Tagged: The Hackers News Facebook page

How to disable SMB to stop WannaCry Ransomware. Also links to Microsoft Patches for Windows to stop WannaCry Ransomware

UPDATE May 14 at 3:00pm – added more ways to disable SMB

Some Cyber Weapons which were apparently developed by a National Spy Service to break into enemy computers, were supposedly stolen. Then some of the code for the Cyber Weapons was released to the public, on 14 April, through a dump by a group called Shadow Brokers.

On May 12 2017, a new Ransomware was released on the Internet. It utilized some of the code found in the Cyber Weapons and also a Malware called WannaCry. Hundreds of thousands of computers around the globe got hit. Then a kill switch was set off which dramatically slowed and possibly will stop the Ransomware from spreading further.

Stop the presses. A new version 2 of the WannaCry Malware is now out, which no longer has the Kill Switch code. That will make it difficult to stop.

The Hacker News facebook page posted a solution. Essentially their posts stated to disable the SMB service within Windows. It is not needed and is enabled for backwards compatibility.

Ok, but how do you disable SMB in Windows?

In Windows go to Control Panel. In Control Panel go to the icon labeled “Programs”. Click on it. Then under Programs and Features click on Turn Windows Features on and off. Once there, just scroll down till you find SMB 1.0/CIFS File Sharing Support. Make sure the checkbox to the left of SMB 1.0 is “NOT” checked off. Then click OK and then close control Panel. Reboot the computer.

In my Windows 10 it was already off (unchecked).

Video is courtesy of the Andr.oid Eric YouTube channel

Video is courtesy of the HatimTech YouTube channel

Another way to disable SMB is by using the Registry Editor. The following Video shows how to do it in Windows 7.

Video is courtesy of the Brxtt Tech YouTube channel

Another way to do it is to key in a Powershell command. That is like a super DOS Prompt. Open a Powershell Window and key in the following (but not the Quotes):

Disable-WindowsOptionalFeature -Online -FeatureName SMB1protocol

Press Enter and you should be good to go after you reboot the computer. I would double check in ControlPanel. Better safe than sorry.

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

  • To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
  • To disable SMBv1 on the SMB server, run the following cmdlet:
          Set-SmbServerConfiguration -EnableSMB1Protocol $false
  • You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet. But I would restart the computer.

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.
Windows PowerShell 2.0 or a later version of PowerShell

  • To disable SMBv1 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force
  • Note you must restart the computer after you make these changes.

REGISTRY. To enable or disable SMBv1 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1

REG_DWORD: 0 = Disabled

REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Restart the computer after making the changes to the Registry.

How to enable or disable SMB protocols on the SMB client
Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
To disable SMBv1 on the SMB client, run the following commands:

     sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

     sc.exe config mrxsmb10 start= disabled
     Restart the computer after executing the above.

If that is the hole inside all Windows Versions that existed prior to the Mar 2017 Microsoft Patch, then it has been around for ages.

Click on this link to visit The Hackers News Facebook page.

Click on this link to visit The Hackers News website.

The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates:

Windows Server 2003 SP2 x64,

Windows Server 2003 SP2 x86,

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Windows 8 x86,

Windows 8 x64

To download localized versions for the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Click on this link to visit Microsoft’s site to read their post titled: “Customer Guidance for WannaCrypt attacks”.

One final note which is bugging me. People are saying that this Ransomware is a “VIRUS“. WannaCry Ransomware is “NOT” a Virus. The WannaCry Ransomware is a vastly more complex computer “WORM“, hence it’s ability to find Windows computers connected to a network.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.


Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. The WannaCry Malware has already been changed (minus the Kill Switch). Disabling SMB may not prevent future versions from affecting your computer. Best Practice is to always create daily backups