In this article, you will find best practices regarding the security and high availability of your data to prevent the spread of Wanacry and other ransomware.
What is Wanacry?
Wanacry is ransomware that exploits a hole in the SMB protocol (the EternalBlue exploit); the DoublePulsar backdoor is then installed to run Wanacry. Once you are infected, your files are encrypted with the AES-128-CBC cipher, and a popup asks you for a ransom to get them back. It spreads through the network over port TCP/445 (SMB v1).
If NSA builds a weapon to attack Windows XP—which Microsoft refuses to patch—and it falls into enemy hands, should NSA write a patch? https://t.co/TUTtmc2aU9— Edward Snowden (@Snowden) May 12, 2017
Targeted systems: All Windows versions before Windows 10
It encrypts all files with the following extensions:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
To fix this breach immediately, Microsoft released MS17-010 and made the patch available, for free, even for unsupported OSes like Windows Server 2003 and Windows XP. It stops the spread and prevents infection, but files that are already encrypted won't be recoverable (yet).
If you want a chance to get your files back, look at #WanaKiwi.
How to prevent this s**t from happening?
A few days ago, I heard someone say:
Wanacry, I’ve no problem with that, I backup my sensitive data on Dropbox.
My heart was bleeding!
As you are aware, Dropbox, Google Drive, OneDrive, … are just synchronized storage services: they mirror a simple local folder to your storage in the cloud, even if what they mirror is a Wanacry-encrypted file.
My personal advice: B.U.F.E.S
- Backup
- Update
- Firewall
- Encryption
- Strong passwords
In any case, if your files get encrypted, immediately stop your synchronization tools (GDrive, Dropbox, OneDrive, …).
Time Machine on an external hard drive or a NAS is a good solution, with versioning, in addition to the Dropbox sync I mentioned. You need a backup solution with snapshot-like versioning, so that you can revert to an older backup if your files were encrypted by ransomware.
My personal solution is a monthly snapshot of my Dropbox folder synced to AWS S3. This S3 bucket has cross-region replication enabled (Ireland & Frankfurt).
I'm using this simple command in a cron job:
aws s3 sync dropbox_folder s3://s3_bucket/
If you delete a file or folder in your local Dropbox folder, this command will not delete the matching objects on S3 (it only does so if you pass --delete). You can use --dryrun to test your aws s3 sync command before uploading a large number of files to S3.
The command is also folder aware, even though S3 has no real folders: a folder only shows up as a prefix on S3 if it is not empty.
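The snapshot-style versioning this section recommends, as an added Python example that is not code from the original post: each run writes a dated snapshot directory and hard-links files unchanged since the previous snapshot (rsync --link-dest style), so a ransomware run that rewrites the source folder only lands in the newest snapshot while older ones remain restorable. The snapshot naming, the read-only chmod policy and the directory layout are my assumptions.

```python
import hashlib, os, shutil
from pathlib import Path

def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(source: Path, repo: Path, name: str) -> Path:
    """Create repo/<name> as a full copy of source. Files unchanged since the newest
    earlier snapshot are hard-linked to it (like rsync --link-dest), so each monthly
    snapshot only costs the data that actually changed."""
    repo.mkdir(parents=True, exist_ok=True)
    earlier = sorted(p for p in repo.iterdir() if p.is_dir() and p.name < name)
    prev = earlier[-1] if earlier else None
    dest = repo / name
    for src in source.rglob("*"):
        rel = src.relative_to(source)
        out = dest / rel
        if src.is_dir():
            out.mkdir(parents=True, exist_ok=True)
            continue
        out.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev else None
        if old is not None and old.is_file() and _digest(old) == _digest(src):
            os.link(old, out)       # identical content: share the inode with prev
        else:
            shutil.copy2(src, out)  # new or rewritten (e.g. encrypted): fresh copy
    # Snapshots share inodes, so make them read-only: an in-place write to one
    # snapshot would otherwise silently alter every earlier snapshot of that file.
    for f in dest.rglob("*"):
        if f.is_file():
            f.chmod(0o444)
    return dest

def restore(repo: Path, name: str, target: Path) -> int:
    """Copy snapshot repo/<name> into target as independent, writable files."""
    snap, n = repo / name, 0
    for src in snap.rglob("*"):
        if src.is_file():
            out = target / src.relative_to(snap)
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, out)
            out.chmod(0o644)
            n += 1
    return n
```

Keep the snapshot repository on a drive or share the workstation cannot write to between runs; a mirror that the infected machine can overwrite (a plain Dropbox or S3 sync without versioning) gives no protection.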
On Windows, you can use Windows Backup and schedule a daily backup of your files and system with rotation. If you want to go further, periodically upload it to your favorite cloud provider.
Or you can use Azure Backup with your Windows 10: Announcing Backup of Windows 10 machines using Azure Backup
Keep your system up to date; automatic updates are on by default. If you are using Homebrew, update its packages too:
brew upgrade && brew cleanup
Keep Windows Update turned on, and follow Patch Tuesday (first Tuesday of each month).
Turn on the macOS firewall using:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on
Enable stealth mode:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
Or with the GUI: System Preferences -> Security & Privacy -> Firewall -> Turn On Firewall
On Windows, turn on the firewall for all profiles:
netsh advfirewall set allprofiles state on
Or with the GUI: Control Panel -> Firewall -> Turn On each profile
Activate the macOS disk encryption service, FileVault (reboot required):
sudo fdesetup enable
Or with the GUI: System Preferences -> Security & Privacy -> FileVault
On Windows, add a BitLocker startup-key protector stored on a USB drive (E:), then turn BitLocker on for C::
manage-bde -protectors -add C: -startupkey E:
manage-bde -on C:
Or with the GUI: Control Panel -> Bitlocker
More info here
Strong Passwords 💪
A good article on the password topic can be found on Coding Horror. A must read.
Personally, I'm using random.org to generate a strong, unique password for each service I'm using. Don't reuse the same password across services!
A password is like a toothbrush - choose a good one, share it with no-one, change it occasionally.— Ryan Danvers (@Ryandanvers) May 23, 2017
Two-factor authentication is like eating healthy. It is harder, but you won't regret it down the road.— Matt Hames (@mhames) February 8, 2017
That's all folks, hope this helps.