Protection Against WannaCry Ransomware

Tuesday, May 16, 2017 @ 12:44 pm

Ransomware infections encrypt your files, and you must pay hundreds of dollars (in Bitcoin) to decrypt them. If you don’t pay by a certain date, the ransom amount is jacked up and/or the malware deletes all your files.

In this blog post I’ve included 3 preventative measures against the latest “WannaCry” ransomware (I want to give a quick shout-out to the NSA for discovering the Windows vulnerability and not telling Microsoft; you made this all possible).

If you were to do only one preventative measure, please complete section A – which is installing the patch released by Microsoft. However, I recommend you do all 3 (A, B, and C) for protection against this particular ransomware strain and future ones.

IMPORTANT: after going through this blog post, make sure you restart your machine in order to make all changes effective.

A) Windows Update

The recommended method of protecting yourself is running Windows Update: click “Check for Updates” and install all available “Important Updates”. Once everything has been updated, restart your machine(s).

<Mini Rant>

Personally, Microsoft has tarnished Windows Update for me via the whole Windows 10 upgrade debacle by aggressively pushing users to knowingly/unknowingly upgrade to Windows 10 through “security updates” (pictured below). In some cases, clicking on the top-right X icon actually started the upgrade process. Here’s my favourite Windows 10 horror story where an anti-poaching organization in the Central African bush – who pay for slow satellite internet (per megabyte) – had one of their computers secretly download 6 gigabytes for Windows 10.

When WannaCry was first announced, I admit I had Windows Update disabled.

</Mini Rant>

Anyways, I digress. Long story short, I understand if you also have Windows Update disabled.

Manually Download Patches

If you’d prefer, instead of doing an automatic Windows Update you can download the patch for your operating system by clicking on one of the links below.

Ensure you download the correct variation to match your system (32-bit or 64-bit):

If you’re on Windows XP / Vista / 8 (not 8.1), download the relevant patch here: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

To find out what version of Windows is running:

  1. Click the Start button, enter Computer in the search box, right-click Computer, and then click Properties
    1. Version: under Windows edition you’ll find the Windows version (e.g. Windows 7, 8, 8.1, 10, etc.)
    2. 32-bit or 64-bit: find System Type under the System section. The machine will either be 32-bit or 64-bit.

By completing this section, you should be protected against the WannaCry ransomware. Continue on if you want to further protect your computer.

B) Manually Disabling SMBv1

SMBv1 is the service that the WannaCry ransomware exploits in order to infect and spread. Using the official Microsoft page on disabling SMBv1, below are the key commands that are relevant to us (I included the official link so you can verify I didn’t tamper with the commands). On Vista / 7 the two sc.exe commands turn off the SMBv1 client and the PowerShell command turns off the SMBv1 server; on 8(.1) / 10 the optional feature covers both.

Windows Vista / 7

  1. Start Menu => Search for Command Prompt, right-click on it and click on “Run as administrator”.
  2. Paste in the following two commands and run them:
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
  3. Start Menu => Search for “powershell”, right-click on it and click on “Run as administrator”.
  4. Run the following command:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Windows 8(.1) / Windows 10

  1. Start Menu => Control Panel, click Programs, and then click Turn Windows features on or off.
  2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.

OR (same as above but simpler):

  1. Start Menu => Search for “powershell”, right-click on it and click on “Run as administrator”.
  2. Run the following command:
    Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
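As an added check (not part of the original post), the following PowerShell reports whether the SMBv1 server and client are actually off after the steps above, by reading the same registry values the sc.exe and Set-ItemProperty commands write and, on 8(.1) / 10, the state of the smb1protocol optional feature. The function name is my own; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: verify the result of section B.
# Works on Vista/7 (registry only) and on 8(.1)/10 (registry + optional feature).
function Get-Smb1Status {
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # SMBv1 server: the SMB1 value written in section B. 0 = disabled.
    # If the value is missing, the server side is enabled by default.
    $smb1 = (Get-ItemProperty -Path "$svc\LanmanServer\Parameters" -Name SMB1 `
                -ErrorAction SilentlyContinue).SMB1
    $serverOff = ($smb1 -eq 0)

    # SMBv1 client: mrxsmb10 must have Start = 4 (disabled) and must be gone
    # from LanmanWorkstation's dependency list, which is what the two sc.exe
    # commands do. A missing mrxsmb10 key means the driver is not installed.
    $start = (Get-ItemProperty -Path "$svc\mrxsmb10" -Name Start `
                -ErrorAction SilentlyContinue).Start
    $deps  = (Get-ItemProperty -Path "$svc\LanmanWorkstation" -Name DependOnService `
                -ErrorAction SilentlyContinue).DependOnService
    $clientOff = ($null -eq $start -or $start -eq 4) -and ($deps -notcontains 'mrxsmb10')

    # Windows 8(.1)/10 only: the optional feature toggled in the GUI/PowerShell steps.
    $feature = 'N/A'
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = (Get-WindowsOptionalFeature -Online -FeatureName smb1protocol).State
    }

    New-Object PSObject -Property @{
        Smb1ServerDisabled  = $serverOff
        Smb1ClientDisabled  = $clientOff
        Smb1OptionalFeature = $feature
        # Either both registry checks pass, or the whole feature is removed.
        FullyDisabled       = ($serverOff -and $clientOff) -or ($feature -like 'Disabled*')
    }
}

Get-Smb1Status | Format-List
```

Run it once before and once after the steps above (and again after the restart) to confirm the change actually took effect.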

C) Hardening Your System

CryptoPrevent

For all Windows operating systems, I recommend you install CryptoPrevent: https://www.foolishit.com/cryptoprevent-malware-prevention/ (free version; I know the domain looks questionable, but it’s a well-recommended program in the security community).

When prompted, select “No”, “No”, and “OK”, set it to “Default Mode”, and click Yes when asked “Would you like to whitelist any items currently in blocked locations?”. When prompted to restart your computer, you can click No: just remember to restart your computer after you’re done reading this blog post.

Firewall

Additionally, you can block incoming ports using Windows Firewall or your third-party firewall (if any). This will help protect your computer from being infected by another compromised machine on your network.

  1. Go to the Start Menu and type in firewall
  2. Click on Windows Firewall with Advanced Security
  3. In the new window, click on Inbound Rules in the left pane
  4. Click on New Rule, located to the top right side of the window
  5. Select Port and click on Next
  6. In the next screen you’ll be asked for the protocol and port number; refer to the two bullet points below for the ports to block
  7. Click Next then select Block the Connection and follow the on-screen instructions
  8. Repeat until all ports below are blocked

The incoming ports to block are:

  • TCP ports: 137, 139, 445, 3389
  • UDP ports: 137, 138
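The same inbound block rules as a script, added here as an example and not taken from the original post. It uses netsh advfirewall because that exists on Vista / 7 as well as 8(.1) / 10 (the New-NetFirewallRule cmdlet only exists on Windows 8 / Server 2012 and later), and it includes the matching removal for the Troubleshooting section. The rule name prefix and function names are my own choices; run from an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: section C's firewall rules as code.
# Assumed rule name prefix; change it if you like.
$prefix = 'WannaCry block'

# Ports exactly as listed in the post.
$tcpPorts = '137,139,445,3389'
$udpPorts = '137,138'

function Add-WannaCryBlockRules {
    # Whole arguments are quoted so PowerShell passes the comma lists intact.
    netsh advfirewall firewall add rule "name=$prefix TCP" dir=in action=block protocol=TCP "localport=$tcpPorts"
    netsh advfirewall firewall add rule "name=$prefix UDP" dir=in action=block protocol=UDP "localport=$udpPorts"
}

function Remove-WannaCryBlockRules {
    # Undo step for the Troubleshooting section: removes only the two rules
    # added above, so file/printer sharing to this machine works again.
    netsh advfirewall firewall delete rule "name=$prefix TCP"
    netsh advfirewall firewall delete rule "name=$prefix UDP"
}

function Test-WannaCryBlockRules {
    # Returns $true when both rules exist and are enabled.
    # Assumes an English Windows; netsh output is localized.
    $out = @(netsh advfirewall firewall show rule "name=$prefix TCP") +
           @(netsh advfirewall firewall show rule "name=$prefix UDP")
    (@($out -match '^Rule Name:').Count -eq 2) -and (@($out -match '^Enabled:\s+Yes').Count -eq 2)
}

Add-WannaCryBlockRules
Test-WannaCryBlockRules
```

Blocking inbound 445 and 139 also stops other machines from reaching shares and printers on this PC, which is exactly the symptom the Troubleshooting section describes; Remove-WannaCryBlockRules reverses it.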

Troubleshooting

If you experience issues with file sharing or your printer after completing the above steps and restarting, you may want to undo the changes you made in section B and/or section C (re-enabling SMBv1, disabling CryptoPrevent and/or removing the firewall rules we added).

To re-enable SMBv1:

Windows Vista / 7

  1. Start Menu => Search for Command Prompt, right-click on it and click on “Run as administrator”.
  2. Paste in the following two commands and run them:
    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= auto
  3. Start Menu => Search for “powershell”, right-click on it and click on “Run as administrator”.
  4. Run the following command:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

Windows 8(.1) / Windows 10

  1. Start Menu => Control Panel, click Programs, and then click Turn Windows features on or off.
  2. In the Windows Features window, check the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.

OR (same as above but simpler):

  1. Start Menu => Search for “powershell”, right-click on it and click on “Run as administrator”.
  2. Run the following command:
    Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Best Practices

  • Backups: the single best recommendation I can provide is for you to make regular backups of your important data, on USB drives and/or the cloud. A step further is to disconnect your backup media from your device afterwards, because ransomware is known to spread to all connected devices (physically and virtually). The above steps in this post do help protect you against ransomware, but ransomware is constantly evolving. With a backup, you are able to restore your important files even if your computer is infected and encrypted by ransomware.
  • Email Safety: most users get infected by opening an email with malicious links/attachments. If you receive an email asking you to download and open a file – even from a trusted contact (**cough**) – be skeptical. If you’re unsure, it’s best to call the person/organization directly using an official phone number. Do not reply to the suspicious email.
  • 100% Clean Network: because of the way WannaCry spreads laterally (e.g. to other devices on the same network), ensure that all devices on your network are clean and protected.
  • Disable Autorun: to prevent malware from spreading via infected USB drives, you can use my Autorun Protector tool.
  • Antivirus: keep your antivirus up-to-date. If you are looking for a free antivirus, I recommend Bitdefender as a no-nonsense, nag-free solution. I previously recommended Avast, but as of late it has become a bloated mess. Bitdefender also scores quite well against other antivirus solutions.
  • Enable Windows Update: as much as I hate Windows Update for the whole Windows 10 forced-upgrade episode, having Windows Update and automatic updates enabled is a great way to protect your machine against vulnerabilities.
  • Operating System Upgrade: if you’re still on Windows XP, I recommend looking into upgrading. I’m physically allergic to Windows 10; I consider Windows 7 as the best Windows version. If you upgrade from Windows to Linux instead, even better. I recommend Linux Mint – Cinnamon for beginners.

Further Reading

Troy Hunt has published an excellent write-up on the WannaCry ransomware: https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

A technical nose-dive: https://www.bleepingcomputer.com/news/security/wannacry-wana-decryptor-wanacrypt0r-info-and-technical-nose-dive/