Ransomware is no longer just a nuisance. Now it's quite literally a matter of life and death. A massive ransomware attack being labeled as "WannaCry" has been reported around the world and is responsible for shutting down hospitals in the United Kingdom and encrypting files at Spanish telecom firm Telefonica.
The WannaCry attack is not a zero-day flaw, but rather is based on an exploit that Microsoft patched with its MS17-010 advisory on March 14 in the SMB Server. However, Microsoft did not highlight the SMB flaw until April 14, when a hacker group known as the Shadow Brokers
released a set of exploits, allegedly stolen from the U.S. National Security Agency.
SMB, or Server Message Block, is a critical protocol used by Windows to enable file and folder sharing. It's also the protocol that today's WannaCry attack is exploiting to rapidly spread from one host to the next around the world, literally at the speed of light. The attack is what is known as a worm, "slithering" from one host to the next on connected networks.
Among the first large organizations to be impacted by WannaCry is The National Health Service in the UK, which has publicly confirmed that it was attacked by the Wanna Decryptor.
"This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors," the NHS stated. "At this stage we do not have any evidence that patient data has been accessed."
Security firm Kaspersky Lab reported that by 2:30 p.m. ET May 12 it had already seen more than 45,000 WannaCry attacks in 74 countries. While the ransomware attack is making use of the SMB vulnerability to spread, the encryption of files is done by the Wanna Decryptor attack that seeks out all files on a victim's network. Once the ransomware has completed encrypting files, victims are presented with a screen demanding a ransom. Initially, the ransom requested was reported to be $300 worth of Bitcoin, according to Kaspersky Lab.
"Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted," the ransom note states. "Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service."
It's not clear who the original source of the global WannaCry attacks is at this point, or even if it's a single threat actor or multiple actors. What is clear is that despite the fact that a software patch has been available since March for the SMB flaws, WannaCry is using tens of thousands of organizations that didn't patch.
Aside from patching and keeping systems up to date, having backups is always an essential element of good computer hygiene, which can help minimize the risk of ransomware as well.
Ransomware has been a growing problem over the course of the last year, according to multiple industry reports. The 2017 Verizon Data Breach Investigation
Report (DBIR) found a 50 percent increase in ransomware over the 2016 report, while Symantec reported in its Internet Security Threat
Report (ISTR) that the average ransomware payout increased from $294 in 2015 up to $1,077 in 2016.
Who is impacted?
A number of organizations globally have been affected, the majority of which are in Europe.
Is this a targeted attack?
No, this is not believed to be a targeted attack at this time. Ransomware campaigns are typically indiscriminate.
Why is it causing so many problems for organizations?
WannaCry has the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in Microsoft Windows. Computers which do not have the latest Windows security updates applied are at risk of infection.
Can I recover the encrypted files?
Decryption is not available at this time but Symantec is investigating. Symantec does not recommend paying the ransom. Encrypted files should be restored from back-ups where possible.
What are best practices for protecting against ransomware?
- New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
- Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
- Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
- Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However organizations should ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.
- Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.
source :
How to disable CIFS/SMB port 445 on Windows 7 64 bit
So, I had a requirement of disabling the port 445 on a Win 7 64 bit machine. The first thing which we do is to 'google' to find out a solution and I did the same. I found some results and they looked convincing. I tried the first method which was something like:
- Open registry editor
- Go to 'HKLM\System\CurrentControlSet\ Services\NetBT\Parameters' key
- Go to option called TransportBindName (on the right hand side)
- Empty the value so that Data (value) of 'TransportBindName' is empty. Close Registry Editor.
- Reboot the PC
- And you are done
it was so simple I thought and followed the procedure. To my irritation, this didn't work. no problem,
there was another method on some other website:
- As again, this requires opening the registry editor
- Go to 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' key
- Create a 'REG_DWORD' Entry with the name SMBDeviceEnabled and give it's value 0
- Close Registry Editor
- Reboot the PC
it
also seemed simple. I followed the procedures and waited till the PC rebooted. And again to my greater irritation, it didn't work.
I went on googling and almost experimented all the things I found - none of them worked for me. It took almost one full day :(
Then I started experimenting on my own, and luckily to my great satisfaction, I found it. Here is what worked for me:
- Open Services by typing services.msc in Run dialog box.
- Locate the service named 'Server'. The description field for this should be saying something like 'Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. '
- Double click on that service
- Click on the button 'Stop' to stop it.
- In the Startup Type combo choose 'Disabled' so that on the next boot, this service will not start running. Apply your changes by clicking on Ok.
- Now locate another service named 'TCP/IP NetBIOS Helper'. The description should read something like 'Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.'.
- Do the same with this service - stop it and disable it.
- Restart the computer
There can be slight variation in names/description as while writing this blog post, I was on a XP machine.
Disclaimer: By reading the descriptions of the services you disabled, you should have a hint that your file sharing and other things will not work on the next reboot.
You can always go to Services again and set the services as 'Automatic' to enable them on the next reboot.
if it also works for you, kindly come back and leave a note of appreciation.