Beruflich Dokumente
Kultur Dokumente
ransomware
Advisory
15 May 2017
RSA-2048
Carried out using
encryption,
RSA-2048 there
have already
encryption, there
been over 45,000
have already been
attacks in over 70
over 70,000
countries.
infections in 150
countries
© 2017 KPMG Lower Gulf Limited, operating in the UAE and Oman, member firm of the KPMG network of independent member firms affiliated with KPMG International
Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
2
How does it work?
WannaCry infects systems using two routes:
1Phishing email
2
EternalBlue
E-mails with the subjects An exploit, developed by the
FILE_<5 numbers>, US National Security Agency
SCAN_<5 numbers> , (NSA) and released by the
PDF_<4 or 5 numbers> - Shadow Brokers hacker group
attachment nm.pdf - on 14 April, which exploits a
others almost certainly vulnerability in the Microsoft
exist SMBv1 protocol. EternalBlue
allows an attacker to take
control over systems which:
— Have the SMBv1 protocol
enabled
— Are accessible from the
internet or through an
internal LAN
— Have not been patched by
the MS17-010 fix released
in March 2017
© 2017 KPMG Lower Gulf Limited, operating in the UAE and Oman, member firm of the KPMG network of independent member firms affiliated with KPMG International
Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
3
Once infected, what does it encrypt?
Drives and network shares with:
1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi)
2. Less common, nation-specific office formats (.sxw, .odt, .hwp)
3. Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
4. Emails and email databases (.eml, .msg, .ost, .pst, .edb)
5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
6. Developers’ source code and project files (.php, .java, .cpp, .pas, .asm)
7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes)
8. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd)
9. Virtual machine files (.vmx, .vmdk, .vdi)
Full list:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks,
.wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw,
.xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp,
.602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak,
.tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd,
.ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg,
.vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch,
.dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf,
.ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay,
.mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm,
.max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
© 2017 KPMG Lower Gulf Limited, operating in the UAE and Oman, member firm of the KPMG network of independent member firms affiliated with KPMG International
Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
4
What should you do?
Important: this is by no means a complete list - nor will these
steps guarantee that you will not be affected. Blocking ports
may adversely impact systems and operations so should only
be done after careful consideration. KPMG cannot be held liable
for any adverse effects caused by following these steps. No one
Reiterate key messages and take additional should act on any information without appropriate professional
precautions: advice after a thorough examination of the particular situation.
Be wary of unsolicited emails that demand immediate Do not click on links or download email attachments sent
action from unknown users or which seem suspicious
Block all *.onion sites at edge firewalls Block ports TCP 445/139 at edge firewalls
© 2017 KPMG Lower Gulf Limited, operating in the UAE and Oman, member firm of the KPMG network of independent member firms affiliated with KPMG International
Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
5
Infection patterns – Extent of the infection
© 2017 KPMG Lower Gulf Limited, operating in the UAE and Oman, member firm of the KPMG network of independent member firms affiliated with KPMG International
Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
6
How can KPMG help?
Develop
incident
response
Test incident
capabilities
response
capabilities
using credible Help improve
scenarios security
defences
Help test
defenses
using our
ethical
hacking
teams
© 2017 KPMG Lower Gulf Limited, operating in the UAE and Oman, member firm of the KPMG network of independent member firms affiliated with KPMG International
Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
7
Our services
Our four service lines help organizations build cyber capabilities:
© 2017 KPMG Lower Gulf Limited, operating in the UAE and Oman, member firm of the KPMG network of independent member firms affiliated with KPMG International
Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
8
IT Advisory contacts:
Rajeev Batra Tareq Dreiza
Partner | Head of Consulting Partner | Head of ITA
+971 2 401 4839 +971 56 508 5141
raajeevbatra@kpmg.com tareqdreiza@kpmg.com
The information contained herein is of a general nature and is not intended to address the circumstances of any particular
individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such
information without appropriate professional advice after a thorough examination of the particular situation.
© 2017 KPMG Lower Gulf Limited, operating in the UAE and Oman, member firm of the KPMG network of independent member firms
affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.