A lazy approach to defend wannacry

Well, the digital world is on fire now! The entire planet is talking about the WannaCry ransomware, the NSA leaks, the Shadow Brokers and so on.

Even people who have never used an exploit in their lifetime have suddenly become experts in ransomware and WannaCry! Television, newspapers, Facebook, WhatsApp; these guys are everywhere.
Cannot tolerate it anymore! Goodbye cruel world! 🙂 😀

Jokes apart, this is still a critical issue. Early on, red teams took advantage of the NSA-WikiLeaks-Vault7-WeepingEyes-Fuzzbunch material and the Shadow Brokers exploit dump: they sent malicious documents to their targets using MS17-0199, and then pivoted to internal hosts using MS17-010.
It was crystal clear that someone would use these exploits for malware or ransomware.
Anyway, let's come to our topic. As the name suggests, this is a very lazy approach to fighting WannaCry and stopping it from spreading in your home or small network.

Corporate users and professionals mostly run genuine versions of Windows, while home/personal users often do not. Machines with a genuine Windows operating system are far more likely to receive critical updates and patches from Microsoft, which solves most of these issues.
Home users and people running pirated Windows are more vulnerable to WannaCry, because they will not receive the Microsoft patch for the EternalBlue (MS17-010) vulnerability. Once one machine is infected, the worm spreads to every Windows machine in your home or personal network.

WannaCry has two parts. The worm module spreads the ransomware to other computers using the EternalBlue vulnerability and the DoublePulsar backdoor, and the ransomware module encrypts the user's files.

Well, I'm not going to talk about that here, since there are plenty of sources explaining how the ransomware works.
Here I'm going to list some damn lazy steps for lazy users who are not willing to:
move to a Linux OS;
use a genuine Windows OS;
do regular patching/updates;
or use a paid antivirus software!

I do not encourage the use of pirated Windows products. It's always better to use a genuine Windows operating system; otherwise, move to a Linux distribution, which is free!

1. Block SMB ports on your windows firewall
Since WannaCry leverages the SMB service, we can block the SMB ports in Windows Firewall with Advanced Security. The default SMB port is TCP 445, but we should filter the NetBIOS ports as well: TCP 139 and 445, and UDP 137 and 138. This makes sure our machine won't get infected by other infected PCs on the same network.

Img-1: Scanning a Windows 8 machine for the EternalBlue/MS17-010 vulnerability on port 445

The scan went through successfully and the target Windows 8 machine appears to be vulnerable to EternalBlue, and therefore to the WannaCry worm/ransomware.

Img-2: Blocking the SMB ports in the target Windows 8 machine's firewall using the “Windows Firewall with Advanced Security” console.


Img-3: Adding a new inbound rule to block the SMB TCP ports. Repeat the same for UDP ports 137 and 138.
We need to be careful with the firewall profile here. There are three profiles (Domain, Private and Public); if the rule is applied to all of them, users or machines from the same domain, from the private network, or from the Internet will no longer be able to reach SMB ports and services on this machine.
Even Windows file shares may stop working properly. We are assuming that we are doing this on a home/personal computer that does not receive Windows updates.

Img-4: Our inbound rule is there finally!

Img-5: Performing the scan again

It worked! The scan cannot detect the vulnerability this time, since the firewall blocks the port. If MS17-010 cannot be reached, WannaCry can't spread to your system.
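The same inbound block rules can be created from an elevated PowerShell prompt instead of clicking through the console. This is an added example, not code from the original post; the rule display names are my own choice, and the ports are the ones listed above.

```powershell
# Added example (not from the original post): block inbound SMB/NetBIOS ports on all
# Windows Firewall profiles (Domain, Private, Public), then verify the rules exist.
# Run from an elevated PowerShell. Rule names are my own choice.
$tcpPorts = @("139", "445")   # SMB over NetBIOS session / direct SMB
$udpPorts = @("137", "138")   # NetBIOS name / datagram services

New-NetFirewallRule -DisplayName "Block SMB TCP (WannaCry)" `
    -Direction Inbound -Protocol TCP -LocalPort $tcpPorts `
    -Action Block -Profile Any -Enabled True | Out-Null

New-NetFirewallRule -DisplayName "Block NetBIOS UDP (WannaCry)" `
    -Direction Inbound -Protocol UDP -LocalPort $udpPorts `
    -Action Block -Profile Any -Enabled True | Out-Null

# Verify: show the rules we just created together with their port filters.
Get-NetFirewallRule -DisplayName "*WannaCry*" | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name      = $_.DisplayName
        Enabled   = $_.Enabled
        Action    = $_.Action
        Profile   = $_.Profile
        Protocol  = $pf.Protocol
        LocalPort = ($pf.LocalPort -join ',')
    }
} | Format-Table -AutoSize

# Check from another machine on the LAN (replace <your-pc> with your own host name or IP);
# TcpTestSucceeded should now be False:
#   Test-NetConnection -ComputerName <your-pc> -Port 445

# To undo later, once the machine is patched:
#   Get-NetFirewallRule -DisplayName "*WannaCry*" | Remove-NetFirewallRule
```

As noted above, these rules also stop legitimate file sharing to this machine, so remove them once the machine is patched.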

2. Install an Anti-virus software

Again, I'm not suggesting you buy a commercial anti-virus/anti-malware solution. A good anti-virus program can detect and eradicate malware binaries coming into the system via mail attachments or downloads.
Since we are too lazy to buy a proactive commercial solution, let's rely on free anti-virus products. Better to download and install Avast Free Antivirus:
https://www.avast.com/free-antivirus-download
The free license can be extended for up to one year at no cost.

3. Use Disk encryption for personal data

Always back up your personal data, whether it's your porn collection or your movie files.
It's also better to use disk encryption tools such as BitLocker or DiskCryptor.
BitLocker comes with Windows, and DiskCryptor is an open source tool that can be downloaded from https://diskcryptor.net/wiki/Main_Page

Encrypt your disk partitions using either of these tools and keep your data there.
Even if the machine is infected by ransomware, the malware cannot access or encrypt files on an encrypted partition that is locked and not mounted: ransomware can only encrypt what the running system can read. So make sure to unmount and lock your encrypted volumes whenever they are not in use.
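For BitLocker, the lock-when-not-in-use step can be scripted. This is an added example, not code from the original post; it assumes the data volumes are already BitLocker-protected and that PowerShell is run elevated.

```powershell
# Added example (not from the original post): lock every BitLocker-protected data
# volume that is currently unlocked, so a process running on the OS cannot read or
# encrypt its files, then show the resulting status. Run from an elevated PowerShell.
# The OS volume cannot be locked while Windows is running, so only Data volumes are touched.
$dataVolumes = Get-BitLockerVolume | Where-Object {
    $_.VolumeType -eq 'Data' -and $_.ProtectionStatus -eq 'On'
}

foreach ($vol in $dataVolumes) {
    if ($vol.LockStatus -eq 'Unlocked') {
        # -ForceDismount closes open handles on the drive; save your work there first.
        Lock-BitLocker -MountPoint $vol.MountPoint -ForceDismount | Out-Null
    }
}

# Verify: every protected data volume should now report LockStatus = Locked.
Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'Data' } |
    Select-Object MountPoint, VolumeType, ProtectionStatus, LockStatus |
    Format-Table -AutoSize
```

Unlock a volume again with `Unlock-BitLocker -MountPoint D: -Password (Read-Host -AsSecureString)` when you need the data.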

4. Use a pop-up blocker

Always use a pop-up/script blocker while browsing. It will detect and block the execution of malicious JavaScript and Java drive-by attacks, which is one of the ways ransomware spreads via the Internet. A good option is the “NoScript” extension for Firefox.

5. Make sure what you are downloading

Never ever download software or other executables from untrusted sources, and do not download unwanted programs. The Internet will trick you into downloading malicious files, which leads to ransomware infection.

6. Be damn lazy and wait for the next malware attack/zero day/exploit, or even the cyber apocalypse! 🙂