As a company stuck supporting out-of-date operating systems, what options do you have?

This article assumes that vulnerable operating systems, such as Windows XP, cannot be upgraded in the short term, and asks what options are available to help mitigate the risk in the meantime.

Most of us have now heard about WannaCrypt (also known as WannaCry) ransomware and the damage it caused to the NHS and other companies and institutions around the world. If you haven’t heard about recent events you can read more over at Microsoft: https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Note: Microsoft have released a patch for WannaCrypt/WannaCry for all affected Windows versions, including, unusually, Windows XP, since it is past official support: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

WannaCrypt ransomware is being delivered by the recently leaked NSA hacking tool (Double Pulsar). There was a quieter period after the “killswitch” was activated (a set of hardcoded domain names which, once registered and resolvable, stop the application spreading).

But new WannaCrypt iterations are being created which work around this “fix”.

Sadly, there are still countless IT systems running on vulnerable, unsupported operating systems, such as Windows XP or older. These are easy targets for hackers, since software vendors such as Microsoft have stopped providing security updates for them. Upgrading the OS is often not a simple process, especially if the software running on it does not support the newer version. This makes upgrades costly, since the legacy software must also be upgraded, and what happens if the original vendor has gone out of business, or the upgrade is cost prohibitive? There are many potential complications and challenges, which explains why many companies continue to use legacy software on vulnerable operating systems.

When engaging with our customers and the professional community at large, we hear from CTOs and IT managers struggling with technical debt. They tell us upgrading is not a top priority, because “it just works”, or “we’re awaiting a new system which should be ready in X months”. Other times it is a lack of internal resources, or simply a lack of a CIS (continuous improvement strategy) within the company.

Whatever the reasons, if you are reading this article and operate vulnerable systems, you are probably researching what options you may have. We have detailed a few of our ideas below.


Option 1: Virtualise the vulnerable operating system

Ransomware viruses, such as WannaCrypt, encrypt all your files and do not present an easy recovery option. There is usually no way to boot the operating system into any sort of recovery mode and roll back to an earlier state; not that System Restore or related tools would help you much, since your files are encrypted and unrecoverable without the decryption key, which makes traditional recovery futile.

To summarise the steps: the first requirement is to create a virtual machine image from the original vulnerable system. Then, using the original (or new) hardware, install a newer, supported operating system and run the older operating system as a virtual machine on top of it (the newly installed operating system is known as the host; the old operating system, now virtualised, is known as the guest).

This setup makes it possible to snapshot the vulnerable operating system (now a virtual machine), together with all its files, regularly and at the click of a button. If any issues occur, you can roll back to a previous state as required.

As most older operating systems are 32-bit, they do not require advanced virtualisation features from your processor, such as VT (Intel Virtualisation Technology). This is especially useful if you need to keep running the older hardware. Without VT the system will run slower, but the trade-off is worth it in this case.

Virtualisation also provides the opportunity to upgrade the computer hardware without fear of backward compatibility problems, since the older hardware can be emulated. This may also be a consideration, as older hardware tends to become less reliable (especially hard disks).

There are various virtualisation options on the market, some paid and others free.

  • We are fans of open source and the security and stability offered by using Linux, so our first recommendation is to install Ubuntu 16.04 as a host machine, combined with a virtualisation stack on top.
    • On the lower end of complexity is VirtualBox, which offers point-and-click virtualisation. With this software you can get set up very quickly.
      • Here is a guide on how to migrate a physical Windows XP machine to a VirtualBox image. Forewarning: Windows XP isn’t the easiest OS to migrate, due to the way it sets up and configures its HAL and IDE drivers, but it is achievable by following how-to guides.
      • https://www.virtualbox.org/wiki/Migrate_Windows
  • Hyper-V on a later Windows platform (such as Windows 10)
    • Migrate your old OS to a virtual machine image with the Microsoft Tool (Disk2vhd)
    • This tool creates a virtual machine image from a running physical machine, which can then be booted within Microsoft Virtual PC or Hyper-V. If this option is preferred, it is recommended that the new host operating system is the latest Windows 10, with Windows XP or 7 running as a guest virtual machine.
  • VMware vSphere
    • Build a dedicated VMware server (or more, depending on your requirements)
    • Migrate your legacy Windows machine to a VMware image
    • Access the old Windows (now a virtual machine) using remote desktop services from a new computer, running a supported OS.

Once your chosen virtualisation platform has been set up and the virtual machine is running, the next step is to enable daily snapshots of your virtual machine, retaining at least 7 days of full backups.

Note: this can use a lot of disk space, but you may have to roll back a few days to find a clean restore point.
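The daily snapshot rotation described above, written out as a cron-able script for the Ubuntu/VirtualBox combination recommended earlier. This is an added example, not Buckhill's own tooling or anything shipped with VirtualBox; the guest name `winxp-legacy` and the `daily-` snapshot naming scheme are assumptions, and `VBoxManage snapshot ... take`, `list --machinereadable` and `delete` are the standard VirtualBox subcommands.

```shell
#!/usr/bin/env bash
# Daily snapshot rotation for a legacy guest running under VirtualBox.
# Takes a new snapshot named daily-YYYY-MM-DD and deletes daily snapshots
# beyond the newest RETAIN, so a clean state from up to a week back is kept.
# The VM name is an assumption; run this from cron on the host.
set -e

VM_NAME="${VM_NAME:-winxp-legacy}"   # assumed guest name, as shown by "VBoxManage list vms"
RETAIN="${RETAIN:-7}"                # the article recommends at least 7 days
PREFIX="daily-"

# Read snapshot names on stdin (one per line) and print the daily-* names
# that fall outside the newest $1. Other snapshots (e.g. a clean base image
# taken right after migration) are never touched.
snapshots_to_prune() {
  awk -v p="$PREFIX" 'index($0, p) == 1' | sort -r | awk -v n="$1" 'NR > n'
}

# Snapshot names of the guest, taken from VBoxManage's machine-readable output
# (keys look like SnapshotName="..." for the root and SnapshotName-1-2="..." for children).
list_snapshots() {
  VBoxManage snapshot "$VM_NAME" list --machinereadable \
    | sed -n 's/^SnapshotName[^=]*="\(.*\)"$/\1/p'
}

# Take today's snapshot, then delete the daily snapshots that have aged out.
rotate_snapshots() {
  local today
  today="$(date +%F)"
  # add --live here if pausing the guest for a moment is not acceptable
  VBoxManage snapshot "$VM_NAME" take "${PREFIX}${today}" --description "automated daily snapshot"
  list_snapshots | snapshots_to_prune "$RETAIN" | while read -r name; do
    VBoxManage snapshot "$VM_NAME" delete "$name"
  done
}

# Only rotate when invoked with --run, so the file can be sourced for testing.
case "${1:-}" in
  --run) rotate_snapshots ;;
esac
```

A crontab entry such as `30 1 * * * /usr/local/bin/rotate-snapshots.sh --run` on the host runs it nightly. Because pruning only ever selects names carrying the `daily-` prefix, a snapshot taken by hand after a known-good migration survives the rotation and remains the last-resort restore point.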

Summary

While this is not a simple solution, it abstracts the vulnerable operating system and gives you more control if the machine becomes infected. It also allows for network isolation, which may not previously have been an option.


Option 2: Try and decrypt the files

If you are faced with an already infected computer, without adequate backups, and/or need to be operational again quickly, you can try to decrypt the files. Over the last few days, various tools have been released which scan the computer’s memory for the prime numbers used to build the encryption key, reconstruct the key from them, and so make it possible to decrypt your files under certain circumstances. This approach is very smart, but not without pitfalls: decryption is only possible if the machine has not been rebooted since it was infected and if you haven’t waited too long (the memory where the prime numbers are stored can be overwritten).

So far it has been reported to work on XP and 7, and other Windows releases of the same generation (Windows 2003/2007/2010, etc.) are also reported to be supported.

In the case of WannaCrypt, decrypting files is possible with WanaKiwi.

https://github.com/gentilkiwi/wanakiwi

[Image: WanaKiwi decryption in action]

WanaKiwi also recreates the .dky files which the ransomware expects to find after a successful payment, which stops WannaCrypt from encrypting any more files.


Option 3: Perform regular, incremental backups of all your files

This option may sound obvious, but mounting a network drive from an infected machine presents an obvious problem: once WannaCrypt starts, the files on the mapped drive will most likely be encrypted too.

However, it is possible to set up backups so that the backup system connects to your computer and synchronises the files, rather than your computer connecting to and mounting remote drives.

Open source software offers cost-effective options for this. We have been using BackupPC for a number of years; despite its name, we use it to back up servers securely, and it offers deduplication, incremental backups and other advanced backup functionality. Backups are performed using rsync, which is available on Windows with a client installation. http://www.michaelstowe.com/backuppc/

This is most effective when combined with Option 1: together they provide full snapshots with easy rollback, plus incremental backups throughout the day.
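The pull model described above, reduced to its essentials: the backup server initiates an rsync connection to the legacy machine and keeps each run in its own dated directory, with unchanged files hard-linked to the previous run so that every run is a full restore point at incremental cost. This is an added example rather than BackupPC's code or anything from the article; the backup root `/srv/backups/legacy-xp`, the rsync source `rsync://backup@legacy-xp/share/` (an rsync daemon module exported read-only by the Windows client) and the date-based directory names are all assumptions.

```shell
#!/usr/bin/env bash
# Pull-model incremental backup. The backup server connects to the legacy
# machine; the legacy machine never mounts the backup store, so ransomware
# running on it cannot reach the backup history. Paths and hosts are assumptions.
set -e

BACKUP_ROOT="${BACKUP_ROOT:-/srv/backups/legacy-xp}"        # assumed store on the backup server
SOURCE="${SOURCE:-rsync://backup@legacy-xp/share/}"         # assumed read-only rsync module on the client

# Print the most recent completed run under $1 (directories named 20..., as
# produced by date +%F), ignoring in-progress ".partial" directories.
latest_backup_dir() {
  local root="$1"
  [ -d "$root" ] || return 0
  find "$root" -mindepth 1 -maxdepth 1 -type d -name '20*' ! -name '*.partial' | sort | tail -n 1
}

# Pull one run from rsync source $1 into $2/<label>. $3 is the label and
# defaults to a timestamp, so several runs a day can coexist.
pull_backup() {
  local src="$1" root="$2" label="${3:-$(date +%F_%H%M%S)}"
  local dest="$root/$label" prev
  mkdir -p "$root"
  prev="$(latest_backup_dir "$root")"
  if [ -n "$prev" ]; then
    # unchanged files become hard links into the previous run:
    # incremental in disk usage, yet every run is a complete tree
    rsync -a --delete --link-dest="$prev" "$src" "$dest.partial/"
  else
    rsync -a --delete "$src" "$dest.partial/"
  fi
  # only a completed run is renamed into place and so ever chosen as "latest"
  mv "$dest.partial" "$dest"
  printf '%s\n' "$dest"
}

# Only pull when invoked with --run, so the file can be sourced for testing.
case "${1:-}" in
  --run) pull_backup "$SOURCE" "$BACKUP_ROOT" ;;
esac
```

Scheduling this every few hours from the backup server's cron gives the "incremental backups throughout the day" that complement the daily VM snapshots. The `--delete` flag keeps each run an exact mirror of the client at that moment; a file that the ransomware encrypted in place is simply a changed file in the newest run, while every earlier run still holds the untouched copy.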


Option 4: Isolate the vulnerable machines from the Internet and shared networks

One option is to effectively quarantine the vulnerable machines in their own virtual LAN without Internet access. Splitting groups of vulnerable machines across different VLANs can help slow down an infection.

Machines which are totally isolated will probably require a manual process for moving files around, which can be achieved with USB keys or by dropping files into quarantined storage (see Option 3). Using USB has its own drawbacks, however, as some crypto-ransomware variants have gained the ability to use USB as a route onto your vulnerable machine.
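Where the vulnerable machine has been virtualised (Option 1), the quarantine can be enforced on the host itself rather than on the switch. The added example below, which is not from the article or from any vendor, assumes the guest sits on a VirtualBox host-only network (`vboxnet0`) with the Ubuntu host routing for it, so every packet to or from the guest crosses the host's FORWARD chain. Only two things are allowed in: the backup server's rsync pull (Option 3) and one supported workstation's remote desktop session (as in the VMware variant of Option 1). Everything else, including SMB on 139/445 in either direction and any Internet access, is logged and dropped. All addresses, the interface name and the chain name are assumptions.

```shell
#!/usr/bin/env bash
# Host-side quarantine for a legacy guest: an allow-list in the host's FORWARD
# chain. The guest initiates nothing; a few trusted hosts may reach it.
# Addresses and interface names are assumptions.
set -e

GUEST_IP="${GUEST_IP:-192.168.56.10}"        # assumed guest address on the host-only network
GUEST_IF="${GUEST_IF:-vboxnet0}"             # assumed host interface facing the guest
BACKUP_SERVER="${BACKUP_SERVER:-10.0.0.20}"  # assumed BackupPC server (pulls over rsync, 873/tcp)
RDP_CLIENT="${RDP_CLIENT:-10.0.0.30}"        # assumed supported workstation using remote desktop (3389/tcp)
CHAIN="LEGACY_GUEST"

# Emit the iptables commands, one per line, so the policy can be reviewed
# before it is applied. Re-running is safe: the chain is flushed and the
# FORWARD hooks are removed before being re-inserted.
isolation_rules() {
  cat <<EOF
iptables -N $CHAIN 2>/dev/null || true
iptables -F $CHAIN
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -s $BACKUP_SERVER -d $GUEST_IP -p tcp --dport 873 -m conntrack --ctstate NEW -j ACCEPT
iptables -A $CHAIN -s $RDP_CLIENT -d $GUEST_IP -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix "legacy-guest-drop: "
iptables -A $CHAIN -j DROP
iptables -D FORWARD -i $GUEST_IF -j $CHAIN 2>/dev/null || true
iptables -D FORWARD -o $GUEST_IF -j $CHAIN 2>/dev/null || true
iptables -I FORWARD -i $GUEST_IF -j $CHAIN
iptables -I FORWARD -o $GUEST_IF -j $CHAIN
EOF
}

# Lint the generated policy before trusting it: the chain must end in DROP,
# and no rule may ACCEPT new connections originating from the guest itself,
# since an infected guest must not be able to reach the LAN or the Internet.
policy_is_allowlist() {
  local rules last
  rules="$(isolation_rules | grep " -A $CHAIN ")"
  last="$(printf '%s\n' "$rules" | tail -n 1)"
  case "$last" in *"-j DROP") ;; *) return 1 ;; esac
  ! printf '%s\n' "$rules" | grep -q -- "-s $GUEST_IP .*-j ACCEPT"
}

case "${1:-}" in
  --apply) policy_is_allowlist && isolation_rules | sh -e ;;
  *) isolation_rules ;;
esac
```

Run without arguments to print the rules for review, and with `--apply` (as root, with IP forwarding enabled on the host) to install them. The dropped-packet log lines, prefixed `legacy-guest-drop:`, are worth forwarding to whatever the SOC or sysadmin already watches: a quarantined XP guest that suddenly starts trying to reach port 445 on neighbouring addresses is exactly the signal WannaCrypt-style worms produce.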


To summarise

With the options above it is possible to achieve some level of “damage limitation” against malware and ransomware, but it is clear that prevention is better than cure. Every company which runs and relies on software should have a clear and defined continuous improvement strategy (CIS) being devised or already set in motion. A modern CIS programme is key to ensuring your company remains ready to do business in a compliant and sustainable way.

If you would like more information about how to virtualise your existing legacy infrastructure and encapsulate it into modern hardware, or for a more general discussion about CIS strategies, contact us today. Our expert Managed Services team are on hand to discuss your challenges.

Thanks for reading,

Stuart Buckell

Tags:

security ransomware

Published by: Stuart Buckell

Published on: 21.05.2017