Tag: WannaCry

Stop using the insecure SMBv1/SMB1 protocol

The recent WannaCry ransomware outbreak spread because of a vulnerability in one of the internet’s most ancient networking protocols, Server Message Block version 1 (aka SMBv1 / SMB 1).

Barry Feigenbaum originally designed SMB at IBM. Microsoft has made considerable modifications to the most commonly used version. Microsoft merged the SMB protocol with the LAN Manager product.

The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for the world that no longer exists. The world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes.

The Server Message Block, or SMB, protocol is a file sharing protocol that allows operating systems and applications to read and write data to a system. It also allows a system to request services from a server.

This is the protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network.

In computer networkingServer Message Block (SMB), one version of which was also known as Common Internet File System (CIFS) operates as an application-layer network protocol.

There have been numerous vulnerabilities tied to the use of Windows SMB v1, including remote code execution and denial-of-service exploits. These two vulnerabilities can leave a system crippled, or allow attackers to compromise a system using this vulnerable protocol.

Protocol Version Windows OS
SMB 1 Windows 2000, Windows 2003, Windows XP
SMB 2 Windows Server 2008 and Windows Vista SP1
SMB 2.1 Windows Server 2008 R2 and Windows 7
SMB 3.0 Windows Server 2012 and Windows 8
SMB 3.0.2 Windows Server 2012 R2 and Windows 8.1
SMB 3.1.1 Windows Server 2016 and Windows 10

SMB 1 protocol permits man-in-the-middle exploits and it “isn’t safe” to use. An attacker can use SMB 2 to pull information from the insecure SMB 1 protocol if it exists in a network.

The nasty bit is that no matter how you secure all these things if 
your clients use SMB1, then a man-in-the-middle can tell your client
to ignore all the above. All they need to do is block SMB2+ on 
themselves and answer to your server's name or IP.Your client will 
happily derp away on SMB1 and share all its darkest secrets unless
you required encryption on that share to prevent SMB1 in the first 
place. This is not theoretical-- we've seen it.

                 ~ Ned Pyle, a Principal Program Manager, Microsoft


How to remove SMB V1 /SMB 1 in Windows OS?

Windows 8.1 and Windows 10:

Method-1: Open Control Panel (just start typing Control in the search box to find its shortcut quickly). Click Programs, and then click Turn Windows features on or off (under the Programs heading). Or

Start –> Run –> Type appwiz.cpl –> press enter –> Click Turn Windows features on or off

Clear the check box for SMB 1.0/CIFS File Sharing Support, as shown here. That’s it; you’re protected.


Method-2:  open a Windows PowerShell prompt with administrative privileges. In the Windows 10 Creators Update, version 1703, right-click the Start button and choose Windows PowerShell (Admin) from the Quick Link menu.) If you’re running an earlier Windows 10 version, enter Windows PowerShell in the search box, then right-click the Windows PowerShell shortcut and click Run as administrator. From that elevated PowerShell prompt, type the following command:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Press Enter and you’re done.

Note You must restart the computer after you make these changes.

Windows 2012 R2, and Windows Server 2016:

Method-1: Launch Server Manager from Command Line.

Press the Windows key + R to open the Run box, or open the Command Prompt. Type ServerManager and press Enter.


Or Launch Server Manager from Taskbar

Task bar

On Server, the Server Manager approach:


Method-2: On Server, the PowerShell approach (Remove-WindowsFeature FS-SMB1):

Remove-WindowsFeature Name FS-SMB1


On legacy operating systems:

When using operating systems older than Windows 8.1 and Windows Server 2012 R2, you can’t remove SMB1 – but you can disable it.

Windows 8 and Windows Server 2012:

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component. (A cmdlet is a lightweight command that is used in the Windows PowerShell environment.)

  • To disable SMBv1 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB1Protocol $false

  •  To enable SMBv1 on the SMB server, run the following cmdlet:

Set-SmbServerConfiguration -EnableSMB1Protocol $true

 Windows Server 2008 R2 and Windows Server 2008:

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.

Windows PowerShell 2.0 or a later version of PowerShell

  • To disable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force

  • To enable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 1 -Force

 Note You must restart the computer after you make these changes.

Registry Editor:


This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to backup, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:  322756 How to backup and restore the registry in Windows

To enable or disable SMBv1 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

Windows Vista, Windows 7, and Windows 8:

  • To disable SMBv1 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

  • To enable SMBv1 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto

Source: Microsoftzdnettechnet.microsoftredmondmagtop-password, techtargetwindowsitpro

WannaCry Ransomware

A massive ransomware campaign hit computer systems of hundreds of private companies and public organizations across the globe – which is believed to be the most massive ransomware delivery campaign to date.
The Ransomware in question has been identified as a variant of ransomware known as WannaCry (also known as ‘Wana Decrypt0r,’ ‘WannaCryptor’ or ‘WCRY’).


What is WannaCry?

Generally, WannaCry comes in two parts. First, it’s an exploit whose purposes are infection and propagation. The second part is an encryptor that is downloaded to a computer after it has been infected.

The first part is the main difference between WannaCry and the majority of encryptors. To infect a computer with a common encryptor, a user has to make a mistake, for example by clicking a suspicious link, allowing Word to run a malicious macro, or downloading a suspicious attachment from an e-mail message. A system can be infected with WannaCry without the user doing anything.

WannaCry-infection-flow02The vulnerability used in this attack (code named EternalBlue) was among those leaked by the Shadow Brokers group. The vulnerability was exploited to drop a file on the vulnerable system, which would then be executed as a service. This would then drop the actual ransomware file onto the affected system, encrypting files with the .WNCRY extension. (A separate component file for displaying the ransom note would also be dropped.) Files with a total of 176 extensions, including those commonly used by Microsoft Office, databases, file archives, multimedia files, and various programming languages.

PropagationIf WannaCry/Wcry entered an organization’s network, it could spread within it very rapidly. Any machine or network that has exposed port 445 to the internet is at risk as well. EternalBlue exploit works over the Internet without requiring any user interaction.

How widespread is the damage?

The attack has been found in 150 countries, affecting 200,000 computers, according to Europol, the European law enforcement agency. FedEx, Nissan, and the United Kingdom’s National Health Service were among the victims.

What is the killswitch?

The worm-spreading part of the WannaCry – which is designed to infect other computers — has a special check at the beginning. It tries to connect to a hardcoded website on the Internet and if the connection FAILS, it continues with the attack. If the connection WORKS, it exits. Thus, by registering this domain and pointing it to a sinkhole server, a researcher from the U.K. successfully slowed the spread of the worm.

British IT expert Marcus Hutchins who has been branded a hero for slowing down the WannaCry global cyber-attack sits in front of his workstation during an interview in Ilfracombe, England, Monday, May 15, 2017. ( Image source: AP)

On the one hand, it does stop further spread of the infection. However, only if the worm is able to connect to the Internet. Many corporate networks have firewalls blocking internet connections unless a proxy is used. For these, the worm will continue to spread in the local network. On the other hand, there is nothing stopping the attackers from releasing a new variant that does not implement a killswitch.

Killswitch Domain

The second domain was sinkholed by Matt Suiche of Comae Technologies, who reported stopping about 10,000 infections from spreading further:

We should thank below given people for saving millions of computers from getting hacked:

  • MalwareTech— very skilled 22-years-old malware hunter (Marcus Hutchins) who first discovered that here’s a kill-switch, which if used could stop ongoing ransomware attack.
  • Matthieu Suiche— security researcher who discovered the second kill-switch domain in a WannaCry variant and prevent nearly 10,000 computers from getting hacked.
  • Costin Raiu— security researcher from Kaspersky Lab, who first found out that there are more WannaCry variants in the wild, created by different hacking groups, with no kill-switch ability.

Not only this, Benjamin DelpyMohamed Saherx0rzMalwarebytesMalwareUnicorn, and many others.

Multiple security researchers have claimed that there are more samples of WannaCry out there, with different ‘kill-switch’ domains and without any kill-switch function, continuing to infect unpatched computers worldwide.

How to Protect Yourself from WannaCry Ransomware?

Here are some simple tips you should always follow because most computer viruses make their ways into your systems due to lack of simple security practices:

1. Always Install Security Updates

If you are using any version of Windows, except Windows 10, with SMB protocol enabled, make sure your computer should always receive updates automatically from the Microsoft, and it’s up-to-date always.

2. Patch SMB (Server Message Block) Vulnerability

Since WannaCry has been exploiting a critical SMB remote code execution vulnerability (CVE-2017-0148) for which Microsoft has already released a patch (MS17-010) in the month of March, you are advised to ensure your system has installed those patches.

Moreover, Microsoft has been very generous to its users in this difficult time that the company has even released the SMB patches (download from here) for its unsupported versions of Windows as well, including Windows XP, Vista, 8, Server 2003 and 2008.

Note: If you are using Windows 10, you are not vulnerable to SMB vulnerability.

3. Disable SMB

Even if you have installed the patches, you are advised to disable Server Message Block version 1 (SMBv1) protocol, which is enabled by default on Windows, to prevent against WannaCry ransomware attacks.

Here’s the list of simple steps you can follow to disable SMBv1:

  1. Go to Windows’ Control Panel and open ‘Programs.’
  2. Open ‘Features’ under Programs and click ‘Turn Windows Features on and off.’
  3. Now, scroll down to find ‘SMB 1.0/CIFS File Sharing Support’ and uncheck it.
  4. Then click OK, close the control Panel, and restart the computer.

4. Enable Firewall & Block SMB Ports

Always keep your firewall enabled, and if you need to keep SMBv1 enabled, then just modify your firewall configurations to block access to SMB ports over the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138.

5. Use an Antivirus Program

An evergreen solution to prevent against most threats is to use a good antivirus software from a reputable vendor and always keep it up-to-date.

Almost all antivirus vendors have already added detection capability to block WannaCry, as well as to prevent the secret installations from malicious applications in the background.

6. Be Suspicious of Emails, Websites, and Apps

Unlike WannaCry, most ransomware spread through phishing emails, malicious adverts on websites, and third-party apps and programs.

So, you should always exercise caution when opening uninvited documents sent over an email and clicking on links inside those documents unless verifying the source to safeguard against such ransomware infection.

Also, never download any app from third-party sources, and read reviews even before installing apps from official stores.

7. Regular Backup your Files:

To always have a tight grip on all your important documents and files, keep a good backup routine in place that makes their copies to an external storage device which is not always connected to your computer.

That way, if any ransomware infects you, it cannot encrypt your backups.

8. Keep Your Knowledge Up-to-Date

There’s not a single day that goes without any report on cyber-attacks and vulnerabilities in popular software and services, such as Android, iOS, Windows, Linux and Mac Computers as well.

So, it’s high time for users of any domain to follow day-to-day happening of the cyber world, which would not only help them to keep their knowledge up-to-date but also prevent against even sophisticated cyber-attacks.

What to do if WannaCry infects you?

Well, nothing.

If WannaCry ransomware has infected you, you can’t decrypt your files until you pay a ransom money to the hackers and get a secret key to unlock your file.

Never Pay the Ransom:

It’s up to the affected organizations and individuals to decide whether or not to pay the ransom, depending upon the importance of their files locked by the ransomware.

But before making any final decision, just keep in mind: there’s no guarantee that even after paying the ransom, you would regain control of your files.

Moreover, paying ransom also encourages cyber criminals to come up with similar threats and extort money from the larger audience.

So, sure shot advice to all users is — Don’t Pay the Ransom.

“Given the high profile of the original attack, it’s going to be no surprise at all to see copycat attacks from others, and perhaps other attempts to infect even more computers from the original WannaCry gang. The message is simple: Patch your computers, harden your defences, run a decent anti-virus, and – for goodness sake – ensure that you have secure backups.” Cyber security expert Graham Cluley told The Hacker News.

Source: thehackernews, indianexpresskaspersky,  securelisttrendmicro, Microsoft