Ransomware solution
1. Introduction to Ransomware
Nowadays, a computer ransomware virus has swept dozens of countries around the world. Windows computers in the United States, Russia, China, and European countries have suffered the most.
Unlike some previous large-scale outbreaks of viruses, such as panda burning incense, hackers developed this virus not to show off skills (single attack on computer software and hardware) but to earn money. When the computer is invaded by a disease, the text in the computer will be encrypted, making it impossible to open it.
The hacker will ask you to provide $300 (2,000 yuan) in bitcoins before giving you the password to unlock it. The reason why the ransom paid must be Bitcoin is that the account of this electronic currency is not easy to track, and it is easier to hide the true identity of the hacker.
The designer of the virus deliberately translated Bosso’s explanatory information into the language versions of more than 20 countries and regions, so that every person infected with the virus in the world can understand the payment information, which shows the great ambition. Moreover, if the computer infected with the virus belongs to a high-performance server, the virus will also plant a mining program in this computer, making this computer a tool for producing Bitcoin. The attacker can do everything to the greatest extent. Extract the economic value of the victim computer.
After the computer is infected with this virus, the files in the hard disk will be encrypted by the AES+RSA 4096-bit algorithm.
Encountering this level of encryption, it may take hundreds of thousands of years for all current home computers to brute force. So once he was so sick and encrypted the writings on his computer, Bai Ji couldn't decrypt his dad's files anyway. If the important files of the government or public institutions are encrypted, only the backup files can be restored.
It is worth noting that this virus attack also targeted specific groups of people, similar to "precise delivery. Daquan industry's public mailboxes, high-end restaurants' official websites, etc. are the key targets of the attack. At first, the virus disguised as a title is very attractive. Human e-mails, or ordinary documents disguised as PDFs or DOCs, if a vulnerable computer opens these links or files, it may be slapped.
If the recruited computer is in a local area network, then as long as one computer is infected with a virus, other computers will be infected immediately as long as they are turned on and connected to the Internet.
Viruses will launch attacks through vulnerabilities in file sharing and network printer sharing ports like port 445.
Two, server emergency preventive measures
1. Immediately organize intranet inspections and find all terminals and servers that open the 445SMB service port. Once a poisoned machine is found, immediately disconnect the network and deal with it. At present, it seems that formatting the hard disk can clear the virus.
2. Once you find a computer poisoned, immediately disconnect the Internet
3. Enable and open "Windows Firewall", enter "Advanced Settings", and disable "File and Printer Sharing" related rules in the inbound rules. Close UDP port 135, 445, 137, 138, 139 Close network file sharing
4. It is strictly forbidden to use U disk, mobile hard disk and other devices that can perform ferry attacks.
5. Back up important files in the computer as soon as possible.
6. Update the latest versions of operating systems and applications in a timely manner.
7. Under normal circumstances, the database server upgrade MS17-010 patch will not close port 1433. Sqlserver i uses port 1433 by default. In some cases, port 1433 may be closed. The situation is unknown.
Please refer to Article 6
3. Workstation preventive measures
It is currently known that Windows 10 operating system only has automatic updates turned on, and there is no risk of poisoning. At present, Windows 7 and even Windows XP computers that are widely used in China are relatively high-risk. Microsoft has already released system patches for all Windows systems. In addition, high-risk ports like 445 are best turned off for ordinary home computers.
1. Open the control panel and click on firewall
2. Click "Advanced Settings
3. Click the posting rule first and then click the new rule.
4. Check "Port", click "Protocol and Port
5. Check "Specific local port", fill in 445, and click Next
6. Click the block link", go to the next step, and name the rule, it's fine
Still, the best anti-virus software is not as good as a good security awareness. In this information age, a system vulnerability can be fixed with a patch, but people lack security awareness and do not know when it will be blocked.
Fourth, Kaspersky anti-virus deployment
Kaspersky Anti-Virus was deployed for the first time to detect and kill to help corporate office computers respond to the ransomware attack.
Responding to ransomware, boot operation guide:
1. Prepare a USB flash drive or mobile hard drive, which can be in a safe network environment at home before going to work on Monday.
2. After arriving at the company, first unplug the network cable of the office computer, turn off the wireless network switch, and then turn it on again.
3. Use the prepared U disk or mobile hard disk to insert into the office computer and install 360 Security Guard [Offline Disaster Relief Edition
4. Install and deploy Kaspersky Anti-Virus and immunization tools, and detect whether your computer has vulnerabilities. If your current system does not have a missing patch installed,
5. Please wait patiently during the process of fixing the loopholes, it usually takes 3-5 minutes.
6. After the repair is successful, a pop-up window will prompt you. Please restart your computer for the repair operation to take effect completely
7. After restarting the computer, you can run the NSA defense tool through the [ransomware virus relief] shortcut on the desktop to ensure that your system has been repaired.
Supplementary note: For some special systems (such as the GHOST streamlined system), due to the artificial modification of the system itself, the vulnerability fixes cannot be installed normally. For security reasons, the tool will directly close the network ports and network ports required for sharing for you. system service.
Five, return operation
When the patch has been installed and the security is confirmed, and the port must be opened, the return operation can be performed, and the steps are as follows:
1. Open the control panel and click on firewall
2. Click "Advanced Settings.
3. Click "Inbound Rules" first, and then select the rule you created.
4. Then click "Disable Rule" on the right.
5. At this time, the green ditching graphic in front of this rule disappears.
After the operation is completed, the closed port is reopened.
6. Network preventive measures
1. Identity authentication includes two aspects: host and application.
The host operating system login, database login and application system login must be authenticated. Identifiers and passwords that are too simple are easily cracked by brute force attacks. At the same time, illegal users can listen through the network, thereby gaining administrator rights, and can illegally access any resources and operate unauthorized operations. Therefore, the complexity of the user name/password must be increased, and to prevent it from being heard by the network: At the same time, the failure handling mechanism should be considered.
2. Access control
Access control includes two aspects: host and application.
Access control is mainly to ensure the legitimate use of host resources and application system resources by users. Illegal users may try to impersonate legitimate users to enter the system, and low-privileged legitimate users may also attempt to perform operations of high-privileged users. These behaviors will bring great security risks to the host system and application systems. The user must have a legal user identifier and operate under the established access control policy to prevent unauthorized operations.
3. System audit
System audit includes two aspects: host audit and application audit.
The operation behavior after logging in to the host must be audited by the host. Strict behavior control is required for services and important hosts, and necessary records and audits of user behaviors and commands used are required to facilitate future analysis, investigation, and evidence collection, and to standardize host use behavior. As for the application system, the requirement of application audit is also put forward, that is, to audit the usage behavior of the application system. Focus on auditing application layer information, which is closely related to the operation process of the business system.
It can provide sufficient information for security events, is closely related to identity authentication and access control, and provides audit records for related events.
4. Intrusion prevention
The host operating system is facing various targeted intrusion threats. Common operating systems have various security vulnerabilities, and now the time difference between the vulnerability being discovered and the vulnerability being exploited has become shorter and shorter, which makes the operating system itself The security brings huge security risks to the entire system. Therefore, requirements are put forward for the installation, use, and maintenance of the host operating system to prevent intrusions against the system.
5. Malicious code prevention
Viruses, bugs and other malicious codes are the hidden thoughts that cause the greatest harm to the computing environment. At present, viruses are very powerful. Not only the outbreak of pests, they will immediately spread to other subnets, launching network attacks and data theft. Occupies a large amount of the very limited bandwidth of normal business, causing serious degradation of network performance, server crash and even interruption of network training communication, information damage or leakage of demand. Seriously affect normal business development. Therefore, malicious code prevention software must be deployed for defense. At the same time, the malicious code base is kept up to date.
