KPM

WannaCry/WannaCrypt
ransomware
Advisory
15 May 2017
KPMG Lower Gulf Limited

What is WannaCry?
WannaCry is malware – perhaps better categorized as ransomware – that has been
spreading globally since 12 May. Once a system is infected, the malware encrypts files
and then demands payment to decrypt files and restore access.
On an infected system, WannaCry will:
— Lock all data
— Instruct users on what to do next, which includes a ransom demand (typically US$300
to US$600 in bitcoins)
— Demand the ransom is paid within three days - otherwise the ransom and threat
increases, up to complete destruction of data
Carried out using

What you see
RSA-2048
Carried out using
encryption,
RSA-2048 there
have already
encryption, there
been over 45,000
have already been
attacks in over 70
over 70,000
countries.
infections in 150
countries
© 2017 KPMG Lower Gulf Limited, operating in the UAE and Oman, member firm of the KPMG network of independent member firms affiliated with KPMG International
Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
2
How does it work?
WannaCry infects systems using two routes:
1Phishing email
2
EternalBlue
E-mails with the subjects An exploit, developed by the
FILE_<5 numbers>, US National Security Agency
SCAN_<5 numbers> , (NSA) and released by the
PDF_<4 or 5 numbers> - Shadow Brokers hacker group
attachment nm.pdf - on 14 April, which exploits a
others almost certainly vulnerability in the Microsoft
exist SMBv1 protocol. EternalBlue
allows an attacker to take
control over systems which:
— Have the SMBv1 protocol
enabled
— Are accessible from the
internet or through an
internal LAN
— Have not been patched by
the MS17-010 fix released
in March 2017
3
Once infected, what does it encrypt?
Drives and network shares with:
1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi)
2. Less common, nation-specific office formats (.sxw, .odt, .hwp)
3. Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
4. Emails and email databases (.eml, .msg, .ost, .pst, .edb)
5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
6. Developers’ source code and project files (.php, .java, .cpp, .pas, .asm)
7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes)
8. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd)
9. Virtual machine files (.vmx, .vmdk, .vdi)
Full list:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks,
.wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw,
.xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp,
.602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak,
.tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd,
.ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg,
.vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch,
.dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf,
.ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay,
.mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm,
.max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
4
What should you do?
Important: this is by no means a complete list - nor will these
steps guarantee that you will not be affected. Blocking ports
may adversely impact systems and operations so should only
be done after careful consideration. KPMG cannot be held liable
for any adverse effects caused by following these steps. No one
Reiterate key messages and take additional should act on any information without appropriate professional
precautions: advice after a thorough examination of the particular situation.
Turn off attachments in email - emails without

Advise users not to open emails from unknown sources
attachments are better than no email at all!
Be wary of unsolicited emails that demand immediate Do not click on links or download email attachments sent
action from unknown users or which seem suspicious
Block all *.onion sites at edge firewalls Block ports TCP 445/139 at edge firewalls
Push out MS17-010 to every machine as a matter of

Externally scan all internet-facing ranges to confirm ports
priority
are blocked
Ensure adequate testing before patching
For Windows XP/2003 machines, consider using the inbuilt

firewall to block ports TCP 445/139 – although this will have
severe repercussions for domain-joined machines
Disable SMBv1! Click here
Practice safe online behavior Report all incidents to your IT helpdesk immediately
5
Infection patterns – Extent of the infection
Credit: Malware Tec
6
How can KPMG help?
Develop
incident
response
Test incident
capabilities
response
capabilities
using credible Help improve
scenarios security
defences
Help test
defenses
using our
ethical
hacking
teams
7
Our services
Our four service lines help organizations build cyber capabilities:
Security assurance Cyber defense User Guide fortesting

Security Charging Cyber response
Expenses
Click the icon to view the file
1. Cyber audits 1. Security operations 1. Penetration tests 1. On demand cyber
2. Security strategy center 2. Vulnerability and response
implementation
planning compliance 2. Retained cyber
2. Data security assessment response
3. Security program
framework
implementation 3. Security architecture 3. Cyber table tops
implementation
4. Security compliance reviews
3. DevSecOps
and risk assessments implementation 4. Social engineering
5. Cyber maturity 4. Cloud security 5. Threat hunting
assessment implementation 6. Red teaming
5. OT security
implementation
6. Cyber crisis planning
8
IT Advisory contacts:
Rajeev Batra Tareq Dreiza
Partner | Head of Consulting Partner | Head of ITA
+971 2 401 4839 +971 56 508 5141
raajeevbatra@kpmg.com tareqdreiza@kpmg.com
Raman Bharadwaj Sheikh Shadab

Director Associate Director
+971 50 240 2476 +971 56 545 0883
rbhardwaj@kpmg.com snawaz1@kpmg.com
Dr. Yamen Hamze

Associate Director
+971 56 895 2177
yhamze@kpmg.com
9
kpmg.com/socialmedia kpmg.com/app
The information contained herein is of a general nature and is not intended to address the circumstances of any particular
individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such
information without appropriate professional advice after a thorough examination of the particular situation.
© 2017 KPMG Lower Gulf Limited, operating in the UAE and Oman, member firm of the KPMG network of independent member firms
affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
The KPMG name and logo are registered trademarks or trademarks of KPMG International.

KPM

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

KPM

Hochgeladen von

Copyright:

Verfügbare Formate

WannaCry/WannaCrypt

KPMG Lower Gulf Limited

Carried out using

Turn off attachments in email - emails without

Push out MS17-010 to every machine as a matter of

For Windows XP/2003 machines, consider using the inbuilt

Credit: Malware Tec

Security assurance Cyber defense User Guide fortesting

Raman Bharadwaj Sheikh Shadab

Dr. Yamen Hamze

Das könnte Ihnen auch gefallen