Originally published in https://abhijith.live/a-lazy-approach-to-defend-wannacry/ on 15 May 2017.
The digital world is on fire now! The entire planet is talking about the WannaCry ransomware! Even people who have never used an exploit in their lifetime have suddenly become experts in ransomware and WannaCry! Television, newspapers, social media; these people are everywhere. I cannot tolerate it anymore! Goodbye cruel world! :) :D
Now it's my turn to play WannaCry ransomware expert and throw some knowledge onto the big table!! Jokes aside, this is still a critical issue. Before WannaCry, red teams and threat actors were already taking advantage of the Shadow Brokers exploit dump of NSA tooling (the Fuzzbunch framework with its EternalBlue and DoublePulsar modules). The pattern was to send crafted Office documents to the targets (CVE-2017-0199, the Office bug patched in April 2017) and then pivot to the internal hosts using MS17-010.
It was obvious that someone would use these exploits to spread malware or ransomware. Have a look at this tweet by Kevin Beaumont from 19 April 2017.
We joked about this screenshot in our internal chat groups, and a few folks commented that it could be coming from the Illuminati. Anyway, his prediction turned out to be 200% true.
Let's come back to our topic. As the title says, this is a very lazy approach to fighting the WannaCry ransomware strain and stopping it from spreading in your home or personal network. Corporate users and professionals sit behind enterprise security systems; home users do not. Home users with a genuine Windows operating system are likely to receive critical updates and patches from Microsoft, which solves most of the problem, though it offers no protection against zero-days. Home users on pirated, deactivated or end-of-life Windows are far more exposed to WannaCry, because the normal update channel will not deliver the patch for the EternalBlue vulnerability, MS17-010. (Microsoft did publish an out-of-band MS17-010 fix for Windows XP, Windows 8 and Server 2003 in May 2017, but you have to go and install it yourself.) Once one machine is infected, the worm spreads to every unpatched Windows machine in your home network that exposes SMB.

WannaCry has two parts. The worm module spreads the ransomware to other computers by exploiting MS17-010 with EternalBlue and installing the DoublePulsar backdoor; the ransomware module encrypts the files. I'm not going to cover the internals here, since there are plenty of good write-ups on how the ransomware works.
I'm going to list a few damn-lazy steps for home users: Move to a Linux OS; just kidding! Use a genuine Windows OS, patch and update regularly, and use a paid antivirus product. [This could help.]
I do not encourage the use of pirated operating systems or products. It's always better to use a genuine Windows operating system; otherwise, move to a Linux distribution, which is open and free!
Using a genuine Windows operating system and patching regularly is very important. Windows updates bring not only enhancements and features but also security patches. Regular patching ensures your system has the latest fixes installed, closing known holes before threat actors get around to exploiting them on your machine. MS17-010, the fix for the SMBv1 flaw that WannaCry exploits, had already been available since March 2017 when the outbreak hit; a machine that had applied it was never at risk from the worm. An up-to-date, legitimate operating system significantly reduces the risk of falling victim to emerging threats and improves the overall security of the system.
I'm not suggesting any particular commercial anti-virus/anti-malware solution. A good anti-virus program can detect and remove malware binaries arriving on the system via mail attachments, downloads or network shares. If you are too lazy to buy a proactive commercial solution, rely on free anti-virus products. In the past, I have used the free versions of Avast Anti-Virus and Malwarebytes Anti-Malware, mostly for testing; they can be extended up to one year free of cost. Keep in mind that free products lack most of the security features. Again, it is always good to have a commercial antivirus product, and nowadays it doesn't cost that much money. Another option is to use Windows Defender as the first line of defense and an anti-malware product as the second line. Note that on Windows 8 and later, Defender switches off its real-time protection as soon as a third-party antivirus registers with the system, so pair it with an on-demand anti-malware scanner rather than a second full antivirus. This layered setup has worked well in practice.
[This is the most important thing you can do to defend against ransomware.] Always back up your personal data, whether it is your work files, porn collection, photos, music or movie files. Keep at least two backup options, such as an external hard disk and cloud storage, and keep at least one of them disconnected from the machine when you are not backing up: ransomware encrypts whatever it can reach, including a permanently plugged-in USB drive or a synced cloud folder. A backup copy can be restored after a ransomware attack, lowering the impact and the potential loss.
Make it a habit to use disk encryption tools such as BitLocker or DiskCryptor. BitLocker ships with the Pro and Enterprise editions of Windows, and DiskCryptor is an open-source tool that can be downloaded from https://diskcryptor.net/. Encrypt your internal and external data partitions using either tool and keep your data safe. The protection here comes from the volume being locked: ransomware running on the machine cannot read or encrypt files on a volume that is unmounted and locked, but a mounted, unlocked volume is just another drive letter to it. So make sure to unmount and lock your encrypted volumes whenever they are not in use.
Always use a pop-up/script blocker while browsing. It blocks the execution of malicious JavaScript and Java drive-by attacks, a common way for ransomware to be delivered over the web. A good option is the "NoScript" extension for Firefox. Keep in mind that this protects the browser delivery vector only; it does nothing against the SMB worm itself.
Never download software or other executables from untrusted sources, and do not download programs you do not need. The internet will trick you into downloading malicious files that lead to ransomware execution.
Since WannaCry spreads over the SMB service, we can block the SMB ports in Windows Firewall with Advanced Security. The default SMB port is TCP 445, but block the NetBIOS ports as well: TCP ports 139 and 445 and UDP ports 137 and 138. This makes sure your machine cannot be infected by other infected PCs on the same network. Let me quickly show you how it looks from an attacker's perspective. Img-1: Scanning a Windows 8 machine for the EternalBlue/MS17-010 vulnerability on port 445
The scan went through successfully, and the target Windows 8 machine appears to be vulnerable to EternalBlue and therefore to the WannaCry worm. Next, block the SMB ports in the target Windows 8 machine's firewall using the "Windows Firewall with Advanced Security" console. Img-2:
Img-3: Adding a new inbound rule to block the SMB TCP ports (139 and 445). Repeat the same for UDP ports 137 and 138.
Be careful with the firewall profile here. There are three profiles (Domain, Private and Public); apply the rule to all of them, so that no user or machine from the same domain, a private network or the Internet can reach the SMB ports and services. Windows file sharing from this machine will not work while the rule is active. We are assuming this is a home/personal computer that receives no Windows updates and runs no antivirus software. Img-5: Performing the scan again after adding our inbound rule
It worked! The scan cannot detect the vulnerability this time because the firewall silently drops the connection. If port 445 is not reachable, WannaCry cannot exploit MS17-010 against your system. Note that this is an inbound rule only: your machine can still connect to other people's shares, it just cannot serve them. [This limits the file-sharing capabilities of your system. Revert the settings once your operating system has been patched.]
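The same procedure as a script, as an added example that is not part of the original post. It assumes Windows 8 or later (the NetSecurity and SmbShare modules) and an elevated PowerShell prompt; the rule names, the group name and the 192.168.1.20 target address are my own. It goes one step beyond the screenshots by also switching off the SMBv1 server that EternalBlue targets, and it uses nmap's smb-vuln-ms17-010 script from another host as the check; the scanner used in Img-1 and Img-5 is not named on the page, so that choice is an assumption.

```powershell
# Added example (not from the original post): block inbound SMB/NetBIOS on a
# home Windows 8+ machine, verify the rules, disable SMBv1, and show the revert.
# Run from an elevated PowerShell prompt. Rule/group names are my own choice.

$group = 'WannaCry lazy defense'   # assumed name, used to find/remove the rules later

# 1. Block the SMB and NetBIOS ports inbound on every profile (Domain, Private, Public).
New-NetFirewallRule -DisplayName 'Block SMB TCP 139,445 (inbound)' `
    -Group $group -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 139,445 -Profile Any | Out-Null

New-NetFirewallRule -DisplayName 'Block NetBIOS UDP 137,138 (inbound)' `
    -Group $group -Direction Inbound -Action Block `
    -Protocol UDP -LocalPort 137,138 -Profile Any | Out-Null

# Windows 7 has no NetSecurity module; the equivalent rule via netsh is:
#   netsh advfirewall firewall add rule name="Block SMB TCP in" dir=in action=block protocol=TCP localport=139,445 profile=any
#   netsh advfirewall firewall add rule name="Block NetBIOS UDP in" dir=in action=block protocol=UDP localport=137,138 profile=any

# 2. Verify: each rule should be Enabled, Action Block, with the expected ports.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Enabled  = $_.Enabled
        Action   = $_.Action
        Protocol = $port.Protocol
        Ports    = ($port.LocalPort -join ',')
    }
} | Format-Table -AutoSize

# 3. Cleaner than filtering alone: turn off the SMBv1 server that EternalBlue
#    exploits. SMBv2/v3 shares keep working (Windows 8 / Server 2012 and later).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol   # expect False
#    On Windows 7 the same thing is a registry value plus a reboot:
#    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWORD -Value 0 -Force

# 4. Check from another host on the LAN (assumed target address):
#      nmap -p 445 --script smb-vuln-ms17-010 192.168.1.20
#    Before the rules: the script reports the host as VULNERABLE to MS17-010.
#    After the rules: port 445 shows as "filtered" and the script reports nothing.

# 5. Revert once the machine is patched (MS17-010) so file sharing works again:
#      Remove-NetFirewallRule -Group $group
```

Blocking the ports is the lazy fix; disabling SMBv1 is the one to keep even after patching, since nothing on a home network needs the 1990s dialect and every EternalBlue-style exploit depends on it.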
Last updated on 13 November 2023