Learning: Reversing Malware

Have you ever wanted to learn about reversing malware? There is no better way to understand exploits and infections. It’s essential as attacks evolve: we need to understand what’s being leveraged, how, and why. It’s fascinating, and yes – you can do this. Dream big! Aim high!

@MalwareUnicorn (Twitter) is one of the best there is at this and she shares her wisdom and knowledge online. I’ll make you a deal – let’s start learning this together. I promise regular progress updates.

Here is her site. Let’s get going!


Current Safeguards Against Ransomware

First and foremost: backups. Test them. Make sure the restore is what you need it to be.

Have an Incident Response plan in place that specifically covers cyber incidents and ransomware, and a Disaster Recovery Plan (DRP) that does the same. Designate one person, and only one, as your crisis spokesperson, because not everyone should have the talking stick.

I have taken this directly from the UK’s National Cyber Security Centre (NCSC); Britain’s NHS hospitals took a big hit from WannaCry:

For Home and Small Business Users:

1. Keep Windows up to date

To update your version of Windows:

Note: We strongly recommend that you do not continue to use unsupported operating systems, but instead upgrade to one which receives regular security updates from the vendor.

2. Run antivirus

  • Make sure your antivirus product is turned on and up to date. Windows has a built in malware protection tool (Microsoft Defender) which is suitable for this purpose.
  • Run a full scan to make sure your computer is currently free of all known malware.

3. Keep a safe backup of your important files

  • Regularly create a backup copy of your important files (such as photos, documents, and other files that can’t be replaced). If you have backups of files that you can recover, you can’t be blackmailed.
  • Make sure that this copy is kept separate from your computer. If it’s on a USB stick, or a hard drive, or on any type of removable media, do not leave it connected (or anywhere on your network) or it may also be attacked by ransomware.
  • You should consider using cloud services to back up your files. Many cloud service providers (for example, email providers) offer an amount of cloud storage space for free.
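“Test them” and “make sure the restore is what you need it to be” are the steps people skip. The following is an added example, my own code and not part of the NCSC guidance quoted above: it writes a SHA-256 manifest of the files at backup time (keep the manifest on the offline media and somewhere else, never only on the machine being backed up), then checks a restore, done to a scratch location and not over the originals, against that manifest and reports what is missing, altered, or unexpectedly present. All paths in it are placeholders.

```powershell
# Added example: manifest-based backup and restore verification.
# Paths are illustrative placeholders; run the test against a restore made to
# a scratch folder or throwaway VM, not against the original machine.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)] [string] $SourcePath,   # folder that was backed up
        [Parameter(Mandatory)] [string] $ManifestPath  # CSV to write; keep a copy off the backed-up host
    )
    $root = (Resolve-Path -Path $SourcePath).Path.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            Length       = $_.Length
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)] [string] $RestoredPath, # where the restore landed
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $root     = (Resolve-Path -Path $RestoredPath).Path.TrimEnd('\')
    $expected = @(Import-Csv -Path $ManifestPath)
    $missing  = New-Object System.Collections.Generic.List[string]
    $changed  = New-Object System.Collections.Generic.List[string]

    foreach ($entry in $expected) {
        $full = Join-Path -Path $root -ChildPath $entry.RelativePath
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
            $missing.Add($entry.RelativePath)
            continue
        }
        $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($hash -ne $entry.Sha256) { $changed.Add($entry.RelativePath) }
    }

    # Files in the restore that the manifest never listed: typically ransom notes
    # or renamed encrypted copies if the backup media was reachable when the
    # ransomware ran.
    $known = @{}
    foreach ($e in $expected) { $known[$e.RelativePath] = $true }
    $extra = Get-ChildItem -Path $root -Recurse -File |
        ForEach-Object { $_.FullName.Substring($root.Length).TrimStart('\') } |
        Where-Object { -not $known.ContainsKey($_) }

    [pscustomobject]@{
        Verified = $expected.Count - $missing.Count - $changed.Count
        Missing  = $missing
        Changed  = $changed
        Extra    = @($extra)
        Passed   = ($missing.Count -eq 0 -and $changed.Count -eq 0)
    }
}

# Usage (placeholder paths): manifest at backup time, verification after a restore.
# New-BackupManifest -SourcePath 'D:\Documents' -ManifestPath 'E:\backup-2017-05-13.csv'
# Test-BackupRestore -RestoredPath 'C:\RestoreTest' -ManifestPath 'E:\backup-2017-05-13.csv'
```

A restore that reports `Passed = True` with an empty `Extra` list is the evidence you want before you trust the backup; a non-empty `Changed` list against a manifest you wrote before the incident tells you the backup set itself was touched, which is exactly the case the “keep it disconnected” advice above is meant to prevent.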


From Sophos:

What to do if you get ransomware:

If a small business has been a victim of ransomware and is worried about the infection spreading to other parts of its network, these steps may help guide your actions:

  • Immediately disconnect your computer, laptop or tablet from the network. Turn off your Wi-Fi.
  • Safely format or replace your disk drives.
  • Whilst you’re still disconnected from your network, directly connect this computer to the Internet.
  • Install and update the operating system and all other software.
  • Install, update, and run antivirus software.
  • Reconnect to your network.
  • Monitor network traffic and/or run antivirus scans to identify if any infection remains.

Files encrypted by the WannaCry attack have no way of being decrypted by anyone other than the attacker. Don’t waste your time or money on services that are promising to do it.

The NCA encourages industry and the public not to pay the ransom. If you do:

  • There is no guarantee that you will get access to your data.
  • Your computer will still be infected unless you complete extensive clean-up activities.
  • You will be paying criminal groups.


For Enterprise and Larger Organizations:

Deploy the patch for MS17-010 on Windows systems

If you are running a supported version of Windows and have been applying patches automatically from Windows Update as recommended by the NCSC, then you should already be protected against this malware.

If updates have not been applied automatically, the patch for this specific vulnerability can be found at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx or via Windows Update for currently supported operating systems.

For legacy platforms such as Windows XP, Server 2003 and Windows 8, an out-of-band patch has been made available by Microsoft. This patch cannot be applied via Windows Update, and must be installed specifically in this case. This patch is available from https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks

If it is not possible to apply this patch, disable SMBv1

As SMBv1 is a vector by which the malware spreads, this can be disabled to prevent further infection if specific systems within an organisation become affected. Guidance for Windows systems is available at https://support.microsoft.com/en-us/help/2696547

If the above is not possible, you may be able to block SMBv1 ports on network devices and host-based firewalls on workstations. These ports are:

  • UDP: 137 and 138
  • TCP 139 and 445

If this is not possible, isolate the use of legacy technology as much as possible within your organisation

If it is not possible to completely disable SMBv1 or apply the necessary patches, then the devices still vulnerable to MS17-010 should be isolated within your enterprise network to the maximum extent possible. The use of network segregation techniques, other approaches for minimising the chances of compromise, and limiting the subsequent harm, are described in the NCSC’s guidance for obsolete technologies.
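The four steps above (patch MS17-010, otherwise disable SMBv1, otherwise block the SMB ports, otherwise isolate) are the order of preference; the first two can be checked and applied from PowerShell. The block below is an added example of mine, not NCSC’s or Microsoft’s code. It reports whether one of the MS17-010 updates is installed and turns SMBv1 off using the registry value and service settings from the KB2696547 article the guidance links. The KB list is my own assumption about which update IDs correspond to MS17-010 on common builds and must be checked against the bulletin for your environment; on Windows 10 later cumulative updates supersede these IDs, so “not found” there is not proof of exposure. Run it elevated.

```powershell
# Added example: MS17-010 presence check and SMBv1 disable (KB2696547 method).
# Run from an elevated PowerShell session. Reboot required for the server-side change.

# ASSUMPTION: update IDs for MS17-010 per OS; verify against the MS17-010 bulletin.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012598',                          # out-of-band update for XP / Server 2003 / Windows 8
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607 (later CUs supersede these)
)

function Get-Ms17010Status {
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OsVersion    = [System.Environment]::OSVersion.Version.ToString()
        Ms17010Kb    = if ($found.Count) { $found -join ',' } else { $null }
        Patched      = ($found.Count -gt 0)
    }
}

function Get-Smb1Status {
    # Server side: the SMB1 value under LanmanServer\Parameters; absent means enabled (the default).
    $server = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                               -Name SMB1 -ErrorAction SilentlyContinue
    # Client side: the SMB1 redirector driver service mrxsmb10.
    $client = Get-CimInstance -ClassName Win32_Service -Filter "Name='mrxsmb10'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = ($null -eq $server -or $server.SMB1 -ne 0)
        Smb1ClientStartup = if ($client) { $client.StartMode } else { 'not present' }
    }
}

function Disable-Smb1 {
    # Server side (all versions): registry value from KB2696547, effective after reboot.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                     -Name SMB1 -Type DWord -Value 0 -Force
    # Windows 8 / Server 2012 and later expose the same switch as a cmdlet.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # Client side: remove the workstation service's dependency on the SMB1 redirector, then disable it.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

Get-Ms17010Status
Get-Smb1Status
# Disable-Smb1   # run once you have confirmed nothing still depends on SMBv1 (old NAS units, printers, Samba 3.x)
```

Run the two `Get-` functions across your estate first (they are read-only) so you know which machines are unpatched and still have SMBv1 on; `Disable-Smb1` is the fallback for the ones you cannot patch, and it will break anything that can only speak SMBv1, so inventory those dependencies before you push it.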

Ensure antivirus products are updated

Antivirus vendors are increasingly able to detect and remediate this malware, therefore ensuring that any on-host and boundary antivirus products in use within your organisation are up-to-date will likely provide additional protection.

Further Information

Work done in the security research community has prevented a number of potential compromises. To benefit, ensure that your systems can resolve and connect on TCP port 80 to the following domains:



Unlike most malware infections, you should not block these domains. Note that the malware is not proxy aware so a local DNS record may be required. This does not need to point to the internet, but can resolve to any accessible server which will accept connections on TCP port 80.
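Whether a given machine can actually reach the kill-switch domain is worth checking rather than assuming, and the check has to be done the way the malware does it. The block below is an added example of my own, not NCSC code. The domain names are not reproduced on this copy of the page, so `$KillSwitchDomain` is a placeholder to be filled from the NCSC/CiSP material. It uses a raw DNS lookup and TCP connect rather than `Invoke-WebRequest`, because a web request would go through the system proxy and report success even where a direct connection (which is what the malware attempts) would fail. The second function assumes a Windows DNS server and creates the local zone and apex A record the guidance mentions, pointing at any internal host that accepts TCP 80.

```powershell
# Added example: verify kill-switch reachability the way the malware sees it,
# and optionally create a local DNS record for it on a Windows DNS server.

function Test-KillSwitchReachability {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [int] $Port = 80
    )
    $r = [ordered]@{ Domain = $Domain; Resolves = $false; Address = $null; TcpOpen = $false }
    try {
        # System resolver, no proxy involved: the same path the malware's lookup takes.
        $rec = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if ($rec) { $r.Resolves = $true; $r.Address = $rec.IPAddress }
    } catch { }
    if ($r.Resolves) {
        # Direct TCP connect to port 80; does not use the proxy either.
        $t = Test-NetConnection -ComputerName $Domain -Port $Port -WarningAction SilentlyContinue
        $r.TcpOpen = [bool]$t.TcpTestSucceeded
    }
    [pscustomobject]$r
}

# ASSUMPTION: a Windows DNS server with the DnsServer module. Creates a primary
# zone for the domain and an A record at its apex pointing at an internal host
# that accepts TCP 80 (an IIS box, a sinkhole). "@" is used here for the apex.
function Add-KillSwitchSinkhole {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $SinkholeIPv4
    )
    if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Domain -ZoneFile "$Domain.dns"
    }
    Add-DnsServerResourceRecordA -ZoneName $Domain -Name '@' -IPv4Address $SinkholeIPv4
}

# PLACEHOLDER: substitute the real domain from the NCSC/CiSP guidance.
$KillSwitchDomain = 'kill-switch.example'
Test-KillSwitchReachability -Domain $KillSwitchDomain
```

`Resolves = True` with `TcpOpen = False` is the proxy-only network case the guidance warns about: the name resolves, but a direct connection is blocked, so the malware would proceed as if the kill switch were absent. That is the case for the local record plus an internal listener.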

As variants of WannaCry emerge, additional domains and alternative command-and-control mechanisms are being observed. Additional information can be found on the Cyber Security Information Sharing Partnership (CiSP) platform.


From Sophos:

Global Ransomware Attack Happening Now

Stemming from a series of cyber attacks against banks and utilities in Ukraine, ransomware is now spreading to other countries. This appears to be a Petya variant leveraging the EternalBlue exploit, the same SMBv1 exploit WannaCry used. Sound familiar? It’s WannaCry take 2.


From a Motherboard article, June 27, 2017:

Countries so far: Russia, Ukraine, India, France, Spain and UK.

Per Costin Raiu, security researcher with Kaspersky Lab: “We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry’s first hours.” MalwareHunterTeam told Motherboard “they believed the attack was from the same malware family as the one identified by Raiu.”

More updates to come. Please follow standard ransomware security practices.


Get an IR plan and playbook together if you don’t already have one. And make sure it addresses cyber attacks and incidents specifically. Appoint a crisis spokesperson. Because not everyone should have a turn with the talking stick!

Collaborate and communicate so we can act on this asap, get people on board and systems secured.



Live At InteropITX

Just listening to Kevin Mandia live, speaking about global affairs and international cybersecurity. I am in heaven. This is beyond amazing!

Thank you to our friends at DarkReading who made this opportunity possible for Haydn and me to speak at this conference. ALL the learning!

Update: WannaCry Ransomware



Real-time botnet tracking map by http://www.malwaretech.com

The number of countries impacted is over 100. We are expecting version 2.0 to hit by Monday, because that’s the nature of these attacks: the attackers know when they have their victims over a barrel, and they maximize the opportunity. Microsoft has issued patches. But what everyone can and must do, over and above applying these specific patches, is this:

  • Ensure you have full, and working backups that are offline and removed from the network.
  • Have a Disaster Recovery/Business Continuity plan that specifically addresses cyber events like this one
  • Be ready with a crisis communications designated spokesperson and prepared statements. If you’ve been hit, and things are going terribly wrong, then you don’t want to be dealing with that and trying to say the right things to press, staff, stakeholders
  • Check in with and listen to your network and sysadmins. They know what’s going on out there. They’ve seen the sh*t that happens, what breaks, and why
  • Don’t evade or deflect this topic. Don’t underplay it, and of course don’t focus on the fear. Have honest discussions with your staff, because this is how you create lasting awareness and change the behaviours that will better secure your organization

I follow these two experts on the risks to specialized systems, notably ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition). Note that medical facilities, mass transit, manufacturing and utilities all rely on these specialized systems, which are proprietary; are often set up with hard-coded or default passwords that are NOT secure; and run on older equipment that can’t be upgraded, so it is left running unpatched until it fails. There is so much more we need to address.

Here is a global snapshot (per CTV news):


Russian Train Control Center Ransomwared

EUROPEAN UNION: Europol’s European Cybercrime Centre, known as EC3, said the attack “is at an unprecedented level and will require a complex international investigation to identify the culprits.”
BRITAIN: Britain’s home secretary said the “ransomware” attack hit one in five of 248 National Health Service groups, forcing hospitals to cancel or delay treatments for thousands of patients — even some with serious ailments like cancer.
GERMANY: The national railway said Saturday departure and arrival display screens at its train stations were affected, but there was no impact on actual train services. Deutsche Bahn said it deployed extra staff to help customers.
RUSSIA: Two security firms — Kaspersky Lab and Avast — said Russia was hit hardest by the attack. The Russian Interior Ministry, which runs the country’s police, confirmed it was among those that fell victim to the “ransomware,” which typically flashes a message demanding payment to release the user’s data. Spokeswoman Irina Volk was quoted by the Interfax news agency Saturday as saying the problem had been “localized” and that no information was compromised. Russia’s health ministry said its attacks were “effectively repelled.”
UNITED STATES: In the U.S., FedEx Corp. reported that its Windows computers were “experiencing interference” from malware, but wouldn’t say if it had been hit by ransomware. Other impacts in the U.S. were not readily apparent.
TURKEY: The head of Turkey’s Information and Communication Technologies Authority or BTK says the nation was among those affected by the ransomware attack. Omer Fatih Sayan said the country’s cyber security centre is continuing operations against the malicious software.
FRANCE: French carmaker Renault’s assembly plant in Slovenia halted production after it was targeted. Radio Slovenia said Saturday the Revoz factory in the southeastern town of Novo Mesto stopped working Friday evening to stop the malware from spreading.
BRAZIL: The South American nation’s social security system had to disconnect its computers and cancel public access. The state-owned oil company Petrobras and Brazil’s Foreign Ministry also disconnected computers as a precautionary measure, and court systems went down, too.
SPAIN: The attack hit Spain’s Telefonica, a global broadband and telecommunications company.


No Accidental Hero Here – Amazing!

There are many in our community of extraordinary souls who do amazing things at the hardest of times. This is one of those stories. Thank you!

And because he tells the story so much better than I ever could, please read his blog post as linked here. You can copy and paste the URL provided in your browser to be extra safe. 


It’s THAT Bad

PATCH YOUR STUFF! MS17-010 is the patch for the SMBv1 flaw exploited by EternalBlue, the fun little exploit leaked in the most recent ShadowBrokers dump, and that exploit has been making the rounds in the worst way. WannaCry ransomware is everywhere. Get your backups in place. NOW! And don’t put them on the same network.

Countries around the globe have been hit by a massive ransomware attack that has already earned the attackers 100 bitcoins. It started early this morning when hospitals in the UK were struck. There were confirmations that a telecom and businesses in Spain were also hit.

Two hours ago, judging by the tweet storm, Russia, Israel, the US and 70 other countries were all infected.

Kevin Beaumont (@gossithedog on Twitter) has recommended the following, in addition to patching your stuff (because Microsoft had this patch available before this happened, and we know, WE KNOW, that attackers move this fast):

Make a group policy for the Windows firewall. Block SMB between all endpoint PCs. Limit it between servers that need it. That way, if you miss a patch in future (but you won’t after today, will you?) or if AV doesn’t work, then you can really make it harder for the ransomware to spread, buying you time to control and contain.
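Here is what that recommendation looks like in practice. The block below is an added example in my own code, not Kevin Beaumont’s. It creates inbound Block rules for the SMB ports (TCP 445 and 139, UDP 137 and 138) on a workstation, restricted to the workstation address ranges, so an infected PC cannot reach the next PC while file and management servers on other ranges keep working. The address ranges and GPO name are placeholders. In Windows Firewall a Block rule wins over any Allow rule, so this overrides the built-in “File and Printer Sharing” allows for those sources without you having to find and edit them.

```powershell
# Added example: host-firewall rules that stop workstation-to-workstation SMB.
# Run elevated. Writes to the local firewall by default; set $PolicyStore to a
# 'domain\GPO name' string to write the same rules into a GPO instead.

$WorkstationRanges = @('10.10.0.0/16', '10.20.0.0/16')   # ASSUMPTION: your client subnets
$PolicyStore       = $null                                 # e.g. 'corp.example\Workstation SMB Block'
$RuleGroup         = 'SMB isolation (WannaCry)'

function Add-SmbIsolationRules {
    param(
        [Parameter(Mandatory)] [string[]] $RemoteRanges,
        [string] $Store
    )
    # Settings shared by both rules; Block beats any Allow rule for these sources.
    $common = @{
        Direction     = 'Inbound'
        Action        = 'Block'
        Profile       = 'Any'
        RemoteAddress = $RemoteRanges
        Enabled       = 'True'
        Group         = $RuleGroup
    }
    if ($Store) { $common.PolicyStore = $Store }

    New-NetFirewallRule -DisplayName 'Block SMB from workstations (TCP 445,139)' `
                        -Protocol TCP -LocalPort 445,139 @common
    New-NetFirewallRule -DisplayName 'Block NetBIOS from workstations (UDP 137,138)' `
                        -Protocol UDP -LocalPort 137,138 @common
}

function Get-SmbIsolationRules {
    param([string] $Store)
    $q = @{ Group = $RuleGroup; ErrorAction = 'SilentlyContinue' }
    if ($Store) { $q.PolicyStore = $Store }
    Get-NetFirewallRule @q | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name     = $_.DisplayName
            Enabled  = $_.Enabled
            Action   = $_.Action
            Protocol = $port.Protocol
            Ports    = ($port.LocalPort -join ',')
            From     = ($addr.RemoteAddress -join ',')
        }
    }
}

Add-SmbIsolationRules -RemoteRanges $WorkstationRanges -Store $PolicyStore
Get-SmbIsolationRules -Store $PolicyStore
```

Pilot it on one OU first: the rules only block inbound SMB from the listed ranges, so servers are untouched, but any workstation that was quietly acting as a file share for its neighbours will stop doing so, and that is a conversation to have before the GPO goes estate-wide rather than after.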

Which prompts me to ask: how is your IR plan? Is it geared to cyber events like this? And oh yeah, do you have DR/BCP? Because you sure as heck are going to need that ready to roll out. And have you set up a policy on who says what for crisis communications? Because you really want to control how that happens too.

If you answered no to any of the above, just get on it now. Because you don’t know who is gonna get hit next in this round of rushin’ roulette.