Hakuna Matata - hackers at the door


If you have not heard of Hakuna Matata outside Disney's Lion King, then you are well guarded and have not been hit by ransomware. Ransomware attacks have been widespread since early 2016, and Hakuna Matata is one of several known families, alongside CryptoLocker and Reveton.

A couple of weeks ago, my home server was attacked, rendering important files on it useless. While we monitor and keep work servers up to date, the home server does not get the same attention. This is my experience dealing with the attack, and a reminder of how important it is to shield the home server from future mishaps.

Attack & Detection

  • The attack was detected when the home server stopped working. Upon inspection, media files and documents on the server had been encrypted, with their extension changed to .hakunamatata. The files were beyond recovery because of the AES encryption; only the proper key could decrypt them.
  • A ransom note was left with instructions to make contact through a Tor web site/messaging service, using a unique key for the conversation. Upon logging in to the Tor site, the attacker requested a 2 bitcoin DONATION, which translates to $2480 today.

Paying the ransom does not guarantee recovery of the files. It is a mere promise from the person who stole them in the first place.
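The signs described above (files rewritten in place and renamed with a ransomware extension) can be checked for automatically, so the server does not have to stop working before anyone notices. The script below is an added example, not part of the original post: it scans a directory tree for the .hakunamatata extension named in the post and also plants a canary file whose checksum it re-verifies on every run, a common early-warning technique for file-encrypting malware. It assumes only POSIX sh and coreutils; the canary file name and the cron line are my own choices.

```shell
#!/bin/sh
# Added example, not from the post: a small check a home server can run from
# cron to catch file-encrypting ransomware early. It looks for two signs the
# post describes: files carrying the .hakunamatata extension, and a document
# whose contents changed without the owner touching it (a planted canary).
# Assumes POSIX sh and coreutils only; the extension list comes from the post.

EXTENSIONS="${EXTENSIONS:-hakunamatata}"   # space-separated; add others as needed
CANARY="canary-do-not-edit.txt"            # constructed name; keep it document-like

# plant_canaries DIR: create a visible canary document in DIR and record its
# checksum in DIR/.canary.sum for later comparison.
plant_canaries() {
    dir="$1"
    printf 'canary for %s - do not edit\n' "$dir" > "$dir/$CANARY"
    cksum < "$dir/$CANARY" > "$dir/.canary.sum"
}

# check_dir DIR: returns 0 when nothing suspicious was found, 1 otherwise.
# Findings go to stdout so that cron mails them to the administrator.
check_dir() {
    dir="$1"; bad=0
    # sign 1: files renamed with a known ransomware extension
    for ext in $EXTENSIONS; do
        n=$(find "$dir" -type f -name "*.$ext" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "ALERT: $n file(s) with .$ext extension under $dir"
            bad=1
        fi
    done
    # sign 2: the canary was removed/renamed or its bytes were rewritten
    if [ -f "$dir/.canary.sum" ]; then
        if [ ! -f "$dir/$CANARY" ]; then
            echo "ALERT: canary missing or renamed in $dir"; bad=1
        elif [ "$(cksum < "$dir/$CANARY")" != "$(cat "$dir/.canary.sum")" ]; then
            echo "ALERT: canary contents changed in $dir"; bad=1
        fi
    fi
    return $bad
}

# Usage: run "sh ransomware-check.sh plant /srv/media" once, then from cron:
#   */10 * * * * sh ransomware-check.sh check /srv/media || logger -t ransomware-check alert
if [ "$1" = "plant" ] && [ -n "$2" ]; then
    plant_canaries "$2"
elif [ "$1" = "check" ] && [ -n "$2" ]; then
    check_dir "$2"
fi
```

A canary only fires after the malware has already started writing, so it is a tripwire for limiting damage (for example by shutting the machine down from the cron job), not a substitute for backups.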

Impact Analysis

First Steps

  • Take the server off the home network and boot it in safe mode to prevent further damage to the files and the server.

Validate Backups

  • My wife has long maintained an offline backup of *photos*. It was a big relief that they were safe, with no threat of loss. Personal files had also been backed up last month.
  • OneDrive files were corrupted, and the corrupted versions were synced to the cloud. Fortunately, Microsoft keeps them in the OneDrive recycle bin, and they were easy to restore.
  • The virtual machine archive was lost but could be built again. Not a big loss.

Root Cause Analysis - what left the system vulnerable to compromise

  • The ransom website claimed that weak network security caused the attack.
  • The Windows Remote Desktop password was a complex 9-character one, which an unthrottled brute-force attack could crack in anywhere from 3 days to 6 months. Windows relies on network servers to limit brute-force attempts.
  • The Windows server was updated manually and was a couple of days behind, possibly leaving a known vulnerability open.
  • I had switched from the ClamAV antivirus program to the built-in Windows Defender; not sure whether this would have helped.

Being a hacker myself, I'm well aware of this attack vector, yet I left the network relatively weak, since hackers have traditionally used malware or targeted attacks to cause harm.

The rise in the use of exploit kits and automation is appalling. Wired explains the challenges and the criminal nature of this kind of attack.

Next Steps

Since the impact was limited, I went on to implement better prevention strategies.

It is strongly advised not to pay the ransom, as doing so emboldens attackers to continue with this tactic. If you do decide to pay, engage the FBI as well.

Prevention Strategies

While using a service like Dropbox or Google Drive can easily protect your files from ransomware, it is not sufficient: the next attacker could access your information and exploit your identity or credit profile.

If you do not need to access the home server remotely, lock down all access. If you do not run a media server, shut it down after every use.

If you do need remote access, tighten system access and network security, and in any case follow secure browsing practices.

Secure browsing practices

  • Change all passwords, as personal information may have leaked to the hackers.
  • Enable 2-factor authentication on all websites where it is available.
  • Use a password generator program, or create strong passwords for sites (estimate password strength).
  • Install an ad blocker on all browsers; they maintain a malware protection list that keeps you off unwanted sites.
  • Never download software from 3rd-party sites or torrents, including Academic Torrents, even if downloading from official channels takes longer.
  • When you are unsure, or need to visit an untrusted site, use a separate virtual machine.
  • Set up automatic updates for security fixes and the operating system.

Cleanup

A quick search on Google turns up a number of removal tools for HakunaMatata, but it is always recommended to reinstall the infected system for a guaranteed cleanup.

Ubuntu Desktop for Home Server

Some benefits over the retired Windows server:

  • Root access is locked by default.
  • Easy firewall setup with support for IP blocking and request throttling (instructions below).
  • Advanced networking support to replace the home router, which is difficult to keep up to date and has regular vulnerabilities.
  • Hard-disk partition protection with a password, so ransomware or hackers cannot mount the backup partition to encrypt the files.
  • Fewer vulnerabilities and zero-day attacks in general.

Ubuntu Setup

  • Install Ubuntu Desktop 16.04. The release is supported until 2021, with an upgrade path.
  • Set up the firewall so the home computer can be reached from the office:

    sudo ufw allow from <home-subnet>/24 to any
    sudo ufw allow from <office-ip> to any
    sudo ufw enable

  • Enable daily automatic updates by editing the APT periodic configuration:

    sudo vi /etc/apt/apt.conf.d/10periodic

    with these settings:

    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "7";
    APT::Periodic::Unattended-Upgrade "1";

  • (Optional) Install and configure an SSH server for access from anywhere.
  • Set up the router DMZ to point at the Linux server, or connect the server directly to the cable modem.
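The firewall and update steps above can be captured in one script so a rebuilt server ends up in the same state every time. The script below is an added example, not the post's own setup: it applies the ufw rules from the post plus a default-deny inbound policy and ufw's "limit" action on SSH (which drops a source that opens more than 6 connections in 30 seconds, the request throttling mentioned earlier), and writes and verifies the 10periodic settings. The subnet 192.168.1.0/24 and the office address 203.0.113.10 are placeholders to replace; it assumes ufw and unattended-upgrades are installed, and it only executes the ufw commands when run with APPLY=1 (otherwise it prints them).

```shell
#!/bin/sh
# Added example, not the author's script. Hardens a fresh Ubuntu home server
# along the lines of the post's "Ubuntu Setup" steps.
# Assumptions: HOME_SUBNET and OFFICE_IP are placeholders the reader fills in;
# ufw and unattended-upgrades are installed. ufw commands are only printed
# unless APPLY=1 is set; the APT config is written to the directory given as
# the first argument (/etc/apt/apt.conf.d on a real system).

HOME_SUBNET="${HOME_SUBNET:-192.168.1.0/24}"   # constructed placeholder
OFFICE_IP="${OFFICE_IP:-203.0.113.10}"         # constructed placeholder (TEST-NET-3)

# run: print a command and execute it only when APPLY=1 (dry run otherwise)
run() {
    echo "+ $*"
    [ "${APPLY:-0}" = "1" ] && "$@"
    return 0
}

# ufw_rules: deny everything inbound by default, allow the home subnet and the
# office address, and rate-limit SSH from anywhere else so a client opening 6+
# connections in 30 s is dropped (ufw's "limit" action). --force skips the
# interactive confirmation so the script can run unattended.
ufw_rules() {
    run sudo ufw default deny incoming
    run sudo ufw default allow outgoing
    run sudo ufw allow from "$HOME_SUBNET" to any
    run sudo ufw allow from "$OFFICE_IP" to any
    run sudo ufw limit 22/tcp
    run sudo ufw --force enable
}

# write_periodic DIR: write the daily-update settings from the post into
# DIR/10periodic.
write_periodic() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/10periodic" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# check_periodic DIR: verify each setting is present with the expected value;
# returns 0 when all four are correct, 1 otherwise (handy as a cron sanity check).
check_periodic() {
    f="$1/10periodic"
    for kv in 'Update-Package-Lists "1"' 'Download-Upgradeable-Packages "1"' \
              'AutocleanInterval "7"' 'Unattended-Upgrade "1"'; do
        grep -q "APT::Periodic::$kv;" "$f" || return 1
    done
    return 0
}

# Usage: APPLY=1 sh harden.sh /etc/apt/apt.conf.d   (omit APPLY=1 for a dry run)
if [ -n "$1" ]; then
    ufw_rules
    write_periodic "$1"
    check_periodic "$1" && echo "apt periodic settings verified in $1/10periodic"
fi
```

Run it once without APPLY=1 and read the printed rules before applying them: a mistaken subnet in the allow rule combined with default-deny locks you out of a headless server.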

This is a good solution for a home media server. It presents a minimal attack surface and protects against unwarranted access, brute-force attacks, ransomware and unauthorized file-system access. I will still continue to take manual backups regularly and store them offline as a secondary measure, which is what saved the day!
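The OneDrive episode under "Validate Backups" shows why a plain sync is not a backup: the encrypted files were copied to the cloud over the good ones. The snapshot script below is an added example, not the post's own backup method; it keeps every run as a separate dated directory on the backup partition, hard-linking files that have not changed to the previous snapshot and copying only the changed ones, so an encrypted file can never overwrite the earlier copy. It assumes POSIX sh and coreutils, a backup partition mounted at the destination path (unmount it again afterwards, as the post's password-protected partition suggests), and the source/destination paths are placeholders.

```shell
#!/bin/sh
# Added example, not the author's script: versioned snapshot backups to an
# offline or separately mounted partition. Each run creates DEST/<name>;
# unchanged files are hard-linked to the previous snapshot (no extra space),
# changed or new files are copied, so earlier snapshots keep their original
# bytes even if the source has been encrypted by ransomware since.
# Assumes POSIX sh and coreutils only; paths in the usage line are placeholders.

# snapshot SRC DEST [NAME]: take one snapshot of SRC into DEST/NAME
# (NAME defaults to a timestamp) and print the snapshot path.
snapshot() {
    src="$1"; dest="$2"; name="${3:-$(date +%Y%m%d-%H%M%S)}"
    new="$dest/$name"
    prev=""
    [ -f "$dest/.latest" ] && prev="$dest/$(cat "$dest/.latest")"
    mkdir -p "$new"
    # walk every regular file under SRC, paths relative to SRC
    ( cd "$src" && find . -type f ) | while IFS= read -r rel; do
        mkdir -p "$new/$(dirname "$rel")"
        if [ -n "$prev" ] && [ -f "$prev/$rel" ] && cmp -s "$src/$rel" "$prev/$rel"; then
            ln "$prev/$rel" "$new/$rel"        # unchanged: share the inode
        else
            cp -p "$src/$rel" "$new/$rel"      # new or changed: fresh copy
        fi
    done
    printf '%s\n' "$name" > "$dest/.latest"
    echo "$new"
}

# changed_files SNAP_A SNAP_B: print each path in SNAP_B that is new or differs
# from SNAP_A. A sudden burst of changed media files between two snapshots is
# itself a warning sign worth checking before the next run.
changed_files() {
    a="$1"; b="$2"
    ( cd "$b" && find . -type f ) | while IFS= read -r rel; do
        if [ ! -f "$a/$rel" ] || ! cmp -s "$a/$rel" "$b/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# same_inode A B: true when A and B are hard links of one inode (confirms that
# unchanged files really share storage between snapshots).
same_inode() {
    a=$(ls -i "$1"); b=$(ls -i "$2")
    set -- $a; ia=$1
    set -- $b; ib=$1
    [ "$ia" = "$ib" ]
}

# Usage: sh snapshot.sh /srv/media /mnt/backup   (placeholders; mount first, unmount after)
if [ $# -eq 2 ]; then
    snapshot "$1" "$2"
fi
```

Because unchanged files are hard links, never edit a file inside a snapshot directly (that would change every snapshot sharing the inode); treat the backup tree as read-only and restore by copying out of it.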

If you follow alternative strategies or have suggestions, I would love to hear about them in the comments.

Update 05/15/2017: With the WannaCry ransomware on the loose and variants likely to come, it is time to have a backup strategy and secure your home servers. Also, however annoying or poor Microsoft's update process may be, keep it running to keep your system secure (see the comments from Troy Hunt).