Recently, researchers from Huawei Weiran Labs captured a new ransomware sample. Analysis shows that the sample's behavior is almost identical to that of the GlobeImposter ransomware family. The notice is available at https://isecurity.huawei.com/sec/web/viewBlog.do?id=1980.
According to monitoring by Huawei Enterprise GSC, this ransomware may spread widely in the near future. The impact and recommended measures are as follows:
1. Impact on Services
The ransomware encrypts audio, video, database, text, and other types of files and appends a file name extension of the form .****4444, such as .Rat4444, .Tiger4444, .Snake4444, .Monkey4444, and .Dog4444.
GlobeImposter uses the RSA-2048 algorithm to protect the encrypted data. Currently, there is no effective way to recover the encrypted data without the attacker's private key.
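The following PowerShell script is an added example for scoping the impact described above; it is not part of the Huawei notice and it is not a recovery tool. It walks the given roots, collects every file whose extension matches the ".<letters>4444" pattern the notice describes, and reports the suffixes seen, the time window in which files were written, and the most affected directories, so that an operator can tell which volumes or shares were reached and which backups or snapshots predate the encryption. The scan roots and the report path are placeholders chosen for this example.

```powershell
# Added example (not from the Huawei notice): inventory files carrying the
# GlobeImposter-style ".<letters>4444" extension and summarise the damage.
# Assumptions: $Root and $Report are placeholders; the extension pattern is
# taken from the examples in the notice (Rat4444, Tiger4444, ...).
param(
    [string[]]$Root = @("C:\Users", "D:\"),
    [string]$Report = "$env:TEMP\globeimposter-triage.csv"
)

# A dot, one or more letters, then 4444 at the very end of the file name.
$pattern = '^\.[A-Za-z]+4444$'

$hits = foreach ($r in $Root) {
    if (-not (Test-Path -LiteralPath $r)) { continue }
    Get-ChildItem -LiteralPath $r -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -match $pattern }
}

if (-not $hits) {
    Write-Host "No files with a *4444 extension found under: $($Root -join ', ')"
    return
}

# One sample normally uses a single suffix; several suffixes suggest several
# samples or intrusions and should be recorded separately.
$hits | Group-Object Extension | Sort-Object Count -Descending |
    Select-Object @{n='Extension';e={$_.Name}}, Count,
        @{n='TotalMB';e={[math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1MB, 1)}} |
    Format-Table -AutoSize

# Earliest and latest write time bound the encryption window; backups and
# snapshots taken before the earliest time are the ones worth restoring.
$sorted = @($hits | Sort-Object LastWriteTime)
Write-Host ("Encryption window: {0} -> {1}" -f $sorted[0].LastWriteTime, $sorted[-1].LastWriteTime)

# Directories with the most encrypted files show which shares/volumes were reached.
$hits | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count | Format-Table -AutoSize

# Full list for the incident record. The notice says the suffix is appended to
# the original name, so stripping it gives the original file name.
$hits | Select-Object FullName, Length, LastWriteTime,
    @{n='OriginalName';e={ $_.Name -replace '\.[A-Za-z]+4444$', '' }} |
    Export-Csv -NoTypeInformation -Path $Report
Write-Host "Details written to $Report"
```

Run it from an elevated prompt on the isolated host (or against a mounted disk image) so that ACL-protected profiles are included; the CSV is the list to hand to whoever attempts restoration from backup.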
2. Solution
2.1
Remove the network cable from the infected host to isolate it and stop the ransomware from spreading further.
Because an asymmetric encryption algorithm is used, data on a compromised host is difficult to recover. Recovery is sometimes possible, however, because some ransomware contains implementation bugs. Several antivirus vendors jointly publish decryption tools at https://www.nomoreransom.org/ that cover some ransomware families. Victims can try these tools to recover their data.
2.2
For hosts that have not been infected, the following measures are recommended.
The ransomware gains access by brute-forcing weak passwords, logging in remotely over RDP (port 3389), and then implanting the malware. Therefore:
(1) Disable RDP on the host (Remote Desktop will become unavailable) and block ports 445, 3389, 135, and 139 on firewalls and switches to prevent lateral spread. (Note: blocking these ports may affect legitimate services. Before doing so, check which services use these ports to avoid disrupting them.)
(2) Do not open emails or attachments from unknown sources, especially attachments with the extensions .js, .vbs, .exe, .scr, and .bat, because such attachments may contain credential-stealing tools or malware.
2.3
Host security hardening
(1) Change the default password of the administrator account and disable guest accounts.
(2) Replace simple passwords with complex passwords of at least 10 characters that include uppercase letters, lowercase letters, digits, and special characters. Do not use a string of digits, such as a phone number or an employee ID, as a password.
(3) Set an account lockout policy; for example, lock the account after five consecutive incorrect passwords.
(4) Install Windows patches promptly, install antivirus software, and set a password for exiting or changing the antivirus settings so that the software cannot be disabled.
(5) Back up data periodically, keeping the backups offline or otherwise not writable from the host, because ransomware also encrypts any backup it can reach. If a cloud server is used, take snapshots.
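The script below is an added example, not from the Huawei notice, that applies the host-side measures of 2.2 (1) and 2.3 (1) to (3) on a Windows host in one pass. It first performs the check the notice asks for (which processes are listening on the ports to be blocked) and counts recent failed RDP logons, then disables RDP, adds inbound block rules, disables the built-in Guest account, and sets the lockout and minimum-password-length policy. The port list, lockout threshold, and password length are taken from the notice; the rule names, the 24-hour window, the 30-minute lockout duration, and the -WhatIf dry-run support are this example's own choices. The administrator password and password complexity are not changed by the script (see the comments).

```powershell
# Added example (not from the Huawei notice). Run in an elevated PowerShell on
# the host to harden. Use -WhatIf to see what would change without changing it.
# Assumptions: port list, lockout threshold and password length come from the
# notice; rule names and the 30-minute lockout duration are arbitrary choices.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int[]]$BlockPorts = @(135, 139, 445, 3389),
    [int]$LockoutThreshold = 5,
    [int]$MinPasswordLength = 10
)

# --- Pre-check from the notice: what is actually listening on the ports to be blocked?
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $BlockPorts -contains $_.LocalPort } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Pid = $_.OwningProcess; Process = $p.ProcessName }
    } | Sort-Object Port -Unique
if ($listening) {
    Write-Warning "Services listening on ports that will be blocked (review before continuing):"
    $listening | Format-Table -AutoSize | Out-String | Write-Warning
}

# --- Failed logons in the last 24 h (event 4625). Logon type 10 is interactive RDP;
# with Network Level Authentication enabled, failed RDP attempts are logged as
# type 3 instead, so both are counted (type 3 also includes SMB failures).
$since = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -in 3, 10 }
Write-Host ("Failed network/RDP logons since {0}: {1}" -f $since, @($failed).Count)

# --- 2.2 (1): disable Remote Desktop and block the ports inbound.
if ($PSCmdlet.ShouldProcess('Remote Desktop', 'disable')) {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1 -Type DWord
}
foreach ($port in $BlockPorts) {
    $name = "Ransomware-Block-TCP-$port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess("TCP/$port", 'add inbound block rule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
        }
    }
}

# --- 2.3 (1): disable the built-in Guest account (RID 501, whatever it is named).
# The administrator password must be changed interactively, e.g.
#   Set-LocalUser -Name Administrator -Password (Read-Host -AsSecureString)
$guest = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled -and $PSCmdlet.ShouldProcess($guest.Name, 'disable')) {
    Disable-LocalUser -Name $guest.Name
}

# --- 2.3 (2)/(3): minimum password length and lockout after N failures
# (locked for 30 minutes, failure counter reset after 30 minutes). There is no
# built-in cmdlet for the local lockout policy, so 'net accounts' is used.
# Password complexity itself is set through secedit or Group Policy, not here.
if ($PSCmdlet.ShouldProcess('local account policy', 'set lockout and minimum password length')) {
    net accounts /minpwlen:$MinPasswordLength /lockoutthreshold:$LockoutThreshold /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

# --- Verify the result.
$rdp = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
Write-Host "RDP disabled: $($rdp -eq 1)"
Get-NetFirewallRule -DisplayName 'Ransomware-Block-TCP-*' |
    Select-Object DisplayName, Enabled, Direction, Action | Format-Table -AutoSize
net accounts
```

Run it once with -WhatIf to read the listening-port warning and the failed-logon count before anything is changed; a high count of failed logons on a host that still has RDP exposed is the brute-force activity the notice describes, and that host should be treated as a priority.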
3. Suggestions for Protecting Security Devices
For USG series next-generation firewalls, FireHunter6000 series sandboxes, and IPS devices, update the detection engine and virus database to the latest versions. Deploying Huawei USG firewalls together with the FireHunter6000 sandbox can effectively defend against ransomware attacks:
(1) Deploy an NGFW/NGIPS to block reconnaissance and exploitation attempts before the ransomware is delivered.
(2) Deploy switches and firewalls that support network deception to lure the ransomware into attacking simulated services and capture its intrusion behavior, reducing the probability of attacks on real systems and minimizing losses.
(3) Deploy a sandbox to inspect email attachments. The firewall can reassemble files from traffic and send them to the sandbox for inspection.
4. Summary of Defense Configuration Methods for Involved Products
(1) Firewall and sandbox
(2) AR
(3) CE series switches
(4) S series switches