How to find the presence of WannaCry Ransomware and SMB v1.0 Servers running on your Windows Network.
First and foremost make sure that you are running backups. The traditional backup system is called Grandfather, Father, and Son. The Son backup set is created Daily. The Father backup set is created Weekly. The Grandfather backup set is created Monthly. If the Daily backup set has problems, then you have fallback options. At most you should only lose one day’s worth of data input, which normally can be reentered or recreated.
Click on this link to visit the SANS Institute InfoSec Reading Room, to D/L their helpful PDF about backup sets, titled “Backup Rotations – A Final Defense”.
Next, please make sure that you have installed Microsoft’s patches (see the bottom of this post for links) on your Windows Servers. and all Windows based Workstations. Do not forget about patching Portable Notebook Computers running Windows, as they may not always be connected to your network. This includes Apple Mac Equipment, which may be virtually running Windows.
Click on this link to view a map of the spread of the WannaCry Ransomware attack – so far over 230,000 computers have been hit.
As a further precaution, I would check your Windows Servers and Windows based Workstations to ensure that SMB v1.0 has been disabled.
For Windows based Workstations and Notebooks: Open Control Panel. Scroll down to and click Programs. Next click Turn Windows features on or off. In the Windows Features window, Scroll to find the SMB 1.0/CFIS File Sharing Support line. Make sure to clear the checkbox on the SMB1.0/CIFS File Sharing Support line. Click OK. Now restart the Windows based computer or notebook.
For Windows Server Operating Systems: Open Server Manager. Find and click on the and then click the Manage menu. Next select Remove Roles and Features. In the Features window, scroll down and find and clear the SMB1.0/CIFS File Sharing Support check box. Click OK to close the window. Restart the Windows Server.
Once your Windows Server-based Network is back up and running, start your Network Monitoring tool(s) and Packet Sniffing tool(s). Wireshark is well known. Microsoft Message Analyzer is the replacement for Microsoft’s Network Monitor. SmartSniff is another one. NAST (Network Analyzer Sniffer Tool) is popular. Capsa Free Network Analyzer allows you to monitor over 300 different protocols.
Click on this link to visit Microsoft’s Technet website to view their post titled: “Microsoft Message Analyzer Operating Guide”.
You should be looking out for the some of the following: Use of file sharing protocol versions, especially SMB v1.0. Activity spikes, like File Renames or New File Creation. Multiple Workstations connecting to the same external IP address.
Keep an eye out for instances of the file “@Please_Read_Me@.txt” on your file shares. Also check for any instances of files with these extensions: “.wnry“, “.wcry“, “.wncry” and “.wncryt“.
Video is courtesy of the DAHBOO77 YouTube channel
The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates at the following links:
Click on this link to download localized versions of the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
Link to the important Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Click on this link to visit Microsoft’s site to read their post titled: “Customer Guidance for WannaCrypt attacks”.
Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.
Posted by Vincent Banial
Disclaimer: The above post is subject to change without notice. There may be unintentional errors in the above post.