
WannaCrypt Ransomware: Prevention and Cure

WannaCry Ransomware

As they say, prevention is better than cure, so it's better to be safe than sorry!

In this case, there is currently “no cure” so we are only left with prevention.

WannaCrypt/WannaCry/Wcry is a new ransomware which exploits the latest SMB vulnerability (MS17-010) found in Windows machines.

More details about this exploit and how it spreads are available everywhere, so let's jump to the prevention part.

Since this code spreads via SMB which uses port 445, we have to close port 445 on our Windows systems.

Below are steps to close down port 445 and prevent WannaCrypt ransomware infection:

Disable NetBIOS
First of all, you need to disable NetBIOS (ports 137, 138 and 139).

  • Go to Start menu > Control Panel and open System.
  • In Hardware tab, click the Device Manager button.
  • Click Show Hidden Devices from the View menu.
  • Expand Non-Plug And Play Drivers.
  • Right-click NetBios Over Tcpip and select Disable.
  • Close all dialogs and restart the system.

Uninstall SMB
SMB uses port 139 and sometimes 445 so we need to uninstall this service.

  • Go to Start menu > Control Panel and open Network Connections.
  • One by one select your network interfaces (i.e., Local Area Network) and select Properties.
  • Select Client For Microsoft Networks and click the Uninstall button.
  • Once the uninstall finishes, select File And Printer Sharing For Microsoft Networks and click the Uninstall button.
  • Repeat these steps for all network interfaces.
  • Close all dialogs and restart the system.

These steps are only meant to prevent WannaCrypt from infecting your system. If the system is already infected, isolate it from the network so it doesn’t infect other machines on your network, and wait until the *cure* arrives.

Best of luck 🙂
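
To confirm that the steps above took effect, check the listening sockets after the restart. The following is an added example, not part of the original post: it parses `netstat -ano` output and reports anything still bound to the NetBIOS and SMB ports named above. The sample output, addresses, PIDs and function name are constructed for illustration.

```python
# Ports the steps above close: NetBIOS name/datagram (UDP 137, 138),
# NetBIOS session (TCP 139) and SMB (TCP 445).
WATCHED = {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)}

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     2316
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    192.168.1.20:137       *:*                                    4
  UDP    192.168.1.20:138       *:*                                    4
  UDP    0.0.0.0:5355           *:*                                    1204
"""


def exposed_listeners(netstat_text):
    """Return (proto, port, local_address, pid) for each watched port still bound."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows have a State column; only LISTENING sockets accept connections.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")  # rpartition keeps "[::]" intact
        if not port.isdigit() or (proto, int(port)) not in WATCHED:
            continue
        # PID is the last column with -o; absent with plain `netstat -an`.
        pid = fields[-1] if fields[-1].isdigit() else None
        findings.append((proto, int(port), addr, pid))
    return findings


if __name__ == "__main__":
    for proto, port, addr, pid in exposed_listeners(SAMPLE_NETSTAT):
        print(f"still open: {proto}/{port} on {addr} (PID {pid})")
```

An empty result for the output of `netstat -ano` captured after the restart means none of these ports is bound any longer.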