Thursday, May 18, 2017

WannaCry ransomware: how to prevent it

This is my compilation of WannaCry ransomware prevention measures from the net so far.

Ref:

  • https://www.tenable.com/blog/wannacry-three-actions-you-can-take-right-now-to-prevent-ransomware
  • https://mustsharenews.com/wannacry-worm-singapore/
  • https://unwire.hk/2017/05/13/wannacry-wcry/tech-secure/



Disable SMB (port 445)

Disable in the REGISTRY

Run regedit and go to the following paths. If a value is not there, the protocol is enabled by default: create the value as a DWORD and set it to 0 to disable it. Restart afterwards.

HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ NetBT \ Parameters
SMBDeviceEnabled = 0 (DWORD) disables SMB over TCP port 445 (direct hosting)


HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ LanmanServer \ Parameters
SMB1 = 0 (DWORD) disables SMBv1 on the server side
SMB2 = 0 (DWORD) disables SMBv2 on the server side

When you disable SMBv2 on Windows 8 / Windows Server 2012, SMBv3 is also disabled (they share the same stack).

Caveat: WannaCry spreads through the SMBv1 flaw that MS17-010 fixes, so disabling SMBv1 (plus installing the update) is what stops it. Disabling SMBv2/SMBv3 as well is not required and breaks normal file sharing, so only do that on hosts that need no SMB at all.


Disable SERVICES

For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012. Run these from an elevated command prompt; the space after "depend=" and "start=" is required by sc.exe, and a restart is needed afterwards.
To disable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
To re-enable (not advisable) SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto
To disable SMBv2 and SMBv3 on the SMB client (not needed against WannaCry, and it breaks normal file sharing), run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
To re-enable SMBv2 and SMBv3 on the SMB client (the normal state), run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
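The registry and service steps above as one script. This is an added example, not code from the original post: it disables SMBv1 on the server side (via Set-SmbServerConfiguration on Windows 8 / Server 2012 and later, or the LanmanServer SMB1 registry value on older versions), runs the same sc.exe client-side commands, and then reads the values back. It leaves SMBv2/SMBv3 alone. Assumptions: an elevated PowerShell prompt, and a restart afterwards.

```powershell
# Added example (not from the original post): disable SMBv1 client and server
# side, then verify. Run from an elevated PowerShell prompt and restart after.
# Assumption: Windows 8 / Server 2012+ has Set-SmbServerConfiguration; on
# Vista/7/2008/2008 R2 the script falls back to the registry value from the post.
#Requires -RunAsAdministrator

$lanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$mrxsmb10Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

# --- Server side: stop answering SMBv1 (the protocol MS17-010 patches) --------
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    # Writes the same SMB1 = 0 DWORD under LanmanServer\Parameters as regedit would
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # No SmbShare cmdlets on Vista/7/2008: set the DWORD directly (overwrites if present)
    New-ItemProperty -Path $lanmanServer -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
}
# SMB2 is deliberately not touched: SMB2 = 0 also kills SMBv3 and normal file sharing.

# --- Client side: the sc.exe commands from the post ---------------------------
# mrxsmb10 is the SMBv1 redirector. Drop it from LanmanWorkstation's dependency
# list and keep it from starting. The space after "depend=" / "start=" is required,
# and it must be sc.exe, because "sc" alone is PowerShell's alias for Set-Content.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

# Windows 8.1 / Server 2012 R2 and later can remove the SMBv1 component outright
# (server SKUs: Remove-WindowsFeature FS-SMB1). Left commented out because it
# removes the binaries rather than just flipping a setting.
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# --- Verify: read back the registry state the changes above produce ----------
$smb1Server = (Get-ItemProperty -Path $lanmanServer -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$smb2Server = (Get-ItemProperty -Path $lanmanServer -Name SMB2 -ErrorAction SilentlyContinue).SMB2
$smb1Client = (Get-ItemProperty -Path $mrxsmb10Key  -Name Start -ErrorAction SilentlyContinue).Start

"SMBv1 server value : $smb1Server   (want 0)"
"SMBv1 client Start : $smb1Client   (want 4 = disabled)"
"SMBv2 server value : $(if ($null -eq $smb2Server) { 'absent = enabled' } else { $smb2Server })   (leave enabled)"
```

The verification reads the registry rather than Get-Service because mrxsmb10 is a file-system driver, not a Win32 service; its Start value of 4 is what "start= disabled" writes. A missing SMB2 value means the default, enabled, which is what you want after this script.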


UPDATE Windows
Install the Microsoft Security Bulletin MS17-010 update. The link below is the KB4012598 package; the same bulletin is published under other KB numbers for other Windows versions, so check Windows Update if this one does not apply to your build.

  • http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598



Firewall: BLOCK ports

Control Panel > System and Security > Windows Firewall > Advanced Settings

  1. right click Inbound Rules > New Rule
  2. select Port
  3. TCP, Specific local ports: 137, 138, 139, 445, 3389 (NetBIOS, SMB and RDP)
    repeat the steps for UDP, Specific local ports: 137, 138
  4. Block the connection
  5. apply to all profiles (Domain, Private, Public)
  6. name the rule "Block ransomware"

Caveat: these inbound rules stop SMB and RDP into the machine, so they suit workstations. On a file server or domain controller, blocking 445 breaks shares and logons, and blocking 3389 locks you out of Remote Desktop.
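The update check and the firewall steps above as one script. This is an added example, not code from the original post: it creates the inbound TCP/UDP block rules with the ports listed in the steps, shows the resulting port filters, looks for an MS17-010 package with Get-HotFix, and lists anything still listening on 445. Assumptions: an elevated prompt on Windows 8 / Server 2012 or later (NetSecurity cmdlets); the rule names are my own choice; the KB numbers other than KB4012598 are the per-OS packages from the MS17-010 bulletin.

```powershell
# Added example (not from the original post): firewall block rules from the
# steps above plus an MS17-010 presence check. Elevated prompt, Windows 8 /
# Server 2012 or later. Rule names are mine.
#Requires -RunAsAdministrator

# Ports from the post: NetBIOS (137-139), SMB (445), RDP (3389).
# Workstation rule set: on a file server or DC, 445 breaks shares/logons and
# 3389 locks you out of RDP.
$tcpPorts = 137, 138, 139, 445, 3389
$udpPorts = 137, 138

foreach ($spec in @(@{ Proto = 'TCP'; Ports = $tcpPorts }, @{ Proto = 'UDP'; Ports = $udpPorts })) {
    $name = "Block ransomware ($($spec.Proto))"
    # Idempotent: skip if a rule with this name already exists
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        # -Profile Any = Domain, Private and Public, i.e. "apply to all" in the wizard
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $spec.Proto -LocalPort $spec.Ports -Profile Any -Enabled True | Out-Null
    }
}

# Show the rules and the port filters attached to them
Get-NetFirewallRule -DisplayName 'Block ransomware*' | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    '{0,-24} {1,-4} {2}' -f $_.DisplayName, $pf.Protocol, ($pf.LocalPort -join ',')
}

# --- MS17-010 presence -------------------------------------------------------
# KB4012598 is the package the post links. The bulletin ships under other KB
# numbers per OS: 4012212/4012215 (Win7, 2008 R2), 4012214/4012217 (2012),
# 4012213/4012216 (8.1, 2012 R2), 4012606/4013198/4013429 (Win10 builds).
# Later cumulative updates supersede these, so "none found" means "check
# Windows Update", not "definitely unpatched".
$ms17010 = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012214', 'KB4012217',
           'KB4012213', 'KB4012216', 'KB4012606', 'KB4013198', 'KB4013429'
$found = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($found) { "MS17-010 package present: $($found.HotFixID -join ', ')" }
else        { 'No MS17-010 package found: verify through Windows Update before trusting this host' }

# Anything still listening on 445? The rule above blocks inbound traffic, but a
# listener means the SMB server is running; a host that needs no sharing can
# stop LanmanServer as well.
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

To undo the rules later: Remove-NetFirewallRule -DisplayName 'Block ransomware*'.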

Disable macros in Office (Word/Excel)

A security company in Sichuan, China, 效率源科技, has developed a tool that can recover encrypted files; unfortunately, at present it can only recover Office documents (which must be larger than 1.5 MB).

Download the recovery tool (WannaCryOfficeRecovery): Google Drive


MISC
