WannaCelebrate - How to Protect Against WannaCry Ransomware

This post was updated on May 17, 2017, at 12:20 PM PDT.

---

Over the past few days, there has been a lot of buzz around the WannaCry ransomware campaign. For those in the trenches dealing with how to address wave after wave of attacks, it's not as simple as the unhelpful motto of "patch your systems." Most medium and enterprise businesses cannot trust blindly installing a plethora of patches across every Windows devices, especially server-class operating systems with mission critical applications. A long history of compatibility issues with patches is part of the reason why there are so many systems vulnerable to WannaCry when the patches have been available since March. So, what are your options if you want to prevent having to tell management that ransomware has ravaged your critical systems?

PATCH YOUR SYSTEMS

This is by far the best option when protecting against WannaCry. It's also the least helpful. On a more specific note, you can narrow down which patches to install across the environment to those which specifically deal with closing the EternelBlue SMB vulnerability of which WannaCry takes advantage. Below is a list of patches and their associated platforms you can search for in your environment. If the patch is installed, your system is safe for the time being.

KB Number	Platform
4012212	Windows 7 SP1 Windows Server 2008 R2 SP1
4012213	Windows 8.1 Windows Server 2012 R2
4012214	Windows Server 2012
4012215	Windows 7 SP1 Windows Server 2008 R2 SP1
4012216	Windows 8.1 Windows Server 2012 R2
4012217	Windows Server 2012
4012598	Windows XP Windows Vista Windows 8 Windows Server 2003 SP2 Windows Server 2008
4013429	Windows 10 Version 1607 Windows Server 2016
4015217	Windows 10 Version 1607 Windows Server 2016
4015438	Windows 10 Version 1607 Windows Server 2016
4015549	Windows 7 SP1 Windows Server 2008 R2 SP1
4015550	Windows 8.1 Windows Server 2012 R2
4015551	Windows Server 2012
4015552	Windows 7 SP1 Windows Server 2008 R2 SP1
4015553	Windows 8.1 Windows 2012 R2
4016635	Windows 10 Version 1607 Windows Server 2016
4019215	Windows 8.1 Windows Server 2012 R2
4019216	Windows Server 2012
4019264	Windows 7 SP1 Windows Server 2008 R2
4019472	Windows 10 Version 1607 Windows Server 2016

 

DISABLE SMBV1

The WannaCry ransomware exploits vulnerabilities in the way Windows handles SMB connections. By disabling SMBv1 entirely on systems that do not rely on it, you can protect systems without having to install a patch. The easiest way to accomplish this on 2008 R2 and earlier systems is to set the following two registry keys to 0, which will disable the appropriate versions.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | SMB1

On more recent systems, the following two commands will disable SMBv1:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

sc.exe config mrxsmb10 start= disabled

For more information on enabling and disabling SMB, see this Microsoft Support Article.

BLOCK SMB FIREWALL PORTS

The last option to help protect against WannaCry infection is to block the ports on which SMB relies for communication. The ports used for SMB are TCP 139 and 445. While only port 445 is known to be targeted at this point, it’s possible that 139 could be a target in the future.

STAYING AHEAD OF THE THREAT

For Tripwire Enterprise customers, content is available on the Tripwire Customer Center to detect which systems are vulnerable to WannaCry-type exploits. Very quickly, you can scan your covered assets to isolate those that may be at greatest risk of being infected by WannaCry ransomware variants. If you want to learn more about how Tripwire's product suite can help your organization be prepared for similar attacks in the future, please watch this video: https://www.youtube.com/watch?v=plotp84p9o0 Alternatively, you can find out more about the malware's operation and how you can prevent a similar attack here.