Wanacry or Wanasmile ?

In this article, you will find best practices regarding security and high availability of your data to prevent the spread of Wanacry, and other ransomware.

alt

What is wanacry ?

Wanacry is a ransomware that is using a hole in SMB protocol called EternalBlue then, DoublePulsar is installed as a backdoor to run Wanacry. After you get infected, your files begin to be encrypted with AES-128-CBC cipher, and then a popup asks you for a ransom to get it back. It spread through the network using port TCP/445 (SMB v1)

Targeted systems: All Windows versions before Windows 10

It encrypts all files with the following extensions :

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

To fix this breach immediately, Microsoft released MS17-010, and make this patch available to unsupported OS like Windows Server 2003 and Windows XP (for free). It will stop the spread and prevent infection, but encrypted files won’t be available anymore (yet)

If you want to get a chance to get back your files, look at #WanaKiwi

How to prevent this s**t from happening?

A few days ago, I hear someone saying:

Wanacry, I’ve no problem with that, I backup my sensitive data on Dropbox.

My heart was bleeding!

alt

As you are aware, Dropbox, Google Drive, OneDrive, … are just a synchronized storage service, and it synchronizes a simple local folder to your storage in the cloud even if it’s a wanacry encrypted file.

My personal advice: B.U.F.E.S

  1. Backup
  2. Update
  3. Filter
  4. Encrypt
  5. Strong passwords

In any case, if you get encrypted, you should stop immediately your synchronization tools (GDrive, Dropbox, OneDrive, …)

Backup 💾

macOS Users

Timemachine on an external hard drive or a NAS is a good solution with versioning in addition to Dropbox sync as I told you. You need to get a backup solution with a snapshot-like solution, then you can revert to older backups if your files were encrypted with a ransomware.

My personal solution is to do a monthly picture of my Dropbox folder synced with AWS S3. This S3 bucket had cross-region replication enabled. (Ireland & Frankfurt)

I’m using this simple command in a cron: aws s3 sync dropbox_folder s3://s3_bucket/

If you delete a file or folder on your local Dropbox folder, this command will not delete the matching files on S3.

You can use --dryrun to test your aws s3 sync command before uploading a large amount of files to S3.

This command is also folder aware even if S3 is not really, working only if the folder is not empty.

Win Users

In Windows, you can use WindowsBackup, and schedule a backup of your file and system every day with rotation. if you want to go further, then upload periodically to your favorite Cloud Provider.

Or you can use Azure Backup with your Windows 10: Announcing Backup of Windows 10 machines using Azure Backup

Updates ⬇️

macOS Users

Keep your system up-to-date regularly, it’s on by default. If you are using Brew:

brew upgrade && brew cleanup

Win Users

Keep your Windows Update turned on, and follow the Patch Tuesday. (first Tuesday of each month)

Firewall 🔥

macOS Users

TurnOn macOS firewall using:

Firewall Activation

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on

Log Activation

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on

Stealh mode Activation

sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on

Or with the GUI: System Preferences -> Security & Privacy -> Firewall -> Turn On Firewall

Win Users

Using netsh:

netsh advfirewall set allprofiles state on

Or with the GUI: Control Panel -> Firewall -> Turn On each profile

Encrypt 🔒

macOS Users

Activate macOS disk encryption service called FileVault (reboot requiered):

sudo fdesetup enable

or with GUI: System Preferences -> Security & Privacy -> FileVault

Win Users

Activate Bitlocker

Without TPM: manage-bde –protectors -add C: -startupkey E:

manage-bde -on C:

With TPM:

manage-bde -on C:

Or with the GUI: Control Panel -> Bitlocker

More info here

Strong Passwords 💪

Generate

A good article on this password topic can be found on coding horror. A Must read.

Personally, I’m using random.org to generate strong unique passwords for each service i’m using. Don’t re-use same passwords!

Store

I recommend the use of a popular password manager: 1password ($$), KeePass (OpenSource), Lastpass ($) & co. Please rotate your master password!

2FA

Two-factor authentication need to be used everywhere it can be activated. In 2017, there is plenty of services where it is possible, a good repository is available at this website

That’s all folks, hope this help.

Leave a Comment