2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
On May 12 (2017), the WannaCry ransomware worm broke out worldwide, and a large number of enterprises and organizations were hit by large-scale extortion. University intranets, large enterprise intranets and government agencies in China were compromised one after another.
Once a system is infected, almost every type of file on it (photos, images, documents, archives, audio and so on) is encrypted, and the criminals then demand a high ransom from the victim in exchange for decrypting the files, causing serious loss of important data.
I. Preface
This operation guide is divided into three steps:
1. Isolate the infected hosts
2. Cut off the routes of infection
3. Fix the underlying system vulnerability
II. Quarantine infected server hosts
If a host is found to be infected, quarantine it immediately. For hosts whose status is uncertain, do not try to confirm them one by one at this stage; give priority to sections III and IV below.
How to identify: hosts that display the WannaCry ransom screen (the reference screenshot is not reproduced on this page).
What to do:
Disconnect all servers from the network, for example by unplugging the network cable or disabling the network connection inside the operating system. For hosts that are already infected there is currently no effective way in the industry to recover the encrypted files; isolate them, set them aside and do nothing further to them for the time being.
Impact and possible problems:
Business systems cannot be accessed.
III. Cut off the virus's transmission paths
1. Cut off the intranet transmission route
Method:
Configure an access control policy on the intranet switches that forbids traffic between internal segments on ports 135, 137, 139 and 445. For the exact procedure, refer to the operation manual of the switch product in use.
The wireless network also needs to be isolated; the exact method depends on the wireless product. We suggest switching wireless access off entirely until all terminal computers have been patched, and only then turning it back on.
Impact and possible problems:
1) The access control policy should be enabled on every switch that supports it: core, aggregation and access layer switches alike.
2) Port 445 and the other listed ports are used by Network Neighborhood (Windows file and print sharing). Once they are blocked, services that depend on them, such as printers and shared folders, will no longer be reachable.
2. Cut off the external transmission route
Method:
Apply whichever of the following two methods can be carried out fastest in your situation.
1) Enable the corresponding protection rules on security gateway devices
Application-layer firewalls, IPS and similar security gateways may include protection for this vulnerability, which blocks spread from the external network into the intranet at the application layer. Confirm the details with the respective vendors.
2) Restrict access ports on the security gateway
If protection by the first method is not available, block access to ports 135, 139 and 445 on the border firewall device, which cuts off the external transmission route.
IV. Fix or work around the system vulnerability
Once the two steps above are complete, the internal and external propagation channels of the vulnerability are essentially cut off; next, repair the weakness that may still exist on the servers.
4.1 Repair in order of business importance, as follows:
1. Important business system servers (high priority)
Suggested criteria: production, sales, finance, R&D, supply chain, OA (office automation) and mail systems, and so on.
2. Secondary business system servers (normal priority)
Suggested criteria: internal forums, print servers and the like.
4.2 Back up important business system data first
Back up important data to separate external media, such as NAS or other external storage. Disconnect the backup medium once the copy is complete: a share that stays mounted over SMB can itself be encrypted by the worm.
4.3 Carry out the repair
Depending on your situation, choose the fastest and most suitable of the following three options; once it has been carried out successfully, the affected business can be resumed.
1. Shut down the SMB service and its ports on potentially vulnerable servers (workaround)
Method:
Enable Windows Firewall, open Advanced Settings, and create a new inbound rule that blocks the ports listed in section III (135, 137, 139 and 445).
2. Use a quick repair tool (workaround)
Method:
Download link given in the original article: Http://pan.baidu.com/s/1pLe64mn
3. Fix the system vulnerability (thorough fix of the SMB vulnerability)
Method:
Install Microsoft's MS17-010 security update. We recommend copying the patch to a USB drive and installing it manually rather than letting the host fetch it over the Internet, because an online automatic update exposes the still-unpatched host to cross-infection. Download the patches in a relatively safe environment. Microsoft's patch reference list: https://technet.microsoft.com/zh-cn/library/security/ms17-010.aspx
Download the official Microsoft patch by preference. Because some of the downloads may be slow, our company has collated the Microsoft patches and offers the following mirror for reference. Whichever source you use, check that each .msu package still carries a valid Microsoft digital signature before installing it:
Https://wx.xyclouds.com/static/bjsec/patch.zip
Impact and possible problems:
1. Options 1 and 2 are workarounds for the SMB vulnerability; they stop some system services at the same time, such as printers and shared folders.
2. Option 3 is a thorough fix of the SMB vulnerability and does not affect business services.
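The following PowerShell script is an added example for options 1 and 3 above; it is not part of the original article or any tool its authors provide. It turns Windows Firewall on and blocks the listed ports inbound, switches off SMBv1, checks by KB number whether the MS17-010 update is already present, and, if not, installs the .msu packages from a USB folder without touching Windows Update, skipping any package whose Microsoft signature does not verify. The rule names, the folder E:\ms17-010 and the use of netsh (so that the same script also runs on Windows 7 / Server 2008 R2, which lack the NetSecurity cmdlets) are assumptions of this example; the KB numbers are the ones Microsoft assigned to the MS17-010 update for each supported Windows version and should be checked against the bulletin linked above.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the server being repaired. Assumption: the MS17-010 .msu files were
# downloaded on a clean machine and copied to the USB folder given in $PatchDir.
param(
    [string]$PatchDir = 'E:\ms17-010'   # assumed USB path holding the .msu files
)

# Ports named in section III: 135 (RPC endpoint mapper), 137/138/139 (NetBIOS), 445 (SMB).
$TcpPorts = '135,139,445'
$UdpPorts = '137,138'

# KB numbers of the MS17-010 update per OS (Win7/2008R2, 8.1/2012R2, 2012,
# XP/2003/8 out-of-band release, Win10 1507/1511/1607 and Server 2016).
# On Windows 10 a later cumulative update supersedes these, so Get-HotFix may
# not list them even when the fix is present; treat "missing" as "verify".
$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')

function Block-SmbPorts {
    # Option 1: firewall on for every profile, then inbound block rules.
    # netsh is used instead of New-NetFirewallRule so this works on Windows 7 too.
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall firewall add rule name=WannaCry-Block-TCP dir=in action=block protocol=TCP localport=$TcpPorts | Out-Null
    netsh advfirewall firewall add rule name=WannaCry-Block-UDP dir=in action=block protocol=UDP localport=$UdpPorts | Out-Null
}

function Disable-Smb1 {
    # WannaCry spreads over SMBv1; turn the protocol off as well as blocking the ports.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: Microsoft's documented registry switch; takes effect after a reboot.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Value 0 -Type DWord
    }
}

function Test-Ms17010Installed {
    # True if any of the MS17-010 KB numbers appears in the installed hotfix list.
    $found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$found
}

function Install-Ms17010Offline {
    param([string]$Dir)
    # Option 3 done offline: install every .msu in the USB folder with wusa.exe,
    # but only packages whose Authenticode signature verifies (Microsoft updates are signed).
    Get-ChildItem -Path $Dir -Filter *.msu | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Skipping $($_.Name): signature status is $($sig.Status)"
            return   # inside ForEach-Object this moves on to the next file
        }
        Start-Process -FilePath wusa.exe -ArgumentList "`"$($_.FullName)`" /quiet /norestart" -Wait
    }
}

Block-SmbPorts
Disable-Smb1
if (Test-Ms17010Installed) {
    Write-Output 'MS17-010 update already present (matched by KB number).'
} elseif (Test-Path $PatchDir) {
    Install-Ms17010Offline -Dir $PatchDir
    Write-Output 'MS17-010 packages installed from USB; reboot this host to complete the fix.'
} else {
    Write-Output "MS17-010 not found and $PatchDir is not reachable; install the update before reconnecting this host."
}
```

Keep the host disconnected until the script has run and the machine has rebooted; the firewall rules and the SMBv1 switch-off also stop file and print sharing, as noted under "Impact and possible problems" above, so remove the two rules once the patch is confirmed if those services are needed.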