
Okay, right, well, good morning everyone. My name's Martin, Martin Lee, and I'm one of the technical leads from Cisco Talos. What I want to talk to you about today is WannaCry. I mean, it's now impossible to have any form of security presentation without mentioning WannaCry, so we might as well get at least one of the day's WannaCry sessions out of the way.

This presentation was really one that's born of frustration. Two days before WannaCry hit, on May the 10th, I was at a conference in the Netherlands talking to government regulators about the risk of self-propagating ransomware, how it was going to hit critical national infrastructure, and how we really, really need to do something about it, because this has been long, long overdue. So what really surprised me about WannaCry was just how long it took to happen, and why it didn't happen, you know, three, four, five years ago.

Obviously you'll have seen it in the news: large, large amounts of disruption across the world. You will almost certainly have heard of the disruption that it caused to the NHS in the UK. One other one which is really interesting, on the bottom left, that's a car park payment terminal. All the car park payment terminals in the Netherlands got hit by WannaCry and got taken out, which is kind of interesting. You know, why on earth are payment terminals open to the internet on port 445 in some way? It really didn't make sense.

Very quickly, a couple of interesting things about WannaCry. Obviously it contains the EternalBlue exploit, which in turn leads to the installation of the DoublePulsar backdoor, which is used for the malware to install itself on the vulnerable devices. First question: why? Because if you've got the exploit there, surely you don't need the backdoor; if you've triggered the exploit and are running code on the vulnerable machine, why bother having DoublePulsar? So something here is a little bit odd. It almost looks like someone's just copy-pasted the code to put it into the worm. Why have the two together? It's kind of a strange choice.

It then goes on, obviously, to scan the internal IP address space looking for other vulnerable machines, and also scans external systems. When it finds a vulnerable system we've got that EternalBlue exploit being triggered, installing the DoublePulsar backdoor, which is then used to install the malware itself. The first thing that it'll do, and remember this for later, is check the kill switch domain, and if it gets anything back from that HTTP GET request then it quits out and doesn't do anything further. So here we've got a really good trace to find devices that are infected. If it doesn't get anything back, well, then it will go on to scan the internal IP address space and infect other machines. It'll install the malware as well: it drops the tasksche.exe executable and then installs that as a service on the infected device, so we've got that persistence.

Then things start getting a little bit interesting and a little bit different. That tasksche.exe goes on to encrypt the files, and then we've got this really clumsy, strange system where we've got all these other files that are dropped. We've got a separate executable which is deleting the temporary files created as part of the encryption process; we've got this other executable, taskse.exe, which then goes on to call WanaDecryptor.exe, which is actually displaying the ransom note. So unlike other ransomware, the more professional ransomware that we see, where the ransom note is an image set as the desktop background on the infected device, here we've got a separate executable displaying the ransom note, which is kind of interesting. Suffice to say this really is quite different from the professional criminal ransomware that we see in circulation. So it looks like a new entrant into the game, or at least someone is writing this in a slightly clumsy way, but it was very, very effective in terms of spreading.

And the thing that really gets me is, well, why? What led to this happening? What actually caused this to take place across the internet, take root across the internet and spread so quickly? In my mind, and this is my personal view, we've got four factors in the threat environment that enabled WannaCry to happen. We have ransomware as a business, as a criminal business model: there's big money to be made in ransomware. We've also got a long history of self-propagating malware, of malware that can spread and can copy itself, infect devices and spread autonomously across the internet. We've also got this quite interesting thing of a democratization of threat, and
I'll talk about that in a minute. And the big one really is also complacency. You know, we talk about security, obviously, in the business; we hear about security so much, we're securing systems, but there's an awful lot of businesses and a lot of systems out there where the bare minimum, if that, is being done to secure them, and nevertheless more and more devices are being connected and are being exposed to these kinds of threats.

So let's start with the first one, self-propagating malware. Actually, I'll ask a question: does anyone know when self-propagating malware dates from, the first occurrence? So, '85, it's a very good guess. Higher, lower? Anyone think higher, more recently than '85? Anyone think earlier? Don't give me a guess, Joe, give me a guess. '79 is a very, very good guess. Any others? 1949: we have the very first, theoretical it must be said, theory of self-reproducing automata, written by John von Neumann. He designed the very first self-propagating piece of computer code, actually without having a computer, which is a fairly neat trick. Well, the theory behind it: his book was published after his death in 1966, but the work had been done in 1949. So we have a very, very long history of self-propagating computer code.

Fred Cohen, who was a graduate student in the early '80s, did a lot of work on the theory of computer viruses, predicting how they could spread and actually showing that this would happen, but his theoretical underpinning of self-propagating code was actually predated by what was happening in the field. Joe, your guess of 1979 was pretty good. The very first example of self-propagating code is actually from 1971, the Creeper, which was spreading on the DEC PDP-10s of the time connected to the ARPANET. So we have a first example of self-propagating code that would spread from machine to machine dating way back to 1971.

In 1979 we have a group of researchers creating the Xerox PARC worm. This is actually the first example referred to as a worm. They were looking at how their code could spread internally on their research machines; they left it running overnight and found that actually it had jumped out of the little research environment and gone on and infected all sorts of devices, causing them to crash. So here in 1979 we have our first example of a worm doing more damage than the writer ever thought possible, which is kind of interesting. Also interestingly, I'm sure you will be aware of all the fuss at the moment about fileless malware, how to detect malware that doesn't exist in a file, and the talk about how this is something new. Yeah, this, 1979, this is your first fileless malware. Fileless malware is not a new thing; it's been happening for a long, long time.

Fred Cohen, 1983, talking about viruses, talking about how they can spread in the wild. Our first example, Elk Cloner from 1982, the year before, this is our first Apple II malware, which would spread via diskette. Then we go on a few years, 1986, and we've got our first MS-DOS malware spreading in the wild, really the sort of grandfather of the Windows malware that we're seeing today. A first big example of an internet worm that spread and did loads of damage is the Morris worm from 1988, where we've got a young researcher writing a worm, wanting to try and infect systems, see how much it could spread. Again, hasn't learned from the past, from ten years prior to that: the worm spreads out of control, causes enormous amounts of havoc on the internet at the time, exploiting network vulnerabilities in the systems, spreading like wildfire, causing all sorts of havoc.

The early 2000s: if you're of a certain age you might have received an email, 'I love you', from one of your friends or colleagues in the spring of 2001. That again is an early example of self-propagating malware, a very nice social engineering trick: you get a message 'I love you' from the cute girl at reception, of course you're going to click and open that attachment, aren't you? It then reads your Outlook contacts and emails itself to all of those. Exploiting networked vulnerabilities on the internet, it spread like wildfire, caused absolute havoc and brought down email servers across the world. Throughout the 2000s we've got SQL Slammer, Code Red, a whole series of other worms, again exploiting network vulnerabilities, spreading like wildfire, causing all sorts of havoc. Our last example, 2008, the Conficker worm. In fact this is actually still spreading across the internet: if you set up a virtual machine running an old system of Windows XP, almost certainly sooner or later you'll get hit with Conficker. It's still out there. Again, exploited vulnerabilities in network services, spread like wildfire, caused absolute havoc. Are we seeing a pattern here?

2017: tumbleweed, nothing. We hadn't seen a major internet worm since 2008, and so all of these lessons about how quickly these things can spread, the amount of damage that they can cause, how do we detect them and how do we protect systems, that knowledge had been deprioritised, been lost. We've got new people coming into the business who don't have the experience of it, so all those lessons were lost, and so we come into the beginning of 2017 and, yeah, worms are missing, presumed dead, presumed extinct, a dinosaur of malware. In fact this wasn't the case.

Also going on, we've got the development of ransomware and cybercrime as a way of making money. You know, it's great to be able to make money with malware. To be in a system, you know, maybe we can find some really interesting data that can be exfiltrated and sold on the black market.
In fact that's, you know, really a lot of work. Also, not all data can be sold. There is very little in terms of a black market for second-hand PowerPoint presentations, or indeed pictures of my dog; nobody really wants to buy this in an underground market. Nevertheless, it's something which is really valuable to me. So if I turn on my computer and, instead of my lovely presentation to give you this morning, I get a ransom note, someone has held my otherwise valueless PowerPoint presentation to ransom and won't give it back unless I pay money. Yeah, of course you're going to pay; at least, of course you're going to consider paying. But again, ransomware is not a new thing.

Again, I'll ask the question: when do we think ransomware dates from? If you put a year on the earliest ransomware? Yes, 1997, that's a very, very good guess. Higher, lower? Forty-eight? Wow, no, that's really, really optimistic. Eighty-seven was a really, really good guess. In fact the first example of ransomware dates from the very tail end of the 1980s, 1989. It was genuinely invented by an insane criminal genius. A very interesting story: the guy who created this first piece of ransomware actually had a grudge against the medical community. He spread this Trojan that looked like a clinical tool; in fact, if you opened it on your system, it would encrypt the files, only the file names, with a symmetric form of encryption, and demand that you pay a ransom by cheque to an address in Panama, obviously leaving a really big, easy trail to find the guy. He was arrested, he was brought to trial, and actually found unfit to stand trial due to insanity. So this was a genuine insane criminal genius, just like out of Batman. So he invented this first example of ransomware.

Basically not a lot happened until we've got this first criminal form of ransomware happening in the mid-2000s, spread by email. This time we've got a better way of collecting money, paying through e-gold or e-currencies. Over time that ransom is increasing in cost bit by bit, the encryption is certainly getting better, and by 2014 we've got these big, very, very professional forms of ransomware which are being spread across the internet. 2016 we've got something new: we've got SamSam, which is our first example of ransomware which has been targeted against organisations specifically. Instead of just trying to spread and infect as many systems as possible, it's going for specific businesses and making more money that way.

In fact there is a lot of money to be made out of ransomware. One of my favourite stories is this one. It's a luxury hotel in Austria. It was reported in the press that the hotel was hit by ransomware which locked clients in their rooms. In fact that wasn't the case. What happened was the computer which programmed the key cards, so that guests could get in and out of their rooms, was actually hit with ransomware, so the hotel couldn't check new people in because it couldn't issue a new key card to get into your room. So the functioning of the hotel was brought to a halt. So when the bad guys are claiming a 1,500 euro ransom to be paid, well, yeah, of course the hotel is going to pay. The most interesting thing about this is that that wasn't the first time it had happened; it was the fourth time that this hotel had got hit with ransomware, and there is nothing that makes me think that this is unusual. So for the bad guys, yeah, if you can just hit this hotel again and again and again, and you can get 1,500 euros per time, and this is only one hotel, there is a lot of money to be made there for the bad guys to use this as a criminal business model to make money, and also to reinvest some of this money in making newer and better forms of ransomware.

Which brings us to SamSam. So SamSam was specifically targeted against organisations in the healthcare sector, looking to infect the patient care records, all those databases that are used in hospitals to process patients. If you can do that, the entire hospital grinds to a halt, in which case the bad guys can ask for incrementally much, much more money than you can for a hotel, and there are enough stories and anecdotes out there about, you know, ransoms in excess of ten thousand dollars being paid. There is big money to be made in this.

Which brings us to the eve of WannaCry, May the 11th, where we saw the latest form of ransomware, Jaff. This is kind of a fairly standard form of ransomware distributed over email, almost no social engineering in it: we've just got a title or subject line and an attachment, a PDF attachment. If you open the email, click on the attachment, it's got JavaScript in it which will open a Word document which is embedded within the JavaScript; that will ask you to enable macros in order to open it. If you enable the macros it will go on and download the ransomware and encrypt your system, and you will come up with this particular ransom note. This particular malware was the one that much of the industry was confusing with WannaCry. When WannaCry came out there were a lot of people saying it spread by email, it spread by email; when we looked at it, all of the examples that they were giving were actually Jaff, which had happened the day before. So it's very easy to get things mixed up.

One of the key things that I think is
driving innovation in the threat environment is threat democratization, a democratization of technology moving from very sophisticated threat actors down through to the least sophisticated ones. Well, the best example that I have of threat democratization and the democratization of technology is this. At the time of the Cuban Missile Crisis in the early sixties, the world was absolutely captivated that the world's number one superpower, the United States, had this technology where they could peer down from space and photograph the missiles in Cuba on the docks, and this was revolutionary technology that was only available to the world's most sophisticated superpower. Today, anyone in their front room has got access to Google Earth. You can go and see exactly the same place, what it looks like now; you can go and count the aeroplanes and the missile bases in North Korea if you so wish. That technology has been democratized to the point that it's no longer only accessible to the President of the United States; it's accessible to anyone in their front room. Even now it's incredible how this technology has moved.

I think the same thing is happening when it comes to cyber weapons. So, I should stress, this has been recorded, this is declassified stuff which is legitimately in the public domain; it's not like I've hacked any computers. But we've got the traces in the historical record that in 1997 the authorization was given to the NSA to develop computer network attack technology. A few years later, in 2003, we've also got these first reports that are kind of hinting that actually that mission has been successful, and now we had the development of official doctrine that these weapons could be applied in the real world. On the other side, we've also clearly got the development of adversaries, in that, you know, the United States is not the only country which is developing this, and we've got indictments against a certain other third-party country accusing them of having conducted cyber espionage from 2006 onwards. So we've got this evidence that there is offensive cyber capability being developed by superpowers, and in fact if we look at the same analogy for satellites or surveillance technology, really it's only going to be a matter of time before that technology becomes democratized and gets into the hands of unsophisticated threat actors.

In fact we only had to wait until 2016, where we've got the threat actors the Shadow Brokers, who are putting up offensive cyber tools and exploits which they're claiming are coming from a three-letter agency. It's put up for auction on August the 13th. We don't know whether that auction was successful or not, or whether something changed within the motivations of the Shadow Brokers, but on April the 14th of this year that code was put in the clear, available for anyone. Very quickly afterwards we've got these traces of unsophisticated threat actors taking these tools that have been released online and going out and compromising systems. So all of a sudden we've created this environment where we've got this democratization of very, very sophisticated tools and exploits, and releasing that to unsophisticated threat actors to do as they wish.

Our last factor is complacency. Actually, I'll ask the question again: when do you think the first vulnerability was discovered in electronic communications? Absolutely spot on. So Marconi, one of his first demonstrations of wireless telegraphy, it was 1901, he did a demonstration in a hotel in London about transmitting Morse code and decoding it in front of an audience. What he didn't know was that at the time there was a prankster in the next building who was actually doing the same thing, and was pranking his demonstration by sending rather offensive, shall we say, Morse code messages that were being decoded in the room whilst Marconi was trying to do his genuine demonstration. So as soon as electronic communications had been discovered, we've got people that are hacking it. And the history of computing: if you think about Bletchley Park and the work that was done during the Second World War, basically they were exploiting vulnerabilities in the German cryptography. The history of computers is the history of vulnerability and of exploiting those vulnerabilities.

As we're creating the internet and we're adding more and more systems to the internet, the number of vulnerabilities that are being discovered is actually static, which in many ways is good news: it's not getting incrementally worse as a problem. We're finding about the same number of vulnerabilities per year in 2016, more or less, as in 2006. The really good news is that those vulnerabilities which are trivial to exploit have dropped from about 30 percent of vulnerabilities down to, you know, slightly less than one in five. The bad news is that one in five vulnerabilities that are still being found are actually trivially exploitable, and also they're not getting patched. So SamSam, which was that sophisticated ransomware targeting systems, exploiting network vulnerabilities: we know the vulnerabilities that were being exploited, they dated from 2010, 2012, 2014. When we looked in 2016 at the vulnerabilities that had been exploited by the bad guys, we identified 3.2 million unpatched devices connected to the internet. So even knowing that these quite important vulnerabilities can be exploited remotely by attackers to get control of the device, they're still not really being patched in the wild.

So we've created this environment where we've got the motivation for the bad guys to write ransomware, we've got the possibility for these things to spread, we've got a history of self-propagating code, and we've got many, many unpatched devices that are out there, potentially through a lack of knowledge or a certain degree of complacency, but these aren't really
being taken seriously. Which brings us to the morning of May the 12th of this year. Our very first trace, looking at our honeypot port 445 connections: we've got this sharp uptick from 08:00 UTC where we've got a large, large number of connections being made to our port 445 honeypot. There's always a background level of noise, there's always connections going on, but you can see just how quickly that ramps up, and we've got the spread of WannaCry captured in the data. This isn't our earliest trace. Our earliest trace comes from our DNS telemetry, where we have the first connection to that kill switch domain from 07:40 UTC. So the very, very first connection that we see in telemetry, I think this is probably within a couple of minutes of the start of the infection, that then grew massively throughout the day. By the evening, 18:00, we've got this enormous spike, which is probably due, to be fair, to a lot of researchers looking at this, but we've got that trace captured from the very, very beginning of the infection going forwards.

So we know again, from what's been published, by late morning we've got the NHS computers which are being infected. About 2:00 p.m. we've got that kill switch domain being registered, which is enough to actually then stop the spread of the malware, where there's now just some kind of splash screen. By the late afternoon we've got many in the security industry saying it's an email, it's an email; well, actually, no. Evening, we've got ourselves and others being able to say, yeah, it's a pure network worm, it's not being spread by email. But those connections and that disruption are still happening, because on the 19th of June, which is more than a month after the malware came out, we've got manufacturing plants that are being shut down. And if we think that Conficker from 2008 is still in distribution now and still happening, I think we can be fairly sure that at least WannaCry, despite the kill switch, is probably still going to spread in some way if it can't make that connection to the kill switch domain. So I don't think this is something which is going to go away.

Obviously it caused a large amount of damage and a large amount of havoc. However, I think we actually did pretty well. You know, at least in the UK the banking system continued to function, you could still get money out of the ATMs, the railways were still working, we still had transport, we didn't have traffic lights being taken down, and the lights stayed on, we still had electricity. So there's much to take, there's a positive note here, and there certainly is at least a certain amount of protection happening in many critical infrastructures which were resistant to WannaCry, which is very, very good news.

However, I said at the time that this is not the first to hit the internet and it will not be the last, and so, obviously, just six weeks later we've got NotPetya. In this case not a ransomware worm but a wiper piece of malware, self-propagating, spreading across the internet, again causing havoc in unsecured systems and taking down all sorts of critical systems, almost certainly with a different intent than WannaCry, not ransomware but a wiper, a destructive piece of malware, nevertheless also using this self-propagating fashion in order to spread. Kind of, WannaCry is acting as the thought leader for malware, showing the way to malware writers of just how destructive self-propagating malware can be, and going on and inspiring others to conduct these kinds of attacks.

So in terms of protection, what can we do? Well, working in the security industry we're in a place to actually do something about this and to protect systems. There's only so many ways that you can do this; it doesn't have to be enormously complicated. The great kryptonite of ransomware is backups: if you've got good backups in place then even if a system gets hit with ransomware you can restore and get it back to functioning as it was before. Keeping that bad stuff outside of the perimeter of your organisation and keeping it away from the end users, especially if it's coming in as malware through email, or keeping those vulnerable elements of devices fully patched, again you're keeping that malicious stuff outside of your network. If it does get in, well, if you've got good network segregation, good network architecture, and you're actively looking for and blocking that malicious network activity, we can stop it spreading. Good old-fashioned desktop AV still has its place; it's not necessarily the best protection that's out there, but it certainly is a lot better than nothing, and it will give you the means of being able to deactivate the malware if you see it. And of course the other big thing is preparing for it: when it happens, knowing what to do, knowing who to call, knowing what you're going to do, and knowing how you're going to detect it.

Because ultimately these forces, these factors that have created WannaCry, are still there. Ransomware is still there as an opportunity; this is a massive criminal opportunity for the bad guys out there. Self-propagating malware is still going to happen; we've still got this environment where it's possible. Democratization of threat and technology, that's just going to keep happening, so we've got to plan for it. That sophisticated stuff now in the hands of the superpowers, you can be certain that's going to get into the hands of the criminal threat actors, and also the script kiddies eventually. And what we can act on, and what we can reduce, is that degree of complacency: expecting the worst, and expecting that next piece of self-propagating malware, because it's definitely, definitely going to happen, and what we want is now to be prepared for it so we can actually reduce the amount of impact that it will cause.

And with that I'll thank you very, very much for listening. I strongly encourage you to go and read our blog, where we publish our research, and open it up for questions. What more can I say? What more would you like to know? Yeah, please. You know what, I can't, I can't remember offhand. It is on the internet, if
you search for it. The guy who did it, he was, I believe, if I remember correctly, a professional magician who had a history of just, like, doing pranks and so on. Basically this guy was the world's first troll. So we've got Marconi in front of a very, you know, very posh, distinguished audience demonstrating this new invention, and we've got the world's first troll nearby, realising that in fact this is a completely unprotected mechanism. You know, it was really, really childish stuff; it was something like 'Marconi smells', or along those lines. But, you know, what genius to come up with this idea: here's this brand new mechanism, you know, now it gives us television, it gives us mobile phones, it links the world together, and here's this guy, 'I'm gonna make fun of it'. It's absolute genius, and it showed the way forward, really, for so much of where we are now. I think it's partly part of human psychology and human behaviour, of wanting to try and subvert things, but for this guy to do it so early in this new medium I just think was absolute genius. It's out there, there are reports about it; I think it's fascinating. Please.
Yeah, so NotPetya isn't the first destructive wiper that we've seen. If you go back, as early as 2010, the Shamoon attacks in the Gulf region: there were 10,000 laptops that were wiped in a single organisation in a single attack. So I think there we've got at least that attack. I thought it was absolutely fascinating: here we've clearly got a threat actor which is making a statement. They're doing this to say something, rather than the criminal threat actors who are trying to make money from it, rather than the hacktivists trying to score political points or spread a message. Here we've got someone really making a very, very strong point: 'we can destroy you', basically. And I think we're seeing much the same thing in NotPetya. Yeah, this again was a strong message; it was strongly targeted against a single country, and, yeah, we've got this bit of 'yeah, we can cause damage to your infrastructure'. So behind an attack there is a person, there is someone conducting this attack, they have some kind of agenda and there's something that they're trying to achieve. And I think thinking about what are the types of threat actors that we're exposed to, what types of things can we be exposed to, and what are the people who would do us harm seeking to achieve, I think going down those routes and thinking about it, then you can think about how we can protect our systems, or better target the protection that we've got in place, in order to hit and prevent the types of attacks to which we're likely to be exposed.
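The two infection traces the speaker describes, the DNS lookups of the kill switch domain (a host that queries it has already been exploited, whether or not it went on to encrypt) and the sharp ramp in port 445 connections above the normal background, as defender-side detection logic over log lines. This is an added example written for this transcript; it is not code from the talk or from Cisco Talos. The log format, the IP addresses, the timestamps, the spike factor and the kill switch domain name (a placeholder, not the real one) are all constructed.

```python
"""Triage helpers for two WannaCry-style infection traces over constructed logs.

Added example, not from the talk. Formats, addresses and the domain are invented.
"""
from collections import Counter
from statistics import median

# Placeholder standing in for the worm's kill switch domain (not the real one).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed DNS telemetry: "<ISO time> <client ip> <queried name>".
DNS_LOG = [
    "2017-05-12T07:40:12Z 10.0.3.17 killswitch-placeholder.example",
    "2017-05-12T07:41:03Z 10.0.3.17 update.vendor.example",
    "2017-05-12T07:52:44Z 10.0.9.81 killswitch-placeholder.example",
    "2017-05-12T08:05:10Z 10.0.9.81 killswitch-placeholder.example",
    "2017-05-12T08:06:27Z 10.0.2.5 mail.corp.example",
]

# Constructed honeypot connection log: "<ISO time> <src ip> <dst port>".
# A few background connections, then a burst from one scanning host.
BACKGROUND = [
    "2017-05-12T05:12:00Z 198.51.100.7 445",
    "2017-05-12T05:48:00Z 203.0.113.9 445",
    "2017-05-12T06:10:00Z 198.51.100.7 445",
    "2017-05-12T06:45:00Z 203.0.113.9 22",
    "2017-05-12T07:20:00Z 192.0.2.33 445",
]
BURST = [f"2017-05-12T08:{m:02d}:00Z 10.0.3.17 445" for m in range(0, 60, 4)]
CONN_LOG = BACKGROUND + BURST


def kill_switch_lookups(dns_lines, domain=KILL_SWITCH_DOMAIN):
    """Map each client that resolved the kill switch domain to its first lookup time.

    Every such client is a candidate infected host: the worm performs this
    lookup before it scans or encrypts, so the query itself is the trace.
    """
    first_seen = {}
    for line in dns_lines:
        ts, client, name = line.split()
        if name.lower() == domain and client not in first_seen:
            first_seen[client] = ts
    return first_seen


def earliest_trace(dns_lines, domain=KILL_SWITCH_DOMAIN):
    """Timestamp of the first kill switch lookup seen, or None if there was none."""
    seen = kill_switch_lookups(dns_lines, domain)
    return min(seen.values()) if seen else None


def connections_per_hour(conn_lines, port=445):
    """Count inbound connections to `port`, bucketed by hour ("YYYY-MM-DDTHH")."""
    counts = Counter()
    for line in conn_lines:
        ts, _src, dport = line.split()
        if int(dport) == port:
            counts[ts[:13]] += 1
    return dict(counts)


def spike_hours(counts, factor=5.0):
    """Hours whose count exceeds `factor` times the median hourly count.

    The median stands in for the always-present background noise the speaker
    mentions; the constructed burst is far above it, as a worm scan would be.
    """
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(hour for hour, n in counts.items() if n > factor * baseline)


if __name__ == "__main__":
    print("candidate infected hosts:", kill_switch_lookups(DNS_LOG))
    print("earliest trace:", earliest_trace(DNS_LOG))
    hourly = connections_per_hour(CONN_LOG)
    print("445 connections per hour:", hourly)
    print("spike hours:", spike_hours(hourly))
```

One caveat a practitioner should keep in mind: once the kill switch domain was registered, lookups also came from researchers, sandboxes and reputation systems, so the DNS trace identifies hosts to triage, not a confirmed list; likewise a host that got a successful response to the kill switch request did not encrypt, but the exploit had already run against it.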