WannaCry ransomware attack
- 2. PLAN
Introduction
What happened?
What is WannaCry / WannaCrypt?
How many infections?
What happens to the victim?
How to protect yourself?
Will paying the ransom help us?
Conclusion
- 3. WHAT IS RANSOMWARE?
“Ransomware is malware that encrypts the contents of infected systems and demands a payment, usually in bitcoin, in exchange for the decryption key.”
- 4. WHAT HAPPENED?
March 14th 2017: Microsoft issued a "critical" patch (MS17-010) for the SMBv1 vulnerability.
April 15th 2017: The ETERNALBLUE exploit for that vulnerability was released publicly as part of a leak of NSA tools by the Shadow Brokers.
May 12th 2017: Several organizations were affected by a new ransomware strain, WannaCry, which used ETERNALBLUE to spread from machine to machine.
May 21st 2017: A young white-hat hacker stopped the WannaCry attack by registering a domain the malware checked before running (its "kill switch").
May 22nd 2017: Appearance of WanaCrypt0r 2.0, a more dangerous variant.
- 8. HOW DO SYSTEMS GET INFECTED?
• E-mail (malicious attachments).
• Infected websites.
• SMB (Server Message Block): vulnerable Windows systems with SMBv1 exposed on TCP port 445 are exploited directly with ETERNALBLUE, with no user interaction at all.
Once one host on a network is infected, WannaCry scans for other hosts with port 445 open and infects them the same way, which is what made it a worm rather than an ordinary ransomware campaign.
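The SMB vector above leaves two visible traces in firewall or flow logs: an infected host fanning out to many distinct peers on TCP/445 in a short time, and SMB reachable from outside the network in the first place. The following Python script is an added example (it is not part of the original slides, and not anyone's production detection) that looks for both over a constructed log. The log format, the 60-second window, the threshold of 10 distinct peers and the addresses are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall/flow log (not from any real incident). Each record is a
# simplified syslog-style line: "<ISO timestamp> <src> -> <dst>:<dport>/<proto> <ACTION>".
# Block (1) is generated: one workstation touching 16 neighbours on TCP/445
# within 8 seconds, the fan-out pattern a worm spreading over SMB produces.
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T10:00:{i // 2:02d} 10.0.1.23 -> 10.0.1.{24 + i}:445/tcp ALLOW" for i in range(16)]
    + [
        # (2) benign: a user host opening a share on the file server a few times
        "2017-05-12T10:01:00 10.0.1.50 -> 10.0.0.5:445/tcp ALLOW",
        "2017-05-12T10:05:00 10.0.1.50 -> 10.0.0.5:445/tcp ALLOW",
        "2017-05-12T10:09:00 10.0.1.50 -> 10.0.0.5:445/tcp ALLOW",
        # (3) SMB reachable from outside: an external source is ALLOWed to 445
        "2017-05-12T09:58:30 203.0.113.7 -> 10.0.1.23:445/tcp ALLOW",
        "2017-05-12T09:59:10 203.0.113.9 -> 10.0.1.23:445/tcp DENY",
        # (4) unrelated traffic that must not trigger either rule
        "2017-05-12T10:00:05 10.0.1.23 -> 10.0.0.53:53/udp ALLOW",
        "2017-05-12T10:00:06 10.0.1.60 -> 192.0.2.10:443/tcp ALLOW",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)/(?P<proto>\w+) (?P<action>\w+)$"
)

# RFC 1918 ranges listed explicitly: ipaddress's is_private also treats the
# documentation ranges (e.g. 203.0.113.0/24) as private, which would hide the
# constructed external sources above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one record; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
        "action": m["action"].upper(),
    }


def parse_log(text: str):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def smb_fanout(records, window=timedelta(seconds=60), threshold=10):
    """Sources that reached >= `threshold` distinct hosts on TCP/445 inside any
    sliding window of length `window`. ALLOW and DENY are both counted: a worm
    probing addresses that do not exist still generates the denials."""
    per_src = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 445:
            per_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        peers = Counter()  # distinct destinations inside the current window
        start, best = 0, 0
        for ts, dst in events:
            peers[dst] += 1
            while ts - events[start][0] > window:  # slide the window forward
                old = events[start][1]
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
                start += 1
            best = max(best, len(peers))
        if best >= threshold:
            flagged[src] = best
    return flagged


def exposed_smb(records):
    """(src, dst) pairs where a non-RFC1918 source was allowed to reach TCP/445:
    evidence that SMB is reachable from the Internet."""
    hits = {
        (r["src"], r["dst"])
        for r in records
        if r["proto"] == "tcp" and r["dport"] == 445 and r["action"] == "ALLOW" and not is_internal(r["src"])
    }
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, n in smb_fanout(recs).items():
        print(f"[fan-out] {src} contacted {n} distinct hosts on TCP/445 within 60 s")
    for src, dst in exposed_smb(recs):
        print(f"[exposed] external {src} reached {dst}:445")
```

On the constructed log the fan-out rule flags only 10.0.1.23 (16 peers in 8 seconds), not the user host that opened the file server three times in ten minutes; the exposure rule reports the single allowed external connection. The fan-out threshold needs tuning per environment: a backup server or a vulnerability scanner legitimately touches many hosts on 445 and should be allow-listed rather than lowering the threshold for everyone.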
- 9. WHAT HAPPENS TO THE VICTIM?
• Files with specific extensions (documents, images, archives, databases and similar) are encrypted.
• The victim sees a ransom message asking for approximately $300 in bitcoin; the demand rises to $600 after 3 days, and after 7 days the files may no longer be recoverable.
- 10. WHAT HAPPENS TO THE VICTIM?
• Once all the files are encrypted, the damage is not limited to the ransom:
• The malware also installs a backdoor (DoublePulsar, itself part of the leaked NSA tool set) that allows remote access to the system over port 445.
- 11. WHAT HAPPENS TO THE VICTIM?
WannaCry warns the user that their files have been encrypted by replacing the desktop wallpaper with the ransom notice.
- 13. WILL PAYING THE RANSOM HELP US?
• There is no public report from victims who paid the ransom of getting their files back.
• About a hundred victims have paid so far.
- 15. CONCLUSION
• Availability
Affected organizations lose access to the files encrypted by the malware. Recovery is uncertain even after paying the ransom; restoring from backups that the malware could not reach is the only reliable way back.
• Confidentiality
The malware installs a backdoor that could be used to leak data from affected machines, but the malware itself does not exfiltrate data.
• Integrity
Aside from encrypting the data, the malware does not alter it. But the backdoor could be used by others to cause additional damage.
Editor's Notes
- Several large organizations worldwide are known to be affected.
Estimated > 200,000 victims according to various antivirus vendors.
- Some organizations suggest that the initial infection originated from e-mail attachments.
Affected organizations may have had
- The ransom demand increases to $600 after 3 days. After 7 days, the files may no longer be recoverable. The ransomware also installs a backdoor for remote access to the system via port 445 (DoublePulsar, also part of the leaked NSA tool set).
- WannaCry uses the Tor anonymity network to communicate with its Command & Control servers.
- Deploy antivirus protection.
Block spam.
Perform regular backups of all critical information, and keep copies offline or otherwise unreachable from the machines they protect.
Don't open attachments in unsolicited e-mails.
Apply the Microsoft patch for the SMB vulnerability (MS17-010) to all Windows systems.
Disable SMBv1 on Windows and block inbound TCP port 445 at the network perimeter so that SMB is not reachable from the Internet.