Emergency Handling Against the Bitcoin Ransomware for Desktop Cloud

Posted by wangxm (Mentor) on 2017-5-14 23:49:30


This document applies to the following desktop cloud versions:

- FusionAccess V100R005C10/C20/C30

- FusionAccess V100R006C00/C10

1 Background

The Bitcoin ransomware attacks are launched by exploiting the Windows SMB v1 vulnerabilities fixed by Microsoft security bulletin MS17-010 (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, and CVE-2017-0148).

2 Impact Scope and Handling Strategy

The following virtual machines (VMs) are affected:

1. Infrastructure VMs (AD and ITA servers (R5))

2. User VMs and application virtualization VMs

Handling strategy: Handle infrastructure VMs first and user VMs later.

3 Patch Installation for Currently Unaffected Sites

3.1 Back up and isolate data on infrastructure VMs in the environments:

On the Loggetter (R5) or Backup Server (R6) server, back up data from the VMs to offline storage media, such as USB flash disks.

3.2 Protect infrastructure VMs of the desktop cloud:

Note: For AD and ITA servers, install Microsoft’s official patches. Do not close ports on AD servers or enable firewalls on VMs because this will make desktop cloud services unavailable.

 

Method: install Microsoft’s official patch.

- KB4012212 (for Windows Server 2008 R2 SP1)

- KB4012213 (for Windows Server 2012 R2; the KB2919442 patch and then the KB2919355 dependent package must be installed in the operating system in advance)

- KB4012214 (for Windows Server 2012)



a) Download the patch.

Path 1:

Dependent package for Windows Server 2012 R2:

https://support.microsoft.com/en-us/help/2919442/march-2014-servicing-stack-update-for-windows-8.1-and-windows-server-2012-r2

https://support.microsoft.com/en-us/help/2919355/windows-rt-8.1,-windows-8.1,-and-windows-server-2012-r2-update-april-2014

Patch package for Windows Server 2012 R2:

https://technet.microsoft.com/zh-cn/library/security/MS17-010

Path 2 (you must log in to the Huawei enterprise cloud forum):

http://support.huawei.com/huaweiconnect/enterprise/thread-401709-1-1.html

Path 3 (web disk):

http://pan.baidu.com/s/1cpMl34

b) Copy the patch to the servers and install it on them (the operating system must be restarted during the installation).

c) In the CMD, run systeminfo | findstr <KB number> to check that the patch is installed.

For example, run systeminfo | findstr 4012212.

(Screenshot: output of the systeminfo | findstr 4012212 check.)

 

3.3 Protect user VMs of the desktop cloud:

Note: User VMs can only be protected by the official patch.

If you cannot install the patch at the moment, disable the SMB v1 protocol to mitigate the impact.

If the firewall is disabled in the operating system of the VM, do not enable it because this will make desktop cloud services unavailable.

3.3.1 Patch upgrade method 1: the WSUS patch server

- KB4012598 (for Windows XP SP3)

- KB4012212 (for Windows 7 SP1/Windows Server 2008 R2 SP1)

- KB4012213 (for Windows 8.1/Windows Server 2012 R2; Windows Server 2012 R2 needs the KB2919442 dependent package patch and then KB2919355)

- KB4012214 (for Windows Server 2012)

a) Confirm that a WSUS server has been deployed in your site.

b) Confirm that patches on the WSUS server are updated at least to March 15, 2017.

c) Find the required patch, approve it, and apply it to your computers.

d) In the group policy, choose Computer Configuration > Administrative Templates > Windows Components > Windows Update and configure the patch update policy:

Configure Automatic Updates: Enabled (Auto download and schedule the install)

Specify intranet Microsoft update service location: Enabled (server address: http://<IP address of the patch server>:8530)

e) Restart the VM to trigger the patch installation.

f) Check the patch installation on the WSUS server.

 

3.3.2 Patch upgrade method 2: manual installation

- KB4012598 (for Windows XP SP3)

- KB4012212 (for Windows 7 SP1/Windows Server 2008 R2 SP1)

- KB4012213 (for Windows 8.1/Windows Server 2012 R2; Windows Server 2012 R2 needs the KB2919442 dependent package patch and then KB2919355)

- KB4012214 (for Windows Server 2012)

a) Download the patch (for Windows 7/Windows Server 2008 R2/Windows 8.1/Windows Server 2012/Windows Server 2012 R2).

Path 1:

https://technet.microsoft.com/zh-cn/library/security/MS17-010

Path 2 (you must log in to the Huawei enterprise cloud forum) (for Windows 7 32-bit and Windows 7 64-bit):

http://support.huawei.com/huaweiconnect/enterprise/thread-401701.html

Path 3 (web disk):

http://pan.baidu.com/s/1cpMl34

Download the patch (for Windows XP: KB4012598).

Path 1:

http://www.catalog.update.microsoft.com/search.aspx?q=4012598

Path 2 (you must log in to the Huawei enterprise cloud forum):

http://support.huawei.com/huaweiconnect/enterprise/thread-401713-1-1.html

Path 3 (web disk):

http://pan.baidu.com/s/1cpMl34

b) Copy the patch to the VM and install it on the VM (the operating system must be restarted during the installation).

c) In the CMD, run systeminfo | findstr <KB number> to check that the patch is installed.

For example, run systeminfo | findstr 4012212.

(Screenshot: output of the systeminfo | findstr 4012212 check.)
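As an added example (not a script from the original post), the following batch file performs the step c check for every KB number listed in sections 3.2 and 3.3 in one pass, so the same file can be run on any of the supported operating systems. It captures systeminfo once, searches it for each KB, and returns exit code 1 when none of the listed patches is present; the file name and the temporary file path are my own choices.

```batch
@echo off
rem CheckMS17010.bat - added example, not from the original post.
rem Runs the "systeminfo | findstr KB" check from step c for all MS17-010
rem KB numbers listed above at once.
rem Exit code 0 = one of the listed patches is installed, 1 = none found.
setlocal enabledelayedexpansion
set "PATCHED=0"
set "SYSINFO=%TEMP%\ms17-010-check.txt"

rem systeminfo takes several seconds, so capture it once and search the file.
systeminfo > "%SYSINFO%"

for %%K in (KB4012598 KB4012212 KB4012213 KB4012214) do (
    findstr /i "%%K" "%SYSINFO%" >nul
    if !errorlevel! equ 0 (
        echo [OK] %%K is installed
        set "PATCHED=1"
    )
)
del "%SYSINFO%"

if "!PATCHED!"=="0" (
    echo [WARNING] No MS17-010 patch found. Install the KB for this operating system.
    exit /b 1
)
exit /b 0
```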

 

 

3.3.3 Workaround for Windows 7

Note: This workaround is only for the situation where the patch cannot be pushed promptly. You still need to install the patch to solve the problem.

This workaround affects the file sharing service (for example, shared files can no longer be used), so it cannot be used as a final solution.

Use a group policy to push a script that disables the SMB v1 protocol.

a) Copy the following script to the AD server:

(Screenshot: contents of the DisableSMBv1.bat script.)

b) Add a group policy that applies to all Windows 7 user VMs.

c) Choose Computer Configuration > Windows Settings > Scripts (Logon/Logoff) and add the DisableSMBv1.bat script from step a as a startup script.

d) In the command-line interface (CLI) of the AD server, run gpupdate /force to refresh the group policy.

e) Restart the VM so that the group policy takes effect. The script is executed automatically.
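The post's own DisableSMBv1.bat survives only as a screenshot. As an added example that is not that script, here is a DisableSMBv1.bat for Windows 7 built on the method Microsoft documents in KB2696547: it turns off the SMB v1 server component through the LanmanServer registry value and removes the SMB v1 client driver from the workstation dependencies. It runs with the rights of a computer startup script and, as step e says, takes effect after a restart.

```batch
@echo off
rem DisableSMBv1.bat - added example, not the script shown in the original post.
rem Disables SMB v1 on Windows 7 / Windows Server 2008 R2 using the registry
rem value and service changes documented by Microsoft in KB2696547.
rem Needs administrative rights (a GPO computer startup script has them).
rem The change takes effect after the VM is restarted.

rem --- SMB v1 server side: stop the LanmanServer service from offering SMB1 ---
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v SMB1 /t REG_DWORD /d 0 /f
if errorlevel 1 (
    echo [ERROR] Could not write the SMB1 registry value
    exit /b 1
)

rem --- SMB v1 client side: remove mrxsmb10 from the workstation dependencies ---
rem and keep the SMB1 redirector driver from starting. The space after "=" is
rem required by sc.exe syntax.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

rem Verify after the restart with:
rem   reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v SMB1
rem   sc.exe qc mrxsmb10   (START_TYPE should be DISABLED)
echo SMB v1 disabled; restart the VM for the change to take effect.
exit /b 0
```

Because this disables SMB v1 on both the client and the server side, any share that only speaks SMB v1 (older NAS devices, for example) becomes unreachable from the VM, which is the file sharing impact the note above warns about.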

 

4 Restoring Affected Sites

Shut down affected VMs and restore them one by one to prevent them from being infected again.

4.1 Back up and isolate data on the infrastructure VMs in your environments:

On the Loggetter (R5) or BackupServer (R6) server, copy data on the VMs to offline storage media such as USB flash disks.

4.2 Restore affected infrastructure VMs

4.2.1 Restore ITA VMs

These VMs do not store data themselves; the data is stored on Linux VMs. Therefore, restore the ITA VMs as instructed in section “Operation and Maintenance > System Management > Backup and Restoration” of the corresponding solution document.

4.2.2 Restore AD VMs

Data on AD VMs is backed up online by a backup server during operation. Therefore, restore the AD VMs as instructed in section “Operation and Maintenance > System Management > Backup and Restoration” of the corresponding solution document.

4.3 Restore affected user VMs

a) Make a new VM template.

b) Install antivirus software on it, scan it, and remove any malware found.

c) Update operating system patches on it.

d) Enable the firewall on it, then configure port exceptions based on the desktop cloud port matrix.

e) Provision user VMs again.

 


Last edited by wangxm on 2017-05-15 22:05.
