# Anyone get hit by WannaCry?



## Mt Spokane Photography (May 16, 2017)

I've been reviewing my backup system and came to the conclusion that it is weak. While I do have some backups on removable drives, I've been updating backups on my NAS, and it backs up to another NAS. Both could be hit. I did get emails with links to WannaCry about 10 days ago, I found them in my spam filter tonight and deleted them.

My NAS has the capability to use snapshots which I never quite understood or saw a need for. Now, I'm setting it up, since they can restore any files that get deleted or encrypted, and the snapshots cannot be affected by wannaCry or similar Malware. Its a time consuming process to set it up, but snapshots will restore my files in just a few minutes should I need to.

In the meantime, I updated my 2nd NAS with all my data and disk images, and shut it down, just in case.

We have several users in our home on my network, if anyone slips up, we will be at risk. I've updated my antivirus/internet security, it claims to have caught all attempts for the past several days, but I'm not sure I believe them.


----------



## Mikehit (May 16, 2017)

From reports here in UK, I thought systems vulnerable to Wannacry were Windows XP? 

_ I've updated my antivirus/internet security, it claims to have caught all attempts for the past several days, but I'm not sure I believe them._
I'm always sceptical of things like this - how do they know?


----------



## Mikehit (May 16, 2017)

Just read this report on Wikipedia:



> A "critical" patch had been issued by Microsoft on 14 March 2017 to remove the underlying vulnerability for supported systems, nearly two months before the attack,[20] but many organizations had not yet applied it.[21]
> 
> Those still running exposed older, unsupported operating systems were initially at particular risk, such as Windows XP and Windows Server 2003, but Microsoft has now taken the unusual step of releasing updates for these.[3][22]



My guess is that those most at risk are people who apply patches manually, and with XP no longer being supported the organisation would have to do this. I assume any decent antiviral software would have applied it as an essential update when first released.


----------



## jolyonralph (May 16, 2017)

All versions of windows from Windows XP to Windows 10 are vulnerable if they haven't been kept up to date with the latest Windows updates.

Sadly many people turn automatic updates off. I've heard people comparing those who suggest turning automatic updates off to anti-vaxxers. A bit harsh, but they have a point.

And remember, if your NAS is mapped to a mounted drive on your system and your system is affected then there's a very good chance that Ransomware will start encrypting files on your NAS too. And then you're only hope is to pay the ransom (although the general advice I'm hearing about WannaCry is that the heat is so high now they are unlikely to be responding to people who pay so you're files are likely history)

I have a Mac which means I am smugly complacent - although a friend did point out today that just means I paid the ransom at time of purchase


----------



## meywd (May 16, 2017)

Mt Spokane Photography said:


> I've been reviewing my backup system and came to the conclusion that it is weak. While I do have some backups on removable drives, I've been updating backups on my NAS, and it backs up to another NAS. Both could be hit. I did get emails with links to WannaCry about 10 days ago, I found them in my spam filter tonight and deleted them.
> 
> My NAS has the capability to use snapshots which I never quite understood or saw a need for. Now, I'm setting it up, since they can restore any files that get deleted or encrypted, and the snapshots cannot be affected by wannaCry or similar Malware. Its a time consuming process to set it up, but snapshots will restore my files in just a few minutes should I need to.
> 
> ...



Why not setup access as readonly? and the write access requires a password that you enter everytime, I know its annoying but its safer.



jolyonralph said:


> All versions of windows from Windows XP to Windows 10 are vulnerable if they haven't been kept up to date with the latest Windows updates.
> 
> Sadly many people turn automatic updates off. I've heard people comparing those who suggest turning automatic updates off to anti-vaxxers. A bit harsh, but they have a point.
> 
> ...



I am one of those people who turn updates off, at least before windows 10, I am a programmer, and I have been playing with computers since 4th grade, I know the need to update windows, but I hate the way it's forced, and I really like to keep my PC on 24/7, I use antiviruses, although I am not sure if it would matter if I didn't, as I always manually disinfect my system if it were ever compromised, and I think that mostly it's caused by bad habits of users, I always review links before I click them, check if an email is really from whoever they claim it's from, and never visit sites that look shady.


----------



## LDS (May 16, 2017)

Mt Spokane Photography said:


> My NAS has the capability to use snapshots which I never quite understood or saw a need for. st in case.



Snapshot offer a good layer of protection, as long as the ransomware is unaware of them - WannaCry attempts to delete Windows Shadow Copies (a form of snapshots) on machines it infects (of course, if your NAS is not running Windows, it can't).

Just remember they "accumulate" over time, and you may need to delete older one. Much depends on how often files are modified, usually when files are not modified very little space is used for a snapshot (just some metadata).

There are some more sophisticated ways to replicate to a secondary backup that doesn't use technologies a ransomware usually use (i.e. snapshots + rsync, or something alike, no SMB share needed), but they are a bit more complex to setup and manage. An offline backup for most important data, even a USB external disk, may be useful as the last line of protection. Or a cloud one.



Mt Spokane Photography said:


> We have several users in our home on my network, if anyone slips up, we will be at risk. I've updated my antivirus/internet security, it claims to have caught all attempts for the past several days, but I'm not sure I believe them.



You could use permissions on shared folders to limit who can change files. Of course it may not help if someone with write permission is hit by the ransomware, but it may limit damages.

Antivirus may not catch the latest and newer threats quickly enough, but it's another layer of protection anyway.


----------



## Orangutan (May 16, 2017)

meywd said:


> I am one of those people who turn updates off, at least before windows 10, I am a programmer, and I have been playing with computers since 4th grade, I know the need to update windows, but I hate the way it's forced, and I really like to keep my PC on 24/7, I use antiviruses, although I am not sure if it would matter if I didn't, as I always manually disinfect my system if it were ever compromised, and I think that mostly it's caused by bad habits of users, I always review links before I click them, check if an email is really from whoever they claim it's from, and never visit sites that look shady.



A few comments from someone who has worked in several IT roles.


This vulnerability in Windows was known, and a patch available, over a month ago. Waiting longer than a month to update manually is asking for trouble. (I've occasionally been guilty of this myself)
Prevention is best: use a script blocker (NoScript) as much as you can tolerate, and you'll have an extra layer of protection for most malware transmitted via the Web or email.
Use VirusTotal before opening/running any file you're not 100% sure about: https://www.virustotal.com.
Bottom-line: this was Microsoft's fault. If they allowed users to auto-install *true security patches only*, and did not force/coerce/trick Windows10 upgrades and other unwanted/unneeded updates, more users would leave auto-update enabled.
-O


----------



## LDS (May 16, 2017)

meywd said:


> I use antiviruses, although I am not sure if it would matter if I didn't, as I always manually disinfect my system if it were ever compromised, and I think that mostly it's caused by bad habits of users, I always review links before I click them, check if an email is really from whoever they claim it's from, and never visit sites that look shady.



This ransomware uses a vulnerability in SMB that is remotely exploitable. All that is needed is an infected machine in the same network as yours, and you have SMB version 1 enabled and accessible. Then the infection is fully automatic.

Once files are encrypted, you may manually disinfect a system (as long as you have a full understanding on what changes have been made, otherwise my advice is reinstall from scratch...), but you won't recover encrypted files unless the ransomware has a flaw, or you have a backup.

"mostly it's caused by bad habits of users", yes, mostly, but there are situations when even good habits won't save you if you have an upatched machine.


----------



## Joe M (May 16, 2017)

Not caught out as all computers are patched as they ought to be. That doesn't mean of course that I don't have everything of value backed up (four (yes I'm extreme because I've had many drives die in the past) separate rotating backups) and don't take precautions. So far so good, knock on wood. 

As far as XP goes, MS actually had the good graces to come out with a patch for those who still use it for whatever reason in order to prevent the spread. I thought that was nice of MS but again, I think it was simply to stop the spread and not encourage people to keep using XP of course. I doubt anyone on this forum is using XP (pretty sure CC doesn't work on it  ) but in case you know anyone who still is for some reason (like nostalgia), apply this now if it isn't too late...https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/


----------



## meywd (May 16, 2017)

LDS said:


> meywd said:
> 
> 
> > I use antiviruses, although I am not sure if it would matter if I didn't, as I always manually disinfect my system if it were ever compromised, and I think that mostly it's caused by bad habits of users, I always review links before I click them, check if an email is really from whoever they claim it's from, and never visit sites that look shady.
> ...



I was talking about personal computers, not within an organization, if you join a network that you don't trust then its your problem, and if in an organization its the issue of the IT department and not the user to make sure all devices are updated.


----------



## weixing (May 16, 2017)

Hi,
Luckily, none of my client affected by it at the moment.

But last year, one of my client hit by a ransomware (can't remember the name) by accidentally open an unknown email attachment and all his documents (words, excel & etc) in his PC got encrypted, but luckily there is a bug in the ransomware that it didn't manage to encrypted the "previous version", so I manage to get back most of my client files through the "previous version" and backup after I clean the malware.

Anyway, make sure you backup all your important files regularly.

Have a nice day.


----------



## peterzuehlke (May 16, 2017)

Not yet. I back-up on two external drives physically separated from the desktop, one off-site. I haven't yet had to restore because of a virus. (crashes and bad software installation, yes) I was a little tense because I run XP 64 bit on one of my partitions (some legacy software). I did install the Microsoft XP patch about 4 hours after it became available.

I manually install Windows Updates on my other partition mainly because I don't use Internet Explorer so I don't update it, and Microsoft seems to like filling the SSD I use for OS and Program code with bloat patches for IE.  (It now has twice the content of my XP partition. (and my XP partition has Photoshop on it in addition)

stay safe out there.


----------



## Mt Spokane Photography (May 16, 2017)

My NAS is rebuilt this morning, files loaded, and snapshot taken. I spent lots of time the few two days reading technical reports and from what I read there appear to be many misconceptions. Its no wonder it spread so fast. I'm also very sure that more info is coming, since researchers all over the world are digging into it. My NAS needed additional memory to take snapshots, and by coincidence, I had decided to add more memory last week after noticing it was a bottleneck. The memory arrived yesterday and was immediately popped in.

1. Affected computers were running all versions of Windows, it runs a small program that encrypts files with one of over 100 extensions. Thinking its only Windows XP is a big mistake. My error was thinking that encrypted backups on my NAS were safe. I do not have MY NAS mapped to a drive, that makes no difference, it will easily find it. The virus jumps accross different sub networks too, there is no hiding place for connected devices. 

2. Norton claims that no one with updated Norton Internet Security / Antivirus was infected, it was supposedly blocked indirectly by heuristics, and now, more directly. I see internet security programs as being generally initially venerable, but quickly patched.

3. Having Windows patched had nothing to do with getting infected, all that did was to prevent spreading the virus quickly across a network, but the local PC which acquired the virus is toast. Microsoft did patch all versions of Windows, even XP, but that was due to Eternal Blue, which used a Windows exploit to spread infection across networks. WannaCry used the same exploit to spread itself. So, now other computers on your network should not spread the virus if they are up to date.

4. Reports say that no one who paid the ransom received a key to unlock their files, they were gone. There is no hope.

5. A block level snapshot on my NAS at least is kept in a secure vault, the files themselves use a different file system which supposedly cannot be encrypted. Unfortunately, my backup NAS is older and does not support storing snapshots by rsync. I have a huge number of older pc's and a ton of hard drives, as well as some larger server cases, so I may configure a freenas server for a backup, it has better snapshot options than my Qnap TS-451. I have a older NAS yet that needs a power supply that could be brought online.

As far as sloppy practices, that's ignoring the facts of life. People do slip up, and all it takes is a click of a mouse. No one is perfect. A apparent bill arriving from some one you deal with arriving by email is all it takes. Then your computer sends out emails to everyone in your address book with the virus attached. A few will get infected. I run a online business, and there are 10's of thousands with my email address in their computers, so I get tons of email every day from compromised accounts. Occasionally, one gets thru my filters though. I had no idea that I was getting emails over a week ago linking to a supposed Google Docs file. I have never had a bad virus get thru, but I believe in belt and suspenders approaches.


----------

