Can "wannacrypt" (wcrypt) spread via Linux server serving over SMB?
Solution 1:
In general any ransomware can encrypt anything the infected user has access to, like any other malware can write to anywhere using the permissions of the account running it. That doesn't equal it becoming active for other users, but it can affect all shares the user has access to.
Countermeasures:
Prevent with virus protection & firewall, as usual.
Force all clients to install updates regularly.
Backups are the most powerful way to handle all ransomware after infection. Eventually some of your users will have one that wasn't yet recognized by your virus protection. Have a backup that your users don't have write access to. Otherwise the backups are useless, because the ransomware has equal access to write over the backups, too.
An offline backup is the safest way to achieve this, but might not be very practical as you need to do more manually, and remember to do it regularly.
I usually have an independent machine that uses separate credentials to access the locations to be backed up. There, I have an incremental backup that can store any changes over weeks or months. It's good against both ransomware and user errors.
WannaCry is using a vulnerability in the Windows implementation of SMB: the protocol itself isn't vulnerable. From a news article on MalwareLess:
The WannaCry attacks are initiated using an SMBv2 remote code execution in Microsoft Windows OS. The EternalBlue exploit has been made publicly available through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14. However, many companies and public organizations have not yet installed the patch to their systems.
The patch mentioned is MS17-010, Security Update for Microsoft Windows SMB Server (4013389):
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Therefore, it doesn't affect Linux. Windows is also safe after installing the update. However, if there still is a client computer with a non-patched Windows, the data on a share might not be safe.
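The incremental backup described in Solution 1, sketched as an added example (not code from the answer): each run keeps its own snapshot, so files overwritten on the share can still be restored from an earlier run. It assumes the script runs on the separate backup machine under credentials the share's users do not have; the function name, directory names and sample files are constructed for illustration.

```python
import filecmp
import os
import shutil
import tempfile
from pathlib import Path


def snapshot(source: Path, store: Path, name: str) -> Path:
    """Copy `source` into store/name, hard-linking files unchanged since the newest snapshot."""
    store.mkdir(parents=True, exist_ok=True)
    earlier = sorted(p for p in store.iterdir() if p.is_dir())
    previous = earlier[-1] if earlier else None
    target = store / name
    target.mkdir()  # raises if the snapshot exists: old snapshots are never overwritten
    for root, _dirs, files in os.walk(source):
        rel = Path(root).relative_to(source)
        (target / rel).mkdir(parents=True, exist_ok=True)
        for fname in files:
            src = Path(root) / fname
            dst = target / rel / fname
            old = previous / rel / fname if previous else None
            if old and old.is_file() and filecmp.cmp(src, old, shallow=False):
                os.link(old, dst)        # unchanged: share storage with the last snapshot
            else:
                shutil.copy2(src, dst)   # new or modified: keep a fresh, independent copy
    return target


def demo() -> dict:
    """Constructed scenario: a file on the share is overwritten between two backup runs."""
    with tempfile.TemporaryDirectory() as tmp:
        share, store = Path(tmp, "share"), Path(tmp, "backups")
        share.mkdir()
        (share / "report.txt").write_text("quarterly numbers")
        (share / "notes.txt").write_text("unchanged notes")
        first = snapshot(share, store, "2017-05-12")
        # Simulate the share's contents being overwritten by a client with write access.
        (share / "report.txt").write_bytes(b"\x00garbled\x00")
        second = snapshot(share, store, "2017-05-13")
        return {
            "recovered": (first / "report.txt").read_text(),
            "latest": (second / "report.txt").read_bytes(),
            "notes_shared": os.path.samefile(first / "notes.txt", second / "notes.txt"),
        }


if __name__ == "__main__":
    print(demo())
```

The second snapshot faithfully records the overwritten file, which is why retention over weeks or months matters: recovery depends on a snapshot taken before the damage still being in the store.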
Solution 2:
Found this, although no source was provided to back up the claim:
WannaCry exploits a set of flaws in Microsoft's implementation of the SMB1 protocol. Since these are implementation flaws rather than structural flaws in the protocol itself, Linux systems are immune. This is true regardless of if the systems are running Samba, Wine, or any other Windows-emulation layer.
https://security.stackexchange.com/a/159405