Updating Windows against the WannaCry ransomware. How to protect yourself from the WannaCry ransomware attack

One of the ways to counter ransomware is to forbid the creation or renaming of files with the names it produces. If we know what extension a file receives after the malware encrypts it, we can simply prohibit creating files with that extension on the file server. We also prohibit the creation of the known ransom-note files (text or HTML files with payment demands), which helps against families that do not change the file extension while encrypting. A write that hits the screen is refused and logged, so the first blocked write is also the detection signal.

Installing File Server Resource Manager and configuring the template.

First, install the File Server Resource Manager role. This can be done through Server Manager or through PowerShell; here is the second option:

Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

After installing FSRM, be sure to reboot the server.

After reboot Start -> Run -> fsrm.msc

Create a file group named Anti-Ransomware File Groups and add to it the extensions and file names we want to block.

Adding everything manually takes a long time, so we automate the process and take the list of prohibited patterns from the site https://fsrm.experiant.ca (an enthusiast-maintained list; review it before applying, since an over-broad pattern will block legitimate files).

Create the following PowerShell script and run it as an administrator (the group must already exist, since Set-FsrmFileGroup updates it rather than creating it; ForEach-Object takes a script block in braces, not parentheses):

$gr_name  = "Anti-Ransomware File Groups"
$url_site = "https://fsrm.experiant.ca/api/v1/combined"
# The API returns JSON with a "filters" array of file name patterns.
$req = (Invoke-WebRequest -Uri $url_site -UseBasicParsing).Content | ConvertFrom-Json | ForEach-Object { $_.filters }
Set-FsrmFileGroup -Name $gr_name -IncludePattern @($req)

After running the script, check the Anti-Ransomware File Groups group: the extensions and file names to be blocked should now appear in it.

Next, create a file screen template (File Screen Templates -> Create File Screen Template), select the Anti-Ransomware File Groups group in it and press OK. In the same template you can also configure an email alert, an event log entry, or running a script or program when a violation occurs.

Finally, go to the File Screens section.

Here we specify the path to the directory that needs to be protected and the template to apply.

As a result, an attempt to rename a file to an extension that is in our Anti-Ransomware File Groups list (or to create a ransom-note file) is refused with a write error on the client, and FSRM records the event.

Blocking the infected user

Once an infection is detected, you need to act against the source of the threat: deny the user whose computer caught the ransomware access to the shared folder. To do this, create the file C:\SmbBlock.ps1 with the following content (the original had parentheses where ForEach-Object needs a script block in braces; a guard is added so an empty user name does not turn into a deny for nobody or an error on every share):

Param($username = "")
if ([string]::IsNullOrWhiteSpace($username)) { exit 1 }   # nothing to block
# Add a share-level Deny for the account on every non-administrative share.
Get-SmbShare -Special $false | ForEach-Object {
    Block-SmbShareAccess -Name $_.Name -AccountName "$username" -Force
}

Go back to File Screen Templates, open the template and select the Command tab. Specify powershell.exe as the command and pass the FSRM variable [Source Io Owner], which FSRM expands at run time to the account that triggered the screen:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {C:\SmbBlock.ps1 -username '[Source Io Owner]'}"

The command must run with LocalSystem rights for Block-SmbShareAccess to succeed. As a result, the infected user receives a personal Deny on the share; the deny is reversed with Unblock-SmbShareAccess once the workstation has been cleaned.

This method is not an absolute solution, since ransomware authors do not stand still (new extensions appear, and some families keep the original file names), but as one component of layered protection it is quite applicable.

A wave of a new ransomware, WannaCry (other names: Wana Decrypt0r, Wana Decryptor, WanaCrypt0r), has swept across the world; it encrypts documents on a computer and extorts 300-600 USD for decrypting them. How can you tell if your computer is infected? What should you do to avoid becoming a victim? And what can be done to recover?

After installing the updates, you will need to reboot your computer.

How to recover from the Wana Decrypt0r ransomware virus?

When the antivirus utility detects the malware, it will either remove it immediately or ask whether to disinfect. The answer is to disinfect.

How to recover files encrypted by Wana Decryptor?

We can’t say anything reassuring at the moment. No file decryption tool has yet been created. For now, all that remains is to wait until the decryptor is developed.

According to Brian Krebs, a computer security expert, at the moment the criminals have received only 26,000 USD, that is, only about 58 people agreed to pay the ransom to the extortionists. No one knows whether they restored their documents.

How to stop the spread of a virus online?

In the case of WannaCry, the spread can be stopped by blocking inbound TCP port 445 (SMB) on the firewall, which is the port through which the worm infects other machines, and by disabling the SMBv1 protocol that the exploited vulnerability lives in. Blocking 445 on a file server also cuts off legitimate clients, so on servers the fix is the MS17-010 update and SMBv1 removal rather than the port block.
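The following PowerShell script is an added example (not part of the original article) of the two mitigations above: it reports whether SMBv1 is still enabled, turns the SMBv1 server off, and adds an inbound block rule for TCP 445. It assumes Windows 8 / Server 2012 or later for the Smb* and NetFirewall cmdlets and falls back to the LanmanServer registry value on Windows 7 / Server 2008 R2; the rule name is my own choice. Run it elevated.

```powershell
# Added example: SMB-side mitigations for the WannaCry worm (assumes Win8/Server 2012+ cmdlets,
# registry fallback for older systems). Run as Administrator.

$RuleName = 'Block inbound SMB (TCP 445) - WannaCry mitigation'   # assumed name
$RegKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Returns $true when the SMBv1 server protocol is still enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older systems: the SMB1 DWORD under LanmanServer\Parameters; absent means enabled.
    $val = (Get-ItemProperty -Path $RegKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1Server {
    # Turn off the SMBv1 server side. Clients that only speak SMBv1 (Windows XP,
    # some printers and NAS boxes) will lose access to this machine's shares.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $RegKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    # On Windows 8.1/10 the SMB1 feature itself can be removed as well (needs a reboot).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSmb {
    # Workstations normally have no reason to accept SMB connections; block TCP 445
    # on every profile. Block rules win over allow rules in Windows Firewall.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any -Enabled True | Out-Null
    }
    return (Get-NetFirewallRule -DisplayName $RuleName).Enabled
}

$before = Get-Smb1State
Disable-Smb1Server
$ruleOn = Block-InboundSmb
"SMBv1 enabled before: $before; after: $(Get-Smb1State); 445 block rule enabled: $ruleOn"
```

Apply the firewall part to workstations only; on a file server keep 445 open for clients, install the MS17-010 update and disable SMBv1 there instead. Re-check with Get-Smb1State after the reboot, because the feature removal only completes then.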

The new ransomware malware WannaCry (which also has a number of other names - WannaCry Decryptor, WannaCrypt, WCry and WanaCrypt0r 2.0) made itself known to the world on May 12, 2017, when files on computers in several healthcare institutions in the UK were encrypted. As it soon became clear, companies in dozens of countries found themselves in a similar situation, and Russia, Ukraine, India, and Taiwan suffered the most. According to Kaspersky Lab, on the first day of the attack alone, the virus was detected in 74 countries.

Why is WannaCry dangerous? The malware encrypts files of many types (adding the .WNCRY extension and making them unreadable) and then demands a ransom of $300 to $600 for decryption. To hurry the payment, the user is told that after three days the ransom doubles and that after seven days the files can no longer be decrypted.

Computers running Windows are at risk of WannaCry infection. If your system has the March 2017 security updates (MS17-010) installed, the worm cannot enter it by this route.

Users of macOS, ChromeOS and Linux, as well as of the mobile systems iOS and Android, are not targets of this worm, which exploits a flaw in the Windows SMBv1 service. They can still be affected indirectly, for example if their files live on a Windows share that an infected machine encrypts.

What to do if you are a victim of WannaCry?

The UK's National Crime Agency (NCA) recommends that small businesses who have been victims of ransomware and are concerned about the virus spreading online should take the following actions:

  • Immediately isolate your computer, laptop, or tablet from your corporate/internal network. Turn off Wi-Fi.
  • Change drivers.
  • Without connecting to a Wi-Fi network, connect your computer directly to the Internet.
  • Update your operating system and all other software.
  • Update and run your antivirus software.
  • Reconnect to the network.
  • Monitor network traffic and/or run a virus scan to ensure that the ransomware is gone.

Important!

Files encrypted by the WannaCry virus cannot be decrypted by anyone except attackers. Therefore, do not waste time and money on those “IT geniuses” who promise to save you from this headache.

Is it worth paying money to attackers?

The first questions asked by users hit by WannaCry are how to recover files and how to remove the malware. Finding no free and effective solution, they face a choice: pay the extortionist or not. Since users often have something to lose (personal documents and photo archives stored on the computer), the temptation to solve the problem with money is real.

But the NCA strongly urges victims not to pay. If you do decide to pay, keep the following in mind:

  • First, there is no guarantee that you will get access to your data.
  • Secondly, your computer may still be infected with a virus even after payment.
  • Thirdly, you will most likely simply give your money to cybercriminals.

How to protect yourself from WannaCry?

Vyacheslav Belashov, head of the information security systems implementation department at SKB Kontur, explains what actions to take to prevent infection with the virus:

The peculiarity of the WannaCry virus is that it can penetrate a system without human intervention, unlike other encryption viruses. Previously, for a virus to operate, the user had to be inattentive: follow a dubious link from an email that was not actually intended for him, or download a malicious attachment. In the case of WannaCry, a vulnerability that exists directly in the operating system itself is exploited. Therefore, Windows-based computers that did not install the March 14, 2017 updates were primarily at risk. One infected workstation on the local network is enough for the virus to spread to others with the unpatched vulnerability.

Users affected by the virus naturally have one main question: how to decrypt their information? Unfortunately, there is no guaranteed solution yet, and none is expected soon. Even after paying the specified amount, the problem is not solved. In addition, the situation can be aggravated by the fact that a person, hoping to recover his data, risks using supposedly "free" decryptors, which in reality are also malicious files. Therefore, the main advice that can be given is to be careful and do everything possible to avoid such a situation.

What exactly can and should be done at the moment:

1. Install the latest updates.

This applies not only to operating systems, but also to antivirus protection tools. Information on updating Windows can be found here.

2. Make backup copies of important information.

3. Be careful when working with mail and the Internet.

You need to pay attention to incoming emails with dubious links and attachments. To work with the Internet, it is recommended to use plugins that allow you to get rid of unnecessary advertising and links to potentially malicious sources.

On May 12, around 1:00 p.m., the Wana Decryptor virus began spreading. In almost a couple of hours, tens of thousands of computers around the world were infected. To date, more than 45,000 infected computers have been confirmed.

With more than 40 thousand hacks in 74 countries, Internet users around the world witnessed the largest cyber attack in history. The list of victims includes not only ordinary people, but also servers of banks, telecommunications companies and even law enforcement agencies.

Computers of both home users and organisations, including the Russian Ministry of Internal Affairs, were infected with the Wanna Cry ransomware. Unfortunately, at the moment there is no way to decrypt .WNCRY files, but you can try to recover encrypted files with tools such as ShadowExplorer (volume shadow copies) and PhotoRec (carving deleted originals from disk). Note that WannaCry runs vssadmin to delete shadow copies before encrypting, so ShadowExplorer helps only where that step failed, and PhotoRec works best on a drive that has not been written to since the infection.

Official patches from Microsoft (MS17-010) to protect against the Wanna Cry virus:

  • Windows 7 32bit/x64
  • Windows 10 32bit/x64
  • Windows XP 32 bit/x64 - not covered by the March release; on 13 May 2017 Microsoft issued an out-of-band update (KB4012598) for Windows XP, Windows 8 and Windows Server 2003 as well.

How to protect yourself from the Wanna Cry virus

You can protect yourself from the Wanna Cry virus by installing the MS17-010 update for your version of Windows (through Windows Update or the standalone package from Microsoft) and rebooting.

How Wanna Cry spreads

Wanna Cry is distributed:

  • over the network, from one infected machine to others through the SMB vulnerability (TCP port 445), without any user action
  • via files and mail messages (reported as a secondary vector).

As reported by Russian media, the work of departments of the Ministry of Internal Affairs in several regions of Russia has been disrupted due to a ransomware that has infected many computers and threatens to destroy all data. In addition, the communications operator Megafon was attacked.

We are talking about the WCry ransomware Trojan (WannaCry or WannaCryptor). It encrypts the information on the computer and demands a ransom of $300 or $600 in Bitcoin for decryption.
Ordinary users also report infections on forums and social networks.

WannaCry encryption epidemic: what to do to avoid infection. Step by step guide

On the evening of May 12, a large-scale WannaCryptor (WannaCry) ransomware attack was discovered, which encrypts all data on PCs and laptops running Windows. The program demands $300 in bitcoins (about 17,000 rubles) as a ransom for decryption.

The main blow fell on Russian users and companies. At the moment, WannaCry managed to infect about 57,000 computers, including the corporate networks of the Ministry of Internal Affairs, Russian Railways and Megafon. Sberbank and the Ministry of Health also reported attacks on their systems.

We tell you what you need to do right now to avoid infection.

1. The ransomware exploits a Microsoft vulnerability patched in March 2017. To minimise the threat, you must urgently update your version of Windows:

Start - All Programs - Windows Update - Check for updates - Download and Install

2. Even if the system was not updated and WannaCry got onto the computer, both the corporate and the home ESET NOD32 products detect and block all of its known modifications.

5. To detect still-unknown threats, our products use behavioural and heuristic technologies. If a program behaves like malware, it is most likely malware. Thus, the ESET LiveGrid cloud system repelled the attack on May 12 even before the signature databases were updated.

What is the correct name for the Wana Decryptor virus, WanaCrypt0r, Wanna Cry or Wana Decrypt0r?

Since the virus was first discovered, many different reports about it have appeared online, and it is often called by different names. This happened for several reasons. Before Wana Decrypt0r itself appeared, there was an earlier version, Wanna Decrypt0r, the main difference being the method of distribution. That first variant was not as widely known as its successor, which is why some news reports call the new ransomware by the older name, Wanna Cry or Wanna Decryptor.

Still, the main name is Wana Decrypt0r, although most users type the letter "o" instead of the digit "0", which gives Wana Decryptor or WanaDecryptor.

And the last name by which users often call this ransomware virus is WNCRY virus, that is, by the extension that is added to the name of the files that have been encrypted.

To minimise the risk of the Wanna Cry virus getting onto your computer, Kaspersky Lab specialists advise installing all available updates for the current version of Windows. The point is that the malware infects only computers running this software.

Wanna Cry virus: How it spreads

Previously, we mentioned this method of spreading viruses in an article about safe behavior on the Internet, so it’s nothing new.

Wanna Cry is distributed as follows, therussiantimes.com reports: a letter arrives in the user's mailbox with a "harmless" attachment, supposedly a picture, video or song, but instead of the standard extension for these formats the attachment has an executable extension, .exe. When such a file is opened and launched, the system is infected and, through a vulnerability, the malware is loaded directly into Windows and encrypts the user's data. This description should be read together with the SMB worm behaviour explained above: the mass infections of 12 May spread from machine to machine over TCP 445 through MS17-010 without any user action, and no email campaign was confirmed as the initial vector.

Wanna Cry virus: description of the virus

Wanna Cry (nicknamed "Wona's Edge" by some users) belongs to the category of ransomware (cryptors): once it gets onto a PC, it encrypts user files with a cryptographic algorithm, making them unreadable.
At the moment, the following popular file extensions are known to be targeted by Wanna Cry:

Microsoft Office files (.xlsx, .xls, .docx, .doc).
Archive and media files (.mp4, .mkv, .mp3, .wav, .swf, .mpeg, .avi, .mov, .3gp, .flv, .wma, .mid, .djvu, .png, .jpg, .jpeg, .iso, .zip, .rar).

WannaCry is a program called WanaCrypt0r 2.0 that attacks only PCs running Windows. It exploits a flaw in the Windows SMBv1 service that Microsoft had already fixed in March 2017 in Security Bulletin MS17-010, two months before the outbreak, so only machines without that update were exposed. The program demands a ransom of $300 to $600 for decryption. According to The Guardian, more than 42 thousand dollars had already been transferred to the attackers' accounts at the time of writing.

In this article we look at using the File Server Resource Manager (FSRM) functionality on a Windows Server 2012 R2 file server to detect and block ransomware (encryptor Trojans, also known as Ransomware or CryptoLocker). In particular, we will see how to install the FSRM service, configure detection of certain file types and, when such files are detected, block the user's access to the directory on the file server.

Detecting ransomware using FSRM

If File Server Resource Manager is not already installed on your server, you can install it using the Server Manager graphical console or from the PowerShell command line:

Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

Let's check that the role is installed:

Get-WindowsFeature -Name FS-Resource-Manager

After installing the component, the server must be rebooted.

Configuring SMTP FSRM parameters for sending email notifications

The next step is to configure the SMTP parameters of the FSRM service, so that the administrator can receive email notifications. To do this, launch the fsrm.msc console, right-click the root of the File Server Resource Manager console and select Configure Options.

Specify the SMTP server address, administrator mailbox and sender name.

You can check the correctness of the SMTP server settings by sending a test letter using the button Send Test Email.

You can also configure the FSRM SMTP settings with PowerShell (the addresses below are placeholders in Microsoft's example domain; substitute your own):

Set-FsrmSetting -AdminEmailAddress "admin@adatum.com" -SmtpServer smtp.adatum.com -FromEmailAddress "fsrm@adatum.com"

Creating a group of file extensions created by ransomware

The next step is to create a group of files that will contain known extensions and file names that ransomware creates during its operation.

This list can be created from the FSRM console. To do this, expand the section File Screening Management -> File Groups and select Create File Group from the menu.

You must specify the group name (for example, Crypto-files) and add all known extensions to the list using the field Files to include.

The list of known file extensions created by ransomware is quite large, so it is much easier to create one using PowerShell.

In Windows Server 2012, you can create the file group with PowerShell like this (one pattern per array element; the original one-liner had stray spaces inside several patterns, which would have made them never match):

New-FsrmFileGroup -Name "Crypto-files" -IncludePattern @(
    "_Locky_recover_instructions.txt", "DECRYPT_INSTRUCTIONS.TXT", "DECRYPT_INSTRUCTION.TXT",
    "HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML", "DecryptAllFiles.txt", "enc_files.txt",
    "HowDecrypt.txt", "How_Decrypt.txt", "How_Decrypt.html", "HELP_RESTORE_FILES.txt",
    "restore_files*.txt", "restore_files.txt", "RECOVERY_KEY.TXT", "how to decrypt aes files.lnk",
    "HELP_DECRYPT.PNG", "HELP_DECRYPT.lnk", "DecryptAllFiles*.txt", "Decrypt.exe",
    "AllFilesAreLocked*.bmp", "MESSAGE.txt",
    "*.locky", "*.ezz", "*.ecc", "*.exx", "*.7z.encrypted", "*.ctbl", "*.encrypted", "*.aaa",
    "*.xtbl", "*.abc", "*.JUST", "*.EnCiPhErEd", "*.cryptolocker", "*.micro", "*.vvv"
)

In Windows Server 2008 R2 you have to use the filescrn.exe utility. The members list is pipe-separated and must stay on one line (a caret does not continue a line inside quotes in cmd.exe); the version below is the original list with the broken-up patterns repaired and duplicates removed:

filescrn.exe filegroup add /filegroup:"Crypto-files" /members:"DECRYPT_INSTRUCTIONS.TXT|DECRYPT_INSTRUCTION.TXT|DecryptAllFiles.txt|enc_files.txt|HowDecrypt.txt|How_Decrypt.txt|How_Decrypt.html|HELP_TO_DECRYPT_YOUR_FILES.txt|HELP_RESTORE_FILES.txt|HELP_TO_SAVE_FILES.txt|restore_files*.txt|RECOVERY_KEY.TXT|HELP_DECRYPT.PNG|HELP_DECRYPT.lnk|DecryptAllFiles*.txt|ATTENTION!!!.txt|AllFilesAreLocked*.bmp|*.locky|*.ezz|*.ecc|*.exx|*.7z.encrypted|*.ctbl|*.encrypted|*.aaa|*.xtbl|*.EnCiPhErEd|*.cryptolocker|*.micro|*.vvv|*.zzz|*.xyz|*.abc|*.ccc|*.xxx|*.locked|*.crypto|*_crypt|*.crinf|*.r5a|*.XRNT|*.crypt|*.R16M01D05|*.pzdc|*.good|*.LOL!|*.OMG!|*.RDM|*.RRK|*.encryptedRSA|*.crjoker|*.LeChiffre|*.keybtc@inbox_com|*.0x0|*.bleep|*.1999|*.vault|*.HA3|*.toxcrypt|*.magic|*.SUPERCRYPT|*.CTB2"

Advice. You can compile a list of known file extensions for various ransomware yourself, or use ready-made, periodically updated lists maintained by enthusiasts:

https://www.bleib-virenfrei.de/ransomware/

https://fsrm.experiant.ca/api/v1/combined

In the second case, the current list of patterns for FSRM can be pulled straight from the web server and turned into a file group:

New-FsrmFileGroup -Name "Anti-Ransomware File Groups" -IncludePattern @((Invoke-WebRequest -Uri "https://fsrm.experiant.ca/api/v1/combined" -UseBasicParsing).Content | ConvertFrom-Json | ForEach-Object { $_.filters })

Or use a ready-made list saved to disk as crypto_extensions.txt (one pattern per line) and apply it to the FSRM file group created earlier:

$ext_list = Get-Content .\crypto_extensions.txt
Set-FsrmFileGroup -Name "Crypto-files" -IncludePattern $ext_list

Either way, re-run the update on a schedule: the value of the block list decays as new ransomware families appear.

Setting up File Screen Templates

Create a new File Screen Template that defines the actions FSRM takes when it encounters the specified files. In the FSRM console, go to File Screen Management -> File Screen Templates and choose Create File Screen Template.

On the Settings tab, specify the template name "Block_crypto_files", the screening type Active screening (creating the specified file types is prohibited; Passive screening would only log), and select Crypto-files in the list of file groups.

On the Email Message tab, enable email notifications and adjust the notification text as you like.

On the Event Log tab, enable writing an event to the system log. Include the FSRM variable [Source Io Owner] in the message so that the entry records the user who triggered the screen; [Source File Path] and [File Screen Path] add the offending file and the protected directory.

On the Command tab you can specify the action to take when this file type is detected. More on this below.

Save your changes. Another one should appear in the list of templates.

Applying a File Screen template to a drive or folder

All that remains is to assign the created template to a disk or shared folder on the server. Create a new file screen in the FSRM console (File Screen Management -> File Screens -> Create File Screen).

In the File screen path field, specify the local drive or the directory for which you want to enable ransomware protection, and in the list of templates select the Block_crypto_files template created earlier.
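The whole chain described in this walkthrough (and in the shorter one at the top of the page) can be built unattended. The script below is an added example, not the article's own code: it creates or refreshes the file group from the online list with an offline seed list as fallback, defines an event-log action and a command action that call a blocking script, and binds an active template to a path. The group and template names match the article; the protected path D:\Shares, the seed patterns and the script location C:\RansomwareBlockSmb.ps1 are assumptions.

```powershell
# Added example: end-to-end FSRM anti-ransomware setup on Windows Server 2012 R2 or later.
# Assumed values: protected path, seed list, blocking-script path. Run elevated on the file server.

$GroupName    = 'Crypto-files'
$TemplateName = 'Block_crypto_files'
$ScreenPath   = 'D:\Shares'                              # assumed: local path behind the share(s)
$ListUrl      = 'https://fsrm.experiant.ca/api/v1/combined'
$BlockScript  = 'C:\RansomwareBlockSmb.ps1'              # assumed: script run by the Command action

# Fallback patterns (names cited on this page) used when the online list is unreachable.
$SeedPatterns = @('*.locky', '*.WNCRY', '*.ezz', '*.ecc', '*.encrypted', '*.micro', '*.vvv',
                  'HELP_DECRYPT.TXT', 'DECRYPT_INSTRUCTIONS.TXT', 'restore_files*.txt')

function Get-RansomwarePatterns {
    # Returns the de-duplicated pattern list, preferring the online feed.
    try {
        $json = (Invoke-WebRequest -Uri $ListUrl -UseBasicParsing -ErrorAction Stop).Content | ConvertFrom-Json
        $list = @($json | ForEach-Object { $_.filters } | Where-Object { $_ })
        if ($list.Count -gt 0) { return ($list | Sort-Object -Unique) }
    } catch {
        Write-Warning "Pattern download failed ($($_.Exception.Message)); using seed list"
    }
    return ($SeedPatterns | Sort-Object -Unique)
}

# 1. File group: create it or refresh its pattern list (re-run this script on a schedule).
$patterns = Get-RansomwarePatterns
if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
    Set-FsrmFileGroup -Name $GroupName -IncludePattern $patterns
} else {
    New-FsrmFileGroup -Name $GroupName -IncludePattern $patterns | Out-Null
}

# 2. Actions. FSRM expands the bracketed variables when the screen fires.
$eventAction = New-FsrmAction -Type Event -EventType Warning -Body (
    'User [Source Io Owner] tried to write [Source File Path] to [File Screen Path] ' +
    '(matched file group [Violated File Group]).')
$cmdAction = New-FsrmAction -Type Command `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters ("-NoProfile -ExecutionPolicy Bypass -File `"$BlockScript`" " +
                        "-UserName '[Source Io Owner]' -ScreenPath '[File Screen Path]'") `
    -SecurityLevel LocalSystem -WorkingDirectory 'C:\'

# 3. Active template and the file screen bound to the path.
if (-not (Get-FsrmFileScreenTemplate -Name $TemplateName -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenTemplate -Name $TemplateName -IncludeGroup $GroupName `
        -Notification @($eventAction, $cmdAction) -Active | Out-Null
}
if (-not (Get-FsrmFileScreen -Path $ScreenPath -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreen -Path $ScreenPath -Template $TemplateName | Out-Null
}

Get-FsrmFileScreen -Path $ScreenPath | Format-List Path, Template, Active, IncludeGroup
```

Two things to check after running it. First, test from a client by copying any file to the share as test.locky: the copy must fail with an access-denied error and event 8215 from SRMSVC must appear in the Application log. Second, FSRM throttles repeated actions per the Notification Limits in Configure Options (60 minutes by default, set with Set-FsrmSetting -CommandNotificationLimit); lower the command limit, otherwise a second infected user hitting the screen within that window is logged but not blocked.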

Automatic blocking of access for a user infected with ransomware

All that remains is to configure the action FSRM performs when it detects files created by ransomware. We will use a ready-made script, Protect your File Server against Ransomware by using FSRM and Powershell (https://gallery.technet.microsoft.com/scriptcenter/Protect-your-File-Server-f3722fce). What does it do? When someone tries to write a "forbidden" file type to a network directory, FSRM runs the script, which reads the corresponding event from the event log and, at the share level, denies write access to the user who attempted it. In this way the infected user's access to the network folder is blocked.

Download the script and unpack it to the root of C:\ on the file server. Copy the subinacl.exe utility to the same folder (the script uses it to change the share permissions). The directory should contain the following files:

  • StartRansomwareBlockSmb.cmd
  • RansomwareBlockSmb.ps1
  • subinacl.exe

Note. In the PS script (RansomwareBlockSmb.ps1) I had to change the following lines: the first builds the subinacl command that applies the deny to the local share, the second must match the name of the file group you created:

$SubinaclCmd = "C:\subinacl /verbose=1 /share \\127.0.0.1\" + "$SharePart" + " /deny=" + "$BadUser"

if ($Rule -match "Crypto-Files")

What remains is to specify, in the "Block_crypto_files" template on the Command tab, that cmd.exe is launched with StartRansomwareBlockSmb.cmd as its argument:

Run this command or script: c:\windows\system32\cmd.exe

Command arguments: /c "c:\StartRansomwareBlockSmb.cmd"

The command must be executed with Local System rights (LocalSystem); a lower security level cannot modify share permissions.

FSRM Security Testing

Let's test how the FSRM ransomware protection works. Create a file with an arbitrary extension in the protected directory and try to rename it to a prohibited one, .locky. The rename is refused, and the Application log on the server records the violation:

Event ID: 8215
Source: SRMSVC

The RansomwareBlockSmb.ps1 script, using the data from this event, denies the current user access to the directory by adding a personal Deny entry to the share permissions.

Protection works! In the log file at the root of the disk you can see the directory and the user under which the ransomware attempted to write. To restore the user's access after the workstation has been cleaned, remove the Deny entry from the share permissions (or use Unblock-SmbShareAccess).
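For servers running Windows Server 2012 or later the subinacl.exe dependency can be dropped. The script below is an added example (not the TechNet gallery script or the SmbBlock.ps1 from the first part of the page) that does the same job with the built-in Block-SmbShareAccess cmdlet: instead of parsing the event log it takes the account and the screened path as arguments, which FSRM fills in from [Source Io Owner] and [File Screen Path] on the Command tab, finds the share(s) that expose that path and adds a share-level Deny for the account. The log path and the list of accounts that must never be blocked are assumptions.

```powershell
# Added example: C:\RansomwareBlockSmb.ps1 for the FSRM Command action.
# Command tab: powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\RansomwareBlockSmb.ps1
#              -UserName '[Source Io Owner]' -ScreenPath '[File Screen Path]'   (run as LocalSystem)
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$UserName,    # e.g. CORP\jdoe, supplied by FSRM
    [Parameter(Mandatory = $true)][string]$ScreenPath,  # e.g. D:\Shares or D:\Shares\Docs
    [string]$LogFile = 'C:\RansomwareBlockSmb.log'      # assumed log location
)

# Accounts that must never receive a Deny: the server's own identities and machine accounts.
$NeverBlock = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Add-Content -Path $LogFile
}

function Get-SharesForPath([string]$Path) {
    # A screen on D:\Shares covers a share of D:\Shares\Docs, and a screen on D:\Shares\Docs
    # is reached through a share of D:\Shares, so match in both directions. Comparison is
    # case-insensitive; the trailing backslash is ignored. Administrative shares (C$) are skipped.
    $p = $Path.TrimEnd('\')
    Get-SmbShare -Special $false | Where-Object {
        $s = $_.Path
        if (-not $s) { return $false }
        $s = $s.TrimEnd('\')
        ($s -eq $p) -or ($s -like "$p\*") -or ($p -like "$s\*")
    }
}

function Block-UserOnShares([string]$Account, [string]$Path) {
    # Returns the names of the shares on which a Deny was added.
    if (($NeverBlock -contains $Account) -or ($Account -match '\$$')) {
        Write-Log "Skipping $Account (service or machine account)"
        return @()
    }
    $blocked = @()
    foreach ($share in Get-SharesForPath $Path) {
        try {
            Block-SmbShareAccess -Name $share.Name -AccountName $Account -Force -ErrorAction Stop
            Write-Log "Denied $Account on share $($share.Name) ($($share.Path)) after write to $Path"
            $blocked += $share.Name
        } catch {
            Write-Log "Failed to deny $Account on $($share.Name): $($_.Exception.Message)"
        }
    }
    if ($blocked.Count -eq 0) { Write-Log "No share exposes $Path; $Account not blocked" }
    return $blocked
}

Block-UserOnShares -Account $UserName -Path $ScreenPath | Out-Null
```

The Deny is a share-level ACE, so the user keeps NTFS rights and can be readmitted with Unblock-SmbShareAccess -Name <share> -AccountName <user> -Force once the workstation is clean. Because the script is triggered by the first blocked write, the ransomware has usually already encrypted files it could rename to an extension not on the list; the Deny limits further damage rather than preventing it, which is why the backup in the layered approach still matters.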

If you need to provide an even higher level of security, you can switch from a black list of files to a white list, when only allowed file types can be stored on the file server.

So, we looked at how to use FSRM to automatically block access to network directories for users whose computers are infected with a ransomware virus. Naturally, using FSRM in this mode cannot provide a 100% guarantee of protecting files on servers from this class of viruses, but as one of the echelons of protection, the technique is quite suitable. In the following articles, we will look at several more options for countering ransomware viruses.