Preventing Ransomware Using Alibaba Cloud Server Guard

Alibaba Cloud Developer Community, author: 芷沁

Summary: On the evening of May 12, the WanaCrypt0r 2.0 (WannaCry2.0 for short) ransomware broke out worldwide.


Source: Zhihu. Copyright belongs to the author. Please contact the author for permission before reprinting material for commercial purposes. For non-commercial use, please indicate the source.

"I'm very pessimistic on weapons of mass destruction generally although I don't think that nuclear probably is quite as likely as either primarily biological and maybe cyber." No one ever imagined that Warren Buffett's speech to Berkshire Hathaway's shareholders' meeting a week ago would prove accurate so quickly.

On the evening of May 12, the WanaCrypt0r 2.0 (WannaCry2.0 for short) ransomware broke out worldwide. WannaCry2.0 scans for Windows machines with the file-sharing port 445 open and installs its malware on them without any user intervention.


The virus has already spread to hundreds of countries worldwide. 25 hospitals across the UK were attacked on a large scale, and many Chinese universities have also been attacked. The attackers extort the user by locking the computer's files, and accept only bitcoin as payment.


According to analysis by Alibaba Cloud security experts, the global bitcoin ransomware outbreak exploits the Windows SMB/RDP remote command execution vulnerability from the leaked NSA toolset.

With this vulnerability, attackers can remotely attack port 445 (used for file sharing) on Windows. If the Microsoft patches released in March of this year have not been installed, then as long as the computer is on and connected to the Internet, attackers can execute code on it to implant the ransomware and other malicious programs.

In light of the risk posed by the Windows SMB/RDP remote command execution vulnerability, many cloud service providers around the world disabled port 445 in April. However, many personal computers and machines in IDC server rooms still have port 445 exposed, which gives attackers an opening.

According to Hangzhou Metropolis Daily, at 11 o'clock on the evening of May 12, the campus network in Xiasha Higher Education Park was hacked. Documents on students' computers were locked, and a ransom had to be paid to unlock them. Campus networks at many other universities, such as Zhejiang University of Media and Communications, China Jiliang University and Zhejiang Sci-Tech University, were found to have been hacked as well.



According to analysis from Alibaba Cloud Security experts, the ransomware incident spread rapidly across campus networks mainly because most campus networks are essentially one large interconnected LAN, with no security zones defined for different applications. For example, student management systems, educational administration systems and so on can be reached from any connected device.

At the same time, the IP addresses allocated to machines in labs and multimedia classrooms are mostly public IP addresses, so unless a school had implemented the relevant access restrictions, all of its machines were directly exposed.

In fact, it was not only campus networks in China that were attacked, but campuses across the globe. According to the BBC, a large number of organizations worldwide, in the United States, Britain, China, Russia, Spain, Italy, Vietnam and other places, have reported attacks by the ransomware.


According to CNN, 25 hospitals in the UK were paralyzed on Friday due to "massive" hacking attacks. Surgeries were canceled and ambulances were forced to turn to other hospitals.


Medical workers said that their systems were locked and they could not get in. A message on the screen asked them to pay a "ransom" to recover the system. Microsoft had released a patch for the Windows vulnerability used by the NSA tools in March of this year.

Alibaba Cloud issued the first warning, and launched a one-click tool to detect and repair the vulnerability.


Alibaba Cloud now disables port 445 for ECS users and installs the official Windows patch by default. Every enterprise that has servers in IDC hosting or in self-built data centers should install the patch from Microsoft immediately on all of its Windows systems.

Installing the security patch is relatively simple: the user only needs to install it before it is too late. But for large enterprises or organizations that have hundreds or even thousands of machines, it is better to use an agent for centralized management. For example, Alibaba Cloud Server Guard provides real-time warning, defense, one-click repair, and other crucial features.
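The three host-level mitigations the article describes (MS17-010 installed, port 445 not reachable, and no reliance on SMBv1) can be audited on a single Windows machine with a short script. This is an added example and not Alibaba Cloud's or Server Guard's code; it assumes an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later (for the SmbShare and NetSecurity modules), and the KB list is a subset of the MS17-010 updates that you should check against Microsoft's bulletin for each OS build.

```powershell
# Added example (not from the original post): audit one Windows host for the
# WannaCry mitigations described above and optionally apply them.
# Assumes: elevated session, Windows 8.1 / Server 2012 R2 or newer.
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')
$Remediate = $false   # set to $true to fix instead of only reporting

$report = [ordered]@{}

# 1. Patch status. On Windows 10 a later cumulative update supersedes these
#    KBs, so a miss there means "verify manually", not necessarily "vulnerable".
$installed = Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue
$report['MS17-010 installed'] = [bool]$installed
if ($installed) { $report['MS17-010 KB'] = ($installed.HotFixID -join ',') }

# 2. SMBv1 is the protocol the exploit targets; it should be turned off unless
#    a legacy client still depends on it.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$report['SMBv1 enabled'] = $smb1
if ($smb1 -and $Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $report['SMBv1 enabled'] = $false
}

# 3. Block inbound TCP/445 at the host firewall (the same control the cloud
#    providers applied at the edge), for hosts that do not serve file shares.
$ruleName = 'Block-Inbound-SMB-445'   # hypothetical rule name chosen here
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
$report['TCP/445 block rule present'] = [bool]$rule
if (-not $rule -and $Remediate) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Any | Out-Null
    $report['TCP/445 block rule present'] = $true
}

# Print the findings; feed this into your inventory tool across a fleet.
$report
```

Run it with `$Remediate = $false` first across the fleet to see which machines are still exposed, then rerun with remediation on the hosts where blocking 445 will not break file sharing.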

Reliable data backup can minimize the loss caused by ransomware. We recommend enabling the Alibaba Cloud snapshot function for disk image backup, and at the same time adding security protection so the backups themselves are not infected or damaged.

