Preventing Ransomware Using Alibaba Cloud Server Guard

Source: https://www.zhihu.com/question/59765277/answer/168898617
Zhihu Copyright belongs to the author. Please contact the author for permission before reprinting material for commercial purposes. For non-commercial use, please indicate the source.

"I'm very pessimistic on weapons of mass destruction generally although I don't think that nuclear probably is quite as likely as either primarily biological and maybe cyber." No one ever imagined that Warren Buffett's speech to Berkshire Hathaway's shareholders' meeting a week ago would prove accurate so quickly.

On the evening of May 12, the WanaCrypt0r 2.0 (WannaCry2.0 for short) ransomware broke out worldwide. WannaCry2.0 can scan the 445 file sharing ports open on a Windows machine and install malware without any user intervention.

The virus has already spread to hundreds of countries worldwide. 25 hospitals across the UK were attacked on a large scale, and many Chinese universities have also been attacked. Hackers blackmail the user by locking the computer files, and only accept bitcoins as payment.

According to analysis by Alibaba Cloud security experts, the global bitcoin blackmail virus is caused by the Windows system SMB / RDP remote command execution vulnerability leaked by the NSA.

With this vulnerability, hackers can remotely attack port 445 (for file sharing) in Windows. If Microsoft patches released in March of this year have not been installed in the system, as long as the computer is on and connected to Internet, hackers can execute code in the computer to implant the blackmail virus and other malicious programs.

In light of the risk of the Windows system SMB/RDP remote command execution vulnerability, many cloud service providers around the world disabled port 445 in April. However, many personal computers and machines in IDC physical data rooms still have port 445 exposed, which poses an opportunity for hackers.

According to news from Hangzhou Metropolis Daily, at 11 o'clock on the evening of May 12, the campus network in Xiasha Higher Education Park was hacked. Documents on students' computers were locked, and ransom had to be paid to unlock them. It was found that campus networks in many universities such as Zhejiang University Of Media And Communications, China Jiliang University, Zhejiang Sci-tech University were also hacked.

According to analysis from Alibaba Cloud Security experts, the blackmail incident spread rapidly across campus networks, the main reason being that most campus networks are basically a large interconnected LAN, and security zones were not defined for different applications. For example: student management systems, educational administration systems, etc. can be accessed through any connected device.

At the same time, IP addresses allocated for machines in labs and multimedia classrooms are mostly public IP addresses, so if the schools hadn't implemented the relevant permission restrictions, all the machines would be directly exposed.

In fact, not only campuses networks in China that were attacked but also campuses across the globe. According to the BBC, a large number of agencies worldwide in the United States, Britain, China, Russia, Spain, Italy, Vietnam and other places have reported attacks from "blackmail" software.

According to CNN, 25 hospitals in the UK were paralyzed on Friday due to "massive" hacking attacks. Surgeries were canceled and ambulances were forced to turn to other hospitals.

Medical workers said that their systems were locked and they could not get in. There was a message on the screen asking them to pay "ransom" to recover the system. Microsoft released a patch for the Windows vulnerability used by NSA hackers in March of this year.

Alibaba Cloud issued the first warning, and launched a one-click tool to detect and repair the vulnerability.

Alibaba Cloud now disables port 455 for ECS users and installs the official Windows patch by default. For all enterprises that have servers in their IDC hosting or self-built data centers, the patch from Microsoft is immediately installed for all Windows systems.

Installing the security patch is relatively simple. The user simply needs to install the patch before it is too late. But for large enterprises or organizations who have hundreds or even thousands of machines, it is better to use a client for centralized management. For example, Alibaba Cloud Server Guard provides real-time warning, defense, one-click repair, and other crucial features.

Reliable data backup can minimize the loss incurred by ransomware. You are recommended to enable the Alibaba Cloud snapshot function for data image backup, and at the same time add security protection to avoid being infected or damaged.