What is the "Wanna Cry" ransomware's possible impact on Linux users?


Solution 1

If it helps and to complement Rinzwind's answer, first the questions:

1. How does it spread?

Via email. 2 friends were affected by it. They sent the email to me to test under a supervised environment, so you would basically need to open the email, download the attachment and run it. After the initial contamination, it will systematically check the network to see who else can be affected.

2. Can I get affected by using Wine?

Short answer: Yes. Since Wine emulates almost every behavior of the Windows environment, the worm can actually try to find ways to affect you. The worst case scenario is that, depending on the direct access Wine has to your Ubuntu system, some or all parts of your home will be affected (Did not fully test this. See answer 4 below), although I see a lot of roadblocks here for how the worm behaves, how it would try to encrypt a non-NTFS/FAT partition/files and what non-super-admin permission it would need to do this, even coming from Wine, so it does not have full powers like on Windows. In any case, it's better to play on the safe side for this.

3. How can I test the behavior of this once I get an email that has it?

My initial test which involved 4 VirtualBox containers on the same network ended in 3 days. Basically on day 0, I contaminated on purpose the first Windows 10 system. After 3 days, all 4 were affected and encrypted with the "Whoops" message about the encryption. Ubuntu on the other hand was never affected, even after creating a shared folder for all 4 guests that is on the Ubuntu desktop (Outside of Virtualbox). The folder and the files in it were never affected, so that's why I have my doubts with Wine and how this can propagate on it.

4. Did I test it on Wine?

Sadly I did (Already had a backup and moved critical job files from the desktop before doing so). Basically, my desktop and music folder were doomed. It did not however affect the folder I had in another drive, maybe because it was not mounted at the time. Now before we get carried away, I did need to run wine as sudo for this to work (I never run wine with sudo). So in my case, even with sudo, only the desktop and the music folder (for me) were affected.

Note that Wine has a Desktop Integration feature whereby, even if you change the C: drive to something inside the Wine folder (instead of the default drive_c), it will still be able to reach your Linux home folder, since it maps to your home folder for documents, videos, downloads, saving game files, etc. This needed to be explained since I was sent a video about a user testing WCry and he changed the C drive to "drive_c", which is inside the ~/.wine folder, but he still got affected on the home folder.

My recommendation if you wish to avoid or at least lower the impact on your home folder when testing with wine is to simply disable the following folders by pointing them to the same custom folder inside the wine environment or to a single fake folder anywhere else.


I am using Ubuntu 17.04 64-bit, partitions are Ext4 and I have no other security measures apart from simply installing Ubuntu, formatting the drives and updating the system every day.
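As an added example (not part of the original answer), a POSIX shell script that finds the Desktop Integration symlinks under a Wine prefix that reach into the real home directory and, on request, replaces them with empty directories inside the prefix. It assumes the default prefix layout drive_c/users/<name>/ and never deletes anything outside the prefix.

```shell
#!/bin/sh
# Added example: report and neutralise Wine "Desktop Integration" links.
# Assumption: a default Wine prefix keeps per-user folders under
# $PREFIX/drive_c/users/<name>/ and some of them are symlinks into ~.

# wine_links_outside PREFIX
# Prints "<link><TAB><resolved target>" for every directory symlink under
# drive_c/users/*/ whose target lies outside PREFIX.
# Returns 0 if at least one such link exists, 1 if none.
wine_links_outside() {
    prefix=$(cd "$1" && pwd -P) || return 2
    found=1
    for userdir in "$prefix"/drive_c/users/*/; do
        [ -d "$userdir" ] || continue
        for entry in "$userdir"*; do
            [ -L "$entry" ] || continue
            # cd + pwd -P resolves the physical path; dangling or file links are skipped
            target=$(cd "$entry" 2>/dev/null && pwd -P) || continue
            case "$target" in
                "$prefix"/*) ;;                      # stays inside the prefix: harmless
                *) printf '%s\t%s\n' "$entry" "$target"; found=0 ;;
            esac
        done
    done
    return $found
}

# wine_isolate_links PREFIX
# Replaces each outside-pointing link with an empty real directory of the same
# name, so programs run under Wine see a folder inside the prefix instead of
# the real ~/Desktop, ~/Music, etc. Prints the path of each link it replaced.
wine_isolate_links() {
    wine_links_outside "$1" | while IFS="$(printf '\t')" read -r link target; do
        # rm on a symlink removes only the link; the real home folder is untouched
        rm "$link" && mkdir "$link" && printf '%s\n' "$link"
    done
}

# Command-line use: sh wine-isolate.sh list|fix [PREFIX]  (PREFIX defaults to ~/.wine)
case "${1:-}" in
    list) wine_links_outside "${2:-$HOME/.wine}" ;;
    fix)  wine_isolate_links "${2:-$HOME/.wine}" ;;
esac
```

winecfg's Desktop Integration tab is the supported way to change these mappings; the script only inspects and neutralises links that already exist, and a later winecfg run may recreate them.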

Solution 2

What steps do Linux users need to protect from this if for example they are using wine?

Nothing. Well maybe not nothing but nothing extra. The normal rules apply: make regular backups of your personal data. Also test your backups so you know you can restore them when needed.

Things to note:

  1. Wine is not Windows. Don't use wine to:

     1. open mails,
     2. open dropbox links,
     3. browse the web.

     Those 3 are the way this seems to spread onto machines. If you need to do that use virtualbox with a normal install.

  2. It also uses encryption and encrypting in Linux is a lot more difficult than in Windows. If this malware would be able to touch your Linux system, at worst your personal files in your $home are compromised. So just restore a backup if that ever happens.


No word if wine is doing anything about a security update.

It is not a wine problem. "Fixing" this would mean you need to use Windows components that have this fixed. Or use a virus scanner in wine that can find this malware. Wine itself can not provide any form of fix.

Again: even though wine can be used as the attack vector, you still need to do things as a user you should not be doing from wine to get infected: you need to use wine to open a malicious website or a malicious link in a mail. You should already never do that since wine does not come with any form of virus protection. If you need to do things like that you should be using windows in a virtualbox (with up to date software and virus scanner).

And when you do get infected over wine: it will only affect files that are yours. Your /home. So you fix that by deleting the infected system and restoring the backup we all already make. That's it from the Linux side.

Oh when a user is 'not so smart' and uses sudo with wine it is the USER'S problem. Not wine.

If anything: I myself am already against using wine for anything. Using a dual boot with no interaction between linux and windows or using a virtualbox with an up to date Windows and using a virus scanner is far superior to anything wine can offer.


Some of the companies affected by this:

  • Telefónica.
  • Fedex.
  • National Health Services (Britain).
  • Deutsche Bahn (German Railroad).
  • Q-park (Europe. Parking service).
  • Renault.

All used unpatched Windows XP and Windows 7 systems. Worst was the NHS. They use Windows on hardware where they cannot upgrade the operating systems (...) and had to ask patients to stop coming to hospitals and use the general alarm number instead.

As of yet not a single machine using Linux or a single machine using wine got infected. Could it be done? Yes (not even "probably"). But the impact would probably be a single machine and not have a cascading effect. They would need our admin password for that. So "we" are of little interest to those hackers.

If anything is to be learned from this ... stop using Windows for mail and general internet activities on a company server. And no, virus scanners are NOT the correct tool for this: updates for virus scanners are created AFTER the virus is found. That is too late.

Sandbox Windows: do not allow shares. Update those machines. -Buy- a new operating system when Microsoft cans a version. Don't use pirated software. A company still using Windows XP is asking for this to happen.


Our company policies:

  • Use Linux.
  • Don't use shares.
  • Use a password safe and do not save passwords outside the safe.
  • Use online mail.
  • Use online storage for documents.
  • Only use Windows inside virtualbox for things Linux can not do. We have some VPNs our clients use that are Windows only. You can prepare a vbox and copy it over when you have all the software in it you would need.
  • Windows systems that are used inside our company (personal notebooks for instance) are not allowed on the company network.

Solution 3

This malware appears to spread in two steps:

  • First, via good ol' e-mail attachments: a Windows user receives an e-mail with an attached executable and runs it. No Windows vulnerability involved here; just user ineptitude in running an executable from an untrusted source (and ignoring the warning from their antivirus software, if any).

  • Then it tries to infect other computers on the network. That's where the Windows vulnerability comes into play: if there are vulnerable machines on the network, then the malware can use it to infect them without any user action.

In particular, to answer this question:

As I haven't booted Windows 8.1 in 6 to 8 weeks can I apply this patch from Ubuntu without booting Windows first?

You can only become infected through this vulnerability if there is an infected machine on your network already. If that is not the case, it is safe to boot a vulnerable Windows (and install the update right away).

This also means, by the way, that using virtual machines does not mean you can be careless. Especially if it is directly connected to the network (bridged networking), a Windows virtual machine behaves like any other Windows machine. You may not care very much if it gets infected, but it can also infect other Windows machines on the network.

Solution 4

Based on what everyone wrote and spoke about this subject already:

WannaCrypt ransomware is not coded to work on any OS other than Windows (not including Windows 10) because it is based on the NSA EternalBlue exploit, which takes advantage of a Windows security breach.

Running Wine under Linux is not unsafe, but you can infect yourself if you use this software for downloads, e-mail exchange and web browsing. Wine does have access to many of your /home folder paths, which makes it possible for this malware to encrypt your data and "infect" you in some way.

Briefly speaking: unless the cyber-criminals intentionally design WannaCrypt to affect Debian-based (or other Linux distro) OSs, you should not be worried about this subject as an Ubuntu user, although it is healthy to keep yourself aware of cyber-threats.


Author: WinEunuuchs2Unix

Software development is my main hobby. Check out the new websites created in October 2021: www.pippim.com and pippim.github.io

Updated on September 18, 2022

Comments

  • WinEunuuchs2Unix
    WinEunuuchs2Unix almost 2 years

    It's just come to light that there's a $300 ransom you have to pay because ransomware targeting Microsoft Windows has encrypted your data. What steps do Linux users need to protect from this if for example they are using wine?

    This ransomware is widely reported to be based on a tool developed by the NSA to hack into computers. The NSA tool was used by a hacker group called the Shadow Brokers. The code can be found in Github.

    Microsoft released a patch (MS17-010) against this vulnerability on March 14, 2017. The mass infection is reported to have begun spreading on April 14th. This is discussed here.

    As I haven't booted Windows 8.1 in 6 to 8 weeks, can I apply this patch from Ubuntu without booting Windows first? (After research it may be possible ClamAV could report the vulnerability from the Linux side looking into Windows partition but it's unlikely it could apply the patch. The best method would be to reboot into Windows and apply patch MS17-010.)

    Individuals and small companies who subscribe to Microsoft Automatic Updates are uninfected. Larger organizations who delay applying patches as they are tested against organization intranets are more likely to be infected.

    On May 13, 2017, Microsoft took the extraordinary step of releasing a patch for Windows XP which has been unsupported for 3 years.

    No word if wine is doing anything about a security update. It was reported in a comment below that Linux can be infected too when users run wine.

    An "accidental hero" registered a domain name that acted as a kill-switch to the ransomware. I presume the non-existent domain was used by the hackers on their private intranet so they didn't infect themselves. Next time they will be smarter so don't rely on this current kill-switch. Installing the Microsoft patch, which prevents exploiting a vulnerability in the SMBv1 protocol, is the best method.

    On May 14, 2017 Red Hat Linux said they are not affected by "Wanna Cry" ransomware. This might mislead Ubuntu users along with Red Hat, CentOS, ArchLinux and Fedora users. Red Hat supports wine, which answers below confirm can be affected. In essence Ubuntu and other Linux distro users googling this issue might be misled by the Red Hat Linux Support answer here.

    May 15, 2017 Update. Over the last 48 hours Microsoft released patches called KB4012598 for Windows 8, XP, Vista, Server 2008 and Server 2003 to protect against "Wanna Cry" ransomware. These Windows versions are no longer on automatic updates. Although I applied security update MS17-010 on my Windows 8.1 platform yesterday, my old Vista Laptop still needs patch KB4012598 downloaded and manually applied.


    Moderator note: This question is not off topic - it asks about whether or not any Linux users need to do any steps for protecting against the risk.

    It is perfectly on topic here, because it's relevant to Linux (which Ubuntu is), and it's also relevant for Ubuntu users running Wine or similar compatibility layers, or even VMs on their Ubuntu Linux machines.

    • DK Bose
      DK Bose about 7 years
      "VBA which LibreOffice is starting to support in beta?" is interesting. Can you please add a link to that? Would it be help.libreoffice.org/Common/VBA_Properties?
    • WinEunuuchs2Unix
      WinEunuuchs2Unix about 7 years
      @DKBose I added the link and removed the "beta" reference. IIRC VBA is supported but with limitations. Personally I've only used LO's native BASIC.
    • vassil philipov
      vassil philipov about 7 years
      It works under wine and a repacked version of it encrypts the whole system - twitter.com/hackerfantastic/status/863359375787925505
    • dobey
      dobey about 7 years
      No, you cannot apply patches for Windows, from within Ubuntu directly. It may be possible to boot a Windows partition in a VM with limited network access and install the patch that way, but patches for Windows cannot be applied externally. They are "applied" during the Windows boot process.
    • dobey
      dobey about 7 years
      Please re-word your "question" to avoid implying the ransomware is a product of Microsoft (you continually use Microsoft's to indicate possessive). It is an attack which targets a Microsoft product, rather.
    • Rinzwind
      Rinzwind about 7 years
      10 print "spreading of the virus has been stopped" 20 print "see malwaretech.com/2017/05/… "
    • Ceda EI
      Ceda EI about 7 years
      Shouldn't this be in Unix and Linux because it is not Ubuntu specific?
    • Carlos Manuel Escalona Villeda
      Carlos Manuel Escalona Villeda about 7 years
      Well, there is a way. You can download the patch, store it in the Windows partition, disconnect from the network and reboot into Windows to install it before connecting to the network again.
    • Thomas Ward
      Thomas Ward about 7 years
      @CedaEl The question asks about the Linux impact and Ubuntu is linux. It is on topic at both sites and does not need to be migrated.
    • Andrea Lazzarotto
      Andrea Lazzarotto about 7 years
      This "question" contains several questions and is as broad as WannaCry's spread. IMHO you should narrow it down significantly.
    • WinEunuuchs2Unix
      WinEunuuchs2Unix about 7 years
      @AndreaLazzarotto Agreed. I will take out LibreOffice Visual Basic for Applications macro methodology as we now know anyways how the ransomware spreads.
    • Bruni
      Bruni about 7 years
      I miss any reference to the dangers of a mis-configured samba server in the answers here...
    • WinEunuuchs2Unix
      WinEunuuchs2Unix about 7 years
      @Bruni I don't use Samba Server but I found this about Microsoft Server: "security professionals should block Server Message Block (SMB) ports, particularly ports 139 and 445 from external hosts, along with User Datagram Protocol (UDP) ports 137 and 138, from the local network to the wide area network (WAN)." in this article: securityintelligence.com/… I presume this should apply to Samba Server too.
    • Bruni
      Bruni about 7 years
      @WinEunuuchs2Unix though this would render my samba server non-functional...
    • WinEunuuchs2Unix
      WinEunuuchs2Unix about 7 years
      In that case the article also recommends client policy kits that disable SMBv1 and SMBv2 and allow SMBv3 if I remember correctly. Sorry on my phone now.
    • WinEunuuchs2Unix
      WinEunuuchs2Unix about 7 years
      @Bruni according to this article: forums.theregister.co.uk/forum/1/2017/01/18/… Samba can be configured using min protocol = SMB2 or server min protocol = SMB2 or client min protocol = SMB2. But as I posted this morning I don't use Samba Server so I don't know if this is helpful to you.
    • Rinzwind
      Rinzwind about 7 years
      Warning: A 2nd run of this virus has been started.
  • sudodus
    sudodus about 7 years
    Yes, the normal rules apply: make regular backups of your personal data. Also test your backups so you know you can restore them when needed.
  • WinEunuuchs2Unix
    WinEunuuchs2Unix about 7 years
    Specifically the patch you want to apply is MS17-010 as per: symantec.com/connect/blogs/… github.com/RiskSense-Ops/MS17-010 and renditioninfosec.com/2017/05/…
  • Thomas Ward
    Thomas Ward about 7 years
    Confirmed through a friend at my cyber-security company: Wine can be an infection vector, if your filesystem is shared in an insecure way with Wine virtual drive mounts. While that's evil and rare, people using Wine should be extra cautious, and those that aren't using Wine should be less concerned (but still cautious - Common Sense applies here of course)
  • nobody
    nobody about 7 years
    Does the malware encrypt only local files? What if I have a samba share and mount it on a Windows computer? Will the files get encrypted on a network drive too? There is also another risk. A vulnerability has been found where the user does not need to open and run the attachment. It is enough that the Windows malware scanner scans a specially crafted file (pcworld.com/article/3195434/security/…, technet.microsoft.com/en-us/library/security/4022344). Fortunately, there is a patch.
  • Rinzwind
    Rinzwind about 7 years
    Any file you have access to from the share can be infected. So if you use "sudo" it means ANY file on your whole system or when you use "chmod 777" or "chown $USER" on an external disk it means any file on that disk. For it to touch files that you can not touch yourself (unless you use sudo) the virus also needs to get hold of your password. Oh: it is always best to use a different user for mounts from windows (then the problem is limited to that user)
  • WinEunuuchs2Unix
    WinEunuuchs2Unix about 7 years
    I totally agree about not using wine. When I want to run Windows (for example to do gaming with nVidia) I reboot with Windows. Today I rebooted Windows 8.1 for the first time in 4 months for the sole purpose of installing security updates (against "Wanna Cry"). After 1/2 hour including running Windows Defender on malware fingerprints I immediately rebooted to my comfortable Ubuntu installation with nice fonts, conky display, custom indicators, auto adjusting screen brightness based on sunrise and sunset, etc. etc.
  • Rinzwind
    Rinzwind about 7 years
    Yeah, my personal opinion: windows should not be used to connect to the internet. And when you do feel the need to use windows: only when sandboxed.
  • WinEunuuchs2Unix
    WinEunuuchs2Unix about 7 years
    @sudodus " test your backups so you know you can restore them when needed" sounds worthy of a new Q&A. I imagine a semi-annual test using md5sum to compare files but I wonder what you and others would do?
  • Rinzwind
    Rinzwind about 7 years
    @WinEunuuchs2Unix the general idea is to restore them. To another location than your current files.
  • Mark
    Mark about 7 years
    Sophos provides on-access Linux antivirus that is free for non-commercial purposes. While I haven't looked, I would expect it to have been updated for this ransomware. sophos.com/en-us/products/free-tools/…
  • Dorian
    Dorian about 7 years
    Sophos runs on commandline with a manual interface. I meant an actual program capable of running itself and scanning files on its own, without the user needing to run a scan. So when a threat is detected the software can warn you and ask you what to do about it.
  • Mark
    Mark about 7 years
    That's explicitly what "on access" is. It does exactly what you've described.
  • Dorian
    Dorian about 7 years
    I must be blind or a complete noob if I never managed to run a working Sophos daemon. Could you tell me how?
  • Mark
    Mark about 7 years
    I'm happy to help to the extent I can. No worries about not being an expert - we are all on our own paths of learning. Here is their documentation on how to install: sophos.com/en-us/medialibrary/PDFs/documentation/… It is very well written. If you have difficulties throw up a new thread and send me a message to make sure I see your post. HTH