WANNACRY / WANNACRYPT
RANSOMWARE
Prepared by:
- Ayoub Rouzi
- Abdelhakim Salama
PLAN
• Introduction
• What happened?
• What is WannaCry / WannaCrypt?
• How many infections?
• What happens to the victim?
• How to protect yourself?
• Will paying the ransom help us?
• Conclusion
WHAT IS RANSOMWARE?
• “Ransomware is a malware that encrypts contents on infected systems and demands payment in bitcoins.”
WHAT HAPPENED?
• March 14th 2017: A "critical" patch had been issued by Microsoft.
• April 15th 2017: The ETERNALBLUE exploit was released as part of an NSA leak.
• May 12th 2017: Several organizations were affected by a new ransomware strain.
• May 21st 2017: A young white hat hacker stopped the WannaCry attack.
• May 22nd 2017: Appearance of WanaCrypt0r 2.0, which is more dangerous.
HOW MANY INFECTIONS?
Estimated > 200,000 victims
HOW DO SYSTEMS GET INFECTED?
• E-Mail.
• Infected websites.
• SMB (Server Message Block): vulnerable systems exposed via port 445.
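An added example (not from the original slides) of how a defender could look for the SMB exposure described above in network flow logs: it reports internal hosts that accepted TCP/445 from outside the network, and internal hosts that contacted many distinct peers on 445 within a short window. The flow-record layout, the 10.0.0.0/8 internal range, the threshold and the sample data are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

SMB_PORT = 445
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
FANOUT_THRESHOLD = 5   # assumed: distinct SMB peers per window before alerting
WINDOW_SECONDS = 60    # assumed window length

# Constructed sample flows: (epoch_seconds, src_ip, dst_ip, dst_port, action)
FLOWS = [
    (1000, "203.0.113.7", "10.0.0.5", 445, "ACCEPT"),  # outside source reaches SMB
    (1001, "203.0.113.7", "10.0.0.6", 445, "DENY"),    # blocked at the perimeter
    (1002, "10.0.0.20", "10.0.0.30", 445, "ACCEPT"),   # ordinary file-share use
    (1003, "10.0.0.5", "10.0.0.30", 443, "ACCEPT"),    # not SMB
] + [(1010 + i, "10.0.0.5", f"10.0.1.{i}", 445, "ACCEPT") for i in range(1, 9)]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def exposed_smb_hosts(flows):
    """Internal hosts that accepted TCP/445 from a source outside the network."""
    hits = set()
    for _, src, dst, port, action in flows:
        if (port == SMB_PORT and action == "ACCEPT"
                and not is_internal(src) and is_internal(dst)):
            hits.add(dst)
    return sorted(hits)


def smb_fanout_hosts(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Internal sources that tried >= threshold distinct SMB peers in one window."""
    peers = defaultdict(set)  # (source, window index) -> distinct destinations
    for ts, src, dst, port, _ in flows:
        if port == SMB_PORT and is_internal(src):
            peers[(src, ts // window)].add(dst)
    return sorted({src for (src, _), dsts in peers.items() if len(dsts) >= threshold})


if __name__ == "__main__":
    print("SMB reachable from outside:", exposed_smb_hosts(FLOWS))
    print("SMB fan-out (worm-like):", smb_fanout_hosts(FLOWS))
```

A host that appears in both lists, as 10.0.0.5 does in the constructed data, is the first one to isolate and check for the patch.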
WHAT HAPPENS TO THE VICTIM?
• Files with specific extensions will be encrypted.
• The victim will see a ransom message asking for approx. $300.
• Once all the files are encrypted, a backdoor is opened.
• WannaCry warns the user that the files have been encrypted by modifying the desktop wallpaper.
HOW TO PROTECT YOURSELF
WILL PAYING THE RANSOM HELP US?
• There is no public report from victims who paid the ransom.
• About a hundred victims paid so far.
WHAT ARE THE UPDATES?
• Windows, Linux, Mac
• More victims
• More data collection
CONCLUSION
• Availability
Affected organizations will lose access to the files encrypted by the malware. Recovery is uncertain even after paying the ransom.
• Confidentiality
The malware does install a backdoor that could be used to leak data from affected machines, but the malware itself does not exfiltrate data.
• Integrity
Aside from encrypting the data, the malware does not alter data. But the backdoor could be used by others to cause additional damage.


Editor's Notes

  1. Several large organizations worldwide are known to be affected. Estimated > 200,000 victims according to various antivirus vendors.
  2. Several large organizations worldwide are known to be affected.
  3. Some organizations suggest that the initial infection originated from e-mail attachments. Affected organizations may have had
  4. Ransomware demands will increase to $600 after 3 days. After 7 days, the files may no longer be recoverable. The ransomware will also install a backdoor to access the system remotely via port 445 (Double Pulsar, also part of the NSA tool set).
  5. WannaCry uses the discrete anonymity network to communicate with its Command & Control server:
  6. Deploy antivirus protection. Block spam. Perform regular backups of all critical information. Don't open attachments in unsolicited e-mails. Disable opened SMB port in Microsoft Office products.