This post was updated on May 17, 2017, at 12:20 PM PDT.
Over the past few days, there has been a lot of buzz around the WannaCry ransomware campaign. For those in the trenches dealing with how to address wave after wave of attacks, it's not as simple as the unhelpful motto of "patch your systems." Most medium and enterprise businesses cannot trust blindly installing a plethora of patches across every Windows devices, especially server-class operating systems with mission critical applications. A long history of compatibility issues with patches is part of the reason why there are so many systems vulnerable to WannaCry when the patches have been available since March. So, what are your options if you want to prevent having to tell management that ransomware has ravaged your critical systems?
PATCH YOUR SYSTEMS
This is by far the best option when protecting against WannaCry. It's also the least helpful. On a more specific note, you can narrow down which patches to install across the environment to those which specifically deal with closing the EternelBlue SMB vulnerability of which WannaCry takes advantage. Below is a list of patches and their associated platforms you can search for in your environment. If the patch is installed, your system is safe for the time being.
KB Number |
Platform |
4012212 |
Windows 7 SP1Windows Server 2008 R2 SP1 |
4012213 |
Windows 8.1Windows Server 2012 R2 |
4012214 |
Windows Server 2012 |
4012215 |
Windows 7 SP1Windows Server 2008 R2 SP1 |
4012216 |
Windows 8.1Windows Server 2012 R2 |
4012217 |
Windows Server 2012 |
4012598 |
Windows XPWindows VistaWindows 8Windows Server 2003 SP2Windows Server 2008 |
4013429 |
Windows 10 Version 1607Windows Server 2016 |
4015217 |
Windows 10 Version 1607Windows Server 2016 |
4015438 |
Windows 10 Version 1607Windows Server 2016 |
4015549 |
Windows 7 SP1Windows Server 2008 R2 SP1 |
4015550 |
Windows 8.1Windows Server 2012 R2 |
4015551 |
Windows Server 2012 |
4015552 |
Windows 7 SP1Windows Server 2008 R2 SP1 |
4015553 |
Windows 8.1Windows 2012 R2 |
4016635 |
Windows 10 Version 1607Windows Server 2016 |
4019215 |
Windows 8.1Windows Server 2012 R2 |
4019216 |
Windows Server 2012 |
4019264 |
Windows 7 SP1Windows Server 2008 R2 |
4019472 |
Windows 10 Version 1607Windows Server 2016 |
DISABLE SMBV1
The WannaCry ransomware exploits vulnerabilities in the way Windows handles SMB connections. By disabling SMBv1 entirely on systems that do not rely on it, you can protect systems without having to install a patch. The easiest way to accomplish this on 2008 R2 and earlier systems is to set the following two registry keys to 0, which will disable the appropriate versions.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | SMB1
On more recent systems, the following two commands will disable SMBv1:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
For more information on enabling and disabling SMB, see this Microsoft Support Article.
BLOCK SMB FIREWALL PORTS
The last option to help protect against WannaCry infection is to block the ports on which SMB relies for communication. The ports used for SMB are TCP 139 and 445. While only port 445 is known to be targeted at this point, it’s possible that 139 could be a target in the future.
STAYING AHEAD OF THE THREAT
For Tripwire Enterprise customers, content is available on the Tripwire Customer Center to detect which systems are vulnerable to WannaCry-type exploits. Very quickly, you can scan your covered assets to isolate those that may be at greatest risk of being infected by WannaCry ransomware variants. If you want to learn more about how Tripwire's product suite can help your organization be prepared for similar attacks in the future, please watch this video: https://www.youtube.com/watch?v=plotp84p9o0 Alternatively, you can find out more about the malware's operation and how you can prevent a similar attack here.
