
An Inside Look At The WannaCry Ransomware Outbreak


Gain in-depth information on the massive WannaCry ransomware attack

On Friday, May 12, the WannaCry ransomware variant swept the globe. In a short period of time, WannaCry (also known as Wanna Decryptor and WannaCryptor) infected over 230,000 systems in 150 countries. It was a particularly effective piece of malware because it not only encrypted data and held it for ransom, but it also spread like wildfire to other systems. Entire organizations found themselves looking at a ransom note on their screens and wondering what to do next.

As the situation continues to unfold, please join us as Adam Meyers, VP of Threat Intelligence at CrowdStrike, presents an in-depth look at the WannaCry ransomware.

Register for this webcast to learn:
- A complete technical understanding of the WannaCry threat
- What analysts were seeing on the day of the WannaCry outbreak
- How to prevent WannaCry infections and protect against ransomware going forward



  1. An Inside Look at the WannaCry Ransomware Outbreak. Adam Meyers, Vice President, Intelligence; Chris Witter, Sr. Director, Hunting Operations. 2017 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
  2. Threat Intelligence Report on WannaCry; WannaCry: The Analyst Perspective; Stopping WannaCry; Q&A
  3. A little about me: Adam Meyers
     - VP, Intelligence, CrowdStrike
     - Security Researcher
     - Former DIB Contractor
  4. We Stop Breaches: Next Generation Endpoint, Intelligence, Services
  5. 2016: The Year of Ransomware
     - Over 175 new ransomware families introduced in 2016
     - Method of choice for developing and new criminal operators
     - Growing popularity within the criminal community
     - FBI reports a 300% increase in ransomware cases compared to 2015
  6. Major Ransomware Families (timeline figure; dates as they appear on the slide, several families marked "Continues…" into 2017)
     - TorrentLocker: early 2014, continues
     - CryptoWall: June 2014, April 2016
     - TeslaCrypt: early 2015, May 2016
     - Locky: January 2016
     - Samas: early 2016, continues
     - Cerber: March 2016
     - CryptFile2: March 2016
     - Petya/Mischa/Goldeneye: March 2016
     - CryptXXX: April 2016, October 2016
  7. WannaCry: self-propagating ransomware leveraging the ShadowBrokers exploit package
     - Tradecraft: AES-128; targets 177 file types for encryption; DNS kill switch; SMB exploit (MS17-010)
     - Complex architecture: unpacks 8 files plus a directory with ransom messages in various languages; resource name XIA, a password-protected ZIP (password WNcry@2ol7); Tor C2 (contains the Tor package); RSA 2048-bit key PKI; multiple Bitcoin addresses used for receipt of payment
  8. WannaCry Development Timeline (continuous development)
     - 9 February 2017: WannaCry Variant #1
     - 14 March 2017: Microsoft issues numerous patches, including MS17-010
     - 14 April 2017: "Lost in Translation" ShadowBrokers release
     - 28 April 2017: WannaCry Variant #2
     - 29 April 2017: Initial ETERNALBLUE exploitation
     - 12 May 2017: WannaCry Variant #3
     - 13 May 2017: Modified WannaCry redistributed
  9. A little about me: Christopher Witter
     - Senior Manager, Falcon OverWatch
     - 15 years DFIR experience
  10. Falcon OverWatch Data and Process Flow (figure with five numbered stages)
     - Customer endpoints: continuous endpoint data
     - Falcon UI: detection details; EAM investigation; intelligence/actors
     - OverWatch analytics platform: Falcon data streams; hunting triggers; advanced analytics; business logic
     - OverWatch hunters: strategic analysis; atomic + behavioral + anomaly detection; rapid intrusion triage and scoping
     - Notification of intrusions/breaches; expert operators <--> support channel
     - CrowdStrike Cloud: patented Threat Graph™
  11. What do we know?
     - 4/14: The Shadow Brokers dump more goodness into the public domain, both exploits and utilities, particularly SMB-related.
  12. 4/18: First Observed
  13. Items of Distinction
     - Five cases, all identical in nature
     - Externally facing assets
     - LSASS password dumping detections
     - All shared an identical DLL written during the attack
     - No post-exploit Action on Objectives
     - Three commands, all run in succession: net group /domain; net group "domain admins" /domain; nltest /domain_trusts
  14. 5/12 -> WannaCry
  15. Stopping Ransomware: The CrowdStrike Approach
  16. Machine Learning
     - Prevents the execution of the WannaCry executable
     - Our ML model in VirusTotal from January identified an early WannaCry variant on Feb 20
     - That same ML model blocked the WannaCry that struck on May 12
  17. What happens if you miss?
  18. Suspicious Process Blocking
     - If ML misses, we still catch WannaCry when the Windows Task Scheduler tries to run it
     - This IOA is generic and can identify and block almost any malicious process
  19. Ransomware IOA
  20. Ransomware IOA Blocking
     - I can't show you an IOA block for WannaCry because it never made it this far
  21. Demonstration
     - WannaCry infection and propagation
     - Stop with machine learning
     - Stop variant while offline
     - What happens if ML misses?
     - Stop propagation
     - Visibility into everything
  22. Questions? Please submit all questions in the Q&A chat right below the presentation slides.
     - Contact us: Website: crowdstrike.com; Email: info@crowdstrike.com; Number: 1.888.512.8902 (US)
     - Additional information: Join weekly demos at crowdstrike.com/productdemos; Featured asset: Falcon Test Drive (link in resource list)
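Slide 13 describes five identical cases whose only visible follow-on activity was three domain-reconnaissance commands run in succession. The following added example (not from the webcast and not CrowdStrike's tooling) shows detection logic a defender could run over process-creation events to flag a host where all three commands run in that order within a short window; the `timestamp|host|command_line` format and the sample events are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# The three domain-recon commands from slide 13, expected in this order.
RECON_SEQUENCE = [
    re.compile(r"^net\s+group\s+/domain\s*$", re.I),
    re.compile(r"^net\s+group\s+[\"']?domain admins[\"']?\s+/domain\s*$", re.I),
    re.compile(r"^nltest\s+/domain_trusts?\s*$", re.I),
]

# Constructed sample process-creation events (not from the page): timestamp|host|command_line
SAMPLE_LOG = """\
2017-04-18T02:14:05|web01|net group /domain
2017-04-18T02:14:06|web01|net group "domain admins" /domain
2017-04-18T02:14:07|web01|nltest /domain_trusts
2017-04-18T09:30:00|wks07|net group /domain
2017-04-18T09:31:00|wks07|ipconfig /all
2017-04-18T09:32:00|wks07|nltest /domain_trusts
2017-04-18T12:00:00|dc01|net group /domain
2017-04-18T12:00:01|dc01|net group "domain admins" /domain
2017-04-18T13:00:00|dc01|nltest /domain_trusts
"""

def parse_events(log_text):
    """Group (timestamp, command_line) pairs per host, sorted by time."""
    per_host = {}
    for line in log_text.strip().splitlines():
        ts, host, cmd = line.split("|", 2)
        per_host.setdefault(host, []).append((datetime.fromisoformat(ts), cmd.strip()))
    return {h: sorted(ev) for h, ev in per_host.items()}

def find_recon_chains(log_text, window_minutes=5):
    """Hosts where all three commands ran in order within the window of the first one."""
    hits = {}
    for host, events in parse_events(log_text).items():
        for i, (start_ts, start_cmd) in enumerate(events):
            if host in hits or not RECON_SEQUENCE[0].match(start_cmd):
                continue
            stage, seen = 1, [start_ts]
            for ts, cmd in events[i + 1:]:
                if ts - start_ts > timedelta(minutes=window_minutes):
                    break  # sequence did not complete inside the window
                if RECON_SEQUENCE[stage].match(cmd):
                    seen.append(ts)
                    stage += 1
                    if stage == len(RECON_SEQUENCE):
                        hits[host] = seen  # full chain observed on this host
                        break
    return hits
```

With the constructed sample, only web01 is flagged: wks07 never runs the second command and dc01's final command falls outside the five-minute window.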
