Ransomware strategy for someone with midlevel skills?

sonoferu

Senior member
Jun 6, 2010
286
5
81
I have Windows 7 Pro, so from what I have read about MS trying to patch things, I don't know how secure I might be. I don't do a lot of online stuff except reading the news, and I never open an email attachment without thinking. I have AVG Free version and keep it updated. I'm not an expert, just midlevel system skills.

My question is that I have EaseUS Todo Backup and once every week or so I do an image of the whole system to an external hard drive. As long as I have a boot disk for EaseUS and keep the drive unplugged between images, could I get out of a ransomware attack by booting in and restoring the whole image? Or would I even need to do that extensive a step, could I just restore files from the image?

I presume I would need to remove the ransomware itself, or else any restored files would just get encrypted, right? All I know is what I have read in the news the last few days. I have never had a virus in almost 20 years not with Windows, so AVG seems good at what it does.

Thanks
 

Elixer

Lifer
May 7, 2002
10,376
762
126
If you clone, and store that on an offline backup (only connect the drive when needed), that is good.
If your system is infected, then you wouldn't necessarily know which files are the "bad" versions, so a complete restore from the clone is the best practice.

I'd rather you have a firewall that shows inbound & outbound connections, use NoScript on sites you don't trust, & an adblocker (a huge security issue with ads using Flash & others).
Don't open ANY attachments, unless you can confirm where they are coming from.

As for AVG... sorry, no, same goes for norton, symantec, and the others, they are all resource hogs.
They give you a false sense of security.
If you really insist on having something running all the time, then the better product is from these guys https://www.emsisoft.com/en/.
The occasional running of anti-malware software like malwarebytes, or Search&Destroy are nice free programs as well.
 

Jaskalas

Lifer
Jun 23, 2004
33,442
7,506
136
I run Windows 10. For me it was simply going to Programs -> Features and -> unchecked SMB v1. Rebooted. Done.

Here's how to disable SMB v1.
Over the weekend I also reinstalled my file server to upgrade it from OpenSuse 12.3 -> 42.2. Then I took SAMBA and disabled SMB v1 there as well. Now none of my Windows machines or the Linux file server are vulnerable through that Windows XP era protocol.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
You can still just use your clone. Just format the current HDD, pop in your CD and attach the external HDD and clone back to the main HDD. That's it. Just be sure to format the target machine first.

Ransomware is polymorphic. Meaning your run of the mill anti-virus won't catch it as there's no virus signature for it. There's a couple of things you can do to make sure you don't get ransomware. Use Sandboxie for your browser or buy Sandboxie and use it for your E-mail client too. Note that if you use Sandboxie you should allow access to the browser's profile otherwise saved bookmarks won't stick when you close Sandboxie. Also, you can't update the browser with Sandboxie. The update won't stick. You have to update outside of the sandbox. The idea of Sandboxie is that everything stays in the sandbox and doesn't touch your computer.

The other thing you can do is use NoScript. Allow base 2nd level domains to ease cumbersomeness. But this may be very restrictive and thus Sandboxie might be your better bet.

Another option to add is uBlock. This will block ADs and thus you won't get infected by a malware laden AD.

NoScript and uBlock are Firefox-based add-ons. They work in Pale Moon as well. That's what I use. You don't need to use these add-ons and just use Sandboxie, but be aware that you shouldn't recover any files in the sandbox you didn't download.

I wrote a post about this at my forum in my sig under the Security subforum.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
I run Windows 10. For me it was simply going to Programs -> Features and -> unchecked SMB v1. Rebooted. Done.

Here's how to disable SMB v1.
Over the weekend I also reinstalled my file server to upgrade it from OpenSuse 12.3 -> 42.2. Then I took SAMBA and disabled SMB v1 there as well. Now none of my Windows machines or the Linux file server are vulnerable through that Windows XP era protocol.


The primary vector isn't SAMBA. It's through an E-mail attachment. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

Not too bad I guess. They made over 33k dollars.
 

Jaskalas

Lifer
Jun 23, 2004
33,442
7,506
136
The primary vector isn't SAMBA. It's through an E-mail attachment. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

Not too bad I guess. They made over 33k dollars.

I appreciate that, but without the need to talk to Windows XP machines it's definitely an option for me to block SMB v1 as it has been repeatedly exploited recently. I'd rather not have machine A's infection spread throughout an entire network.
 

KeithP

Diamond Member
Jun 15, 2000
5,659
198
106
You might consider adding a second backup drive. As they say, one backup is no backup.

-KeithP
 

sonoferu

Senior member
Jun 6, 2010
286
5
81
Thanks all, that's a lot for a midlevel guy. Gotta go look some things up.

I didn't find SMB v1 in Win7 "Turn Windows features on and off". Is it somewhere on Win 7? I googled for Win 7 SMB v1 and found lots of links but none tell me how to do it on 7, just the other Windowses.

I do have AdBlockPlus, and have added NoScript.

Again, thanks
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
238
106
The first line of defense is email discipline. The capability to blacklist senders and domains, and be able to examine email without downloading is useful. Be "street smart" with email.
 

HutchinsonJC

Senior member
Apr 15, 2007
465
202
126
I don't understand the seeming focus in this thread of being careful about opening emails with attachments. I mean, obviously you should be careful with that sort of thing, but this malware is a worm. It will traverse the internet and do what it does to unpatched machines with or without your approval, with or without your opening of an email attachment. All taking advantage of something that went public (WikiLeaks) that the NSA identified who knows when ago, and built tools of their own to take advantage of the flaw... to what end, who knows. NSA decided not to tell Microsoft about the flaw (screw up #1 IMO) and then couldn't keep their stuff from prying eyes (screw up #2 IMO).

The saving grace for the version of the malware that launched just this last Friday is some 22 year old anonymous guy going by the name of MalwareTech saw that the malware wanted to connect to a really long domain name of seemingly random characters. The domain didn't exist, he created it, and now the malware is in self-kill mode. If your stuff was already encrypted, then it'd still be encrypted, but that exact version of the malware is basically dead now except via email attachments. That is of course, unless you're blocking that domain, as was recommended by various entities... then it might still spread across machines on internal networks like the worm it is all because one person opens an attachment.

Apparently, that version of the malware had a kill switch built inside that basically said "If I can connect to this website, destroy yourself."

Personally, I have my suspicions about the kill switch. Why put it in there at all? And why make the kill switch that simple? Any tech guy who would have had this malware on their machines and wanted to poke and figure it out would have been able to see that it was attempting to reach out to this domain. So this 22 year old pays up something like 10.99 euro to register the domain that this malware was looking for, and now he's a hero. How did this guy know that by bringing that domain online it would kill the malware? Odds are, he didn't. He probably didn't know if it would make the situation bad or good, and possibly even thought that he could intercept the goodies of the malware by creating the domain, but I don't know what was in his head when he decided to buy the domain name.

And it's not like the domain being created killed all probability of taking advantage of the Microsoft flaw. It wouldn't be hard for the original creator of the malware to adjust the kill switch in some way, or outright remove the kill switch. It's also not out of the question that entirely new malwares could be created to take advantage of the flaw.

How many people will buy a new computer, connect it to the internet, and get *some* kind of malware (spyware, keylogger, ransomware, who knows?) based on this worm/flaw *before* they can even do Windows updates? This ain't over yet. And it's not just email attachments you need to be worried about. It's a worm.

Probably a good idea to put some updates on a USB stick that you consider as mandatory installs before even connecting a machine to a network.
 

Jaskalas

Lifer
Jun 23, 2004
33,442
7,506
136
I didn't find SMB v1 in Win7 "Turn Windows features on and off". Is it somewhere on Win 7? I googled for Win 7 SMB v1 and found lots of links but none tell me how to do it on 7, just the other Windowses.

Though I appreciate it was not easy to pick out from the link provided. Here's a copy off that page.
  • WARNING, I have not tested these commands, I cannot verify them. Use at your own risk.
Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
  • To disable SMBv1 on the SMB client, run the following commands:
    • sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    • sc.exe config mrxsmb10 start= disabled

  • To enable SMBv1 on the SMB client, run the following commands:
    • sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    • sc.exe config mrxsmb10 start= auto
 

KeithP

Diamond Member
Jun 15, 2000
5,659
198
106
How many people will buy a new computer, connect it to the internet, and get *some* kind of malware (spyware, keylogger, ransomware, who knows?) based on this worm/flaw *before* they can even do Windows updates?

None? From what I have read, Windows 10 was never vulnerable.

-KeithP
 

HutchinsonJC

Senior member
Apr 15, 2007
465
202
126
I just bought several Windows 7 machines a few months ago, one of which is still in the box unopened. Are you sure "none" is the correct answer?

Edit:
Windows 7 based machines can still be found on online retailers: New... Refurbished

Some companies make it a practice to buy in bulk and/or have machines at the ready as replacements if another machine in their company dies.

Some businesses may not approve Windows 10 for their network. Let's be honest, this isn't exactly a rare thing that the latest and greatest OS isn't approved until years have passed by that it's been available.

Some people might reload a Windows 7 operating system because they got a new SSD or they just want a clean install for whatever reason.

Someone out there is gonna reload from an image or a backup and forget that their image or backup didn't include the update.

There are several people out there that will do something that will put themselves and/or their companies at risk because they put an unpatched machine on their network. Most of these, I have a guess, will be mom and pop or small business kind of places.
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
I actually have all of the Shadow Broker Tools. Should I give them back to the NSA?

Such is the free and open Internet. I did get rid of the pile though.... Wait, let me check my FTP server. Yep! They're gone. Encrypted them in an SFX archive and I don't see it.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
The primary vector isn't SAMBA. It's through an E-mail attachment. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

Not too bad I guess. They made over 33k dollars.
SMB (Server Message Block) is not SAMBA.
They are totally different things.

The initial vector might be e-mail (still hasn't been confirmed), but, it can still spread via SMBv1 exploit from machine to machine.
That is why you need to block SMB ports, or at the very least, turn off SMBv1 and apply the security patch for XP.
 

ImpulsE69

Lifer
Jan 8, 2010
14,946
1,077
126
You might consider adding a second backup drive. As they say, one backup is no backup.

-KeithP

Agreed. I do nightly backups. Then I back those backups to a secret base on the opposite side of the planet. Then, those backups get backed up to the moon base. Then those backups get backed up to Voyager 2. You can never be too prepared.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
While the constant theme should be backups, backups, and more backups - you might want to give this freeware tool a whirl. It was able to stop the recent variants without relying on definition updates because it looks for the encryption behavior rather than a signature. It complements traditional AV so it can't hurt to try out.

We used to joke in networking class about the eighth layer of the OSI model (the user) being the biggest problem. This certainly applies to security because it doesn't matter what you have dragging down a system in the name of security, there is always a risk so true security is more of a state of mind and methodical rumination on actions like clicking links and opening attachments - be suspicious!
 

John Connor

Lifer
Nov 30, 2012
22,840
617
121
I used to have Ransomfree installed, but I think it was doing something and that's why I uninstalled it.
 

sonoferu

Senior member
Jun 6, 2010
286
5
81
Here's how to disable SMB v1.

Jaskalas - I saw that link, and it seems to be how to disable SMB1 for a client machine. Higher up on that page it says how to do it for an SMB server. I have a home network, just my desktop with Win7 and my wife's laptop with Win10. Mine is served by a cable from the router, hers from a wireless router in her office. So we are both clients, right?

And some questions that are just curiosity questions. I'm always curious. When you're a midlevel guy you are always running into things you didn't know yet.

So the command uses sc.exe. Several years ago in my job I ran sc.exe to configure a service we used. That's the same sc.exe?

And the command edits the registry keys for
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10

Going curiouser, I see the commands on that MS page
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

Looking at the registry here, under "LanmanWorkstation" I see a value named "DependOnService" but not one for "depend". Could that be an error on the MS page? If there is no value for "depend" does the command create one?

Just wondering what will happen if I run them. As you say, it's my own risk. But just curious.

And final curiosity - what does SMB do anyway? I have read some stuff which says what it does but I don't know much network stuff and all the explanations are in network-speak.

And I never ever open attachments in emails unless I know the sender, and I always read the URL when I hover over links in emails.

Thx

SonOfEru
 
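Added example, not posted by anyone in this thread: a read-only PowerShell check for the registry values behind the sc.exe commands Jaskalas copied from the Microsoft page, which also shows why "depend=" ends up in a value named DependOnService rather than "depend" as asked above. It assumes an elevated PowerShell prompt on Windows 7 (PowerShell 2.0 syntax) and changes nothing; both the SMB client role (LanmanWorkstation / mrxsmb10) and the SMB server role (LanmanServer), which every Windows machine runs, are reported.

```powershell
# Added example (not from this thread): read-only check of the registry values
# that "sc.exe config lanmanworkstation depend= ..." and
# "sc.exe config mrxsmb10 start= disabled" write. Assumes an elevated prompt on
# Windows 7 / Server 2008 R2; nothing here changes any setting.

function Get-Smb1State {
    $lanmanWks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'
    $mrxsmb10  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $lanmanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # "depend=" is only the sc.exe option name; the data lands in the
    # REG_MULTI_SZ value DependOnService. No value literally named "depend" exists.
    $deps = (Get-ItemProperty -Path $lanmanWks -Name DependOnService).DependOnService

    # "start= disabled" writes Start = 4 (2 = auto, 3 = demand, 4 = disabled).
    # A missing mrxsmb10 key means no SMBv1 client driver is installed at all.
    $start = (Get-ItemProperty -Path $mrxsmb10 -Name Start -ErrorAction SilentlyContinue).Start

    # Server role: the SMB1 DWORD under LanmanServer\Parameters. 0 disables the
    # SMBv1 server; an absent value is the Windows 7 default, i.e. enabled.
    $srvSmb1 = (Get-ItemProperty -Path $lanmanSrv -Name SMB1 -ErrorAction SilentlyContinue).SMB1

    New-Object PSObject -Property @{
        ClientDependsOnSmb1 = ($deps -contains 'mrxsmb10')
        ClientDriverStart   = $start
        ClientSmb1Disabled  = ($deps -notcontains 'mrxsmb10') -and ($start -eq 4 -or $null -eq $start)
        ServerSmb1Disabled  = ($srvSmb1 -eq 0)
    }
}

$state = Get-Smb1State
$state | Format-List

# sc.exe updates the registry immediately, but the already-loaded driver is only
# unloaded at the next reboot, so a fresh change still needs the restart.
if ($state.ClientSmb1Disabled -and $state.ServerSmb1Disabled) {
    'SMBv1 is disabled for both the client and the server role (effective after reboot).'
} else {
    'SMBv1 is still enabled for at least one role on this machine.'
}
```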

KeithP

Diamond Member
Jun 15, 2000
5,659
198
106
I just bought several Windows 7 machines a few months ago, one of which is still in the box unopened. Are you sure "none" is the correct answer?

No, I wasn't sure. That is why I had the "?" after "None".

-KeithP
 

HutchinsonJC

Senior member
Apr 15, 2007
465
202
126
You had no issues because the version of the malware that came out on the 12th had a kill switch built-in. The kill-switch was brought online rendering the malware dead on arrival.

Another version of the malware came out on the 14th, and another kill-switch was activated. This particular kill-switch has been registering something like 300 deaths of the malware (or *hits* registering against the new domain of the kill-switch) per hour the first half of TODAY. And that's saying something when you consider the kill-switch was brought online for that version of the malware the 15th.

The reason you've been relatively safe, is because no malware has been written to take advantage of this worm that hasn't had a kill switch built-in, yet. And I emphasize the "yet". It'll happen.

And yes, you can do an update without connecting the machine to a network. I mentioned saving the update to a USB drive in an above post.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
The reason you've been relatively safe, is because no malware has been written to take advantage of this worm that hasn't had a kill switch built-in, yet. And I emphasize the "yet". It'll happen.
There are already quite a few "copy-cats" out there with no kill-switch at all.
It started shortly after the original was released.