1. Protecting Your
Organization from
WannaCry Ransomware

2. Presenter
Mayank Dikshit
Senior Manager , Quality Assurance
Windows, Mac, Linux,
Quick Heal

3. Overview of Ransomware
•Infection vectors and Targeted Files
•Payment Mechanisms
•New Techniques used by Ransomware
•Industries affected
Agenda
How Seqrite protects against WannaCry
•Layered Protection
•Statistics
Prevention Steps
•WannaCry Specific
•General
Overview of WannaCry Ransomware
•How WannaCry Propagates
•Targeted Files

4. Digital extortion
• Encryption
Encrypts files with a password, stopping from opening them
• Lock screen
Uses a full-screen image or webpage to stop from accessing anything on
computer
• MBR
Overview of Ransomware

5. • Email attachments
• Phishing links
• Part of another malware's payload
• Delivered by an exploit kit
• Malvertising
• Through Vulnerabilities found in:
• Applications
• Plug-ins (like Adobe, Flash Player)
• Operating System
Infection Vectors

6. Office files PDF files Database files
Images & Drawings Games files
Targeted Files

7. Payment Mechanisms
SMSs or phone calls
to premium-rate
numbers
Prepaid electronic
payment – Ukash,
MoneyPack, PayPal
My Cash Cards
Bitcoins – virtual
currency which makes
it difficult to trace the
actual recipient of the
money

8. New Techniques used by Ransomwares
• RDP (Remote Desktop) – Brute Force Attacks
• Exploiting Server Vulnerabilities
• Hooking to popular Third Party Software/Tools

9. Industries affected
• Educational Institutions
• Government Organizations
• Corporates and Businesses
• Hospitals
• Telecom
• Transport

10. WannaCry Ransomware
• The ransomware, WannaCry, uses an exploit named EternalBlue
Server Message Block (SMB) Vulnerability [MS17-010–Critical] to
infect computers running versions of Windows operating systems.
• EternalBlue was first made public in April 2017 after Shadow
Brokers released a bunch of exploits and hacking tools developed
by the US NSA.
• Microsoft released a patch for the EternalBlue exploit just a few
weeks before Shadow Brokers made the NSA-developed
vulnerability's existence public.
• In addition to ‘EternalBlue’, ‘EternalRomance’ and
‘EternalSynergy’ were also addressed by Microsoft as part of
security bulletin MS17-010.

11. How does WannaCry Propagate?
• What makes it lethal is the combination of a Worm with
Ransomware.
• Generates list of:
• Internal IPs [Local Network]
• Random IPs [Internet/External Networks]

12. WannaCry Ransomware
• After successful exploitation, it adds the below files to the system:
C:ProgramData<random_alphanumeric>@WanaDecryptor@.exe
C:ProgramData<random_alphanumeric>tasksche.exe
C:ProgramData<random_alphanumeric>taskdl.exe
C:ProgramData<random_alphanumeric>taskse.exe
• WannaCry adds below malicious registry entries to make persistence into
the system, so that it could launch the infection after each system reboot:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
“xwjfzbtm432″=””C:ProgramData<random_alphanumeric>tasksche.exe“”
• WannaCry then encrypts all the data on the system by changing file
extension names to '.WNCRY'.
• The ransomware then displays a window informing users that their files
have been encrypted and that they can be recovered in lieu of a payment
made in bitcoins. The window is accompanied by two timers:
• one counting down to a certain time after which the ransom amount
will be doubled.
• other warns of the time after which users' files will be lost.

13. • Commonly used office file extensions (.ppt, .doc, .docx, .xlsx).
• Archives (.zip, .rar, .tar)
• Emails and email databases (.eml, .msg, .ost, .pst).
• Database files (.sql, .sqlitedb, .accdb, .mdb, .dbf, .odb, .myd).
• Media files like image, audio and video (.jpeg, .mp4.,mpeg)
• Graphic designers, artists and photographers files (.vsd, .odg, .raw,
.nef, .svg, .psd).
• Virtual machine files (.vmx, .vmdk, .vdi).
• Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg,
.aes).
• Developers' sourcecode and project files (.php, .java, .cpp, .pas,
.asm).
Targeted Files

14. Behavior
based
detection
Signature
based
detection
Backup and
Restore
Internet and
Network
How Seqrite protects against WannaCry?
Ransomware ProtectionIntrusion Prevention

15. Detection Prompt

16. Shadow Broker Statistics - IPS

17. WannaCry – HeatMap and Attacker IPs

18. ETERNALCHAMPION Windows SMB Information Disclosure Vulnerability
EXPLODINGCAN WEB-MISC IIS v6 WebDAV ScStoragePathFromUrl Buffer
overflow attempt
ECLIPSEDWING Remote Code Execution Exploit
ETERNALROMANCE Remote Code Execution Exploit
ETERNALBLUE SMBv2 exploit
ETERNALCHAMPION Windows SMB Remote Code Execution Vulnerability
DOUBELPULSER backdoor - SHELLCODE BACKDOOR
Quick Heal & Seqrite detections specifc to MS17-010 :
VID-01899 : [MS17-010] Windows SMB Remote Code Execution Vulnerability
VID-01901 : [MS17-010] Windows SMB Remote Code Execution Vulnerability
VID-01906 : [MS17-010] Windows SMB Remote Code Execution Vulnerability
VID-01907 : [MS17-010] Windows SMB Remote Code Execution Vulnerability
VID-01912 : [MS17-010] Windows SMB Information Disclosure Vulnerability
Shadow Broker Exploit Coverage

19. How Seqrite protects against WannaCry
Behavior based detection
- Advance DNAScan
- Anti Ransomware

20. Anti-Ransomware
Detection Prompts
Behavior Detection System

21. Signature based detection
- Virus Protection
- Email Scan Protection
How Seqrite protects against WannaCry

22. Detection Prompt

23. Key Highlights
The feature requires Seqrite product to be already installed and activated. It is
downloaded as part of updates and no specific user action is required.
Backup and Restore feature is lightweight and works seamlessly in the background
to back-up your data without any performance overheads.
It automatically and periodically (multiple times in a day), takes incremental
backup of all your important and well-known file formats - PDF, Microsoft Office ,
Open Office files.
Keeps a backup of your files on the local drive itself and at no point this data is
either shared or transferred to Seqrite cloud.
To restore data Seqrite Technical Support provides all assistance.
Backup and Restore

24. Preventive Steps
Regular backup of
important data
Apply
MS17-010 Security
updates.
Keep your Security
product Up-to-date
Follow best security
practices

25. MS17-010 Security Updates
Apply Security Update for Microsoft Windows SMB Server :
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
# ‘Windows XP SP3’ ‘KB4012598’
# 'Windows Vista', 'KB4012598'
# 'Windows 7', 'KB4012212', 'KB4012215'
# 'Windows 8.1', 'KB4012213', 'KB4012216'
# 'Windows 10', 'KB4012606'
# 'Windows 10 Version 1511', 'KB4013198'
# 'Windows 10 Version 1607', 'KB4013429'
# 'Windows Server 2008', 'KB4012598'
# 'Windows Server 2008 R2', 'KB4012212', 'KB4012215'
# 'Windows Server 2012', 'KB4012214', 'KB4012217'
# 'Windows Server 2012 R2', 'KB4012213', 'KB4012216'
# 'Windows Server 2016', 'KB4013429'

26. • Apply the latest security updates released by Quick Heal/Seqrite.
• Disable SMB service (running on port 445) if not used.
• Use strong and unique passwords.
• Disable RDP or change the default RDP port number.
• 2-Factor Authentication for Remote Services
• Configure Account Lockout Policies
• Disable Macros in Microsoft Office via Group Policy
• Configure password protection for your security software
Preventive Steps

27. • Ensure that Windows Update is enabled to automatically download and
apply regular security updates. Also ensure that your system has the
latest Windows security patches installed. Also apply updates for
important software which is regularly targeted, such as:
• Microsoft Office
• Java
• Adobe Acrobat Reader
• Web browsers like Internet Explorer, Chrome, Firefox, Opera etc
• Adobe Flash Player
Applying important software updates

28. • It is very important to understand the need for data backup policies
for all your important data.
• It is highly recommended that you periodically backup your important
data using the right combination of ONLINE and OFFLINE backups.
• Do not keep offline backups connected to your system as this data
could be encrypted in case of an infection.
Regular backup of important data

29. 1. Keep strong passwords for login accounts and network shares.
2. Do not open and execute attachments received from unknown
senders. Cybercriminals use ‘Social Engineering’ techniques to allure
users to open attachments or to click on links containing malware.
3. Avoid downloading software from untrusted P2P or torrent sites. At
times, they are Trojanized with malicious software.
4. Do not download cracked software as they could propagate the
added risk of opening a backdoor entry for malware into your system.
5. Do not download pirated/free software from unknown and un-trusted
sites.
6. It is recommended to avoid mapping of network drives in the system.
7. Do not use untrusted plugins/add-ons/extensions on browsers.
8. Do not use important Servers for daily browsing/mailing activities.
9. Avoid browsing, downloading when you are logged-in with complete
administrator rights.
Follow best Security Practices

30. Q&A

31. Call us at:
1800-212-7377
Write to us at:
support@seqrite.com
Visit us:
www.seqrite.com | blogs.seqrite.com

32. Thank You!