Summary of events

Since the evening of May 12 (Beijing time), a ransomware worm called Wanna Decrypt0r has been spreading across the Internet worldwide; users in nearly 100 countries have been attacked so far. Wanna Decrypt0r encrypts the files on the victim's computer and demands a Bitcoin ransom to decrypt and restore them. China's higher-education networks have been hit hardest, and other sectors, including some government and corporate intranets, have also been affected.




What is the Wanna Decrypt0r ransomware?

• Wanna Decrypt0r extorts money (in Bitcoin) from the victim by encrypting the data files on the victim's computer. The encryption is strong enough that the files are practically impossible to recover without the corresponding decryption tool.

• The ransomware is a worm: it automatically attacks and infects other Windows computers on the same network through the MS17-010 vulnerability (SMB, reached over TCP port 445).





Event timeline

  • In August 2016, a hacker group calling itself the Shadow Brokers claimed to have hacked another hacker group, the Equation Group. The Equation Group, alleged to be an NSA hacking unit, has been active for more than 20 years with tooling more sophisticated than that of most hacker groups. The Shadow Brokers released a trove of what they said were NSA surveillance and hacking tools on the Internet, and held back some of the files for a public auction.
  • On April 8, 2017, the Shadow Brokers released the decompression password for part of the retained archive.
  • On April 14, 2017, the Shadow Brokers released a second wave of retained files, including 23 new hacking tools; one of them (ETERNALBLUE) exploits Microsoft's MS17-010 vulnerability, the same vulnerability used by the Wanna Decrypt0r ransomware.
  • On April 14, 2017, Microsoft's MSRC issued an announcement stating that most of the vulnerabilities had already been fixed and patched; MS17-010 in particular had been fixed in the March 2017 security update.
  • On May 12, 2017, the Wanna Decrypt0r ransomware broke out using the MS17-010 vulnerability; it has so far hit users in nearly 100 countries.


Not hit yet. What can I do to prevent it?

  • If you are running a genuine operating system, patching is the best option: Microsoft released the fix in March, and it is installed through automatic updates. According to the latest news, Microsoft decided today (May 13, Beijing time) to release a special security patch for this attack for Windows XP and Windows Server 2003, which are no longer supported.
  • If you are running a pirated operating system that cannot use automatic updates, try installing the patch through one of the third-party security products.
  • If you really cannot install the patch (for example, it crashes the machine or prevents it from booting), use the built-in Windows firewall to block access to port 445. The concrete steps depend on your Windows version; see an online tutorial such as jingyan.baidu.com/article/d62… . If the tutorial is still unclear, use one of the "immunity" tools released by security companies, such as t.cn/RX6FcHb
  • Enterprise server users: after installing the patch, and provided no service needs port 445, use a firewall to block access to port 445. Enterprises that use third-party security services or products can consult the vendor that provides them.
  • Users of domestic public clouds (Aliyun, UCloud, etc.): because the worm spreads over ports 139 and 445, the operators have blocked port 445 on the public network (the education network and corporate intranets, where it was not blocked, have become the hardest-hit areas).

Origin

A question from Zhihu: how to implement table sharding in Django?

This is a sore point of the Django ORM. Django has good support for multiple databases: with using() and database routers you can work across several databases. Sharding a single table, however, gets less friendly treatment. It is not hard to handle, just not elegant.

Analysis

In Django, database access is essentially done through QuerySet; a query such as User.objects.filter(group_id=10) is a QuerySet request.

objects is a models.Manager, which is in turn a wrapper around QuerySet. QuerySet is the intermediate layer that is eventually turned into SQL (this is the ORM: converting model operations into SQL statements). So by the time we write User.objects, the table to access is already fixed; it is determined by db_table in the model's class Meta.

    from django.db import models


    class User(models.Model):
        username = models.CharField(max_length=255)

        class Meta:
            db_table = 'user'

In theory we could modify db_table at run time and do CRUD against the right table, but the5fire read the source again and again and found no way to do it: objects.filter(group=10) merely adds a WHERE clause to the SQL already being generated, so there is no point at which db_table can be set dynamically during filter().

The same goes for the get() in the question, since get() just runs a filter() and returns the first element of the result cache (_result_cache[0]).

Scheme 1

In the5fire's view, modifying db_table while executing a specific query is out (unless, of course, you are prepared to rewrite the model's Meta handling and the QuerySet logic; respect to anyone who does).

So it has to be handled at the definition level: define several models with the same fields but different db_table values, something like this:

    from django.db import models


    class User(models.Model):
        username = models.CharField(max_length=255)

        class Meta:
            abstract = True


    class User1(User):
        class Meta:
            db_table = 'user_1'  # by default Django uses '<app>_<model_name>'.lower() as the table name


    class User2(User):
        class Meta:
            db_table = 'user_2'

At call time, pick the model from the id (id=3 is routed to User2 here); a dict keeps the mapping:

    user_sharding_map = {
        1: User1,
        2: User2,
    }


    def get_sharding_model(id):
        key = id % 2 + 1
        return user_sharding_map[key]


    ShardingModel = get_sharding_model(3)
    ShardingModel.objects.get(id=3)

Hard-coding classes like that throws away what makes Python a dynamic language, and it does not scale to, say, 128 tables. Better to create User1, User2, ..., UserN dynamically:

    from django.db import models


    class User(models.Model):
        _sharding_cache = {}  # piece -> generated model, so each shard class is built and registered once

        @classmethod
        def get_sharding_model(cls, id=None):
            piece = id % 2 + 1
            if piece in cls._sharding_cache:
                return cls._sharding_cache[piece]

            class Meta:
                db_table = 'user_%s' % piece

            attrs = {
                '__module__': cls.__module__,
                'Meta': Meta,
            }
            # type() builds a concrete subclass of the abstract User for this shard;
            # without the cache every call would re-register the model with Django's app registry
            model = type(str('User%s' % piece), (cls, ), attrs)
            cls._sharding_cache[piece] = model
            return model

        username = models.CharField(max_length=255, verbose_name="the5fire blog username")

        class Meta:
            abstract = True


    ShardingUser = User.get_sharding_model(id=3)
    user = ShardingUser.objects.get(id=3)

That looks a little better, but there is a problem: id=3 has to be passed twice, and if the two values disagree the query goes to the wrong shard. The model layer should give the upper layer a single entry point.

    class MyUser(User):  # User with get_sharding_model() from the block above
        # add method BY the5fire
        @classmethod
        def sharding_get(cls, id=None, **kwargs):
            assert id, 'id is required!'
            Model = cls.get_sharding_model(id=id)
            return Model.objects.get(id=id, **kwargs)

        class Meta:
            abstract = True

Upper layers then only call MyUser.sharding_get(id=10). This does, however, break the usual Model.objects.get convention.

Anyway, this is one solution, and there is room to polish it further, but it is frustrating to drill through Django's ORM looking for a hook point.

Let's look at Scheme 2.

    Scheme 2

The ORM pipeline is Model -> SQL -> Model, and in Scheme 1 we were fighting the Model -> SQL half. We can skip that half and use raw SQL.

The manager's raw() method bypasses the first conversion while still performing the second, SQL rows to model instances. For the SELECT-only case:

    from django.db import models


    class MyUser(models.Model):
        id = models.IntegerField(primary_key=True, verbose_name='ID')
        username = models.CharField(max_length=255)

        @classmethod
        def get_sharding_table(cls, id=None):
            piece = id % 2 + 1
            return cls._meta.db_table + str(piece)

        @classmethod
        def sharding_get(cls, id=None, **kwargs):
            assert isinstance(id, int), 'id must be integer!'
            table = cls.get_sharding_table(id)
            sql = "SELECT * FROM %s" % table
            kwargs['id'] = id
            # values go through params (parameterised); the column names in kwargs keys are
            # interpolated into the SQL, so they must never come from user input
            condition = ' AND '.join([k + '=%s' for k in kwargs])
            params = [str(v) for v in kwargs.values()]
            where = " WHERE " + condition
            try:
                return cls.objects.raw(sql + where, params=params)[0]
            except IndexError:  # the5fire: raw() raises no DoesNotExist; an empty result is an IndexError
                return None

        class Meta:
            db_table = 'user_'

    That’s the idea. The code could be a little more rigorous.
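One way to make the raw-SQL scheme rigorous on the point that matters most, as an added example that is not the5fire's code: the shard table name and the column names from **kwargs are interpolated into the statement, and identifiers cannot be parameterised, so they have to be validated before they reach the string. This standalone version uses sqlite3 instead of Django (so "?" placeholders rather than Django's "%s"), keeps the page's id % 2 + 1 routing rule, allow-lists the columns, and passes values as parameters. The table layout, the ALLOWED_COLUMNS set and the rows are constructed for the example.

```python
"""Added example: a sharded lookup whose raw SQL stays injection-safe."""
import re
import sqlite3

SHARDS = 2
ALLOWED_COLUMNS = {"id", "username"}  # assumed columns of the user table (constructed)
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def shard_table(base, id_):
    """'user_' + (id % 2 + 1): the routing rule used on the page."""
    if not isinstance(id_, int):
        raise TypeError("id must be an integer")
    return f"{base}{id_ % SHARDS + 1}"


def build_sharded_select(base, id_, **kwargs):
    """Return (sql, params). Column names are checked against the allow-list,
    so a key such as "username = 'x' OR 1=1 --" is rejected, never interpolated."""
    table = shard_table(base, id_)
    kwargs["id"] = id_
    for col in kwargs:
        if col not in ALLOWED_COLUMNS or not IDENT_RE.match(col):
            raise ValueError(f"unexpected column: {col!r}")
    where = " AND ".join(f"{col} = ?" for col in kwargs)
    return f"SELECT * FROM {table} WHERE {where}", tuple(kwargs.values())


def sharding_get(conn, id_, **kwargs):
    """Fetch one row from the right shard as a dict, or None (no DoesNotExist here either)."""
    sql, params = build_sharded_select("user_", id_, **kwargs)
    row = conn.execute(sql, params).fetchone()
    return dict(row) if row is not None else None


def constructed_db():
    """In-memory shards user_1 and user_2 holding two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    for n in range(1, SHARDS + 1):
        conn.execute(f"CREATE TABLE user_{n} (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO user_2 VALUES (3, 'alice')")  # 3 % 2 + 1 == 2
    conn.execute("INSERT INTO user_1 VALUES (4, 'bob')")    # 4 % 2 + 1 == 1
    return conn


if __name__ == "__main__":
    conn = constructed_db()
    print(sharding_get(conn, 3))                  # {'id': 3, 'username': 'alice'}
    print(sharding_get(conn, 4, username="bob"))  # {'id': 4, 'username': 'bob'}
```

The allow-list, not the regular expression, is the real control: the regex only rejects obviously malformed identifiers, while the set ties accepted column names to the model's actual fields. Note also that values are passed through untouched rather than coerced with str(), so the database driver applies its own typing.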

Conclusion

Looking only at Scheme 1, you might conclude that Django should not be used for a project with this much data; the5fire's first attempt to find an elegant hook for db_table was a complete failure. But every project grows from small to large, and as data and business grow, its engineers should also come to know Django better; at some point they may find that switching to another, more flexible framework costs about as much as customising Django directly.



So attacks from the public network are basically nothing to worry about; however, it is still recommended to use the firewall provided by the cloud vendor to block ports 139 and 445 as well.
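The prevention advice above rests on one observation: the worm spreads by reaching TCP/445 (and 139) on other machines in the same network. That behaviour is also what a defender can look for. The following is an added example, not part of the UCloud advisory and not any product's detection logic: it reads firewall log lines and flags any source that touches many distinct SMB targets within one time window, which is what a scanning worm looks like and what a normal client, which talks to a handful of file servers, does not. The log format ("<iso-timestamp> <src> <dst> <dport> <action>"), the hosts and the sample lines are constructed for the example; the threshold and window are assumptions to tune per network.

```python
"""Added example: flag hosts that show SMB worm-scanning behaviour in firewall logs."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}


def _constructed_log():
    """Constructed sample lines in the assumed format '<iso-timestamp> <src> <dst> <dport> <action>'."""
    base = datetime(2017, 5, 12, 19, 2, 0)
    lines = []
    # 10.1.0.7 behaves like the worm: 30 different neighbours on 445 within 30 seconds
    for i in range(1, 31):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.1.0.7 10.1.0.{100 + i} 445 ALLOW")
    # 10.1.0.8 behaves like a normal client: one file server, plus some web traffic
    for i in range(3):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 10.1.0.8 10.1.0.5 445 ALLOW")
    lines.append(f"{base.isoformat()} 10.1.0.8 10.1.0.9 80 ALLOW")
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for a line that does not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_scanners(lines, threshold=10, window_seconds=60):
    """Return {src: most distinct SMB targets reached in any one window} for every
    source that reached at least `threshold` distinct targets on 139/445 in a window.
    Windows are fixed-size buckets of `window_seconds`, keyed on the event time."""
    targets = defaultdict(set)  # (src, window index) -> set of destinations
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport not in SMB_PORTS:  # only lateral SMB connections count
            continue
        window = int(ts.timestamp()) // window_seconds
        targets[(src, window)].add(dst)
    suspects = {}
    for (src, _), dsts in targets.items():
        if len(dsts) >= threshold:
            suspects[src] = max(len(dsts), suspects.get(src, 0))
    return suspects


if __name__ == "__main__":
    for src, n in find_scanners(_constructed_log()).items():
        print(f"possible SMB worm activity from {src}: {n} distinct targets on 139/445 within 60 s")
```

Fixed buckets keep the code short but can split a burst that straddles a window boundary across two buckets and undercount it; set the threshold with that in mind, or replace the bucketing with a sliding window. A hit on an internal source is a reason to isolate that host and check it for the patch, not proof of infection on its own, since vulnerability scanners and inventory tools produce the same pattern.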





I have been hit. What should I do?

  • To those who have been hit, our deep sympathy. Some reported victims have paid the ransom and still have not received a decryption program. Do not pay the Bitcoin ransom: paying only strengthens the ransomware industry and leads to more and more extortion incidents.
  • Keep the encrypted files and watch for decryption programs released by security companies or by the ransomware authors.
  • Reinstall the system, install the patches as advised above, take the preventive measures, and keep up good security habits.





Once bitten, twice shy: what should be done afterwards?

For individuals

  • Develop good security habits: patch promptly, install security protection software, download software only from official channels, and so on. These small habits are often what saves you at the critical moment.
  • The most effective means: find a boyfriend or girlfriend who works in security :) What, they got hit too? Then you need a new one; I have contacts, message me privately.

For businesses

  • Set aside a budget and build your own security team, or use professional third-party security services and products.
  • Users of domestic public clouds can use the image and data backup services provided by the cloud vendor so that data can be recovered promptly even after an attack. For example, the Data Ark product from UCloud, China's largest neutral cloud computing provider, can restore data to its state at any second within the past 12 hours.
  • Be nice to the security people in your company: take them to dinner and give them a raise.





This article is provided by the UCloud Security Team.




