Sunday, May 14, 2017

WannaCry Ransomware: How to protect personal and enterprise systems


What is ransomware?

Ransomware is a kind of cyber-attack in which attackers take control of a computer system and block access to it until a ransom is paid. To gain that access, the criminals need to get a piece of malicious software onto a device inside the network. This is often done by getting a victim to click on a link or to download the software by mistake.

Once the software is on a victim's computer, the attackers can launch an attack that locks every file it can reach within the network. This tends to be a gradual process, with files being encrypted one after another.


Large companies with sophisticated security systems are able to spot this happening and can isolate documents to minimize the damage. Individuals might not be so lucky and could end up losing access to all of their information.
Cyber criminals then demand payment in return for unlocking the files. This is normally in the form of bitcoin, the online cryptocurrency.


Quick actions to prevent WannaCry ransomware

  • Install the latest Windows updates

  • Disable SMB 1.0

  • Tighten security using AV policy (if you use an enterprise AV product, contact the vendor and get an updated set of policies to prevent ransomware)

  • Make sure you don't open unknown mails or click on links in them.



  • Install the latest Windows updates



  • Disable SMB 1.0 on all servers and workstations 


In case you have not got the message yet: the SMB 1 protocol is bad, and according to Microsoft you should “Stop using SMB1”. Not that I should have to explain, but in case you need a refresher: it is old (30 years old); it is slow (especially over high-latency links); and it was superseded over a decade ago with the release of Windows Vista, that’s right… VISTA!!!! So by now you should be convinced that SMB 1 is really bad and that you need to banish the protocol from your network.




To disable the SMB 1 client on Windows 7, run the following two commands from an elevated command prompt (they take effect after the next reboot):

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

sc.exe config mrxsmb10 start= disabled

You can also put these into a script and deploy it through Group Policy.

As always, to begin you need to create a Group Policy Object linked to the computers you want to apply the settings to. Then edit the policy and navigate to Computer Configuration > Windows Settings > Scripts. Double-click “Startup” and then click the “Show Files…” button.
Windows Explorer will now open the Scripts folder of the GPO you have created, and here you can just right-click and create a new “Text Document”.


Here just create a text file with the two command lines above, save it as disablesmb1.cmd (or something like that), and add it to the Startup script list.


The policy will run the startup script the next time the computer reboots. It will disable the SMB 1 protocol at the reboot after that, and you will very quickly have disabled it on all your Windows 7 computers.
Note: This will work on Windows 8.1 or later as well, but in that case it is far better to just run the one-line PowerShell command that simply removes the feature from the OS:
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
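To tie the two methods above together, here is an added PowerShell script (my own example, not part of the original post) that first audits the SMB 1 state of the local host and then, only when asked, disables SMB 1 using the post's own commands: the two sc.exe lines on Windows 7 / Server 2008 R2, and Disable-WindowsOptionalFeature on Windows 8.1 and later. It goes one step beyond the post on Windows 7 by also setting the server-side SMB1 registry value under LanmanServer\Parameters, since the two sc.exe commands only turn off the SMB 1 client. Assumptions: the script runs in an elevated PowerShell session; the function names Get-Smb1State and Disable-Smb1 are mine; and the -ExpectedHotfixId parameter is a placeholder for the KB number of the MS17-010 update that matches your OS build, which you must supply yourself.

```powershell
<#
  Added example (not from the original post): audit and optionally disable SMB 1.0
  on the local Windows host. Run from an elevated PowerShell session.
  -ExpectedHotfixId is a PLACEHOLDER: pass the MS17-010 KB number for this OS build.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ExpectedHotfixId = 'KB-PLACEHOLDER',   # placeholder, supplied by the caller
    [switch]$Remediate                               # without this switch the script only audits
)

$LanmanServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-OSVersion {
    # Win32_OperatingSystem reports the real version (6.1 = Windows 7 / 2008 R2, 6.3 = 8.1 / 2012 R2)
    [Version](Get-WmiObject Win32_OperatingSystem).Version
}

function Get-Smb1State {
    # Client side: the mrxsmb10 driver service carries the SMB 1 client; "Disabled" means it is off
    $svc = Get-WmiObject Win32_Service -Filter "Name='mrxsmb10'"
    $clientDriver = if ($svc) { $svc.StartMode } else { 'not present' }

    # Server side (Windows 7 era): LanmanServer honours the SMB1 DWORD; missing or 1 = enabled
    $val = (Get-ItemProperty -Path $LanmanServerParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $serverRegistry = if ($null -eq $val) { 'enabled (default)' } elseif ($val -eq 0) { 'disabled' } else { 'enabled' }

    # Windows 8.1+ exposes SMB 1 as a removable optional feature
    $feature = $null
    if ((Get-OSVersion) -ge [Version]'6.3' -and (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue)) {
        $feature = (Get-WindowsOptionalFeature -Online -FeatureName smb1protocol).State
    }

    # Patch check only runs when a real KB number was supplied instead of the placeholder
    $hotfix = $null
    if ($ExpectedHotfixId -ne 'KB-PLACEHOLDER') {
        $hotfix = [bool](Get-HotFix -Id $ExpectedHotfixId -ErrorAction SilentlyContinue)
    }

    New-Object PSObject -Property @{
        OSVersion       = (Get-OSVersion).ToString()
        ClientDriver    = $clientDriver
        ServerRegistry  = $serverRegistry
        OptionalFeature = $feature
        HotfixPresent   = $hotfix
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Version]$OSVersion)

    if ($OSVersion -ge [Version]'6.3') {
        # Windows 8.1 / Server 2012 R2 and later: the post's one-liner removes the feature outright
        if ($PSCmdlet.ShouldProcess('smb1protocol', 'Disable-WindowsOptionalFeature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart | Out-Null
        }
    } else {
        # Windows 7 / Server 2008 R2: the two sc.exe commands from the post (SMB 1 client) ...
        if ($PSCmdlet.ShouldProcess('mrxsmb10 / LanmanServer', 'disable SMB 1')) {
            & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
            & sc.exe config mrxsmb10 start= disabled | Out-Null
            # ... plus the server-side value, which the two client commands do not cover
            Set-ItemProperty -Path $LanmanServerParams -Name SMB1 -Type DWord -Value 0 -Force
        }
    }
}

# Audit first so there is a record of the state before any change
Write-Host '=== SMB 1 state before ==='
Get-Smb1State | Format-List

if ($Remediate) {
    Disable-Smb1 -OSVersion (Get-OSVersion)
    Write-Host 'SMB 1 disabled; a reboot is required before the change takes effect.'
    Write-Host '=== SMB 1 state after (pre-reboot) ==='
    Get-Smb1State | Format-List
}
```

Run it once without -Remediate to get an inventory line per host (for example by wrapping it in Invoke-Command across your servers), then with -Remediate -WhatIf to see what it would change, and finally with -Remediate. The ClientDriver, ServerRegistry and OptionalFeature fields should all read disabled after the reboot; a host where they do not is one the Group Policy startup script above has not yet reached.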


