In this article, you will find best practices for the security and high availability of your data, to prevent the spread of WannaCry and other ransomware.

What is WannaCry?
WannaCry is ransomware that uses EternalBlue, an exploit for a hole in the SMB protocol; DoublePulsar is then installed as a backdoor to run WannaCry. After you get infected, your files begin to be encrypted with the AES-128-CBC cipher, and then a popup asks you for a ransom to get them back. It spreads through the network using port TCP/445 (SMB v1).
Targeted systems: All Windows versions before Windows 10.
It encrypts all files with the following extensions:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
To fix this vulnerability immediately, Microsoft released MS17-010 and made this patch available (for free) for unsupported operating systems such as Windows Server 2003 and Windows XP. It will stop the spread and prevent infection, but encrypted files won’t be available anymore (yet).
If you want a chance to get your files back, look at #WanaKiwi.
How to prevent this s**t from happening?
A few days ago, I heard someone say:
WannaCry, I’ve no problem with that, I back up my sensitive data on Dropbox.
My heart was bleeding!

As you are aware, Dropbox, Google Drive, OneDrive, etc. are just synchronized storage services. They synchronize a simple local folder to your storage in the cloud, and they will synchronize a file even if it has been encrypted by WannaCry.
My personal advice: B.U.F.E.S
- Backup
- Update
- Filter
- Encrypt
- Strong passwords
In any case, if you get encrypted, you should immediately stop your synchronization tools (GDrive, Dropbox, OneDrive, etc.).
Backup 💾
macOS Users
Time Machine on an external hard drive or a NAS is a good solution with versioning, in addition to Dropbox sync as I mentioned. You need a backup solution with snapshots so you can revert to older backups if your files get encrypted with ransomware.
My personal solution is a monthly snapshot of my Dropbox folder synced with AWS S3. This S3 bucket has cross-region replication enabled (Ireland & Frankfurt).
I’m using this simple command in a cron job: aws s3 sync dropbox_folder s3://s3_bucket/
If you delete a file or folder in your local Dropbox folder, this command will not delete the matching files on S3.
You can use --dryrun to test your aws s3 sync command before uploading a large number of files to S3.
This command is also folder-aware, even though S3 does not really have folders; a folder is only synced if it is not empty.
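Because a sync or upload job will copy encrypted files just as readily as good ones, the cron job itself can be guarded. The following is an added example, not the author's script: a canary file is checked before `aws s3 sync` runs, and the upload is skipped if the canary is missing or has changed. `SRC`, `BUCKET`, the canary file name, the baseline file and the dated prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example: canary-guarded monthly snapshot to S3.
# Assumptions (not from the article): SRC, BUCKET, the canary file name,
# the baseline file and the YYYY-MM prefix are hypothetical placeholders.

SRC="${SRC:-$HOME/Dropbox}"
BUCKET="${BUCKET:-s3_bucket}"
CANARY="${CANARY:-000-canary.docx}"   # decoy with a commonly targeted extension

# Portable SHA-256: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Run once on a known-clean machine: create the decoy and record its hash.
# Keep the baseline file outside the synced folder.
init_canary() {  # usage: init_canary <src_dir> <baseline_file>
  printf 'canary %s\n' "$(date +%s)" > "$1/$CANARY"
  sha256_of "$1/$CANARY" > "$2"
}

# Return 0 only if the canary is present and byte-identical to the baseline.
canary_ok() {  # usage: canary_ok <src_dir> <baseline_file>
  [ -f "$1/$CANARY" ] || return 1                  # renamed or deleted
  [ -f "$2" ] || return 1                          # no baseline: fail closed
  [ "$(sha256_of "$1/$CANARY")" = "$(cat "$2")" ]  # changed in place
}

# Monthly snapshot into a dated prefix, so earlier months are not overwritten.
snapshot() {  # usage: snapshot <src_dir> <baseline_file>
  if ! canary_ok "$1" "$2"; then
    echo "canary missing or modified: skipping upload" >&2
    return 2
  fi
  aws s3 sync "$1" "s3://$BUCKET/$(date +%Y-%m)/"
}
```

When the job reports a skipped upload, investigate the machine before running `init_canary` again; a dated prefix uploads a full copy each month, so plan storage accordingly.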
Win Users
On Windows, you can use Windows Backup and schedule a backup of your files and system every day with rotation. If you want to go further, upload the backups periodically to your favorite cloud provider.
Or you can use Azure Backup with your Windows 10: Announcing Backup of Windows 10 machines using Azure Backup
Updates ⬇️
macOS Users
Keep your system up to date. Automatic updates are on by default. If you are using Brew:
brew upgrade && brew cleanup
Win Users
Keep Windows Update turned on, and follow Patch Tuesday (first Tuesday of each month).
Firewall 🔥
macOS Users
Turn on the macOS firewall using:
Firewall Activation
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
Log Activation
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Stealth mode Activation
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Or with the GUI: System Preferences -> Security & Privacy -> Firewall -> Turn On Firewall
Win Users
Using netsh:
netsh advfirewall set allprofiles state on
Or with the GUI: Control Panel -> Firewall -> Turn On each profile
Encrypt 🔒
macOS Users
Activate the macOS disk encryption service called FileVault (reboot required):
sudo fdesetup enable
Or with GUI: System Preferences -> Security & Privacy -> FileVault
Win Users
Activate BitLocker.
Without TPM:
manage-bde -protectors -add C: -startupkey E:
manage-bde -on C:
With TPM:
manage-bde -on C:
Or with the GUI: Control Panel -> BitLocker
More info here.
Strong Passwords 💪
Generate
A good article on the topic of passwords can be found on Coding Horror. A must-read.
Personally, I’m using random.org to generate strong unique passwords for each service I’m using. Don’t reuse the same passwords!
Store
I recommend using a popular password manager: 1Password ($$), KeePass (OpenSource), LastPass ($) & co. Please rotate your master password!
2FA
Two-factor authentication needs to be used everywhere it can be activated. In 2017, there are plenty of services where it is possible. A good repository is available at this website.
That’s all folks!
zoph.