It's just come to light that there's a $300 ransom you have to pay because ransomware targeting Microsoft Windows has encrypted your data. What steps do Linux users need to take to protect against this if, for example, they are using Wine?
This ransomware is widely reported to be based on a tool developed by the NSA to hack into computers. The NSA tool was leaked by a hacker group called the Shadow Brokers. The code can be found on GitHub.
Microsoft released a patch (MS17-010) against this vulnerability on March 14, 2017. The mass infection is reported to have begun spreading on April 14th. This is discussed here.
As I haven't booted Windows 8.1 in 6 to 8 weeks, can I apply this patch from Ubuntu without booting Windows first? (After research it may be possible ClamAV could report the vulnerability from the Linux side looking into Windows partition but it's unlikely it could apply the patch. The best method would be to reboot into Windows and apply patch MS17-010.)
Individuals and small companies who subscribe to Microsoft Automatic Updates are uninfected. Larger organizations that delay applying patches while they are tested against organization intranets are more likely to be infected.
On May 13, 2017, Microsoft took the extraordinary step of releasing a patch for Windows XP which has been unsupported for 3 years.
No word on whether Wine is doing anything about a security update. It was reported in a comment below that Linux can be infected too when users run Wine.
An "accidental hero" registered a domain name that acted as a kill-switch to the ransomware. I presume the non-existent domain was used by the hackers on their private intranet so they didn't infect themselves. Next time they will be smarter so don't rely on this current kill-switch. Installing the Microsoft patch, which prevents exploiting a vulnerability in the SMBv1 protocol, is the best method.
On May 14, 2017 Red Hat Linux said they are not affected by "Wanna Cry" ransomware. This might mislead Ubuntu users along with Red Hat, CentOS, ArchLinux and Fedora users. Red Hat supports Wine, which answers below confirm can be affected. In essence, Ubuntu and other Linux distro users googling this issue might be misled by the Red Hat Linux Support answer here.
May 15, 2017 Update. Over the last 48 hours Microsoft released patches called KB4012598 for Windows 8, XP, Vista, Server 2008 and Server 2003 to protect against "Wanna Cry" ransomware. These Windows versions are no longer on automatic updates. Although I applied security update MS17-010 on my Windows 8.1 platform yesterday, my old Vista Laptop still needs patch KB4012598 downloaded and manually applied.
Moderator note: This question is not off topic - it asks about whether or not any Linux users need to do any steps for protecting against the risk.
It is perfectly on topic here, because it's relevant to Linux (which Ubuntu is), and it's also relevant for Ubuntu users running Wine or similar compatibility layers, or even VMs on their Ubuntu Linux machines.
If it helps and to complement Rinzwind's answer, first the questions:
1. How does it spread?
Via email. 2 friends were affected by it. They sent the email to me to test under a supervised environment, so you would basically need to open the email, download the attachment and run it. After the initial contamination, it will systematically check the network to see who else can be affected.
2. Can I get affected by using Wine?
Short answer: Yes. Since Wine emulates almost every behavior of the Windows environment, the worm can actually try to find ways on how it can affect you. The worst case scenario is that depending on the direct access wine has to your Ubuntu system, some or all parts of your home will be affected (Did not fully test this. See answer 4 below), although I see a lot of roadblocks here for how the worm behaves and how it would try to encrypt a non ntfs/fat partition/files and what non-super admin permission would it need to do this, even coming from Wine, so it does not have full powers like on Windows. In any case, it's better to play on the safe side for this.
3. How can I test the behavior of this once I get an email that has it?
My initial test which involved 4 VirtualBox containers on the same network ended in 3 days. Basically on day 0, I contaminated on purpose the first Windows 10 system. After 3 days, all 4 were affected and encrypted with the "Whoops" message about the encryption. Ubuntu on the other hand was never affected, even after creating a shared folder for all 4 guests that is on the Ubuntu desktop (Outside of Virtualbox). The folder and the files in it were never affected, so that's why I have my doubts with Wine and how this can propagate on it.
4. Did I test it on Wine?
Sadly I did (I already had a backup and moved critical job files from the desktop before doing so). Basically, my desktop and music folder were doomed. It did not however affect the folder I had on another drive, maybe because it was not mounted at the time. Now before we get carried away, I did need to run Wine as sudo for this to work (I never run Wine with sudo). So in my case, even with sudo, only the desktop and the music folder (for me) were affected.
Note that Wine has a Desktop Integration feature whereby, even if you change the C: drive to something inside the Wine folder (instead of the default drive_c), it will still be able to reach your Linux home folder, since it maps your home folder for documents, videos, downloads, saving game files, etc. This needed to be explained since I was sent a video about a user testing WCry: he changed the C drive to "drive_c", which is inside the ~/.wine folder, but he still got affected in the home folder.
My recommendation if you wish to avoid or at least lower the impact on your home folder when testing with wine is to simply disable the following folders by pointing them to the same custom folder inside the wine environment or to a single fake folder anywhere else.
I am using Ubuntu 17.04 64-bit, partitions are Ext4 and I have no other security measures apart from simply installing Ubuntu, formatting the drives and updating the system every day.
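The desktop-integration mapping described above is implemented by Wine as symlinks in &lt;prefix&gt;/drive_c/users/&lt;user&gt;/ that point at ~/Desktop, ~/Documents, ~/Music and so on. The following is an added example (not part of the answer above and not Wine's own tooling) that audits those links and replaces any that escape the prefix with plain directories, so a program run under Wine can only write inside the prefix; the function names and the constructed test layout are assumptions for this example.

```shell
#!/bin/sh
# Hypothetical helpers (not shipped with Wine): confine a Wine user profile.
# Assumed layout: <prefix>/drive_c/users/<user>/<folder> are symlinks that
# Wine's desktop integration points at the real ~/Desktop, ~/Music, etc.
set -u

# wine_profile_escapes PREFIX USER
#   Read-only audit: prints "name -> target" for every symlink in the
#   profile that resolves outside PREFIX (dangling links count as outside).
wine_profile_escapes() {
    prefix=$(readlink -f "$1") || return 1
    profile="$prefix/drive_c/users/$2"
    [ -d "$profile" ] || { echo "no profile dir: $profile" >&2; return 1; }
    for entry in "$profile"/*; do
        [ -L "$entry" ] || continue
        target=$(readlink -f "$entry") || target="(dangling)"
        case "$target" in
            "$prefix"/*) continue ;;          # stays inside the prefix: fine
        esac
        echo "${entry##*/} -> $target"
    done
}

# isolate_wine_profile PREFIX USER
#   Replaces every escaping symlink with an empty directory inside the
#   prefix. Prints the number of links replaced; returns 1 on error.
isolate_wine_profile() {
    prefix=$(readlink -f "$1") || return 1
    profile="$prefix/drive_c/users/$2"
    [ -d "$profile" ] || { echo "no profile dir: $profile" >&2; return 1; }
    replaced=0
    for entry in "$profile"/*; do
        [ -L "$entry" ] || continue           # only symlinks can escape
        target=$(readlink -f "$entry") || target=""
        case "$target" in
            "$prefix"/*) continue ;;          # internal link, keep it
        esac
        # Remove only the link itself, never the directory it pointed at.
        rm "$entry" && mkdir "$entry" || return 1
        replaced=$((replaced + 1))
    done
    echo "$replaced"
}

# Typical use on a real system (review the audit output first):
#   wine_profile_escapes "${WINEPREFIX:-$HOME/.wine}" "$USER"
#   isolate_wine_profile "${WINEPREFIX:-$HOME/.wine}" "$USER"
```

Running the audit first shows exactly which host folders the prefix can reach; the replacement only touches the links, so nothing in the real home folder is deleted.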
Nothing. Well maybe not nothing but nothing extra. The normal rules apply: make regular backups of your personal data. Also test your backups so you know you can restore them when needed.
Things to note:
Wine is not Windows. Don't use wine to:
Those 3 are the way this seems to spread onto machines. If you need to do that use virtualbox with a normal install.
It also uses encryption, and encrypting in Linux is a lot more difficult than in Windows. If this malware were able to touch your Linux system, at worst your personal files in your $home are compromised. So just restore a backup if that ever happens. It is not a wine problem. "Fixing" this would mean you need to use Windows components that have this fixed. Or use a virus scanner in wine that can find this malware. Wine itself cannot provide any form of fix.
Again: even though wine can be used as the attack vector you still need to do things as a user you should not be doing from wine to get infected: you need to use wine to open a malicious website, malicious link in a mail. You should already never do that since wine does not come with any form of virus protection. If you need to do things like that you should be using windows in a virtualbox (with up to date software and virus scanner).
And when you do get infected over wine: it will only affect files that are yours. Your /home. So you fix that by deleting the infected system and restoring the backup we all already make. That's it from the Linux side. Oh, when a user is 'not so smart' and uses sudo with wine, it is the USER'S problem. Not wine's. If anything: I myself am already against using wine for anything. Using a dual boot with no interaction between Linux and Windows, or using a VirtualBox with an up-to-date Windows and a virus scanner, is far superior to anything wine can offer.
Some of the affected companies by this:
All used unpatched Windows XP and Windows 7 systems. Baddest was the NHS. They use Windows on hardware where they cannot upgrade the operating systems (...) and had to ask patients to stop coming to hospitals and use the general alarm number instead.
As of yet not a single machine using Linux or a single machine using wine got infected. Could it be done? Yes (not even "probably"). But the impact would probably be a single machine and not have a cascading effect. They would need our admin password for that. So "we" are of little interest to those hackers.
If anything is to be learned from this ... stop using Windows for mail and general internet activities on a company server. And no, virus scanners are NOT the correct tool for this: updates for virus scanners are created AFTER the virus is found. That is too late.
Sandbox Windows: do not allow shares. Update those machines. -Buy- a new operating system when Microsoft cans a version. Don't use pirated software. A company still using Windows XP is asking for this to happen.
Our company policies:
This malware appears to spread in two steps:
First, via good ol' e-mail attachments: a Windows user receives an e-mail with an attached executable and runs it. No Windows vulnerability involved here; just user ineptitude in running an executable from an untrusted source (and ignoring the warning from their antivirus software, if any).
Then it tries to infect other computers on the network. That's where the Windows vulnerability comes into play: if there are vulnerable machines on the network, then the malware can use it to infect them without any user action.
In particular, to answer this question:
You can only become infected through this vulnerability if there is an infected machine on your network already. If that is not the case, it is safe to boot a vulnerable Windows (and install the update right away).
This also means, by the way, that using virtual machines does not mean you can be careless. Especially if it is directly connected to the network (bridged networking), a Windows virtual machine behaves like any other Windows machine. You may not care very much if it gets infected, but it can also infect other Windows machines on the network.
Based on what everyone wrote and spoke about this subject already:
WannaCrypt ransomware is not coded to work on other OS than Windows (not including Windows 10) because it is based on the NSA Eternal Blue exploit, which takes advantage of a Windows security breach.
Running Wine under Linux is not unsafe, but you can infect yourself if you use this software for downloads, e-mail exchange and web browsing. Wine does have access to many of your /home folder paths, which makes it possible for this malware to encrypt your data and "infect" you in some way.
Briefly speaking: unless the cyber-criminals intentionally design WannaCrypt to affect Debian-based (or other Linux distro) OSs, you should not be worried about this subject as an Ubuntu user, although it is healthy to keep yourself aware of cyber-threats.