The document summarizes the Wannacrypt + Smbv1.0 ransomware attack, one of the most damaging in history. It began on a Friday in May 2017, infecting over 216,000 machines worldwide in just one day by exploiting an SMB vulnerability. The ransomware used the EternalBlue exploit leaked from the ShadowBrokers to spread rapidly through networks. Microsoft had released a patch for the vulnerability in March 2017 but many systems remained unpatched. The attack was stopped when a researcher registered a domain name hard-coded in the ransomware. The document examines the technical details and impact of the attack, and recommends steps to prevent future ransomware infections like keeping systems updated with the latest security patches.

1. Wannacrypt + Smbv1.0
Vulnerability = One of the Most
Damaging Ransomware Attacks
in History
Andrea Lelli – anlelli@microsoft.com

2. Introduction
• Initial spread and telemetry
• The bug
• The backdoor
• Mitigations
• The ransomware
• The aftermath
• Conclusion

3. It began on a Friday
• Several organization started reporting
massive infections
o NHS in UK
o Telefonica in Spain
o FedEx in US
o MegaFon in Russia
Overall campaign:
• 216k until August (estimated more)
• Spanning through all the world

4. “Is it worm-able ?”
• How does it spread so fast?

5. “Is it worm-able ?” YES
Source: Packetstorm Security
https://packetstormsecurity.com/files/142464/MS17-010.txt

6. Timeline of the vulnerability
March
14th
May
12th
April
14th
MS17-010 Released
ETERNALBLUE leaked, code is publicly available
WannaCrypt unleashed
May
10th Exploit code wildly adopted (Packetstorm, Exploit DB)
January
16th US CERT warns about potential (unconfirmed) SMB vulnerability
January
8th ShadowBrokers put stolen tools on sale (750 Bitcoins)

7. Initial infection vector ?
• Earlier Wannacry found along with Lazarus’ tools
• New Wannacry possibly planted by Lazarus actors?
• We don‘t know!

8. Telemetry
• Wannacrypt detections
• Distinct machines
• First encounters
Windows 7

9. Cumulative Telemetry
• Wannacrypt detections
• Distinct machines
• First encounters

10. The Killswitch
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

11. The Killswitch
Source: internic.net

12. Understanding the attack

13. The bug
Bad integer cast -> buffer overflow
ATTR ATTR ATTR ATTR ATTR
BUFFER
ATTR ATTR ATTRATTR ATTR Original List Size: 0x00010000
Truncated List Size: 0x0000FF5D
Updated List size: 0x0001FF5D
Excellent article from Viktor Brange:
https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-
with-windows-10-virtualization-based-security/
Unsigned Long
Unsigned Short

14. The exploit KERNEL MEMORY
SMB Spray
Trigger
…
…
Ptr SRVNET_CONNECTION
…
…
SRVBUFFER struct
HAL MEMORY
RWX
…
Ptr SRVNET_RECEIVE_HANDLER
…
Shellcode
SRVNET_CONNECTION struct
Fixed address!
Works on
Windows 7

15. The backdoor (DoublePulsar)
Excellent article from Matt Oh:
https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-
ransomware-smb-exploit-propagation/
Step 1:
Hook SYSENTER handler
What About Patchguard ???

16. The backdoor (DoublePulsar)
Step 2:
SYSENTER hook is executed,
Original SYSENTER handler restored
Backdoor installed
SRV!SrvTransactionNotImplemented
(Transaction2->SESSION_SETUP)
Hook UnHook
Patchguard thread:
• Unlikely to spawn when SYSENTER hooked
• Does not check for SRV code/ writabe data
sections
By design, PatchGuard does not catch transient attacks

17. Mitigations
1. HAL memory not RWX (DEP,
HVCI requires DeviceGuard)
2. HAL memory location
randomized (kASLR)
3. Control Flow Guard (optional,
requires DeviceGuard)
X
X
X XDoesn’t work on
Windows 10 RS1+!
X

18. Mitigations
1. Hyper Guard – Mitigates MSR writes
2. Legacy dispatch tables made Read Only
X
X

19. More mitigations!
In general, several mitigations were introduced in Windows 10
• Controlled Folder Access (CFA)
• Access to folders with documents is restricted (hinders ransomware)
• Code Integrity Guard (CIG)
• Can’t modify executable memory
• Arbitrary Code Guard (ACG)
• Can’t load or create untrusted executable memory
• MemGC
• Prevents Use After Free exploitation
…and more! (Not all are active by default.)

20. The ransomware

21. Encryption
• Targets wide range of file extensions
• Renames encrypted files by adding “.wncry”
• Uses AES-128
• One key per file
• Encrypted with randomly generated RSA key

22. And finally…

23. Unusual features
• Stops exchange and SQL related processes
• Deletes shadow copies / backup catalog
• Overwrites original file with junk data
• Then deletes it
• Writes Gb’s of junk data in temp file
• Until < 1Gb remains

24. Should you pay?
???

25. WanaKiwi / WanaDecrypt
• Tools for decryption of the files
 Scans WanaCrypt’s memory for keys
• Do they work?
 If you did not reboot
 If you did not run other software
 If you ran WanaKiwi immediately
 If you are lucky
• Too many “if”!

26. WanaKiwi / WanaDecrypt
IT WORKS!
(Wanafork tool can use this)
Prime numbers
candidates
(from memory)
This candidate
divides malware’s key
IN THEORY:

27. WanaKiwi / WanaDecrypt
IN PRACTICE:
• Office
• Browser
• Outlook
• Click WanaCrypt’s
interface
• Leave it for a couple of
hours
Unlikely to work

28. Worth it?
“We have taken measures to blacklist all addresses associated
with the WannaCry attackers that are known to the ShapeShift
team”
Spokesperson from ShapeShift

29. Worth it?
$ 142,361
$ 300
474
payments
0.2 %
of 216000
infected
machines
(Very rough estimate)
"Cyber extortion losses are skyrocketing with ransomware on pace to be a 1
billion dollar business in 2016."
The FBI - as reported by CNN

30. Is it still alive?
Alas, yes! (Not just Wannacrypt)
DoublePulsar detections by platform per day

31. Is it still alive?
DoublePulsar distribution

32. Copycats
• UIWIX
• Ransomware: encrypts files
• File-less: only resides in memory
• Steals information
• ALDYKUZZ
• Monero coin miner
• PETYA
• Encrypts Files and MFT
• BADRABBIT (PETYA variant)
• Leverages ETERNALROMANCE

33. Who?

34. Who?
Wannacrypt Lazarus

35. Conclusion
• Install security updates!
• Disable unnecessary / legacy features
• Block inbound/outbound SMB traffic to your network if possible
• Do not pay cybercriminals
• Do not delete the encrypted files
• Respond quickly and isolate infected machines
• Use Windows 10!