The document summarizes the Wannacrypt + Smbv1.0 ransomware attack, one of the most damaging in history. It began on a Friday in May 2017 and infected over 216,000 machines worldwide (the count by August; the real number is likely higher) by exploiting an SMBv1 vulnerability. The ransomware used the ETERNALBLUE exploit leaked by the ShadowBrokers to spread rapidly through networks. Microsoft had released a patch for the vulnerability (MS17-010) in March 2017, but many systems remained unpatched. The spread was halted when a researcher registered a domain name hard-coded in the ransomware. The document examines the technical details and impact of the attack and recommends steps to prevent future ransomware infections, such as keeping systems updated with the latest security patches.
2. Introduction
• Initial spread and telemetry
• The bug
• The backdoor
• Mitigations
• The ransomware
• The aftermath
• Conclusion
3. It began on a Friday
• Several organizations started reporting massive infections
o NHS in the UK
o Telefonica in Spain
o FedEx in the US
o MegaFon in Russia
Overall campaign:
• 216k infected machines by August (estimate; likely more)
• Spanning the whole world
5. “Is it wormable?” YES
Source: Packetstorm Security
https://packetstormsecurity.com/files/142464/MS17-010.txt
6. Timeline of the vulnerability
• January 8th: ShadowBrokers put the stolen tools on sale (750 Bitcoins)
• January 16th: US CERT warns about a potential (unconfirmed) SMB vulnerability
• March 14th: MS17-010 released
• April 14th: ETERNALBLUE leaked, code is publicly available
• May 10th: Exploit code widely adopted (Packetstorm, Exploit DB)
• May 12th: WannaCrypt unleashed
7. Initial infection vector?
• Earlier Wannacry found along with Lazarus’ tools
• New Wannacry possibly planted by Lazarus actors?
• We don’t know!
13. The bug
Bad integer cast -> buffer overflow
(Diagram: a BUFFER holding a list of ATTR entries; the list size is kept as an unsigned long but written back through an unsigned short)
• Original list size (unsigned long): 0x00010000
• Truncated list size (the walked size, stored through an unsigned short): 0x0000FF5D
• Updated list size: 0x0001FF5D (the high 16 bits of the original survive, so the list now looks larger than the buffer allocated for it)
Excellent article from Viktor Brange:
https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/
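The three numbers on the slide can be reproduced with a small model of the size fix-up. This is an added example, not code from the deck or from srv.sys: the list layout (a 4-byte entry header of flags, name length and little-endian value length, followed by name and value bytes), the function names and the 0xFF5D-byte input are all constructed for illustration. The buggy fix-up is expressed arithmetically rather than through an actual 16-bit pointer write so that it behaves the same on any host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical OS/2-style FEA list, modelled on the slide's numbers rather than
 * on srv.sys's real structures: a 32-bit claimed byte count (cb_list) followed
 * by entries of the form flags(1) name_len(1) value_len(2, LE) name[] value[]. */
#define FEA_HDR_LEN 4

/* Walk the entries that actually arrived (`avail` bytes) and return how many
 * bytes of well-formed entries they contain. */
static uint32_t walk_entries(const uint8_t *data, size_t avail)
{
    size_t off = 0;
    while (off + FEA_HDR_LEN <= avail) {
        size_t name_len  = data[off + 1];
        size_t value_len = data[off + 2] | ((size_t)data[off + 3] << 8);
        size_t entry_len = FEA_HDR_LEN + name_len + value_len;
        if (off + entry_len > avail)
            break;                       /* truncated entry: stop here */
        off += entry_len;
    }
    return (uint32_t)off;
}

/* The bad cast. Writing the walked size back through a 16-bit pointer
 * (`*(unsigned short *)&cb_list = walked`) only replaces the low 16 bits;
 * the high 16 bits of the attacker's claimed size survive. Written as
 * arithmetic so the result does not depend on host endianness. */
static uint32_t fixup_list_size_buggy(uint32_t claimed, uint32_t walked)
{
    return (claimed & 0xFFFF0000u) | (walked & 0x0000FFFFu);
}

/* Hardened counterpart: store the full 32-bit walked size. */
static uint32_t fixup_list_size_fixed(uint32_t claimed, uint32_t walked)
{
    (void)claimed;
    return walked;
}

/* A converter that trusts cb_list and processes that many bytes into a
 * buffer sized for `allocated` bytes overruns it by this much. */
static uint32_t overrun_bytes(uint32_t cb_list, uint32_t allocated)
{
    return cb_list > allocated ? cb_list - allocated : 0;
}

typedef struct {
    uint32_t claimed, walked, buggy, fixed, overrun;
} cast_demo;

/* Constructed input reproducing the slide's figures: the attacker claims
 * 0x10000 bytes but sends 0xFF5D bytes, which is exactly 9339 entries of
 * 7 bytes (4-byte header, 1-byte name, 2-byte value). */
static cast_demo run_cast_demo(void)
{
    static uint8_t list[0xFF5D];
    const uint32_t claimed = 0x00010000u;
    cast_demo d;
    size_t off;

    for (off = 0; off + 7 <= sizeof list; off += 7) {
        list[off + 0] = 0x00;           /* flags */
        list[off + 1] = 0x01;           /* name_len */
        list[off + 2] = 0x02;           /* value_len, little-endian */
        list[off + 3] = 0x00;
        list[off + 4] = 'A';            /* name */
        list[off + 5] = 0xAA;           /* value */
        list[off + 6] = 0xBB;
    }
    d.claimed = claimed;
    d.walked  = walk_entries(list, sizeof list);          /* 0x0000FF5D */
    d.buggy   = fixup_list_size_buggy(claimed, d.walked); /* 0x0001FF5D */
    d.fixed   = fixup_list_size_fixed(claimed, d.walked); /* 0x0000FF5D */
    d.overrun = overrun_bytes(d.buggy, d.walked);         /* 0x10000 bytes too many */
    return d;
}
```

The point to take from the model is that the overflow does not come from the parser miscounting; the walk is correct. It comes from the narrow store that lets attacker-controlled high bits leak back into a size that later code trusts.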
14. The exploit
(Diagram of the exploit chain)
KERNEL MEMORY:
• SMB spray of SRVBUFFER structs
• Trigger: the overflow overwrites the neighbouring SRVBUFFER struct’s Ptr SRVNET_CONNECTION
HAL MEMORY (fixed address! RWX):
• Fake SRVNET_CONNECTION struct placed there, with its Ptr SRVNET_RECEIVE_HANDLER pointing at the shellcode
• Shellcode
Works on Windows 7
15. The backdoor (DoublePulsar)
Excellent article from Matt Oh:
https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/
Step 1:
Hook the SYSENTER handler
What about PatchGuard?
16. The backdoor (DoublePulsar)
Step 2:
• The SYSENTER hook is executed; the original SYSENTER handler is restored (hook, then unhook)
• Backdoor installed by hooking SRV!SrvTransactionNotImplemented (Transaction2 -> SESSION_SETUP)
PatchGuard thread:
• Unlikely to spawn while SYSENTER is hooked
• Does not check the SRV code / writable data sections
By design, PatchGuard does not catch transient attacks
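The two steps above, as an added user-space model (not DoublePulsar's code and not Windows internals): one function-pointer slot stands in for the SYSENTER handler and is the only thing the model's "PatchGuard" snapshots, while a small table stands in for srv.sys's Transaction2 dispatch data, which the checker never inspects. The table size, the function names and the use of the MS-CIFS TRANS2_SESSION_SETUP subcommand number as an index are assumptions of the model.

```c
#include <stdbool.h>

/* Model of the two-step install, not DoublePulsar's code. */
typedef void (*sysenter_fn)(void);
typedef int  (*trans2_fn)(int subcommand);

#define TRANS2_SESSION_SETUP 0x0E   /* subcommand number from MS-CIFS, used as an index here */
#define TRANS2_SLOTS         0x12

static sysenter_fn sysenter_handler;                 /* protected by the model's PatchGuard */
static trans2_fn   trans2_dispatch[TRANS2_SLOTS];    /* srv.sys data: not protected */

static void original_sysenter(void) {}
static int  srv_transaction_not_implemented(int sub) { (void)sub; return -1; }
static int  backdoor(int sub) { return sub == TRANS2_SESSION_SETUP ? 0x1337 : -1; }

/* "PatchGuard": snapshot the protected state, re-check it later. */
static sysenter_fn pg_baseline;
static void pg_arm(void)   { pg_baseline = sysenter_handler; }
static bool pg_check(void) { return sysenter_handler == pg_baseline; }

/* Step 1 (done by the exploit shellcode): hook the SYSENTER handler. */
static sysenter_fn saved_sysenter;
static void hooked_sysenter(void)
{
    /* Step 2: runs on the first system call after the hook. Unhook first so
     * the protected slot is clean again, then plant the persistent backdoor
     * in data the integrity check never looks at. */
    sysenter_handler = saved_sysenter;
    trans2_dispatch[TRANS2_SESSION_SETUP] = backdoor;
    saved_sysenter();
}
static void install_step1(void)
{
    saved_sysenter   = sysenter_handler;
    sysenter_handler = hooked_sysenter;
}

static void reset_kernel_model(void)
{
    int i;
    sysenter_handler = original_sysenter;
    for (i = 0; i < TRANS2_SLOTS; i++)
        trans2_dispatch[i] = srv_transaction_not_implemented;
    pg_arm();
}

/* Transient hook: installed, fired once, gone before the checker runs. */
static bool transient_hook_passes_pg(void)
{
    reset_kernel_model();
    install_step1();
    sysenter_handler();          /* first syscall: hook fires and removes itself */
    return pg_check();           /* true: nothing left for PatchGuard to find */
}

/* ...yet the backdoor now answers Transaction2 SESSION_SETUP. */
static int backdoor_reply_after_transient_hook(void)
{
    transient_hook_passes_pg();
    return trans2_dispatch[TRANS2_SESSION_SETUP](TRANS2_SESSION_SETUP);  /* 0x1337 */
}

/* A hook left in the protected slot is caught on the next check. */
static bool persistent_hook_passes_pg(void)
{
    reset_kernel_model();
    install_step1();
    return pg_check();           /* false */
}
```

The model makes the slide's last line concrete: a periodic integrity check only sees state that exists when it runs, so a hook that removes itself before the check and moves its payload into unchecked data is invisible to it, while the same hook left in place is detected.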
17. Mitigations
1. HAL memory not RWX (DEP; HVCI requires Device Guard)
2. HAL memory location randomized (kASLR)
3. Control Flow Guard (optional, requires Device Guard)
Each of these breaks a step of the chain on the exploit slide: no writable+executable HAL page for the shellcode, no fixed address to aim the corrupted pointer at, and no indirect call to an unexpected handler.
Doesn’t work on Windows 10 RS1+!
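The chain on the exploit slide and the effect of the mitigations on this slide, as an added user-space model (not srv.sys code and not the real exploit): a byte array stands in for the kernel pool, each "chunk" holds a connection pointer followed by received data, and a global struct plays the role of the fixed HAL address. A missing bounds check models the overflow and a flag models Control Flow Guard's check on indirect-call targets; DEP and kASLR are not modelled beyond the comment on the fixed address. All names and sizes are assumptions of the model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Model of the exploit diagram, not srv.sys code. A "pool" of SRVBUFFER-like
 * chunks: each chunk starts with a pointer to its SRVNET_CONNECTION, followed
 * by DATA_LEN bytes of received data. The connection's first field is the
 * receive handler that the dispatch path calls. */
typedef struct srvnet_connection {
    void (*receive_handler)(struct srvnet_connection *);
    int marker;                          /* set by whichever handler runs */
} srvnet_connection;

#define PTR_LEN    sizeof(void *)
#define DATA_LEN   64
#define CHUNK_LEN  (PTR_LEN + DATA_LEN)
#define NUM_CHUNKS 4

static uint8_t pool[NUM_CHUNKS * CHUNK_LEN];   /* stands in for the kernel pool */

static void real_handler(srvnet_connection *c) { c->marker = 1; }
static void shellcode(srvnet_connection *c)    { c->marker = 0x1337; } /* attacker payload */

static srvnet_connection real_conn = { real_handler, 0 };
/* The fake connection sits in a global; its address plays the role of the
 * fixed, RWX HAL address the real exploit targeted on Windows 7. */
static srvnet_connection fake_conn = { shellcode, 0 };

static uint8_t *chunk(unsigned idx) { return pool + idx * CHUNK_LEN; }

static void chunk_init(unsigned idx, srvnet_connection *conn)
{
    memset(chunk(idx), 0, CHUNK_LEN);
    memcpy(chunk(idx), &conn, PTR_LEN);
}

/* Receive path. With `bounds_check` false, a message longer than DATA_LEN
 * runs off the end of this chunk's data and into the next chunk's pointer. */
static bool chunk_receive(unsigned idx, const uint8_t *msg, size_t len, bool bounds_check)
{
    if (bounds_check && len > DATA_LEN)
        return false;
    if (idx * CHUNK_LEN + PTR_LEN + len > sizeof pool)
        return false;                    /* keep the model itself inside `pool` */
    memcpy(chunk(idx) + PTR_LEN, msg, len);
    return true;
}

/* Dispatch path: load the chunk's connection pointer and call its handler.
 * `cfg` models Control Flow Guard: only known-valid targets may be called. */
static int chunk_dispatch(unsigned idx, bool cfg)
{
    srvnet_connection *conn;
    memcpy(&conn, chunk(idx), PTR_LEN);
    if (cfg && conn->receive_handler != real_handler)
        return -1;                       /* indirect call to an invalid target: blocked */
    conn->marker = 0;
    conn->receive_handler(conn);
    return conn->marker;
}

/* The chain: spray, overflow chunk 0 into chunk 1's connection pointer,
 * then let the server dispatch on chunk 1. */
static int run_chain(bool bounds_check, bool cfg)
{
    uint8_t msg[DATA_LEN + PTR_LEN];
    srvnet_connection *target = &fake_conn;
    unsigned i;

    for (i = 0; i < NUM_CHUNKS; i++)     /* SMB spray: predictable neighbours */
        chunk_init(i, &real_conn);
    memset(msg, 'A', DATA_LEN);          /* fill our own data ...            */
    memcpy(msg + DATA_LEN, &target, PTR_LEN); /* ... then the neighbour's pointer */
    chunk_receive(0, msg, sizeof msg, bounds_check); /* trigger (rejected if checked) */
    return chunk_dispatch(1, cfg);       /* 0x1337 = shellcode ran, 1 = real handler, -1 = CFG blocked */
}
```

Run `run_chain(false, false)` for the unmitigated path, `run_chain(true, false)` to see the bug fix alone stop it, and `run_chain(false, true)` to see a CFG-style target check stop the corrupted pointer even when the overflow still happens.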
19. More mitigations!
In general, several mitigations were introduced in Windows 10:
• Controlled Folder Access (CFA)
o Access to folders with documents is restricted (hinders ransomware)
• Code Integrity Guard (CIG)
o Only properly signed images can be loaded
• Arbitrary Code Guard (ACG)
o Can’t create or modify executable memory
• MemGC
o Mitigates use-after-free exploitation (in the Edge/IE browsers)
…and more! (Not all are active by default.)
23. Unusual features
• Stops Exchange- and SQL-related processes
• Deletes shadow copies / the backup catalog
• Overwrites each original file with junk data, then deletes it
• Writes GBs of junk data to a temp file until less than 1 GB of disk space remains
25. WanaKiwi / WanaDecrypt
• Tools for decryption of the files
o Scan WanaCrypt’s process memory for the primes that make up the key
• Do they work?
o If you did not reboot
o If you did not run other software
o If you ran WanaKiwi immediately
o If you are lucky
• Too many “if”s!
26. WanaKiwi / WanaDecrypt
IN THEORY:
• Prime number candidates (from memory)
• A candidate that divides the malware’s key is a factor of it
IT WORKS!
(The Wanafork tool can use this)
27. WanaKiwi / WanaDecrypt
IN PRACTICE:
The key material is overwritten once the machine keeps running:
• Office
• Browser
• Outlook
• Clicking WanaCrypt’s interface
• Leaving it for a couple of hours
Unlikely to work
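The "in theory" and "in practice" slides above, as an added toy-sized example (not WanaKiwi's or WanaDecrypt's code): a constructed 4 KB "process memory" image either still contains a prime factor of the public key or has been overwritten, and a byte-wise scan looks for any 4-byte value that divides the modulus. The RSA parameters are deliberately tiny so that 64-bit arithmetic suffices (a real key needs a bignum library), and the key values, the offset of the prime and the filler bytes are all assumptions of the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Constructed key: p and q are primes, N = p*q < 2^32, e = 17. */
#define KEY_P  65521u
#define KEY_Q  65537u
#define KEY_E  17u

static uint64_t modpow(uint64_t b, uint64_t e, uint64_t n)
{
    uint64_t r = 1;
    b %= n;
    while (e) {
        if (e & 1) r = r * b % n;        /* n < 2^32, so products fit in 64 bits */
        b = b * b % n;
        e >>= 1;
    }
    return r;
}

/* Modular inverse by the extended Euclidean algorithm; 0 if none exists. */
static uint64_t modinv(uint64_t a, uint64_t m)
{
    int64_t t = 0, newt = 1, r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1) return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Scan memory at every byte offset for a 4-byte little-endian value that
 * divides N: such a value is a prime factor left behind. Returns 0 if none. */
static uint32_t find_factor(const uint8_t *mem, size_t len, uint64_t n)
{
    size_t off;
    for (off = 0; off + 4 <= len; off++) {
        uint32_t cand = (uint32_t)mem[off]             | ((uint32_t)mem[off + 1] << 8)
                      | ((uint32_t)mem[off + 2] << 16) | ((uint32_t)mem[off + 3] << 24);
        if (cand > 1 && cand < n && n % cand == 0)
            return cand;
    }
    return 0;
}

/* Constructed memory image: deterministic filler with, optionally, the prime
 * p at an unaligned offset. `key_present` false models memory that has been
 * reused (reboot, other software running, hours elapsed). */
static void build_memory_image(uint8_t *mem, size_t len, bool key_present)
{
    size_t i;
    uint32_t p = KEY_P;
    for (i = 0; i < len; i++)
        mem[i] = (uint8_t)(0x41 + (i % 7));
    if (key_present) {
        uint8_t le[4] = { (uint8_t)p, (uint8_t)(p >> 8), (uint8_t)(p >> 16), (uint8_t)(p >> 24) };
        memcpy(mem + 1003, le, 4);       /* unaligned on purpose: the scan is byte-wise */
    }
}

/* Whole procedure: encrypt a test message with the public key, try to
 * recover the private exponent from memory, decrypt. Returns the recovered
 * message, or 0 if no factor was found. */
static uint64_t wanakiwi_demo(bool key_present)
{
    uint8_t mem[4096];
    const uint64_t n = (uint64_t)KEY_P * KEY_Q;
    const uint64_t message = 123456;
    uint64_t cipher = modpow(message, KEY_E, n);
    uint32_t p, q;
    uint64_t phi, d;

    build_memory_image(mem, sizeof mem, key_present);
    p = find_factor(mem, sizeof mem, n);
    if (p == 0)
        return 0;                        /* nothing in memory divides N */
    q = (uint32_t)(n / p);
    phi = (uint64_t)(p - 1) * (q - 1);
    d = modinv(KEY_E, phi);
    return modpow(cipher, d, n);         /* 123456 when the factor was still in memory */
}
```

`wanakiwi_demo(true)` returns the plaintext because one factor was still sitting in memory; `wanakiwi_demo(false)` returns 0, which is the "too many ifs" case: once the pages holding the primes have been reused, no amount of scanning recovers them.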
28. Worth it?
“We have taken measures to blacklist all addresses associated with the WannaCry attackers that are known to the ShapeShift team”
Spokesperson from ShapeShift
29. Worth it?
• $142,361 collected in total
• $300 ransom
• 474 payments
• ≈ 0.2% of 216,000 infected machines (very rough estimate)
“Cyber extortion losses are skyrocketing with ransomware on pace to be a 1 billion dollar business in 2016.”
The FBI, as reported by CNN
30. Is it still alive?
Alas, yes! (Not just Wannacrypt)
(Chart: DoublePulsar detections by platform per day)
35. Conclusion
• Install security updates!
• Disable unnecessary / legacy features (SMBv1 in particular)
• Block inbound/outbound SMB traffic at your network boundary if possible
• Do not pay cybercriminals
• Do not delete the encrypted files
• Respond quickly and isolate infected machines
• Use Windows 10!