Websites are brimming over with information about a dangerous ransomware called WannaCry, which can spread, among other things, through a bug in the Windows OS. The bug is so serious that Microsoft even decided to release a patch for the already unsupported Windows XP. You could easily get the impression that this danger is limited to desktop operating systems. However, this is not true!
It has been explained many times, but for completeness: ransomware is a type of malware that prevents access to your computer and your data files by encrypting them. To get the encrypted files back, a ransom payment is demanded. Most malware of this type penetrates the computer via email; however, the exact method by which WannaCry spreads has not been determined yet. What has already been identified is its use of the EternalBlue exploit and the DoublePulsar backdoor developed by the NSA. Because of the seriousness of this exploit and backdoor, an update was released for all Windows operating systems and, as mentioned above, even for the already unsupported Windows XP.
By the way, the WannaCry ransomware was not the first to make use of the EternalBlue exploit for its propagation. Two weeks earlier, the Adylkuzz malware had been spreading the same way, but it did not receive as much media attention as the ransomware. This malware used the infected machines to mine the Monero cryptocurrency.
Coolhousing leases MS Windows Server licences to its customers under the SPLA agreement. Media often describe the WannaCry ransomware as dangerous for desktop operating systems only, primarily targeting MS Windows XP. One could easily get the impression that other Windows operating systems can only be infected in the standard way for ransomware: by email or by something downloaded from the Internet.
Unfortunately, in the past two weeks, Coolhousing technicians and our CSIRT team have solved many problems associated with the WannaCry ransomware and the Adylkuzz malware on customer servers. Coolhousing regularly backs up customer data, so our customers have been spared from paying ransoms for their files. Data recovery was a matter of a few seconds and clicks in the client section. The number of cases was so high that we ruled out spread of the ransomware by the usual route.
We looked for what the infected servers had in common. The first common feature in most cases was the operating system, Windows Server 2008 R2, which proves that ransomware, not only WannaCry, is a threat to server operating systems too! Across operating system versions we found other common features, all caused by failure to follow three basic security rules:
- 1) Weak or default passwords
- 2) Non-updated operating system
- 3) Insufficient server security (firewall, etc.)
As a provider of hosting services, not only for Windows operating systems, and as a member of the secure network FENIX, we appeal to all administrators of physical or virtual servers:
- 1) Set strong passwords
- 2) Keep your operating system up to date and enable automatic updates
- 3) Basic protection by the Windows Firewall and a good configuration can save you from many problems
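As an added, read-only audit of the three rules above on a Windows Server host (example code written for this post, not Coolhousing's own tooling): it checks the local password policy, automatic updates and patch age, the firewall profiles, and additionally whether SMBv1, the protocol EternalBlue targets, is switched off. It assumes an elevated PowerShell 2.0+ session on Windows Server 2008 R2 or later; the 12-character and 60-day thresholds are my assumptions.

```powershell
# Added audit script, not Coolhousing's own tooling. Read-only; prints PASS/FAIL per check.
# Assumes an elevated PowerShell 2.0+ session (Windows Server 2008 R2 ships with it).

function Get-RegValue($Path, $Name) {
    # Returns the registry value or $null when the key/value does not exist.
    return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-PasswordPolicy {
    # Rule 1: parse 'net accounts' for minimum password length and lockout threshold.
    $out = net accounts | Out-String
    $minLen = 0; $lockout = 'Never'
    if ($out -match 'Minimum password length:\s+(\d+)') { $minLen = [int]$matches[1] }
    if ($out -match 'Lockout threshold:\s+(\S+)')      { $lockout = $matches[1] }
    return ($minLen -ge 12 -and $lockout -ne 'Never')   # assumed thresholds
}

function Test-AutomaticUpdates {
    # Rule 2a: AUOptions 4 = download and install automatically; the policy key wins over the local key.
    $policy = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'AUOptions'
    $local  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions'
    $value = if ($policy -ne $null) { $policy } else { $local }
    return ($value -eq 4)
}

function Test-RecentPatching {
    # Rule 2b: the newest installed hotfix must be younger than 60 days (assumed threshold).
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest -eq $null) { return $false }
    return (((Get-Date) - $latest.InstalledOn).Days -le 60)
}

function Test-FirewallProfiles {
    # Rule 3: every Windows Firewall profile must be enabled.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($p in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        if ((Get-RegValue "$base\$p" 'EnableFirewall') -ne 1) { return $false }
    }
    return $true
}

function Test-Smb1Disabled {
    # EternalBlue targets SMBv1. On 2008 R2 the switch is the SMB1 DWORD under
    # LanmanServer\Parameters; it is absent by default, which means SMBv1 is on.
    return ((Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'SMB1') -eq 0)
}

$checks = @{ 'Strong local password policy' = Test-PasswordPolicy; 'Automatic updates enabled' = Test-AutomaticUpdates;
             'Patched within 60 days' = Test-RecentPatching; 'Firewall on for all profiles' = Test-FirewallProfiles;
             'SMBv1 disabled' = Test-Smb1Disabled }
foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    Write-Output ("{0,-4} {1}" -f $status, $name)
}
```

Any FAIL line maps directly to one of the three rules in the post; the script changes nothing, so fixes are still applied by hand or by policy.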
If you do not know how to improve the security of your server, please contact our administrators. They will be happy to help you with the server configuration as part of the extra administration service offered with your hosting.
And finally, a bit of icing on the cake: as a test, we launched a Windows virtual server (VPS) with a freshly installed MS Windows Server 2008 R2. We left everything in the default setup, enabled RDP connections and browsed the Internet. We declare that we did not visit any sites where malware is to be expected. Within just 3 hours, the server was infected with the WannaCry ransomware.
Do not underestimate the security of your desktops, and even less that of your servers!