Concerts, Exotic Cars, News & Photos by Vincent Banial
How to find the presence of WannaCry Ransomware and SMB v1.0 Servers running on your Windows Network.
First and foremost make sure that you are running backups. The traditional backup system is called Grandfather, Father, and Son. The Son backup set is created Daily. The Father backup set is created Weekly. The Grandfather backup set is created Monthly. If the Daily backup set has problems, then you have fallback options. At most you should only lose one day’s worth of data input, which normally can be reentered or recreated.
Next, please make sure that you have installed Microsoft’s patches (see the bottom of this post for links) on your Windows Servers and all Windows based Workstations. Do not forget about patching portable notebook computers running Windows, as they may not always be connected to your network. This includes Apple Mac equipment, which may be running Windows in a virtual machine.
As a further precaution, I would check your Windows Servers and Windows based Workstations to ensure that SMB v1.0 has been disabled.
For Windows based Workstations and Notebooks: Open Control Panel. Scroll down to and click Programs. Next click Turn Windows features on or off. In the Windows Features window, scroll to find the SMB 1.0/CIFS File Sharing Support line. Make sure to clear the checkbox on the SMB 1.0/CIFS File Sharing Support line. Click OK. Now restart the Windows based computer or notebook.
For Windows Server Operating Systems: Open Server Manager, then click the Manage menu. Next select Remove Roles and Features. In the Features window, scroll down, find and clear the SMB 1.0/CIFS File Sharing Support check box. Click OK to close the window. Restart the Windows Server.
You should be looking out for some of the following: use of older file sharing protocol versions, especially SMB v1.0; activity spikes, such as bursts of file renames or new file creation on your shares; and multiple workstations connecting to the same external IP address.
Keep an eye out for instances of the file “@Please_Read_Me@.txt” on your file shares. Also check for any instances of files with these extensions: “.wnry”, “.wcry”, “.wncry” and “.wncryt”.
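The checks above can be scripted. The following PowerShell audit script is an added example, not code from the original post: it reports whether SMB1 is still enabled or installed on the host it runs on, lists any live sessions negotiated at an SMB1 dialect, and sweeps file shares for the indicator file name and extensions named above. It assumes it runs as an administrator on a Windows host with the SmbShare module, and the share paths in $Shares are placeholders to replace with your own.

```powershell
# Added audit script (not part of the original post). Read-only: it reports,
# it does not change any settings. Run elevated on the host being checked.

# 1. Is the SMB1 server-side protocol still enabled on this host?
$smbCfg = Get-SmbServerConfiguration
if ($smbCfg.EnableSMB1Protocol) {
    Write-Warning "SMB1 server protocol is ENABLED on $env:COMPUTERNAME"
} else {
    Write-Output "SMB1 server protocol is disabled on $env:COMPUTERNAME"
}

# 2. Is the SMB 1.0/CIFS feature itself installed? The feature name differs
#    between workstation (optional feature) and server (role feature).
$osInfo = Get-CimInstance Win32_OperatingSystem
if ($osInfo.ProductType -eq 1) {
    # Workstation / notebook: optional feature name is SMB1Protocol
    $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    Write-Output "SMB1Protocol feature state: $($f.State)"
} else {
    # Server: feature name is FS-SMB1 (requires the ServerManager module)
    $f = Get-WindowsFeature -Name FS-SMB1
    Write-Output "FS-SMB1 installed: $($f.Installed)"
}

# 3. Any current sessions negotiated at an SMB1 dialect (reported as 1.x)?
Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# 4. Sweep file shares for the WannaCry indicators named in the post.
$Shares = @('\\FILESERVER01\Data', '\\FILESERVER01\Users')   # placeholder paths
$badExt = @('.wnry', '.wcry', '.wncry', '.wncryt')            # -contains is case-insensitive
foreach ($root in $Shares) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq '@Please_Read_Me@.txt' -or $badExt -contains $_.Extension } |
        Select-Object FullName, LastWriteTime
}
```

Run step 4 against every share root you host; a hit on either indicator means that share should be taken offline and restored from the Son, Father or Grandfather backup set described at the top of this post.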