How to fight back and protect your Windows servers/computers from NSA-derived WannaCry ransom-ware?

What Is NSA-driven ransomware?

As every IT geek knows NSA-driven ransomware ‘wannacry’  and its varient is playing havoc around the globe since its 1st release back in Mid-April 2017. It was Mid-April when an arsenal of extremely power, lethal grade software tools designed by NSA to inject and Control Windows computers was leaked by a hacking group called “Shadow Brokers”. Merely a month later, the hypothetical threat that these tools would be used against general public has become real, and tens of thousands of computers worldwide are now crippled by the unknown party demanding ransom.

NSA ransomware wannacry attack

NSA ransomware wannacry attack

How widespread is the problem?

At the time of this writing, it has reportedly reached UK’s National Health Service (NHS) shutting down hospitals operation throughout the country as the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems. A major Spanish telecom, FedEx, and the Russian Interior Ministry are reportedly infected with the worm. In total, researchers have detected WannaCry infections in over 57,000 computers across over 70 countries (and counting — these things move extremely quickly).

Experts who are tracking and analysing the worm and its spread said, this could be one of the worst-ever cyber attacks of its kind in history. We’ve never seen anything like this with ransomware, a MalwareTech has twitted.

The malware, known as Wanncry, Wanna, Wcry, has reportedly infected at least 95,000 computers, according to Avast. Kaspersky Lab said Organisations in at least 74 countries have been affected, with Russia being worst affected, followed by India, Ukraine, and Taiwan. Infections are also <a https://intel.malwaretech.com/botnet/wcrypt>spreading through the United States.

Watch it spread at https://intel.malwaretech.com/botnet/wcrypt

wannacry ranomware attack distribution

wannacry ransomware attack distribution

Can I 100% protect my server/computers from NSA-driven ransomware “Wannacry”?

Not really. However, you can, and do, work hard to protect your infrastructure. Set up firewalls, install anti-virus programs, apply file filters, run intrusion detection and regularly update Windows to keep malware and hackers out.

What I can do to protect my servers from NSA-driven ransomware “Wannacry”?

Our network was attacked on April 18, 2017, and the first server was ransomware encrypted. That lead us to reimage the server and recover data from backups. Soon after we made and applied a SOP which has thus far worked well for us since we have not experienced any further attack ever since.

For the public benefit, we will list the measures taken to protect from this NSA-derived worm attack:

  1. Microsoft has released fixes for vulnerabilities and related tools disclosed by TheShadowBrokers. Run Microsoft Windows updates and fully patch the system
  2. Both RDP and SMB are attack vectors, block following ports in your firewall:
    1. Incoming (TCP): 445, 22, 23
    2. Outgoing (TCP): 139, 445, 22, 23
    3. Outgoing (UDP): 137, 138
  3. Disable SMBv1 – open PowerShell and run this command
    Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force
  4. RDP is another vector it uses so might be best to start closing ports on the firewall too
    1. On the firewall restrict RDP port access by IP address
  5. Microsoft has released various security hotfixes to address this issue, we have compiled all patches in single zip file
    1. that you can download from here http://www.hostbreak.com/downloads/win_updates_NSA.rar
    2. When downloaded, extract zip and run each security patch one by one.
  6. Update all virus definitions
  7. If you do any kind of process whitelisting, keep watching VirusTotal and blogs, and blacklist the SHA256 hashes.
  8. Check your backups.
  9. Snapshot critical systems.