
This post was updated on May 17, 2017, at 12:20 PM PDT.

Over the past few days, there has been a lot of buzz around the WannaCry ransomware campaign. For those in the trenches dealing with how to address wave after wave of attacks, it’s not as simple as the unhelpful motto of “patch your systems.”

Most medium and enterprise businesses cannot afford to blindly install a plethora of patches across every Windows device, especially on server-class operating systems running mission-critical applications. A long history of compatibility issues with patches is part of the reason why so many systems remained vulnerable to WannaCry even though the patches have been available since March.

So, what are your options if you want to prevent having to tell management that ransomware has ravaged your critical systems?

PATCH YOUR SYSTEMS

This is by far the best option when protecting against WannaCry. It’s also the least helpful. On a more specific note, you can narrow down which patches to install across the environment to those which specifically close the EternalBlue SMB vulnerability that WannaCry takes advantage of.

Below is a list of patches and their associated platforms you can search for in your environment. If the patch is installed, your system is safe for the time being.

| KB Number | Platform |
|-----------|----------|
| 4012212 | Windows 7 SP1, Windows Server 2008 R2 SP1 |
| 4012213 | Windows 8.1, Windows Server 2012 R2 |
| 4012214 | Windows Server 2012 |
| 4012215 | Windows 7 SP1, Windows Server 2008 R2 SP1 |
| 4012216 | Windows 8.1, Windows Server 2012 R2 |
| 4012217 | Windows Server 2012 |
| 4012598 | Windows XP, Windows Vista, Windows 8, Windows Server 2003 SP2, Windows Server 2008 |
| 4013429 | Windows 10 Version 1607, Windows Server 2016 |
| 4015217 | Windows 10 Version 1607, Windows Server 2016 |
| 4015438 | Windows 10 Version 1607, Windows Server 2016 |
| 4015549 | Windows 7 SP1, Windows Server 2008 R2 SP1 |
| 4015550 | Windows 8.1, Windows Server 2012 R2 |
| 4015551 | Windows Server 2012 |
| 4015552 | Windows 7 SP1, Windows Server 2008 R2 SP1 |
| 4015553 | Windows 8.1, Windows Server 2012 R2 |
| 4016635 | Windows 10 Version 1607, Windows Server 2016 |
| 4019215 | Windows 8.1, Windows Server 2012 R2 |
| 4019216 | Windows Server 2012 |
| 4019264 | Windows 7 SP1, Windows Server 2008 R2 |
| 4019472 | Windows 10 Version 1607, Windows Server 2016 |
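The following PowerShell script is an added example, not part of the original post or of any Tripwire product: it audits a host against the KB list above using the built-in Get-HotFix cmdlet (which reads the Win32_QuickFixEngineering data) and reports whether any of the listed updates is present. The hosts.txt file in the usage comment is a placeholder for your own inventory.

```powershell
# Added example (not from the original post): check whether a host carries one of
# the WannaCry-related updates listed in the table above.
$WannaCryKBs = @(
    'KB4012212','KB4012213','KB4012214','KB4012215','KB4012216','KB4012217',
    'KB4012598','KB4013429','KB4015217','KB4015438','KB4015549','KB4015550',
    'KB4015551','KB4015552','KB4015553','KB4016635','KB4019215','KB4019216',
    'KB4019264','KB4019472'
)

function Test-WannaCryPatch {
    param(
        # Host to query; defaults to the local machine. Remote queries need local
        # admin rights on the target and RPC/WMI reachability through the firewall.
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $os = (Get-WmiObject Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop).Caption

    # Keep only the installed hotfixes whose ID appears in the list above.
    $installed = @(Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Where-Object { $WannaCryKBs -contains $_.HotFixID })

    [pscustomobject]@{
        ComputerName = $ComputerName
        OS           = $os
        Patched      = ($installed.Count -gt 0)
        MatchingKBs  = ($installed.HotFixID -join ', ')
    }
}

# Local host, or feed a list of hostnames from your asset inventory (hosts.txt is a placeholder):
# Get-Content .\hosts.txt | ForEach-Object { Test-WannaCryPatch -ComputerName $_ } | Export-Csv .\wannacry-audit.csv -NoTypeInformation
Test-WannaCryPatch | Format-List
```

Treat a "Patched = False" result as a prompt to investigate rather than a verdict: on Windows 10 / Server 2016 and on systems receiving monthly rollups, a newer cumulative update can supersede the listed KB without that KB ever appearing in Get-HotFix output, so cross-check the installed update history on such hosts.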


DISABLE SMBV1

The WannaCry ransomware exploits vulnerabilities in the way Windows handles SMB connections. By disabling SMBv1 entirely on systems that do not rely on it, you can protect systems without having to install a patch.

The easiest way to accomplish this on 2008 R2 and earlier systems is to set the SMB1 value under the following registry key to 0 (REG_DWORD), which disables the SMBv1 server component.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | SMB1

On more recent systems, the following two commands disable the SMBv1 client (the mrxsmb10 driver); a reboot is required for the change to take effect:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

For more information on enabling and disabling SMB, see this Microsoft Support Article.
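The script below is an added example, not code from the original post or from Microsoft: it reports the current SMBv1 server and client state from the registry, then applies the two changes described above (the LanmanServer SMB1 value and the sc.exe commands) and, where the cmdlets exist, also turns the protocol off through Set-SmbServerConfiguration and the SMB1Protocol optional feature. The Get-Smb1Status and Disable-Smb1 function names are my own.

```powershell
# Added example (not from the original post): inspect and disable SMBv1 on the local host.
# Run from an elevated PowerShell session. Disabling SMBv1 cuts off devices that only
# speak SMB1 (legacy NAS appliances, printers, Windows XP/2003), so validate on a
# non-production host first.
$ServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ClientDriver = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1Status {
    # Server side: the SMB1 value under LanmanServer\Parameters. A missing value means enabled.
    $serverValue = (Get-ItemProperty -Path $ServerParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # Client side: the mrxsmb10 driver start type (4 = disabled).
    $clientStart = (Get-ItemProperty -Path $ClientDriver -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Smb1ServerEnabled = ($null -eq $serverValue) -or ($serverValue -ne 0)
        Smb1ClientEnabled = ($null -eq $clientStart) -or ($clientStart -ne 4)
    }
}

function Disable-Smb1 {
    # Server side, as described in the post for 2008 R2 and earlier (also honoured by later releases).
    Set-ItemProperty -Path $ServerParams -Name SMB1 -Type DWord -Value 0 -Force

    # Client side, the two sc.exe commands from the post: remove mrxsmb10 from the
    # workstation service's dependencies and stop the driver from loading at boot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null

    # Windows 8 / Server 2012 and later expose the same setting through the SMB cmdlets,
    # and Windows 8.1 / 10 ship SMB1 as a removable optional feature; use them where present.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

Write-Output 'SMBv1 state before:'
Get-Smb1Status
Disable-Smb1
Write-Output 'SMBv1 state after (client-side change takes effect after a reboot):'
Get-Smb1Status
```

Get-Smb1Status is safe to run on its own across a fleet before you change anything; it is the quickest way to find which hosts still have the protocol on while you schedule the reboot that the client-side change needs.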

BLOCK SMB FIREWALL PORTS

The last option to help protect against WannaCry infection is to block the ports on which SMB relies for communication. The ports used for SMB are TCP 139 and 445. While only port 445 is known to be targeted at this point, it’s possible that 139 could be a target in the future.
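As an added example (not from the original post), the script below creates a host-firewall rule that blocks inbound TCP 139 and 445 and provides a check that confirms an enabled block rule covers port 445. It uses the NetSecurity cmdlets available on Windows 8 / Server 2012 and later and falls back to netsh advfirewall on older releases; the rule name and function names are my own.

```powershell
# Added example (not from the original post): block inbound SMB on the Windows host firewall.
# Run from an elevated session. Do not apply to file servers or domain controllers as-is:
# it blocks every inbound SMB connection, including legitimate share and SYSVOL access.
$RuleName = 'Block inbound SMB (TCP 139, 445)'

function Block-InboundSmb {
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        # Skip creation if the rule already exists, so re-runs stay idempotent.
        if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
                -LocalPort 139,445 -Action Block -Profile Any | Out-Null
        }
    } else {
        # Windows 7 / Server 2008 R2: the NetSecurity module is absent, use netsh instead.
        netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=139,445 | Out-Null
    }
}

function Test-InboundSmbBlocked {
    # Returns $true when any enabled inbound block rule covers TCP 445 (or all ports).
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and
            ($filter.LocalPort -eq 'Any' -or $filter.LocalPort -contains '445')) {
            return $true
        }
    }
    return $false
}

Block-InboundSmb
Write-Output "Inbound TCP 445 blocked by host firewall: $(Test-InboundSmbBlocked)"
```

Because WannaCry spreads laterally from one infected host to its neighbours, the same two ports are worth blocking between workstation subnets on the network firewall, not only on each host; the host rule above is the quick measure for machines you cannot patch or reboot immediately.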

STAYING AHEAD OF THE THREAT

For Tripwire Enterprise customers, content is available on the Tripwire Customer Center to detect which systems are vulnerable to WannaCry-type exploits. Very quickly, you can scan your covered assets to isolate those that may be at greatest risk of being infected by WannaCry ransomware variants.

If you want to learn more about how Tripwire’s product suite can help your organization be prepared for similar attacks in the future, please watch this video:

Alternatively, you can find out more about the malware’s operation and how you can prevent a similar attack here.