Mistakes That Make You WannaCry

BSides Belfast · 2017 · 41:02 · 210 views · Published 2017-10

Style: Talk

Transcript [en]

Okay, so hi everyone, my name is Jonah Staying. I'll be presenting a talk I've called Mistakes That Make You WannaCry, where we'll go through the WannaCry ransomware campaign and talk about some of the mistakes that the authors made which could have hindered the profits and success of the ransomware, and could allow people to decrypt their files in some instances. So, I'm a PhD student researching ransomware at CSIT, Queen's University. I've been interested in malware for quite a long time, throughout my undergrad and beyond; anyway, it feels like a long time. I compete in capture-the-flag competitions with our team [name unclear], on CTFtime and stuff like that. I'm also on Twitter, that's on the screen, cryptocat, so if you want to see a lot of mostly malware-related tweets you can follow me there.

I'm going to start with a little bit of background. I will assume that most people know what ransomware is, but just so we're on the same page: ransomware is a type of malware that prevents or limits users from accessing a system until a ransom has been paid. Generally we can categorize ransomware into two broad categories, being lockers and crypto ransomware. Lockers would typically be quite a lot easier to remove from a system; they're not actually going to do anything to the data. Crypto ransomware is a more difficult problem, which has been getting a lot of prominence over the past few years.

Speaking of crypto ransomware, the first piece of crypto ransomware was actually the AIDS Trojan in 1989, also known as the PC Cyborg Trojan. This was distributed on 20,000 floppy disks at the World Health Organization's AIDS conference, and ransomware has come a long way since then. There wasn't really much crypto ransomware seen for a good while; over the past five to ten years this has really picked up. It was estimated that in 2015 victims paid a total of $24 million, and in 2016 this grew to over $1 billion. Obviously it's quite hard to get these statistics; a lot of companies and people don't want to say that they have paid, so a lot of it is down to tracking Bitcoin addresses and stuff like that, and just estimates based on what we would expect the payment rate to have been, based on the amount of infected systems and stuff like that.

I've listed a couple of well-known variants of ransomware here: Locky, Cerber, Petya, TeslaCrypt. There are plenty more; I won't go into detail on them, but I've just listed ones which have been quite successful in terms of the amount of systems they've infected, the amount of revenue they've been able to retrieve, and how long they've really lasted. Interesting ones: I've put here a couple which we'll talk a little bit about. I say interesting in the sense that they have features which generally aren't used throughout ransomware, and some potentially innovative features which we might see more of if ransomware starts going in those directions in future.

Jigsaw was a piece of ransomware which incrementally deletes files every hour, so it might delete a file after the first hour, two files after the second hour, etc. Also, if you try to end the process, exit the process, restart the computer, or take any action which appears to be an attempt to subvert the ransomware, then it will penalize you by deleting a thousand files. There is a free decrypter available for Jigsaw, although I don't think it was really a big problem in the wild. There was a variant called [unclear] as well.

The next one, Popcorn Time, is an interesting one. The authors of this claimed to be computer science students from Syria who were raising money for food, medicine, shelter, etc., and they offer a chance to obtain your decryption key free of charge by infecting two other people. So if you infect two other people and they pay the ransom, then apparently you'll get your key free of charge. In order to verify that, you would need two people who are going to pay the ransom, so whether this is legit or not I'm really not too sure, but it's an interesting concept.

Koolova was, as far as I can see, [unclear] in development, a piece of ransomware that wasn't, I don't think, really circulated in the wild. It might have been created by some researchers or something like that, because in order to decrypt your files all you had to do was read two ransomware-related security articles, and there wasn't really a ransom in terms of payment for that.

FatBoy is another one; I think this is interesting. It's a ransomware-as-a-service offering and has quite a few interesting features. The most notable is that it uses the Big Mac index, which is an index of the price of a Big Mac in every country around the world. Whenever it infects a system it will look at the IP address, look at the location, and based on the location it will look at the price of a Big Mac and decide, okay, how much can they afford to pay for the ransom. This has always been an interesting issue: if you set the ransom too high then you're going to get a lot of lower-level companies and people who aren't going to pay, whereas if you set it quite low you'll get organizations which would have probably paid a lot more who will be on the same generic level.

So what are some of the problems for defenders, at least in terms of crypto ransomware? One of them is the crypto. If the crypto has been implemented correctly, it's virtually impossible to decrypt the files. If we have an RSA key with a 2048-bit

modulus, estimates suggest it could take 6.4 quadrillion years to decrypt on a standard desktop machine or workstation. Another issue, and this applies to malware in general: packing is often used to evade signature-based antivirus detection. This can be quite basic packers which are trivial to unpack; sometimes more custom packers are used. And then evasion: whenever you run malware, ransomware may not reveal its true nature in a VM, so it may check and see if any VMware or VirtualBox process is running, it may check if a debugger is present or if it's been attached to a debugger, and things like that. It might just have a timer to try and fool automated analysis systems that would only run a sample for ten minutes or something. And on the network side it might send out a lot of decoy messages, so send out to a lot of IP addresses, only one of which is actually the command and control server listening for the connection.

I've just got an example here of a typical ransomware attack, the full process. So here we have maybe some social engineering: the attacker looks at the victim on social media and stuff like that to generate a phishing email, say with a malicious attachment or an embedded URL which is malicious. So the victim clicks on the URL; they're redirected to a landing page, which could be a website that's just been set up to host an exploit kit, or it could be a website that's been compromised, a so-called watering hole attack, where the website is hosting some malicious content. In that case the exploit kit will scan the browser, look at the operating system, the version of the browser, the plugins and stuff like that, deliver the relevant exploit, and through that they can drop the payload, which in this case would be the ransomware payload using symmetric or asymmetric encryption. Normally successful ransomware uses a hybrid between these two. Then it will make its callout to its command and control server, maybe through Tor, send information and retrieve information. At the same time, the victim's files have been encrypted; they'll be redirected to a payment site, normally a hidden service on Tor, and they'll make a payment which goes through to the operator's wallets. The operators will then probably tumble the coins, maybe exchange them into a more anonymous currency, and try to cash them out or reinvest them in some other illicit goods.

So, the WannaCry attack. You've probably heard quite a bit about how the attack went down. It used the EternalBlue and DoublePulsar exploits, which were stolen from the NSA and leaked by the Shadow Brokers, in order to propagate. If you had Windows XP or above with the default configuration, or SMB port 445 open, then you were vulnerable, or if you already had the DoublePulsar backdoor installed. Interestingly, this wasn't the first piece of malware to use these exploits; another quite prominent piece of Bitcoin-mining malware was using these exploits previously, and actually if you'd been infected by that it would have closed port 445 afterwards, so if you had been infected you were kind of isolated from being hit by WannaCry.

Some characteristics of WannaCry: it uses RSA-2048 and AES-128-bit encryption, so as we said, with a standard desktop machine it could take 6.4 quadrillion years to crack a 2048-bit RSA key. RSA is quite a slow process if you want to encrypt all the files on a system, so what they'll do is generate a unique public/private key pair for each victim. The private key will then be encrypted with their own public key, what would be like a master key, and then an AES key will be generated for every file on the system and this will be encrypted with the RSA key: you still have the public key, you just don't have the private key to decrypt it. That makes it a lot quicker to go through, and obviously if you're able to crack one of these AES keys it's only going to get you access to that one file. It also deletes any Windows backups, so you'll have one system. It demands a ransom of $300, which increases to $600 after 72 hours, and I think after seven days they say that you'll lose your data. Also, it allows a few random files to be decrypted free of charge; I think 10 files can be decrypted. This is using a hard-coded key found in WannaCry, but it would be the exact same process if you did actually have the private key: the private key that's encrypted with that public key, if it was decrypted with their private key, then you should just be able to run the decrypt option in WannaCry and recover your data.

In fact, it hit more than 500 thousand systems across 150 countries. Now, I've seen some different figures; regardless, there was a botnet tracker that was tracking the spread of WannaCry, and I'm sure quite a lot of these systems are down to analysis as well, so the true scale is not really known, but there were a lot of victims anyway. I've got a list of types of victims included here with an example of each; obviously there were many more, and you know it wasn't just the NHS, there were other hospitals, transportation systems, etc., so it was quite a wide region. Microsoft did release a patch for Windows XP, the first since 2014; however, researchers at Kaspersky reported that 98% of victims were running Windows 7 and an insignificant amount were running Windows XP. Also, another security company said it was more like 60% running Windows 7, so there's obviously some overlap, but there seems to be a general agreement that Windows XP wasn't as big an issue as was reported by quite a lot of media at the beginning. Microsoft also released a public statement which was highly critical of government agencies stockpiling vulnerabilities. They didn't mention any name specifically, but it was quite clear who they were talking to.

So, profits: as of the 2nd of August I think they had received 52-point-something bitcoins, which was $140,000 from 338 payments. On the 3rd of August they started to move the bitcoins; they ended up transferring those into Monero, I believe through ShapeShift, to try and have a more anonymous currency. So compared to other ransomware attacks it didn't seem to be very profitable. CryptoLocker made three hundred thousand in its first 100 days, and that was back in 2013. So this was coming up to three months that we were talking about with WannaCry, again $140,000, so [unclear] 200,000, and I believe I heard of only a 0.3% payment rate, and CryptoWall made $325 million. I'm not too sure what the range of dates is for that statistic,

though. So why did WannaCry fail to collect as much money as previous ransomware campaigns, despite having access to some pretty sophisticated exploits? I'm going to go through four kinds of categories here.

The first issue is the payment tracking. They only used three Bitcoin addresses to track payments; successful campaigns will usually generate a unique Bitcoin address for each victim. So the way that they did it makes it difficult to verify who has paid, and it makes it easy for law enforcement and for researchers to track. They did actually try to implement unique Bitcoin addresses for each victim; there was a race condition which meant that didn't work and it just defaulted to the three. As seen in the code, the check payment button doesn't actually work. I think the functionality behind this should have been that it was going to send a .res file and a .eky file. The .res file would have some information about the user and the amount of files that were encrypted and stuff like that, and the .eky file is the encrypted private key, so then they could decrypt that private key and send it back and you'd be able to decrypt your files. But obviously they're not able to verify the payments without that, given the way the Bitcoin tracking was set up. The way they got around that: they sent out a message to all victims advising them to use a contact button, in which case a human operator is required to manually ask each victim which Bitcoin address they're going to send the ransom from. But the problem is if they've already sent the ransom: if I'd been infected by WannaCry and I see, okay, there's this Bitcoin address, they want $300, I could quite easily go and look on the blockchain and see who was the last person that sent money to this address. Okay, it was five minutes ago, this and this amount of Bitcoin from this address; I can go on the contact and say I did this five minutes ago, cool, where's my decryption key? I can't really see an easy way for them to be able to verify. The only way they could do it is to say, okay, don't send the payment until you've told us what address you're going to be sending it from and how much you're going to be sending. But yeah, so it's obviously a slow manual process considering how many machines were affected by this and how many people were probably willing to go and pay the ransom. There have been complaints from people saying "I paid and didn't receive a key", and those who did receive one obviously aren't generally too quick to say that they paid the ransom, so I don't really know the full figures.

The second issue is the kill switch. When WannaCry is executed it tries to connect to a hard-coded URL. Basically, if this responds, so if the domain resolves, it will take no further action. So there was an "accidental hero", as he was labeled by most of the media, MalwareTech, and he found that the domain wasn't registered and quickly registered it himself. More variants came out, but by this time most users had already been patched. I think by the time he registered the domain a lot of companies and people in the US hadn't started, like, getting ready for their day, sitting down at the computer and stuff like that, so it probably reduced the effect of WannaCry in the US particularly, a lot. And yeah, there were, sorry, more variants that came out. There was another one quite quickly which had a different hard-coded URL, and it was registered by a security researcher, and then eventually ones that had no kill switch at all, but by then most users were patched.

So why was the kill switch included? Some speculated it may have been an anti-analysis technique, or a means of stopping the malware if it got out of control. If you're running a sandbox or a manual analysis environment and you want to see if this piece of malware is going to make a connection out to this address, and you think that's the command and control server, you want to see what it's going to try and send or what it's going to try and request, and stuff like that. That might be down: the command and control server may have been taken down a while ago, or you may just not want to make that connection. So you might just kind of spoof that; just resolve the DNS anyway and try and see what it does. In that case you'll see that it does nothing because of this, so I'm not too sure if that was the reason. If so, I don't think it's a very good anti-analysis technique, but whatever the case anyway, they obviously made a mistake in failing to pre-register the domain, and I'm sure it hindered the profits.

So, third, the file recovery. There are a few of these; some researchers at Kaspersky

reported on some of these techniques based on the way that WannaCry encrypts files. Whenever it encrypts files it reads from the original file, encrypts the content and saves it with the extension .WNCRYT. After the encryption it moves the .WNCRYT file to .WNCRY and then deletes the original file. This deletion logic may vary depending on the location and the properties of the victim's files, potentially enabling file recovery, so we can take a look at some of these scenarios.

The first is files stored on the system drive, your C: drive, in important folders, so like Desktop and Documents. These files won't be retrievable; they're overwritten with random data before the removal, so we can't get them back with any forensics tools. All other files are moved to %TEMP% with a decimal number and .WNCRYT, and they'll be deleted without being overwritten if they weren't in an important location. This may allow us to retrieve some of them using standard data recovery techniques. Just a note as well: the researchers behind this suggest this holds for any important folders besides Desktop and Documents, but I found that files in Pictures and Music and stuff like that are recoverable, so it may actually just be Documents and Desktop. There are some folders which just will not be encrypted at all: Intel, ProgramData, Windows, Program Files, Program Files (x86), AppData\Local\Temp, Local Settings\Temp, Temporary Internet Files, and an interesting one, if I can scroll down:

Okay: if you had a folder called "This folder protects against ransomware. Modifying it will reduce protection", then it wouldn't have been touched. If all your important folders were inside a folder with that name then you would have been fine.

The second thing is files on non-system drives. If you've got your C: drive and a couple of other hard drives, WannaCry will deal with the files slightly differently: it will create a $RECYCLE folder and set the hidden and system attributes, making it invisible in the standard Windows configuration. The original files are supposed to be moved to this folder after the encryption, but due to synchronization errors in the code this doesn't always happen. In fact, for me it didn't happen on any of the samples or operating systems or anything that I tried it on. The files aren't securely deleted, so we should still be able to recover them with file recovery software.

The third, which I did have problems with: files set to read-only should be easily recoverable. The researchers who discovered these techniques indicated that WannaCry will only create an encrypted copy of these files, so it will create an encrypted copy, but rather than deleting the original it will simply apply the hidden attribute to it. So you should just be able to go to "view hidden files or folders" and you'll still have the original, and we can just modify the attribute and it should be back. I tried this on some four different operating systems, probably 15 to 20 different samples, with a variety of techniques for modifying permissions and things like that, and in no way could I get it to work. I've tried contacting the researchers, but so far, if anybody has any tips I'd be interested. So I'll exit this and show a quick demo. What's the time? Right, that was 12 hours, so I have a snapshot saved.

Okay, so this is a Windows 10 operating system. I've put some files around the place; I'm just going to focus on a couple of examples. So we have a read-only file here and a writable file beside it, both inside a folder on the Desktop, which is an important location, so they shouldn't be recoverable, but because this one is read-only it apparently shouldn't be deleted. For the images I've used here I've kind of specified what type of file it is and where it's located, because I have a lot of different, mostly cat pictures and stuff on here, so whenever you go through the file recovery software you see a lot of cats, and was that in an important location or not an important location, was it read-only, and so on. And I have some pictures, videos, music, stuff like that, but we're going to focus on those. Go to the C: drive: I have a "not important" folder; because this is not an important location it should be deleted, but we should be able to recover it, it's not securely deleted. And I have a file here just on the C: drive root, which shouldn't even be encrypted. As I say, there are certain folders that it tries not to touch, just in case it does anything to the operating system which is going to prevent you being able to actually make the payment. And then we have a secondary drive here, a non-system drive, so we should be able to recover that as well. So,

I'm going to run the WannaCry sample.

Okay, so as we know, when these files get deleted they'll get moved to this temp directory with the decimal number and .WNCRYT.

[unclear]

Yeah, so we have a ransom note there; you can see three days, the payment increases; seven days, the data is lost. So you can see this is filled up with .WNCRYT files now; I'm just going to wait and move on until most of these have been removed.

So mostly it's been removed. I'm going to go and open up, I'm going to use FTK Imager here, but there's also Autopsy, and you can use the scanner tools, but in Autopsy you have to create a case and it may be slower loading things up. So we'll add the C: drive. Yeah, I'll just show as well, sorry, [unclear].

It has encrypted the two files, read-only and writable, and in the hidden folders, what we don't have: we can't see the original. Okay, so

we're going to go to the C: drive and go to our

Temp, actually.

It was in... sorry, [unclear]. Okay, trying to sort by size, because we'll see some of the bigger images and stuff at the top.

Okay, it's not actually shown.

Okay, so I thought this wonderful demo... two seconds, I have

So I'll turn off the sound. I'll just skip to the same place; it's the exact same process, I just had a couple of times where it didn't work for me. I'll explain in a minute why, I think, maybe. But if we go into there

and Temp, changing to sort by size, and stop scrolling through some of them, you've got a couple of mp3 files, cat pictures from my Pictures location, so these can just be exported to the desktop and easily recovered in that way.

[unclear], conscious of time. As I scroll down here, just to show that the only one that it labels recoverable, in terms of the images we were focusing on, was

so it was a

yeah, the folder that was not the important location, which is the one that we were focusing on, and the other thing was the system drive. So if I add on the second drive you can see that it has created a $RECYCLE folder, but due to the synchronization error it didn't actually go in there. If you just go to the root directory where I had the original image, then it's recoverable; it wasn't securely overwritten. And yeah, that's basically what I was going to show. At the end there is my experience of running this: you have this hibsys.WNCRYT which, if you look at the size of it, if you keep refreshing this it will keep increasing, until if you leave it for a while you'll eventually get the message flashing on your screen, the same Windows "your computer's running out of memory", "low memory", and then it'll delete it. So these files, obviously they've been deleted, they haven't been securely deleted, but if you have something like that running, going over all the hard drive space, then you've only got a limited amount of time; you either need to suspend that process or get things done pretty quickly.

Okay, so the decrypter. A decrypter was released for WannaCry because of the way WannaCry, when it releases the decryption keys from memory, doesn't erase the

prime numbers that were used to generate the keys from memory; it frees the associated memory, so this means that the prime numbers can be retrieved from RAM and used to generate a new decryption key. There were tools created to do this: there's the WannaKey tool, which was released for Windows XP, and then WanaKiwi for Windows Vista, 7, Server 2003, 2008. These were combined, with the two different authors working together, so now we have WanaKiwi, which should work on any of these operating systems, officially 32-bit. I've tried it on some 64-bit systems, and the only one I could get it to work on was my only 32-bit system, which is Windows XP. Obviously this only works if the primes are still in memory, so if you restart your computer, or if you start a lot of applications and files and stuff like that, the prime numbers are going to be gone. So I have another demo for this. Alright,

Okay, I'm actually [unclear], so I may just quickly flick through the talk for it. Okay, yeah, so just create a file; I've just put some text into it,

and load this up, just so we know when WanaKiwi... just to note: the WannaCry executable, if it's called something else... I originally had this named as the MD5 of the sample and the tool wasn't working for me; it's explicitly looking for "wannacry", I see, so I had to rename it to "wannacry" for WanaKiwi to actually work. Obviously that could be pretty easy to modify WanaKiwi to deal with. So, run the sample:

You can see that it has been encrypted; I've opened the file and it's been encrypted. Basically waiting here, going to make sure that this new file gets deleted first, so it's gone through the full process of encrypting and deleting the files. It's just now been deleted, and we'll go and run the WanaKiwi process.

Pause up, see if... and actually you probably can't see too much. It starts just by searching for primes, searching for the primes in memory, finds prime one, prime two, saves the private key to a .dky file, and then it basically just loops through the files in the file system looking for anything with the WannaCry extension and then uses the decryption key to decrypt the contents. So you can see again we now have our text file back, decrypted. If you leave WannaCry running when you're doing this there's a good chance that by the time you go to open this file it's been encrypted again, so suspend the process, maybe. And obviously if you get hit by WannaCry you need to be quite aware that this decrypter is out there, because if you restart your computer or take any action, start opening a lot of stuff, then you'll lose the chance to use this tool.

Okay, so we're talking a little bit about attribution: who was behind WannaCry, and was their goal to actually make money here? We talked about some mistakes like the Bitcoin tracking system, the kill switch and stuff like that. Although new variants came out, it didn't actually appear that these updates were produced by the original authors; it was the binary being modified rather than actual source code, which isn't very typical of for-profit malware. Malware groups are likely to make sure they get as much money as they can; if they find a mistake they'll push an update and try and get as much money as they can, so it's strange that didn't happen. But state actors: North Korea, the Lazarus Group. For sure there was some code reuse by the Lazarus Group, but code reuse is pretty common in general in the malware scene; you know, if you're on forums or stuff like that, there's code going round, so I don't think it's a very solid attribution. However, the UK's National Cyber Security Centre finally attributed WannaCry to Lazarus. They didn't publicly confirm this or deny it; a source indicated to the Guardian that they had led an international investigation and determined that it was likely North Korea behind it. The NSA also came to the same conclusion, reported by The Washington Post; again, the conclusion was an internal assessment.

Some have argued that WannaCry might be the dawn of a new strategy of state-sponsored attacks. NotPetya came out not too long after WannaCry and they have some similarities, obviously in the sense of the exploits that they use. With NotPetya I think it'd be quite... I don't see how you can really make the argument that there was any intention of making money from it. WannaCry is a bit more difficult; you know, they did make some money from it, and you could just say they just weren't very good at making money, or it could be that they could have just been better at making it look like they wanted to make money. So I think that's interesting: in cases like that, if it's not about money, you have to kind of have a look and see what would be the objective, who's gained and who's lost from it, in terms of nation-states, in terms of groups, without going into some mad conspiracy theories. Others simply think it's just amateurs who were able to piece together some sophisticated exploits and do little more than that, which is certainly a possibility. I just think, with the timing of NotPetya as well, I have suspicions. Anyway, on the lighter side of attribution: if anybody's heard about it, the Marble Framework was released by WikiLeaks, CIA documentation where they talk about their options to basically fake attribution: to use code in different languages, to reuse code from other groups, in order to misdirect forensic investigations. So there are agencies, this has been leaked for the CIA but I'm sure it was not only the CIA, that are actively trying to falsify attribution. So how important is it anyway? It's just a distraction from some more important issues, like the fact that these vulnerabilities are still being introduced and software companies don't implement security by design, governments stockpiling vulnerabilities and developing exploits, and in the end making the internet less secure for everybody.

Lessons learned: what can we take away from WannaCry? Malware authors make mistakes, and white hats can use this to their advantage, by slowing down infections, for example by finding a kill switch, or by defeating the ransomware altogether through the development of a decrypter. Vulnerabilities need to be disclosed responsibly; it should go without saying, but they should be responsibly disclosed, not hoarded and exploited by three-letter agencies. On how to defend: you've all heard this generic advice plenty of times, but keep your operating system and software up to date, particularly security-related patches. Keep offline backups. Now this isn't really a defense, it's a recovery method; it doesn't change the fact that you've been compromised, but at least you'll get your data back. Use reputable and properly configured security products. Educate users: for a long time they have been considered the weakest link, and they open phishing emails and click on links they shouldn't, so people have been trying to educate users for a long time and the problem doesn't seem to be getting any better, so maybe some developers and security architects need to start looking at more technical solutions to take some of that burden away from users. Be prepared: there are some companies reportedly stockpiling bitcoins in case they get hit by ransomware. Even if you don't get hit by ransomware, if you have been stockpiling bitcoins then I think you're still doing pretty well from it. Don't pay the ransom, or at least not immediately. You may not get your data back; a decrypter may be developed soon, or not so soon in the case of Petya. Whenever NotPetya came out, the original Petya author released a master key to decrypt all three of the Petya variants, so anybody who had been hit by any of the three Petya variants in the past, if they still have their encrypted data, can now decrypt it. And paying encourages more authors, who will probably invest in more sophisticated malware, and encourages future generations of cybercriminals to join the ransomware game. Yep, that's my talk. Is there time for questions?
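The decrypter part of the talk (WannaKey / WanaKiwi) rests on one observation: the RSA primes used to build the victim's key pair were left in the process memory, and one surviving prime factor of the public modulus is enough to rebuild the private key. The following Python is an added example written for this page, not the talk's own code and not WanaKiwi's code; it simulates the recovery step end to end with a toy-sized RSA key and a constructed "memory dump" (the 8-byte little-endian layout, the key sizes and the fake buffer are assumptions for illustration, not WannaCry's real key format).

```python
# Added example (not from the talk): toy reconstruction of the WanaKiwi idea.
# One unwiped prime in memory + the public modulus n => the full private key.
import random

# Miller-Rabin with these fixed bases is deterministic for n < 3.3e24,
# far beyond the toy key sizes used here.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Deterministic Miller-Rabin primality test for the sizes in this demo."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits (toy sizes only, not for real use)."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def make_keypair(prime_bits: int = 64) -> dict:
    """Toy RSA key pair; p and q are returned so we can plant one in 'memory'."""
    e = 65537
    while True:
        p, q = gen_prime(prime_bits), gen_prime(prime_bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return {"n": p * q, "e": e, "d": pow(e, -1, phi), "p": p, "q": q}


def build_fake_memory(prime: int, prime_len: int = 8, size: int = 4096) -> bytes:
    """Constructed dump: random bytes with one prime left at an unknown offset,
    little-endian, mimicking a freed-but-never-wiped key buffer (assumption)."""
    buf = bytearray(random.getrandbits(8) for _ in range(size))
    off = random.randrange(0, size - prime_len)
    buf[off:off + prime_len] = prime.to_bytes(prime_len, "little")
    return bytes(buf)


def recover_private_exponent(n: int, e: int, memory: bytes, prime_len: int = 8):
    """Slide a window over the dump. Any window holding a non-trivial prime
    factor of n yields the other factor, phi(n) and therefore d."""
    for off in range(len(memory) - prime_len + 1):
        cand = int.from_bytes(memory[off:off + prime_len], "little")
        if 1 < cand < n and n % cand == 0 and is_probable_prime(cand):
            other = n // cand
            phi = (cand - 1) * (other - 1)
            return pow(e, -1, phi)
    return None  # primes already overwritten (reboot, heavy use): no recovery


def demo() -> bool:
    """Wrap a toy per-file key with the public key, then unwrap it using only
    the public key and the prime scraped from the fake dump."""
    random.seed(2017)  # deterministic toy run
    key = make_keypair()
    file_key = int.from_bytes(b"file-key-sample", "big")  # constructed, 120 bits < n
    wrapped = pow(file_key, key["e"], key["n"])           # what the victim holds
    dump = build_fake_memory(key["p"])                    # what WanaKiwi scans
    d = recover_private_exponent(key["n"], key["e"], dump)
    return d is not None and pow(wrapped, d, key["n"]) == file_key


if __name__ == "__main__":
    print("recovered per-file key:", demo())
```

The scan accepts a window only if it divides n and is itself prime, so random bytes almost never give a false hit, and a dump with no surviving prime returns None, which is the "you rebooted or opened too much" failure mode the speaker warns about.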