slidesharecdn.com/talkofthehourthewannacryptransomware-170519143333/85/Talk-of-the-hour-the-wanna-crypt-ransomware-7-320.jpg)
Talk of the hour, the wanna crypt ransomware
- 1. Talk of the hour, WannaCrypt ransomware Shubair Abdullah, PhD in Computer Science, network security
- 2. ILT department, college of education (SQU) Some Terminology What Happened? Attack Vector WannaCrypt Component Infection Cycle Spreading Capability Indicators of Infection How to Prevent Infection Cleaning Up Infected Systems Content
- 3. ILT department, college of education (SQU) • Ransomware is malicious code that is used by cybercriminals to launch data kidnapping and lockscreen attacks. • Trojan horse is a program that appears harmless, but is, in fact, malicious. • Worm is a self-replicating virus that resides in active memory and duplicates itself. • Botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and IoT devices that are infected and controlled by a common type of malware. • Back-door is a means of access to a computer program that bypasses security mechanisms. • Vulnerability is a flaw in code or design that creates a potential point of security compromise for an endpoint or network. Malware Terminology
- 4. ILT department, college of education (SQU) What Happened? • On Friday May 12th 2017, several organizations were attacked by a new ransomware. • The ransomware named as: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, or WCRY. • WannaCrypt was very successful because it used a Windows vulnerability to spread inside networks. • Variants of the WannaCrypt also have been seen spreading Saturday/Sunday. • No obvious targeting, the organizations are from various countries and appear not to be related. • While large enterprises made the news, small business users and home users are affected as well. • Estimated more than 200,000 victims according to various media sources.
- 5. ILT department, college of education (SQU) Attack Vector • There are two attacking vectors of WannaCrypt: 1. Arrival through emails designed to trick users to run the malware and activate the worm-spreading functionality. 2. Infection through Windows vulnerability when an unpatched computer is addressable (on LAN) from other infected machines. • WannaCrypt exploits the “Server Message Block vulnerability in Windows”. The SMB “is a file sharing protocol that allows operating systems and applications to read and write data to a system”. • According to MS, this vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. • The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack. • However, Windows 10 and patched older Windows versions could be attacked through emails.
- 6. ILT department, college of education (SQU) WannaCrypt Component • The WannaCrypt component is a dropper (Trojan horse) that contains some executable files and a password-protected .rar archive. • The executable files are: 1. The document encryption routine 2. A component that attempts to exploit the SMB vulnerability in other computers • The files in the .zip archive contain: 1. Rnasonware support tools, 2. Decryption tool, 3. The wallpaper, and 4. The ransom message
- 7. ILT department, college of education (SQU) Infection Cycle • When this dropper is activated on a machine, it starts the infection cycle: 1) tries to connect the following domains: o www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com o www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com • If connection to the domains is successful, the dropper simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system. 2) creates the following registry keys: o HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun<random string> = “<malware working directory>tasksche.exe” o HKLMSOFTWAREWanaCrypt0rwd = “<malware working directory>”
- 8. ILT department, college of education (SQU) Infection Cycle 3) changes the wallpaper to a ransom message by modifying the following registry key: o HKCUControl PanelDesktopWallpaper: “<malware working directory>@[email protected]” 4) also creates the following files: • %SystemRoot%tasksche.exe • %SystemDrive%intel<random directory name>tasksche.exe • %ProgramData%<random directory name>tasksche.exe 5) creates files in the malware’s working directory. Some file with .wnry extension contain its message. (The text message is localized into 28 languages).
- 9. ILT department, college of education (SQU) Infection Cycle 6) searches the whole computer for any file with any of the following file name extensions: 123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der” , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw
- 10. ILT department, college of education (SQU) Infection Cycle 7) encrypts all files and renames them by appending .WNCRY. For example, if a file is named picture1.jpg, it encrypts and renames the file to picture1.jpg.WNCRY. 8) installs a back-door that could be used to compromise the system further, for example creating a botnet or append the PC to an existing botnet. 9) replaces the desktop background image with the following message:
- 11. ILT department, college of education (SQU) Infection Cycle 9) runs an executable showing a ransom note as well as a timer: The user is asked to pay $300, which will increase to $600 after a few days. The ransomware threatens to delete all files after a week
- 12. ILT department, college of education (SQU) Infection Cycle 10) demonstrates the decryption capability by allowing the user to decrypt freely few files. It then reminds him to pay the ransom to decrypt the remaining files.
- 13. ILT department, college of education (SQU) Spreading Capability • The worm functionality of WannaCrypt attempts to infect unpatched Windows PCs in the local network. • It executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. • The Internet scanning routine randomly generates numbers to form the IPv4 address. • Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. • The malicious infection cycle continues as the scanning routing discovers unpatched computers. • The spreading activity generates huge amount of network traffic from the infected host, which means serious load and massively slow down the internet connection.
- 14. ILT department, college of education (SQU) Indicators of Infection • Systems that are infected by WannaCry will try to connect to a specific domain, so huge amount of traffic could be initiated. • Encrypted files with “.wncry” extension. • Systems will scan internally for port 445. • Ransom message will be displayed. • Anti-Malware has signatures now for WannaCry.
- 15. ILT department, college of education (SQU) How to Prevent Infection • Avoid open suspicious email attachments (this also for Windows 10) • Windows Versions (Windows Vista, 7, 8, Windows Server 2008-2016) can be patched with MS17-010 released by Microsoft in March. • Microsoft released a patch for older systems going back to Windows XP and Windows 2003 on Friday. • Confirm that patch is installed. For network administrator: • Segment Network • Prevent internal spreading via port 445 and RDP. • Block Port 445 at perimeter. • Disable SMBv1 • Implement internal “kill switch” domains / do not block them • Block “Set registry key”.
- 16. ILT department, college of education (SQU) Cleaning Up Infected Systems • Anti-Malware vendors are offering removal tools. • Removal tools will remove WannaCrypt, but will not recover encrypted files. • Note that not all files with the .wncry extension are encrypted. Some may still be readable. Will Paying the ransom help the victims? There is no public report from victims who paid the ransom.
- 17. ILT department, college of education (SQU) References • https://technet.microsoft.com • https://isc.sans.edu • http://searchnetworking.techtarget.com • https://www.hybrid-analysis.com
- 18. ILT department, college of education (SQU) Discussion