WannaCry/WannaCrypt Ransomware

Slides:



Advertisements
Similar presentations
Thank you to IT Training at Indiana University Computer Malware.
Advertisements

The Malware Life Cycle. The Fascinating World of Infections.
By Hiranmayi Pai Neeraj Jain
Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
Spring Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
 Discovered in June/July 2010  Targeted Siemens software and equipment running Microsoft Windows  First malware for SCADA systems to spy and subvert.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
Viruses.
Malicious Code Brian E. Brzezicki. Malicious Code (from Chapter 13 and 11)
Dial In Number Pin: 3959 Information About Microsoft’s January 2013 Out-of-Band Security Bulletin Jonathan Ness Security Development Manager.
Talking points Attacks are more frequent, more aggressive, require more time to repair and prevent Machines get compromised in 2003 for the same reasons.
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
Chapter 13 Understanding E-Security. 2 OBJECTIVES What are security concerns (examples)? What are two types of threats (client/server) Virus – Computer.
Types of Electronic Infection
ANTIVIRUS SOFTWARE.  Antivirus software is the most widespread mechanism for defending individual hosts against threats associated with malicious software,
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
Presented by Teererai Marange. Background Open SSL Hearbeat extension Heartbleed vulnerability Description of work Methodology Summary of results Vulnerable.
Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.
TCOM Information Assurance Management System Hacking.
MyDoom ☉ Ian Axelrod ☉ Chris Mungol ☉ Antonio Silva ☉ Joshua Sole ☉ Somnath Banerjee Group 5 CS4235/8803.
Writing Security Alerts tbird Last modified 2/25/2016 8:55 PM.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
R ANSOMWARE CAN ORIGINATE FROM A MALICIOUS WEBSITE THAT EXPLOITS A KNOWN VULNERABILITY, PHISHING CAMPAIGNS,
ITS220 – How To Prevent Your PC From Infected by Virus presented by Desmond Ho.
Common System Exploits Tom Chothia Computer Security, Lecture 17.
Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.
Sander Hofman Sr Technical Sales Europe
Computer safety Filip Hruby.
Presented by: SBS CyberSecurity © SBS CyberSecurity, LLC
WannaCrypt Ransomeware Customer Guidance
Intercept X Early Access Program Sophos Tester
Chapter 40 Internet Security.
WannaCry/WannaCrypt Ransomware
Sophos Intercept X Matt Cooke – Senior Product Marketing Manager.
Ransomware Guidance For Health Centers
CISOs Guide To Communicating WNCRY.
Ted Allen Rotary May 17, 2017 WannaCry Ransomware Ted Allen Rotary May 17, 2017.
Shadow Brokers – Details on Leaked Cyberintelligence Tools and Vulnerabilities A brief research note for Info-Tech’s members.
Three steps to prevent Malware infection
What they are and how to protect against them
Ransomware 12:00 Juwan harris.
Ilija Jovičić Sophos Consultant.
Malware and Computer Maintenance
Critical Security Controls
A+ Guide to Managing and Maintaining Your PC, 7e
Backdoor Attacks.
Ransomware & Security for Virtualization
Various Types of Malware
Trends in Ransomware Distribution
5.0 : Windows Operating System
Fix Windows Live Mail Error ID 0X
Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009
Fix Microsoft Office Error code Call for help
A Trojan is a computer program that contains the malicious code and it misleads users and user's computer. It aims to designed to perform something is.
How to Get Rid of Online Threats Impacting your Computer Device?
Intercept X for Server Early Access Program Sophos Tester
Cybersecurity Strategy
So… what is ransomware? #SPICECORPS.
Information Security Session October 24, 2005
David J. Carter, CISO Commonwealth Office of Technology
Ransomware in Web Apps OWASP Singapore.
Operating System Security
Implementing Client Security on Windows 2000 and Windows XP Level 150
Chapter 7 – and 8 pp 155 – 202 of Web security by Lincoln D. Stein
How to keep the bad guys out and your data safe
CSCD 434 Spring 2019 Lecture 10 Attacks for Profit Ransomeware 1.
Presentation transcript:

WannaCry/WannaCrypt Ransomware Prepared by the SANS Technology Institute Internet Storm Center. Released under a “Creative Commons Attribution- ShareAlike” License: Use, modify and share these slides. Please attribute the work to us. https://creativecommons.org/licenses/by-sa/4.0/

What Happened? On Friday May 12th 2017, several organizations were affected by a new Ransomware strain. The Ransomware was very successful in part because it used a SMB vulnerability to spread inside networks. The vulnerability was patched by Microsoft in March for supported versions of Windows. The exploit, known under the name ETERNALBLUE, was released in April as part of a leak of NSA tools. Variants have been seen spreading Saturday/Sunday.

How many infections? Several large organizations world wide are known to be affected. No obvious targeting. The organizations are from various countries and appear not to be related. While large enterprises made the news, small business users and home users may be affected as well. Estimated > 200,000 victims according to various anti virus vendors

How do systems get infected? E-Mail: Some organizations suggest that the initial infection originated from e-mail attachments, but little is known about the e-mails. It is easily possible that other malware was confused with WannaCry. SMB: Affected organizations may have had vulnerable systems exposed via port 445. Up to know, affected organizations have not shared a lot of proof to show how the initial infection happened.

What happens to the victim? Files with specific extensions will be encrypted. The victim will see a ransom message asking for approx. $300. Ransomware demands will increase to $600 after 3 days. After 7 days, the files may not longer be recoverable. The ransomware will also install a backdoor to access the system remotely via port 445 (Double Pulsar, also part of the NSA tool set).

How to Prevent Infection: Patch Newer Windows Versions (Windows Vista, 7-10, Windows Server 2008-2016) can be patched with MS17-010 released by Microsoft in March. Microsoft released a patch for older systems going back to Windows XP and Windows 2003 on Friday. Confirm that patch is installed

Other Mitigating Controls Segment Network Prevent internal spreading via port 445 and RDP. Block Port 445 at perimeter. Disable SMBv1 Implement internal “kill switch” domains / do not block them Set registry key. At least one additional variant of the malware was seen this weekend. It uses a different “kill switch”.

Detect Affected Systems Systems that are infected by WannaCry will try to connect to a specific domain. Encrypted files will have the “wncry” extension. Systems will scan internally for port 445. Ransom message will be displayed. In addition, infected systems will reach out to sites for crypto keys. Anti-Malware has signatures now for WannaCry.

Ransom Note

Cleaning Up Infected Systems Anti-Malware vendors are offering removal tools. Removal tools with remove malware, but will not recover encrypted files. WannaCry will install a backdoor that could be used to compromise the system further. Note that not all files with the .wncry extension are encrypted. Some may still be readable.

Kill Switch The malware will not run if it can access a specific website. This web site has been registered to stop the spread of malware. But proxies may prevent connections. An internal website may be more reliable and allows detecting infections. A registry entry was found that will prevent infection as well, and a tool was released to set the entry. Future versions will likely remove these kill switches or change the name of the registry entry.

Will Paying the Ransom Help Us? There is no public report from victims who paid the ransom. About a hundred victims paid so far. The unlock code is transmitted in a manual process that requires the victim to contact the person behind the ransomware to transmit an unlock code. Due to the law enforcement and public attention, it is possible that the individual(s) behind this malware will disappear and not release unlock codes in the future.

Impact / Summary Availability Confidentiality Integrity Affected organizations will loose access to the files encrypted by the malware. Recovery is uncertain even after paying the ransom. Confidentiality The malware does install a backdoor that could be used to leak data from affected machines, but the malware itself does not exfiltrate data Integrity Aside from encrypting the data, the malware does not alter data. But the backdoor could be used by others to cause additional damage

Additional Links Technical Webcast: https://www.sans.org/webcasts/massive- ransomware-crisis-uk-health-system-105150 Microsoft Guidance https://blogs.technet.microsoft.com/msrc/2017/05/12/custom er-guidance-for-wannacrypt-attacks/ Internet Storm Center: https://isc.sans.edu

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.