GlobeImposter ransomware strikes again, data protection is imperative!
Recently, a new variant of the GlobeImposter ransomware has been spreading on the Internet, and infections have been reported in several provinces across China. Once a system is infected, the ransomware encrypts its database files, and a ransom must be paid to restore them.
The harm of ransomware
GlobeImposter is currently one of the most widespread ransomware families in China. Its attack method is targeted brute forcing ("blasting") followed by delivery of the ransomware. The attacker gains access to the server through RDP remote desktop, uses ProcessHacker to terminate the antivirus software's processes, and uses other hacker tools such as scanners and password-capture utilities to carry the attack further, and then executes the ransomware, which encrypts the files. The main characteristics of an infection are: files on Windows servers are encrypted, encrypted files carry the suffix *.snake4444, and victims are told to negotiate the ransom and obtain the key via email.
Attack methods of ransomware
The main attack steps of the virus are as follows:
The first step is to infiltrate the server. The attackers use methods such as weak-password brute forcing and port scanning to log in remotely to open ports such as 3389, run automated attack scripts, and brute force the administrator account with a password dictionary.
The second step is to infiltrate other machines on the internal network. Once a foothold on the internal network has been gained, the attacker brute forces passwords on other internal hosts, using tools such as network sniffers and multi-protocol brute forcers.
The third step is to implant the ransomware. After moving to a new host on the intranet, the attacker tries, manually or with tools, to uninstall the protection software installed on that host, and then implants the ransomware manually.
The fourth step is to run the ransomware: the program executes, encrypts the files on the computer, and the attack is complete.
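From the defender's side, the first step above leaves a trail in the server's own logon audit: a burst of failed RDP logons from one source, often followed by a success once the dictionary hits. The following is an added example, not code from the original post, showing that detection logic run over a constructed, simplified export of Windows logon events. The one-event-per-line format, the five-failures-in-five-minutes threshold and the sample addresses are all assumptions made for the example.

```python
"""Flag RDP brute-force patterns in a simplified export of Windows logon events.

Added example (not from the original post). Assumed input format, one event per line:
  "<ISO timestamp> <event_id> <source_ip> <account> <logon_type>"
Windows Security event 4625 = failed logon, 4624 = successful logon;
logon type 10 = RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammers the Administrator account over RDP and
# then succeeds; a second source has a single mistyped password and must not alert.
SAMPLE_LOG = """\
2023-03-01T02:10:01 4625 203.0.113.7 Administrator 10
2023-03-01T02:10:03 4625 203.0.113.7 Administrator 10
2023-03-01T02:10:05 4625 203.0.113.7 Administrator 10
2023-03-01T02:10:07 4625 203.0.113.7 admin 10
2023-03-01T02:10:09 4625 203.0.113.7 Administrator 10
2023-03-01T02:10:12 4624 203.0.113.7 Administrator 10
2023-03-01T09:15:00 4625 198.51.100.20 jsmith 10
2023-03-01T09:15:30 4624 198.51.100.20 jsmith 10
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the simplified export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, src, account, logon_type = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "src": src, "account": account, "type": logon_type})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alerts as (kind, source_ip, timestamp).

    kind == "bruteforce": at least `threshold` failed RDP logons from one source
        inside a sliding `window` (reported once per source).
    kind == "success_after_bruteforce": a successful RDP logon from a source that
        was already flagged, i.e. the dictionary attack most likely worked.
    """
    recent = defaultdict(deque)  # source_ip -> timestamps of failures in window
    flagged = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != RDP_LOGON_TYPE:
            continue  # only RDP sessions are of interest here
        q = recent[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()  # age out failures older than the window
        if e["id"] == FAILED_LOGON:
            q.append(e["ts"])
            if len(q) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append(("bruteforce", e["src"], e["ts"]))
        elif e["id"] == SUCCESS_LOGON and e["src"] in flagged:
            alerts.append(("success_after_bruteforce", e["src"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, ts in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind} from {src}")
```

The "success after brute force" alert is the one worth paging on: it marks the moment step one turned into a foothold, and on a real server it is the point at which the account should be locked and the RDP session terminated. On a real system the same logic would be fed from the Security log (event IDs 4625/4624) rather than this constructed text.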
Carry out self-check and verification
National cyber and information security query platforms can be used to look up which of your IP addresses and ports are exposed on the Internet, so that hardening measures can be taken promptly and targeted at your actual exposure.
Strengthen terminal and server protection
All servers and terminals should enforce complex password policies to eliminate weak passwords; install anti-virus software and terminal security management software and keep virus databases up to date; install vulnerability patches promptly; and enable collection of key logs on servers to provide a basis for tracing security events.
Strictly control port management
Close unnecessary file shares and unnecessary ports wherever possible; it is recommended to disable the Remote Desktop Protocol (RDP).
Reasonably divide the security domain of the internal network
Important business systems and core databases should be placed in their own security zones, defenses should be applied at zone boundaries, and access to important zones should be strictly restricted.
Enhance business data backup
"Back up your data" is the last line of defense against ransomware. If all the previous measures fail to stop a ransomware attack, then at least, after your files have been encrypted, you do not have to pay a huge ransom for that data. Backups rescue you: you can use them to quickly recover your business to the most recent state before the ransomware attack.
Verify the availability of the backup data and make it recoverable at any time
Backing up your data is not enough, because a backup can turn out to be unusable when you need it even though it was taken. So it is necessary to verify the backup data.
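One concrete way to verify a backup set is to record a hash of every file when the backup is taken and re-check the set before relying on it. The following is an added example, not Vinchin's code or the original post's, that builds such a manifest, then reports files that are missing, changed, or carrying the *.snake4444 suffix named above (the sign that a reachable backup share was itself encrypted). The sample directories, file names and contents are constructed in a temporary folder so the script runs offline.

```python
"""Verify that a file-level backup set is intact before trusting it for recovery.

Added example (not the original post's or Vinchin's code). The backup set is
hashed into a manifest at backup time; verify_backup() later compares the set
against that manifest and flags missing, modified or ransomware-suffixed files.
"""
import hashlib
import os
import shutil
import tempfile

ENCRYPTED_SUFFIX = ".snake4444"  # suffix the post associates with this variant


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large database files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to `root`) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the files now under `root` with a manifest built earlier."""
    current = build_manifest(root)
    report = {
        "missing": sorted(p for p in manifest if p not in current),
        "modified": sorted(p for p in manifest
                           if p in current and current[p] != manifest[p]),
        "unexpected": sorted(p for p in current if p not in manifest),
        "encrypted_suffix": sorted(p for p in current
                                   if p.endswith(ENCRYPTED_SUFFIX)),
    }
    # Unexpected extra files are reported but do not by themselves fail the check.
    report["ok"] = not any(report[k] for k in ("missing", "modified",
                                               "encrypted_suffix"))
    return report


def demo():
    """Constructed scenario: a clean copy passes, a tampered copy fails."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(backup, "db"))
        with open(os.path.join(backup, "db", "orders.mdf"), "wb") as f:
            f.write(b"constructed database content")  # constructed sample data
        with open(os.path.join(backup, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)

        # Simulate what a ransomware run leaves on a reachable backup share:
        # one file renamed with the encrypted suffix, one file overwritten.
        tampered = os.path.join(tmp, "tampered")
        shutil.copytree(backup, tampered)
        os.rename(os.path.join(tampered, "db", "orders.mdf"),
                  os.path.join(tampered, "db", "orders.mdf" + ENCRYPTED_SUFFIX))
        with open(os.path.join(tampered, "config.ini"), "w") as f:
            f.write("garbage")
        bad = verify_backup(tampered, manifest)
        return clean, bad


if __name__ == "__main__":
    clean_report, bad_report = demo()
    print("clean backup ok:", clean_report["ok"])
    print("tampered backup:", {k: v for k, v in bad_report.items() if k != "ok"})
```

The manifest should be stored somewhere the backup host cannot write to (offline media or an immutable copy), otherwise an attacker who can encrypt the backups can rewrite the hashes too. A hash check proves the files are the ones that were backed up; it does not prove the application can start from them, so a periodic restore test of the kind the next paragraph describes is still needed.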
Vinchin always insists that recovery is the purpose of backup. After a ransomware infection, we have to make sure that our users can efficiently restore data and applications to a usable state, and can quickly restore the data to any earlier point in time, rather than find it unrecoverable. With Vinchin Instant VM Recovery, you can verify backup data availability in 2 minutes without any interruption to your business.
Ransomware has never died out, and any weakness in network security protection may be exploited. Therefore, preventing ransomware cannot be solved by a single method such as patching, antivirus software, port blocking, security isolation or backup on its own; a combination of these measures should be the first choice for ensuring information security and preventing ransomware. Data backup and disaster recovery are the last line of defense for data security. Network security personnel should strengthen their security awareness and prevent problems before they arise, giving ransomware no opportunity, so as to ensure the normal and continuous operation of IT business.