Sunday, May 14, 2017

WannaCry Ransomware

1 Million Dollars

I found this tweet, repeated many times:

So far, criminals behind the WannaCry ransomware have received nearly 100 payments from victims, totalling 15 Bitcoins, equal to USD $26,090.

First, note that I despise all terrorists and cyber criminals equally and feel they should be 'rubbed out' without compassion, based on the suffering and harm that they cause. However, one has to rather chuckle at the WannaCry criminals, who are extorting relatively small amounts of money per compromised machine (230 GBP?).

I think the attack was supposed to be more prolific, but it has been blocked, thanks predominantly to researcher MalwareTech, oh, and the criminals' own design, which included a 'kill switch' within their malware, namely the existence of an internet domain which, if registered, would stop any further WannaCry ransoming.

NB: I predict further strains of this malware will not be so relatively benign. (Already another domain.)

Recovery Actions

- Recover your system from a backup you made earlier. This plan has 2 huge flaws:

01 When was the last time you made a backup (and tested a recovery)?
02 Any data entered since the time of the backup you restored will be lost.

- Option #2
Pay the modest ransomware demand.

Remove the Infection

Protect your systems as described below

Make a Backup

Test the Restore

Schedule a Regular Backup

Protecting Your Systems

01 Read this Article

Your company should stop using the SMB1 Windows file-sharing protocol. It is about 30 years old!

Microsoft posted the above article in 2016, but nobody really took any notice. Many older systems are known to use SMBv1. The commands in the above article turn on logging of SMB1 use, so you can check which clients still rely on it.

02 Remove SMB1 (Server Message Block) networking V1
For a Microsoft Windows Server 2012 or 2016 system, this PowerShell command removes SMB1:

Remove-WindowsFeature FS-SMB1

For a Windows 10 system, the corresponding PowerShell command is:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Caveat: if anything still relies on SMB1, removing it will succeed, but those applications will stop working.

03 Install Fixes

Additionally, make sure this fix is installed on your 32-bit or 64-bit Windows 10 / Windows Server 2016 system.

This stems from MS17-010.

Note: if you are on the latest Windows 10 build (use the winver command to check); for example, I am on build 1703, not the older 1607, and the bugfix won't apply, presumably since it's already included in build 1703.

04 Older Systems

And if you are on something older than Windows 10 / Windows Server 2012/2016, there are actually fixes. Very generous of Microsoft.


05 On Linux
Whilst Linux is not yet vulnerable to this malware, it would be good citizenship to ensure that your Linux server uses at least version 2 of the SMB protocol.

Add the following 2 lines to smb.conf, in my [global] section:
vi /etc/samba/smb.conf

# Let's try to be secure, eh

  min protocol = SMB2

Restart Samba (the daemon that reads smb.conf is smbd)
/etc/init.d/smbd restart
[ ok ] Restarting smbd (via systemctl): smbd.service
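As an added example (not from the original post, which only shows the two config lines), a small POSIX shell script that applies the step above to a given smb.conf path: it keeps the setting inside [global] rather than after a share section, replaces a weaker value such as NT1, leaves an existing SMB2/SMB3 floor alone, and can be re-run safely. The config file path is an argument you supply; the sample config used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): idempotently set
#   min protocol = SMB2
# in the [global] section of an smb.conf, as step 05 describes.
# Samba reads "min protocol" as a synonym of "server min protocol".
# A line placed after a share header applies to that share, not globally,
# so the setting is kept inside [global].

# Print the min protocol value found in [global] (empty if none is set).
min_protocol_in_global() {
    awk '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/); next }
        in_global && tolower($0) ~ /^[[:space:]]*(server[[:space:]]+)?min[[:space:]]+protocol[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }
    ' "$1"
}

# Rewrite $1 so that [global] holds exactly one SMB2-or-better floor.
enforce_smb2_min() {
    conf="$1"; tmp="$conf.tmp"
    {
        # Prepend a [global] header if the file has none.
        grep -qi '^[[:space:]]*\[global\][[:space:]]*$' "$conf" || printf '[global]\n'
        cat "$conf"
    } | awk '
        BEGIN { want = "  min protocol = SMB2" }
        /^[[:space:]]*\[/ {
            if (in_global && !done) { print want; done = 1 }  # [global] ended without the key
            in_global = (tolower($0) ~ /^[[:space:]]*\[global\][[:space:]]*$/)
            print; next
        }
        in_global && tolower($0) ~ /^[[:space:]]*(server[[:space:]]+)?min[[:space:]]+protocol[[:space:]]*=/ {
            if (done) next                                    # drop duplicate entries
            val = tolower($0); sub(/^[^=]*=[[:space:]]*/, "", val)
            if (val ~ /^smb[23]/) print; else print want      # keep SMB2/SMB3, replace NT1 etc.
            done = 1; next
        }
        { print }
        END { if (!done) print want }                         # [global] was the last section
    ' > "$tmp" && mv "$tmp" "$conf"
}
```

Run it as `enforce_smb2_min /etc/samba/smb.conf` (as root), then restart smbd so the new floor takes effect.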

06 And Finally
Your IT dept can track down SMB1 using code from this article.

And they should also, of course, be subscribed to, and avid viewers and supporters of, Computerphile.

Computerphile: Wana Decrypt0r