- What is WannaCry? - What are its Worm, Exploit, Botnet, Backdoor, Ransomware characteristics? - WannaCry and the end of the world? - Malware Prevention? - Is it a big deal? Comparison with other malware - WannaCry, a Military and Political Perspective

1. WANNA CRY?
NO THANKS!

2. ABOUT ME
Roberto Martelloni
COBIT®5(F), CISM, CISSP, CCSP, CSSLP, CSPO, CSM
Since 1995 I’ve been contributing to the Info/Cyber Security field for fun and profit (cit.)
About 17 years of work experience in defence, oil and gas and finance industries.
OWASP, Free and Open Source Software Contributor, and rock-climber*

3. ABOUT THE PRESENTATION
• What is WannaCry?
• What are its Worm, Exploit, Botnet, Backdoor, Ransomware characteristics
• WannaCry and the end of the world?
• Malware Prevention?
• Is it a big deal? Comparison with other malware
• WannaCry, a Military and Political perspective
• Questions & Answers, Money and Tomatoes

4. WHAT IS WANNACRY?
Malicious Software (Malware) is an umbrella term used to refer to a variety of
forms of hostile or intrusive software.
Malware is defined by its malicious intent, acting against the requirements of
the computer user.

5. A MALWARE TAXONOMY?
Virus Worm Botnet Backdoor Exploit
Trojan Rootkit HackTool Spyware Adwere
Ransomware
Ram
Scrapers
…

6. MALWARE ATTRIBUTE ENUMERATION AND
CHARACTERIZATION (MAEC)
• MAEC™ International in scope and free for public use, MAEC is a standardized language for encoding
and communicating high-fidelity information about malware based upon attributes such as behaviors,
artifacts, and attack patterns.
• By eliminating the ambiguity and inaccuracy that currently exists in malware descriptions and by
reducing reliance on signatures, MAEC aims to improve human-to-human, human-to-tool, tool-to-tool,
and tool-to-human communication about malware; reduce potential duplication of malware analysis
efforts by researchers; and allow for the faster development of countermeasures by enabling the ability
to leverage responses to previously observed malware instances.
• https://maec.mitre.org/

7. WANNACRY BEHAVIORS, ARTIFACTS, AND ATTACK
PATTERNS
(https://malwr.com)
(https://cuckoosandbox.org/)

8. WANNACRY CHARACTERISTIC
• Replicates itself to spread to other computersWorm
• Takes advantage of a bug or vulnerability to cause unintended or
unanticipated behaviourExploit
• Bypass normal authentication in a computer systemBackdoor
• Network of private computers infected with malicious software
and controlled as a group without the owners' knowledgeBotnet
• Blocks access to the victim's data or threatens to publish it until a
ransom is paidRansomware

9. WANNACRY WORM AND EXPLOIT CHARACTERISTICS
• Propagates using EnternalBlue Exploit
• Exploit developed by the U.S. National Security Agency (!) as part of their Cyber Arsenals
• On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010 to patch EternalBlue
• On Friday, April 14, 2017, Exploit was leaked by The Shadow Brokers (TSB)

10. WANNACRY WORM AND EXPLOIT CHARACTERISTICS
• EternalBlue exploits a vulnerability (CVE-2017-0144) in Microsoft's implementation of the Server Message
Block (SMBv1) protocol (shared drivers)
• Remote Code Execution without Authentication (!)
• The version of Microsoft Windows Vulnerable are
• XP Embedded SP3 x86/x64, SP2 X64
• Vista x86/64 Edition SP 2.0
• Server 2012 R2 0, 2012 0
• Server 2008 R2 x64/Itanium SP1-2, x32 SP2
• Server 2003 x32/x64 SP2
• RT 8.1, 8.0 X86/X64
• 7 for x86/x64 SP1
• 10 x86/x64 Version 0, 1607, 1511

11. WANNACRY WORM AND EXPLOIT CHARACTERISTICS
March 14, 2017
• Microsoft
Release
Patches
April 14, 2017
• Shadow
Broker Leaks
May 12, 2017
• WannaCry
Attack
May 14, 2017
• XP Security
Patches

12. WANNACRY BACKDOOR CHARACTERISTICS
• DoublePulsar is a backdoor implant tool developed by the U.S. National
Security Agency's (NSA)
• On April 14, 2017, the backdoor was leaked by The Shadow Brokers (TSB)

13. WANNACRY BACKDOOR CHARACTERISTICS
• Ring 0 BackDoor (highest privilege level)
• Implant workflow (simplified)
• Determine CPU Architecture x86/x64
• Locate the Server Message Block (SMBv1) driver
• Patch it to implant the BackDoor
• Using a special «Knock» to ping, exec, kill

14. WANNACRY BOTNET CHARACTERISTICS
• Command & Control on Tor Network
• gx7ekbenv2riucmf.onion
• 57g7spgrzlojinas.onion
• xxlvbrloxvriy2c5.onion
• 76jdd2ir2embyv47.onion
• cwwnhwhlz52maqm7.onion

15. WANNACRY RANSOMWARE CHARACTERISTICS
• Each Ransom between $300 to $600
• Languages: Bulgarian, Chinese (simplified/traditional), Croatian, Czech, Danish, Dutch, English,
Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian,
Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese
• Payment through following bitcoin addresses
• https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
• https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
• https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
• Total transaction 337, Total amount 50.77421311 BTC, Last Transaction 2017-06-02 11:43:27 (!)

16. WANNACRY RANSOMWARE CHARACTERISTICS
• Each infection generates a new RSA-2048 keypair
• For each target file type:
• Create a new AES key
• Encrypt the AES key using RSA key and store it
• Encrypt the file using AES-128-CBC

17. WANNACRY RANSOMWARE CHARACTERISTICS
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123,
.wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm,
.xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx,
.potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC,
.PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw,
.cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp,
.mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar,
.java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h,
.pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb,
.sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp,
.wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem,
.p12, .csr, .crt, .key, .pfx, .der

18. WANNACRY LIFECYCLE Exploitation
Backdoor
Installation
Join the
Botnet
Ransomware
Installation
Worm
Propagation

19. WANNACRY AND THE END OF THE WORLD?

20. WANNACRY AND THE END OF THE WORLD?
Marcus Hutchins, known as MalwareTech
The Kill switch Website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

21. WANNACRY LIFECYCLE Exploitation
Backdoor
Installation
Join the
Botnet
Ransomware
Installation
Worm
Propagation

22. MALWARE PREVENTION?
Latest
Software
Updates
(ALWAYS!)
Antivirus Backup Hardening
Network
Segmentation
and
Firewalling
Intrusion
Detection
System
Security
Operation
Center and
Incident
Response
Business
Continuity and
Disaster
Recovery

23. WANNACRY AND OTHER MALWARE
12,000,000
10,500,000
6,215,000
3,600,000
380,000
230,000
0 2,000,000 4,000,000 6,000,000 8,000,000 10,000,000 12,000,000 14,000,000
Mariposa
Conficker
Marina Botnet
Zeus
Mirai
WannaCry
Infected Hosts

24. WHAT IS THE BIG DEAL THEN?
“Hospitals and doctors' surgeries across Britain were forced to turn away patients and cancel appointments
after the cyberattack crippled some computer systems in the country's health service.”
Hospital affected by the Ransomware in Indonesia, Slovakia, Ontario, England, Scotland
(http://www.aljazeera.com/news/2017/05/disruption-uk-hospitals-hit-cyber-attack-
170512160000368.html)

25. WHAT IS THE BIG DEAL THEN?
• Most of the tools used for WannaCry attacks are from U.S. National Security Agency (!)
• The Shadow Brokers Leaks
• Shady release of patches by Microsoft before the vulnerabilities were leaked

26. THE NATO COOPERATIVE CYBER DEFENSE CENTRE OF
EXCELLENCE
• Goal is to support its member nations and NATO with cyber defence expertise in the fields of
technology, strategy, operations and law.
• Belgium, the Czech Republic, Estonia, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, the
Netherlands, Poland, Slovakia, Spain, Turkey, the United Kingdom, the United States, Austria, Finland
and Sweden
• The Tallinn Manual 2.0 is the most comprehensive analysis of how existing international law applies to
cyberspace and Cyber Operations

27. PRESENTATION RECAP
• What is WannaCry?
• What are its Worm, Exploit, Botnet, Backdoor, Ransomware characteristics
• WannaCry and the end of the world?
• Malware Prevention?
• Is it a big deal? Comparison with other malware
• WannaCry, a Military and Political perspective
• Questions & Answers, Money and Tomatoes

28. THANK YOU
ROBERTO MARTELLONI
RMARTELLONI@GMAIL.COM
HTTPS://WWW.LINKEDIN.COM/IN/RMARTELLONI/