In this article, you will find best practices regarding security and the high availability of your data to prevent the spread of Wanacry and other ransomware.
What is Wanacry?
Wanacry is ransomware that exploits a hole in the SMB protocol, known as EternalBlue; DoublePulsar is then installed as a backdoor to run the Wanacry payload. Once you are infected, your files are encrypted with the AES-128-CBC cipher, and a popup asks you for a ransom to get them back. It spreads through the network using port TCP/445 (SMB v1).
{% twitter https://twitter.com/Snowden/status/863118311621615616 %}
Targeted systems: All Windows versions before Windows 10
It encrypts all files with the following extensions:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
{: .notice--info}
To close this hole immediately, Microsoft released MS17-010 and made the patch available, for free, even for unsupported systems like Windows Server 2003 and Windows XP. It stops the spread and prevents new infections, but files that are already encrypted are not recoverable (yet).
If you want a chance to get your files back, look at #WanaKiwi.
{% twitter https://twitter.com/TheHackersNews/status/865480077647069184 %}
How to prevent this s**t from happening?
A few days ago, I heard someone saying:
Wanacry? I've no problem with that, I back up my sensitive data on Dropbox.
My heart was bleeding!
As you are aware, Dropbox, Google Drive, OneDrive, … are just synchronized storage services: they mirror a local folder to your storage in the cloud, and they will sync a Wanacry-encrypted file just as happily as the original.
My personal advice: B.U.F.E.S.
- Backup
- Update
- Filter
- Encrypt
- Strong passwords
In any case, if your files get encrypted, stop your synchronization tools (GDrive, Dropbox, OneDrive, …) immediately.
Backup 💾
macOS Users
Time Machine on an external hard drive or a NAS is a good solution, with versioning, in addition to the Dropbox sync mentioned above. You need a backup solution with snapshot-like behaviour, so you can revert to an older backup if your files were encrypted by ransomware.
My personal solution is to take a monthly picture of my Dropbox folder, synced to AWS S3. This S3 bucket has cross-region replication enabled (Ireland & Frankfurt).
I'm using this simple command in a cron job: `aws s3 sync dropbox_folder s3://s3_bucket/`
If you delete a file or folder in your local Dropbox folder, this command will not delete the matching objects on S3.
You can use `--dryrun` to test your `aws s3 sync` command before uploading a large number of files to S3.
This command is also folder aware, even though S3 has no real folders: the folder path only survives as a prefix of the object keys, so it works only if the folder is not empty, because an empty folder produces no objects.
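To make the behaviour just described concrete, here is an added example (not the author's cron job) that reproduces the `aws s3 sync` semantics locally: copy new or changed files, never delete on the target side, upload nothing for empty folders, and support a dry run. A local directory stands in for the S3 bucket so it runs offline; the "dropbox_folder", "s3_bucket" and "2017-05" names and the file contents are constructed for the demo. It also shows why the monthly picture matters: a plain mirror keeps a deleted file (no delete) but happily overwrites a clean copy with ciphertext, while a dated snapshot prefix keeps the clean copy.

```python
"""Snapshot-style backup with `aws s3 sync`-like semantics (added example,
not the post's own script). A local directory stands in for the S3 bucket."""
import shutil
import tempfile
from datetime import date
from pathlib import Path


def needs_upload(src: Path, dst: Path) -> bool:
    """Copy when the target is missing, differs in size, or is older than the source."""
    if not dst.exists():
        return True
    s, d = src.stat(), dst.stat()
    return s.st_size != d.st_size or s.st_mtime > d.st_mtime


def sync_no_delete(source: Path, target: Path, dryrun: bool = False) -> list[str]:
    """Copy new or changed files from source to target. Files removed from
    source are never removed from target, and directories exist only through
    the files under them, so an empty folder uploads nothing.
    Returns the relative paths copied (or, with dryrun, that would be)."""
    copied = []
    for path in sorted(source.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(source)
        dst = target / rel
        if needs_upload(path, dst):
            copied.append(rel.as_posix())
            if not dryrun:
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(path, dst)  # copy2 keeps mtime for later comparisons
    return copied


def monthly_snapshot(source: Path, bucket: Path, when: date) -> list[str]:
    """One 'picture' per month under a YYYY-MM prefix: a later sync can
    never overwrite an earlier month's clean copy."""
    return sync_no_delete(source, bucket / when.strftime("%Y-%m"))


def demo() -> dict:
    """Constructed scenario: plain mirror versus dated snapshot when one file
    is overwritten with ciphertext and another is deleted locally."""
    root = Path(tempfile.mkdtemp(prefix="bufes-"))
    src, bucket = root / "dropbox_folder", root / "s3_bucket"  # constructed names
    (src / "docs").mkdir(parents=True)
    (src / "empty").mkdir()
    (src / "docs" / "report.docx").write_text("quarterly report")
    (src / "notes.txt").write_text("todo")
    mirror = bucket / "mirror"

    result = {"planned": sync_no_delete(src, mirror, dryrun=True)}
    result["first"] = sync_no_delete(src, mirror)
    result["again"] = sync_no_delete(src, mirror)  # nothing changed, nothing copied
    result["snapshot"] = monthly_snapshot(src, bucket, date(2017, 5, 1))

    # constructed incident: one file replaced by ciphertext, one deleted
    (src / "docs" / "report.docx").write_bytes(b"\x00garbled ciphertext\x00")
    (src / "notes.txt").unlink()
    result["after_incident"] = sync_no_delete(src, mirror)

    result["mirror_notes_survives"] = (mirror / "notes.txt").exists()
    result["mirror_report"] = (mirror / "docs" / "report.docx").read_bytes()
    result["snapshot_report"] = (bucket / "2017-05" / "docs" / "report.docx").read_text()
    result["empty_dir_uploaded"] = (mirror / "empty").exists()
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The mirror run after the incident re-uploads only `docs/report.docx` and leaves `notes.txt` in place, which is the no-delete property the post relies on; the dated `2017-05` prefix is the only place the clean report still exists, which is why a snapshot per month (or bucket versioning) belongs in the plan rather than a single sync target.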
Win Users
On Windows, you can use Windows Backup and schedule a daily backup of your files and system, with rotation. If you want to go further, upload it periodically to your favorite cloud provider.
Or you can use Azure Backup with your Windows 10: Announcing Backup of Windows 10 machines using Azure Backup
Updates ⬇️
macOS Users
Keep your system up to date; automatic updates are on by default. If you are using Brew:
```sh
brew upgrade && brew cleanup
```
Win Users
Keep Windows Update turned on, and follow Patch Tuesday (first Tuesday of each month).
Firewall 🔥
macOS Users
Turn on the macOS firewall using:
Firewall activation
```sh
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
```
Log activation
```sh
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
```
Stealth mode activation
```sh
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
```
Or with the GUI: System Preferences -> Security & Privacy -> Firewall -> Turn On Firewall
Win Users
Using netsh:
```
netsh advfirewall set allprofiles state on
```
Or with the GUI: Control Panel -> Firewall -> Turn On each profile
Encrypt 🔒
macOS Users
Activate the macOS disk encryption service, FileVault (reboot required):
```sh
sudo fdesetup enable
```
or with GUI: System Preferences -> Security & Privacy -> FileVault
Win Users
Activate BitLocker
Without TPM (the startup key is written to a removable drive, here E:):
```
manage-bde -protectors -add C: -startupkey E:
manage-bde -on C:
```
With TPM:
```
manage-bde -on C:
```
Or with the GUI: Control Panel -> BitLocker
More info here
Strong Passwords 💪
Generate
A good article on this password topic can be found on Coding Horror. A must read.
Personally, I'm using random.org to generate strong, unique passwords for each service I use. Don't re-use the same password!
{% twitter https://twitter.com/Ryandanvers/status/866951590778986496 %}
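For readers who prefer to generate passwords offline, here is an added example (not from the post; the author uses random.org) that does the same job with Python's `secrets` module, the OS cryptographic random source. It draws uniformly from the 94 printable ASCII symbols, computes the resulting entropy in bits, rejects short lengths, and issues one distinct password per service so nothing is shared between accounts. The service names and the 20-character default are constructed for the demo.

```python
"""Strong, unique password generation with a CSPRNG (added example, not the
post's own tool). Uses `secrets`, never the `random` module."""
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform draw from `alphabet` using the OS CSPRNG."""
    if length < 12:
        raise ValueError("too short for a service password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def has_all_classes(pw: str) -> bool:
    """Sanity check that lower, upper, digit and symbol are all present."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_checked(length: int = 20) -> str:
    """Re-draw until every character class appears (keeps the draw uniform
    over the accepted set, unlike forcing specific positions)."""
    pw = generate_password(length)
    while not has_all_classes(pw):
        pw = generate_password(length)
    return pw


def generate_unique_per_service(services, length: int = 20) -> dict:
    """One password per service name; re-draws on the (astronomically
    unlikely) collision so 'unique per service' always holds."""
    issued, seen = {}, set()
    for name in services:
        pw = generate_checked(length)
        while pw in seen:
            pw = generate_checked(length)
        issued[name] = pw
        seen.add(pw)
    return issued


if __name__ == "__main__":
    # constructed service names for the demo
    vault = generate_unique_per_service(["mail", "bank", "dropbox"])
    bits = entropy_bits(20, len(FULL_ALPHABET))
    for service, pw in vault.items():
        print(f"{service:8s} {pw}  ({bits:.0f} bits)")
```

Twenty characters over 94 symbols gives about 131 bits of entropy, far beyond what brute force can reach; the passwords are meant to go straight into the password manager discussed next, not to be memorised.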
Store
I recommend using a popular password manager: 1Password ($$), KeePass (open source), LastPass ($) & co. Please rotate your master password!
2FA
Two-factor authentication needs to be used everywhere it can be activated. In 2017 there are plenty of services where it is possible; a good directory is available at this website.
{% twitter https://twitter.com/mhames/status/829348665936470019 %}
That’s all folks!
zoph.