Ref:
- https://www.tenable.com/blog/wannacry-three-actions-you-can-take-right-now-to-prevent-ransomware
- https://mustsharenews.com/wannacry-worm-singapore/
- https://unwire.hk/2017/05/13/wannacry-wcry/tech-secure/
Disable SMB port (port 445)
disable in REGISTRY
Run regedit and go to the following paths. If you don't see a value, it is enabled by default and you need to disable it!
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
SMBDeviceEnabled = 0 (DWORD) disable
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
SMB1 = 0 (DWORD) disable
SMB2 = 0 (DWORD) disable
When you disable SMBv2 in Win8/Win Server 2012, SMBv3 is also disabled (they share the same stack)
disable SERVICES
for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
To disable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
To enable (not advisable) SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto
To disable SMBv2 and SMBv3 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
To enable (not advisable) SMBv2 and SMBv3 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
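To confirm that the registry values and sc.exe changes above actually took effect, the following read-only PowerShell audit can be run on the machine. It is an added example, not part of the original post or any Microsoft tool. The helper names Get-RegValue and New-Row and the report layout are assumptions made for illustration, and it relies on a service Start value of 4 meaning disabled.

```powershell
# Added example: read-only audit of the SMB settings described on this page (changes nothing).
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'demand'; 4 = 'disabled' }

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: emits nothing when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Row([string]$Setting, $Value, [bool]$Disabled) {
    # Hypothetical helper: one report line; PSObject keeps this usable on PowerShell 2.0.
    $shown = if ($null -eq $Value) { '(not set, Windows default applies)' } else { $Value }
    New-Object PSObject -Property @{ Setting = $Setting; Value = $shown; Disabled = $Disabled } |
        Select-Object Setting, Value, Disabled
}

# 1. Registry values from the "disable in REGISTRY" steps.
#    A missing value is NOT treated as disabled: only an explicit 0 counts.
$regChecks = @(
    @('NetBT\Parameters', 'SMBDeviceEnabled'),
    @('LanmanServer\Parameters', 'SMB1'),
    @('LanmanServer\Parameters', 'SMB2')
)
$report = @(foreach ($c in $regChecks) {
    $v = Get-RegValue "$svc\$($c[0])" $c[1]
    New-Row "$($c[0])\$($c[1])" $v ($v -eq 0)
})

# 2. SMB client drivers changed by the sc.exe commands: the driver must be
#    disabled (Start = 4) AND removed from LanmanWorkstation's dependency list.
$deps = @(Get-RegValue "$svc\LanmanWorkstation" 'DependOnService')
$report += @(foreach ($drv in 'mrxsmb10', 'mrxsmb20') {
    $start  = Get-RegValue "$svc\$drv" 'Start'
    $name   = if ($null -eq $start) { $null } else { $startNames[[int]$start] }
    $inDeps = $deps -contains $drv
    New-Row "$drv start type" $name ($start -eq 4)
    New-Row "LanmanWorkstation depends on $drv" $inDeps (-not $inDeps)
})

$report | Format-Table -AutoSize
```

A driver that shows as disabled while LanmanWorkstation still lists it as a dependency means only one of the two sc.exe commands was applied.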
UPDATE files
Install/update Microsoft Security Bulletin MS17-010: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
firewall BLOCK ports
Control Panel > System and Security > Windows Firewall > Advanced Settings
- right-click Inbound Rules > New Rule
- select Port
- TCP, Specific local ports: 137, 138, 139, 445, 3389
  (repeat the steps for UDP, Specific local ports: 137, 138)
- Block the connection
- Apply to all users
- create a name for the filter "Block ransomware"
disable macros in Office (Word/Excel)
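A security company in Sichuan, China, 效率源科技, has successfully developed a cracking program that can recover files. Unfortunately, at present it can only recover Office documents (which need to be larger than 1.5MB).
Cracking tool download (WannaCryOfficeRecovery): Google Drive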