WannaCry Ransomware Prevention Techniques for End Users and System & Security Administrators
Name of the Virus/Worm/Ransomware: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
Infected Windows versions: XP, Vista, Windows 2000, Windows 2007, Windows 8
What it is:
WannaCry appears to be a worm that contains and runs the ransomware, spreading itself using the SMB vulnerability (MS17-010). The ransomware encrypts the computer's hard disk drive and then spreads laterally between computers on the same LAN. It also spreads through malicious email attachments.
Steps to Prevent WannaCrypt Ransomware for End Users:
Step 1: Install the patches released by Microsoft and update your system frequently for the next few days.
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Step 2: Block the SMB ports on your system (UDP 137, 138 and TCP 139, 445) or disable SMB.
Follow the steps below to disable the SMB service:
- Go to Windows’ Control Panel and open ‘Programs.’
- Open ‘Features’ under Programs and click ‘Turn Windows Features on and off.’
- Now, scroll down to find ‘SMB 1.0/CIFS File Sharing Support’, uncheck it, and restart the computer.
The screenshot below shows the SMB feature that needs to be disabled.
Step 3: Take backups to external drives.
Step 4: Customers should not open documents from untrusted or unknown sources that have any of these malicious file extensions:
exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
Step 5: Update your system with the latest antivirus definitions.
For Security & System Administrators:
Step 1: Push the latest patches from a patch management system to all the Windows systems in the network.
Step 2: Disable SMB services on all systems. This can be achieved by applying a Group Policy in Active Directory and pushing it to all the systems in the network.
Step 3: Update to the latest signatures on your IDS and IPS devices.
Step 4: Implement application whitelisting or strict Software Restriction Policies (SRP) to block binaries running from the %APPDATA%, %PROGRAMDATA% and %TEMP% paths. Ransomware samples generally drop and execute from these locations. Enforce application whitelisting on all endpoint workstations.
Step 5: Implement security controls to filter malicious content/extensions through the browser.
Step 6: Block connections to TOR nodes and TOR traffic on the network. Blacklisting these will prevent WannaCry's outbound communications to the TOR network.
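The SMB part of Step 2 (for end users and administrators alike) can be scripted. The following PowerShell is an added example, not part of the original post: it reports whether the SMBv1 server is enabled on the local machine and, when run with `-Apply`, disables it and blocks the ports listed above. The `-Apply` switch and the firewall rule display names are choices made for this example; the registry fallback covers older systems that lack the SMB cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMBv1 on this host; with -Apply, disable it and block the SMB ports.
param([switch]$Apply)   # hypothetical switch: without it nothing is changed

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# The SMB/DISM/NetSecurity cmdlets exist on Windows 8 / Server 2012 and later.
$modern  = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)
$feature = $null

# --- Audit ---------------------------------------------------------------
if ($modern) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
} else {
    # Older systems: a missing SMB1 value, or any value other than 0, means enabled.
    $value = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $value) -or ($value -ne 0)
}

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    SMB1Server  = $smb1Enabled
    SMB1Feature = if ($feature) { $feature.State } else { 'n/a' }
}

if (-not $Apply) { return }

# --- Remediate -----------------------------------------------------------
if ($modern) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # Inbound block for the ports named in Step 2. Do not apply this part on
    # machines that must serve file shares: it stops all inbound SMB, not only SMBv1.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 139,445)' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound NetBIOS (UDP 137,138)' `
        -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block | Out-Null
} else {
    Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
}
Write-Warning 'Restart the computer to complete the SMBv1 change.'
```

Run it once without `-Apply` to see the current state before changing anything; the same script can be distributed through the Group Policy mentioned in Step 2 for administrators.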