Wannacry | Technical Insight and Lessons Learned

1McAfee Foundstone Services
McAfee
WannaCry
Technical Insight and Lessons Learned
Thomas Roccia | Security Consultant Researcher

McAfee
Presentation
• Thomas Roccia
• McAfee Foundstone Consultant
• Twitter: @fr0gger_

Overview
§ Wannacry Presentation
§ about the Exploit Code
§ Technical Overview
§ Lessons Learned
§ Conclusion
§ Summary – Q & A
Summary

PROFESSIONAL SERVICES
Introduction
The Increasing Malware Threat

The Increasing Malware Threat
§ Today the malware threat is really increasing
and lot of stolen data are sold in the
underground markets.
§ Malware are new weapons used by a lot of
actors:
§ Governments
§ Spies
§ Hacktivist
§ Mafia
§ Even kids
§ The challenge is huge for attackers and
defenders

The Increasing Ransomware Threat
§ Ransomware is an increase threat.
§ The first ransomware was pretty much Scarewares
(Without encryption).
§ Today Ransomware is more powerfull and encrypts with a
solid algorithm your data or even used exploit code.
§ Wannacry was very mediatic due to this automatedand
quick spreading.
Introduction

Wannacry Presentation
The Largest Ransomware Attack

§ WannaCry is a ransomware that hit the World in
May 2017.
§ It combined Ransomware capabilities with Worm
techniques to spread automatically across the
network.
§ The Worm exploits a vulnerability into SMB that was
discovered previously by the NSA (EquationGroup).
§ More than 230 000 computers in over 150
countries were infected.
§ Big companies like the NHS, FedEx or Renault were
impacted by it.

Map Infection

Why is Wannacry Big?
WannaCry
Ransomware
No user
interaction
needed
Remote code
Exploit

The Story About the Exploit Code

The Shadow Brokers
§ The Shadow Brokers is a hacker group who first
appeared in the summer of 2016.
§ They published several leaks containing hacking
tools from the National Security Agency,
including several zero-day exploits.
§ First message appeared in August 2016
§ The leak with all the zero day was publicly available
for free in April 15th 2017
The Story about the Exploit Code

The Exploit Code used by Wannacry
Exploit Code Used by Wannacry
§ WannaCry used the exploit code EternalBlue.
§ EternalBlue exploits a vulnerability in the Server Message Block (SMB) protocol.
§ This vulnerability is denoted by entry CVE-2017-0144.
§ The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft
Windows accepts specially crafted packets from remote attackers, allowing them to execute
arbitrary code on the target computer.
§ The Windows security update on 14 March 2017 resolved the issue via security update MS17-010.

Exploit Code used by Wannacry
Exploit Code Used by Wannacry
§ In addition to EternalBlue exploit, Wannacry used the
DoublePulsar Implant.
§ The implant using a Kernel DLL injection technique
allowing the attacker the full right on the compromised
system.
§ Payload in memory was XORed to remain undetected.
§ Then the shellcode was injected directly into lsass.exe.

Wannacry Technical Overview

Key Characteristic
§ Uses the MS17-010 “EternalBlue” exploit to spread to
other machines through SMB
§ Malware generates random target IP addresses, not
limited to the local network
§ Hardcoded IP addresses.
§ Payload delivered by the SMB packets is encrypted
§ Malware dropper contains code to check for two specific
domains before executing its ransomware or the network
exploit codes.
§ Dropper variants do not exhibit this same behavior –no “kill
switch”, no exploit, target mounted networkshares
§ 3 Bitcoin wallets being used to receive payment from
victims - Tor browser used for anonymous payment

Content
§ msg -This folder contains the RTF describing the
different instructions for the ransomware. Totaling 28
languages.
§ b.wnry - BMP ransom image used as a background
image replacement by the malware.
§ c.wnry - configuration file containing the target
address, but also the tor communication endpoints
information.
§ s.wnry - Tor client to communication with the above
endpoints.
§ u.wnry - UI interface of the ransomware, containing
the communications routines and password
validation.
§ t.wnry - “WANACRY!” file — contains default keys
• The initial file is a ZIP protected (Password: WNcry@2ol7)containing several other files that
are dropped into the infected system.

§ Wannacry has a kill switch function to stop the spreading.
§ hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
§ hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
Kill Switch Function

§ Wannacry spreads across the network by scanning a range of IP dynamically generated.
How Wannacry Spreads

§ SMB Requests through the network
SMB Exploit

§ Infection Flow
SMB Exploit

§ Extract resource zip file XIA with hardcoded password “WNcry@2ol7”
§ Get c.wnry, which includes the Tor configuration used by the malware used by the malware
§ Extract the configuration from c.wnry to get the Tor browser and onion sites to be used for communication and
onion sites to be used for communication:
§ gx7ekbenv2riucmf.onion;
§ 57g7spgrzlojinas.onion;
§ xxlvbrloxvriy2c5.onion;
§ 76jdd2ir2embyv47.onion;
§ cwwnhwhlz52maqm7.onion;
§ Load Bitcoin wallets which have been previously set up by the attackers for payment for file
restoration and update c.wnry
§ “13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94”
§ “12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
§ “115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"
Ransomware Behavior

§ Hide Extract Zip Directory and Modify Security Descriptors
§ Create process: Runs command to hide current directory: attrib +h
§ Runs command:
§ icacls . /grant Everyone:F /T /C /Q. This grants all users full access to files
in the current directory and all directories below.
§ Prep Encryption Public Key, AES Key…
§ Creates Mutex for all threads: GlobalMsWinZonesCacheCounterMutexW
Ransomware Behavior

§ Creates a new thread to overwrite files on disk
§ Generate a key
§ Generate Data Buffers for each file
§ Call thread for function StartAddress to begin writing encrypting file contents
§ Tack on extension ".WNCRYT”
§ Run new process taskdl.exe in a new thread
§ Set Up the Decrypter Persistence
§ Create process "taskse.exe @WanaDecryptor@.exe”
§ Set persistence key to run itself on reboot HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
§ CheckTokenMembership, GetComputerName Info
§ Run: cmd.exe /c reg add "HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun” /v
"<rand>" /t REG_SZ /d “"tasksche.exe"" /f
Ransomware Behavior

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .sxw, .stw, .3ds, .max, .3dm, .ods,
.sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3, .sqlitedb, .sql,
.accdb, .mdb, .dbf, .odb, .mdf, .ldf, .cpp, .pas, .asm, .cmd, .bat, .vbs, .sch,
.jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob,
.mpeg, .asf, .avi, .mov, .mp4, .mkv, .flv, .wma, .mid, .m3u, .m4u, .svg, .psd,
.tiff, .tif, .raw, .gif, .png, .bmp, .jpg, .jpeg, .iso, .backup, .zip, .rar, .tgz, .tar,
.bak, .ARC, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf,
.csv, .txt, .msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx,
.xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm, .docx, .doc,
Targeted file extension

Format of the Encrypted file

§ 3 walllets 50 Bitcoins (115 000€)
Bitcoin Wallet

How to Recover Your Files

§ Wannacry uses AES encryption to encrypt files.
§ Then the AES key is encrypted in RSA.
§ The RSA private key is generated dynamically
in memory.
§ The keys are immediately destroying.
Wannacry Encryption

§ Wannacry uses 2 functions to destroy the keys in memory:
§ CryptDestroyKey: free the memory that the key used.
§ CryptReleaseContext: release the Cryptography Service Provider (CSP).
§ French Security Researcher discovered that these functions does not release the prime numbers into
the memory.
§ Allowing the victim to generate the private key if the memory is not freeing.
§ Wannakiwi is a tool that looks for the prime number in the memory.
https://github.com/gentilkiwi/wanakiwi
The bug

Wannacry Legacy

§ Wannacry inspired several other attackers.
§ After this attack we saw many other variants that
spread the same manner and use the EternalBlue
Exploit.
§ New variant of Wannacry were used (no kill
switch…).
§ Adylkuzz which used the same exploit to spread.
§ EternalRocks
§ UIWIX Ransomware
Wannacry Legacy

Lessons Learned

§ Threat intelligence is a key to know what’s happened in the Infosec World!
§ Shadow Brokers was known since one year.
§ The leak was published in April 2017
§ Patch Management is crucial!
§ Wannacry exploited a known vulnerability CVE-2017-0144.
§ Microsoft published the March 14 the security update MS17-010
§ Disable unnecessary services!
§ The SMB is not use everywhere
§ Disable if not needed.
Vulnerability
Lessons Learned

Security
§ Teach your people!
§ Train your security team for Malware Analysis
§ Perform user awareness training for users
§ Follow the best practices against Ransomware
threat!
§ Backup file
§ Manage the user and admin right
§ Create an Incident Response Program!
§ Do the right things when an incident occurs.
Lessons Learned

www.NoMoreRansom.org

§ Wannacry is not an advanced Ransomware, however the worm capabilities allows it to spread very
quickly.
§ EquationGroup exploit leak let powerful tools for attackers.
§ The Ransomware threats are still evolving to be more powerful.
§ Malware are still growing so does attack surfaces
§ Security best practices still efficient (Backup, Update, Awareness…)
§ Setup advanced malware detection technics like Sandboxing and machine learning
Conclusion

McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries.
Other names and brands may be claimed as the property of others.
Copyright © 2017 McAfee LLC.

Wannacry | Technical Insight and Lessons Learned

More Related Content

What's hot (20)

Similar to Wannacry | Technical Insight and Lessons Learned (20)

More from Thomas Roccia (9)

Recently uploaded (20)

Wannacry | Technical Insight and Lessons Learned