May 15 2017

How to protect from wcrypt (Wanna Cry)?

 

Windows Update MS17-010

 

The virus uses the ETERNALBLUE exploit, which is closed by Microsoft security update MS17-010, released in March. I recommend checking the update center on your computer for this update by its KB code (for example, on Windows 7 the code is KB4012212 or KB4012215).

If the updates are not installed, you can download them from the official Microsoft website:

This applies to all recent Windows versions, such as 7, 8.x, 10, 2008, 2008 R2, 2012, 2012 R2…

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

For older systems (Windows XP, Windows Server 2003 R2), Microsoft released special patches:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

 

Close ports 135 and 445

 

According to reports from antivirus companies, wcrypt penetrates computers through SMB (Server Message Block) ports. To prevent this, we block ports 135 and 445, through which the virus penetrates (in most cases ordinary users do not use them).

To do this, open the console with administrator rights (cmd.exe -> Run as administrator) and execute the following two commands in turn (each command should return the status OK).

netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135"

netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"

 

Disabling SMBv1 support

 

The vulnerability can also be closed by completely disabling SMBv1 support. Run this command in cmd (run as administrator).

dism /online /norestart /disable-feature /featurename:SMB1Protocol
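
To confirm that the three measures above took effect, the following PowerShell check can be run from an elevated prompt. It is an added example, not part of the original post: the function names are hypothetical, and it assumes the Windows 7 KB codes and the firewall rule names used above.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell prompt.
# KB IDs are the Windows 7 examples the article names; other Windows versions
# and later superseding rollups use different IDs, so "not found" is a prompt
# to check the Windows Update history, not proof that the host is unpatched.
$kbIds     = 'KB4012212', 'KB4012215'
$ruleNames = 'Block_TCP-135', 'Block_TCP-445'   # names set by the netsh commands above

function Test-Hotfix {
    param([string[]]$Ids)
    $hit = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ids -contains $_.HotFixID }
    [bool]$hit
}

function Test-InboundBlockRule {
    param([string]$Name)
    # Windows Firewall COM API: locale-independent, unlike parsing netsh output.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $rule = $policy.Rules | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if (-not $rule) { return 'missing' }
    # Action 0 = block, Direction 1 = inbound, Protocol 6 = TCP
    if ($rule.Enabled -and $rule.Action -eq 0 -and $rule.Direction -eq 1 -and $rule.Protocol -eq 6) {
        return "ok (TCP $($rule.LocalPorts))"
    }
    'present but not an enabled inbound TCP block'
}

function Get-Smb1State {
    # The dism command above uses /norestart, so the state stays
    # DisablePending (SMBv1 still active) until the machine is rebooted.
    try {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
        [string]$f.State
    } catch {
        'unknown (feature or cmdlet not available on this Windows version)'
    }
}

$kbResult = if (Test-Hotfix $kbIds) { 'installed' } else { 'not found' }
$report = @()
$report += New-Object psobject -Property @{ Check = 'MS17-010 KB (Windows 7 IDs)'; Result = $kbResult }
foreach ($n in $ruleNames) {
    $ruleResult = Test-InboundBlockRule $n
    $report += New-Object psobject -Property @{ Check = "Firewall rule $n"; Result = $ruleResult }
}
$report += New-Object psobject -Property @{ Check = 'SMB1Protocol feature'; Result = (Get-Smb1State) }
$report | Select-Object Check, Result | Format-Table -AutoSize
```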

 

 

Here are a few things for your reference:

 

  • If you are using Win Vista, 7, 8.1 & 10: In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Security Update enabled are protected against attacks on this vulnerability.
    For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.
  • Activate Windows Defender: For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider whether they are protected.
  • If using older version of Windows: Customers running versions of Windows that no longer receive mainstream support may not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we have released a Security Update for platforms in custom support only. Windows XP, Windows 8 and Windows Server 2003 Security Updates are broadly available for download now (see links below).
  • Additional Steps to consider: This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks). Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources.

More information on the malware is available from the Microsoft Malware Protection Center through the Windows Security blog. We are working with our customers to provide additional assistance as the situation evolves, and will update this blog with details as appropriate. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

You may also want to read through the blog posted by Brad Smith, President and Chief Legal Officer, Microsoft, looking at the broader implications of the malicious “WannaCrypt” software attack.

If you have any questions or concerns:

  • Webinar: You may want to join the Webinar on Wannacry Attack Q&A, 16th May, 10am. Join here.
  • Email: Please write to us at indiasms@microsoft.com. Our team will respond to you on priority.

hyntechadmin
