A ransomware is spreading through the interwebs on all machines that still have SMBv1 enabled using an old NSA-exploit leaked by “ShadowBrokers”. Here’s how to protect yourself from ransomware WanaCrypt0r 2.0 and disable it on Windows computers [plus verify it is disabled on your system].
Contents
- What Is WanaCrypt0r And Why Is It Such A Big Deal
- Click here to check whether your PC may be affected and SMB1 is enabled on your system
What Is WanaCrypt0r 2.0
This ransomware is spreading through an exploit that was actively used by the NSA to infiltrate Windows machines that only have to be online (meaning a simple internet connection is sufficient for the exploit to be successful) to get exploited. The exploit called EternalBlue allows an attacker to access your machine with full root privileges via the insecure SMB1 protocol, a protocol for sharing access to files, printers and other devices.
SMBv2 and SMBv3 seem to be unaffected.
SMB stands for Server Message Block – a subversion is known as Common Internet File System which should already give you a hint what it’s being used for. In essence, the protocol used for sharing access to files, printers and serial ports for communication on your local network is being exploited to be used from the outside [outside your network]
How Do I Remove WanaCrypt0r?
There is no easy way to remove it at this point.
How Do I Check Whether SMB1 Is Enabled On My Computer?
For that we use a program that is already installed on your computer: Powershell
1. Step Open Powershell, simply hit Windows key + R and enter powershell.exe:
2. Step Copy and paste the following command into the blue command line:
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
3. Step If it says EnableSMB1Protocol is false then it is already disabled. But if it says true, then you need to disable it.
4. Step In order to disable SMB1 copy and paste this command: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
Alternatively you can go into the registry editor and insert the keys manually (see below)
Disable SMB1 Via Powershell
1. Step Open Powershell, simply hit Windows key + R and enter powershell.exe:
2. Step Copy and paste Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force
3. Step Restart
Disable SMB1 Via Registry [ADVANCED]
1. Step Hit Windows key + R on your keyboard and enter regedit.exe:
2. Step In HKEY_Local_Machine go to SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and create a new DWORD key SMB1 with the value 0
According to the Microsoft documentation you should also verify this:
3. Step In HKEY_Local_Machine go to HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation and verify that DependOnService is set to Bowser”,”MRxSmb20″,”NSI
4. Step In HKEY_Local_Machine go to System\CurrentControlSet\services\mrxsmb1 and set the value of Start to 4
5. Step Restart your PC in order for this to go into effect
What Else Should I Know About Ransomware? What Are Email Headers?
Also do not open email attachments unless it specifically comes from whitelisted emails. Never open attachments before first verifying the email address headers. Here is a guide how to turn on email headers in Thunderbird
There are various tools by now that actively scan for ransomware and can protect you from becoming the next victim. Some of them are inexpensive solutions.
Malwarebytes provides an extensive suite that can protect your home office or small business.
