WannaCry Virus


Description:

Last week, a new worm was unleashed that hit many organizations that had certain ports exposed to the internet. This guide covers how to avoid the attack:

To Resolve:

  1. The main fix: Block ports 139/445 at the firewall and patch all servers

  2. More detailed:

    • Check if SMB1 is enabled (2012 and above):
    
    Get-SmbServerConfiguration | Select EnableSMB1Protocol
    
    • 2008 R2 and below:
    
    # If no SMB1 value exists under this key, SMB1 is at its default (enabled)
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1
    
    • If you want to fix it on an individual machine (2012 and above):
    
    Set-SmbServerConfiguration -enableSMB1Protocol $false -confirm:$false
    
    • Fixing an individual system on 2008 R2 and below:
    
    # The registry change takes effect after a restart
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force
    
  3. If you want to fix it network-wide, use a GPO to disable it (works for all OSes):

    Computer Configuration\Preferences\Windows Settings\Registry:
    Action: Update
    Hive: HKEY_LOCAL_MACHINE
    Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Value name: SMB1
    Value Type: REG_DWORD
    Value Data: 0 (hexadecimal)
    
  4. Things this will break if you implement these fixes: mainly scan-to-folder functions on multifunction printers; check Reddit for others
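
The two checks from step 2 can be combined into one audit function that works on either OS generation and treats a missing registry value as "enabled". This is an added example, not code from the original post; `Get-Smb1ServerState` is a hypothetical helper name, and the script assumes it is run from an elevated prompt.

```powershell
# Added example: report whether the SMB1 server protocol is enabled on the
# local machine. Get-Smb1ServerState is a hypothetical name, not a built-in.
function Get-Smb1ServerState {
    [CmdletBinding()]
    param()

    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $enabled = $null
    $source  = $null

    if (Get-Command -Name Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # 2012 and above: ask the SMB server for its live configuration.
        $enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
        $source  = 'Get-SmbServerConfiguration'
    }
    else {
        # 2008 R2 and below: read the registry value instead.
        $item = Get-ItemProperty -Path $keyPath -Name SMB1 -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # No SMB1 value present: the OS default applies, which is enabled.
            $enabled = $true
            $source  = 'Registry (value absent, default)'
        }
        else {
            $enabled = ($item.SMB1 -ne 0)
            $source  = 'Registry'
        }
    }

    # New-Object keeps the function usable on the PowerShell 2.0 that ships
    # with 2008 R2 ([pscustomobject] needs 3.0 or later).
    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        SMB1Enabled  = $enabled
        Source       = $source
    }
}

# Any machine reporting SMB1Enabled = True still needs the fix from step 2 or 3.
Get-Smb1ServerState
```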

References:

“WannaCry Megathread”
