eGambit EDR versus WannaCrypt Ransomware

This article explores the eGambit features used to fight the massive WannaCrypt ransomware attack. The reader will discover how Cyber Robots & Artificial Intelligence engines might get stronger than malware…

Introduction

On May 12, 2017, before noon, the cybersecurity community discovered the massive spread of a new ransomware abusing a well-known vulnerability in Microsoft Windows operating systems.

The vulnerability is covered by the MS17-010 security bulletin, for which a patch had been released on 14 March 2017.

Many computers were not protected against the related threats, such as old Windows XP machines as well as many recent but unpatched Windows systems (production infrastructures like SCADA equipment, unmanaged PCs…). Indeed, many infrastructures were not applying these two needed principles: Containment & Detection.

This article will not focus on the attack itself, as many web sites have already shared interesting information.

Instead, we will explain how the enhanced mechanisms proposed in the eGambit product had the power to detect and/or neutralize the threat automatically, worldwide and without human action.

eGambit protection

ABOUT THE WANNACRYPT RANSOMWARE

This malware has multiple names such as Wcry, WanaCry, WanaCrypt, Wanna Decryptor, etc.

Multiple strains were observed (with or without the famous kill switch…)

According to our security experts at TEHTRIS, the WannaCrypt malware was poorly written, as the attackers decided to work with a “mass market” approach.

Indeed, as explained by our stealth pentesters at TEHTRIS, it would have been more efficient for the attackers to build a fileless attack on top of the EternalBlue exploit.

Fortunately, the attack was not that dangerous despite what some newspapers said. A far more terrible attack could have existed, destroying tons of computers worldwide (especially when exploits have been known for months).

This is extremely interesting because eGambit is able to analyze and fight unknown programs when they appear on an infrastructure.

AUTOMATIC FIGHT AGAINST UNKNOWN THREATS

The full eGambit arsenal is able to automatically work against unknown threats.

Quick scenario example regarding a new threat (ransomware, APT…):

  • An eGambit Endpoint Security agent detects an unknown program (unknown worldwide)
  • This program is analyzed and sent back to the nearest available connected appliance for further analysis
  • The eGambit Forensics portal and its API are used by multiple robots to dissect and analyze potential weapons
  • Analysis with internal antivirus engines > might remain an unknown threat (signatures cannot always work with new samples)
  • Requests to worldwide databases like VirusTotal > unknown threat until someone submits it
  • eGambit internal sandboxes > DETECTION + interesting IOC > the eGambit Endpoint Security agent will know it within minutes
  • eGambit Artificial Intelligence > DETECTION > detection rate = 98.1% even with unknown Windows malware

eGambit can automatically detect & fight new threats like WannaCrypt, and the survival time of the malware worldwide is less than a few minutes.

NETWORK ANALYSIS

eGambit robots are able to automatically analyze new threats the way humans would, thanks to our powerful eGambit Forensics portal. This gives eGambit end-users 24/7 protection with humans + robots & artificial intelligence.

Example: with the WannaCry ransomware, here is the evidence of network traffic that was found:

(Figures: network activity 1 and 2)

DNS REQUEST

Security experts quickly found code in the binary that connects to a specific web site:

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

(the link no longer works; is there a new active link?)

This HTTP ping-like mechanism was a kind of kill switch already included in the malware:

  • What would have happened if this domain name had not been registered quickly enough?
  • The attack slowed down when this domain was registered by a security expert
  • Nevertheless, new versions came out without the kill switch option…

(Figure: DNS request)

NETWORK BEHAVIOR ANALYSIS

(Figures: network behavior analysis 1 and 2)

BEHAVIOR ANALYSIS THANKS TO eGambit HONEYTOKEN FILES

eGambit uses honeytoken files such as fake Office documents:

  • Each time a program tries to tamper with one of these files, an alert is triggered

Ransomware is easily detected with this method:

  • This ransomware appended new file extensions to multiple modified files (WNCRY, WNCRYT)
  • The Recycle Bin was also removed
  • Shadow Copies were potentially deleted
  • eGambit detected many weird related executions (see next slide) on these fake Microsoft binaries
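As an added example of the honeytoken approach described above (this is not eGambit code), the script below plants decoy Office documents, keeps a SHA-256 baseline, and reports any decoy that is modified, renamed or deleted, alongside a scan for the WNCRY/WNCRYT extensions the article mentions. The decoy file names, the alert format and the temporary directory are assumptions made for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the article reports WannaCrypt appended to encrypted files.
RANSOM_EXTENSIONS = {".wncry", ".wncryt"}
# Decoy names chosen to look like ordinary Office documents (constructed).
DECOY_NAMES = ("Budget_2017.docx", "Invoices_Q1.xlsx", "Board_Meeting.pptx")

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plant_honeytokens(directory: Path) -> dict:
    """Write the decoy files and return a {path: sha256} baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        p = directory / name
        # "PK" header so the decoy looks like a real Office (zip) document.
        p.write_bytes(b"PK\x03\x04 honeytoken " + name.encode())
        baseline[str(p)] = sha256_of(p)
    return baseline

def check_honeytokens(baseline: dict) -> list:
    """Alert on every decoy that was modified, renamed or deleted."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            alerts.append(f"HONEYTOKEN_MISSING {path}")
        elif sha256_of(p) != digest:
            alerts.append(f"HONEYTOKEN_MODIFIED {path}")
    return alerts

def scan_ransom_extensions(directory: Path) -> list:
    """List files carrying one of the WannaCrypt extensions."""
    return sorted(str(p) for p in directory.rglob("*")
                  if p.is_file() and p.suffix.lower() in RANSOM_EXTENSIONS)

def simulate_and_detect() -> dict:
    """Plant decoys in a temp dir, mimic the observed file tampering
    (one overwrite and one rename, no encryption) and collect the alerts."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        baseline = plant_honeytokens(d)
        (d / DECOY_NAMES[0]).write_bytes(b"overwritten")
        (d / DECOY_NAMES[1]).rename(d / (DECOY_NAMES[1] + ".WNCRY"))
        return {"alerts": check_honeytokens(baseline),
                "ransom_files": scan_ransom_extensions(d)}
```

In production the baseline would be stored outside the monitored host and `check_honeytokens` would run from a file-change notification rather than a one-shot scan.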

BEHAVIOR ANALYSIS THROUGH EXECUTED COMMANDS IN THE eGambit FORENSICS PORTAL

Multiple executed commands were easily found by the eGambit sandboxing system (the malware made no attempt at stealth). Beyond the fact that TOR was detected, new startup keys were detected in the Registry.

(Figure: behavior analysis through eGambit honeytoken files 2)

THE DROPPER TRIED TO CREATE A NON-STEALTH WINDOWS SERVICE LOOKING LIKE MS STUFF

eGambit FORENSICS versus WANNACRYPT

Our eGambit Forensics portal and its related API were able to detect WannaCrypt and to share the related IOC with all our robots worldwide within a few minutes, without human interaction.

The powerful sandboxing system was able to automatically identify these threats.

(Figure: WannaCrypt ransom message)

eGambit A.I. versus WANNACRYPT – DETECTION RATE 100% : 1 – 0

Beyond the previous eGambit sensors, our Artificial Intelligence engine also had to work on the malware.

The programs used by the WannaCrypt ransomware (dropper, etc.) were fully detected by the eGambit Artificial Intelligence engine with strong confidence.

Recently, an independent testing company in China (SKD-Labs) credited the eGambit Artificial Intelligence engine with a 98.1% detection rate. This engine uses no signatures (deep learning & neural networks).

(Figure: eGambit Artificial Intelligence diagram)

eGambit EDR versus WANNACRYPT : 1 – 0

Fighting the ransomware with the eGambit Endpoint Security agent worked better than traditional security, though we remain humble as new threats could try to be stealthier.

Once the programs were identified automatically thanks to our robots and artificial intelligence engines worldwide, the threats could be detected and neutralized directly.

Customers just need to enable a suitable neutralization policy inside eGambit.

(Figure: threat blocked)

INTERESTING RELATED HASHES (IOC)


CONCLUSION

  • Nothing will replace a good patch management policy, and this terrible worldwide incident reminds all of us that nobody should wait for attacks. We will all remain humble regarding the IT security threats that can happen, especially because of the proliferation of advanced weapons like the exploits used by WannaCrypt (~nation-state sponsored).
  • On top of the basic Windows security principles, we strongly recommend deploying advanced Endpoint Security agents with enhanced features (like eGambit, for example) in order to:
    • Help your antivirus against unknown threats (sandbox, Artificial Intelligence…)
    • Follow local system activity (spawn tree protections, persistent threat tracking, real-time process tracking…)
    • Analyze your Windows system logs (SIEM features, even on workstations)
    • Audit your Windows security (check CVE issues and improve patch management…)
  • For now, we have recorded 0 compromises worldwide by the WannaCrypt threat on all Windows systems protected by the eGambit Endpoint Security agent with neutralization activated.