How to protect yourself from WannaCry ransomware?

by Lucia Danes

WannaCry ransomware is a new and widespread cyber pandemic that has already taken more than 230,000 computers hostage. With its current volume of dispersion, WannaCry is approaching the level of other infamous cyber threats such as Cerber or Locky.

Nevertheless, what distinguishes WCry from these two, last year’s most dangerous parasites, is its use of new distribution techniques that do not require victims to click on infected links or take part in acquiring the ransomware in any other way.


The malware uses practices and tools used by U.S. intelligence to break into computers and run the malicious script that renders the user’s data inaccessible. In particular, the ransomware employs the EternalBlue exploit to target Windows devices with an unpatched MS17-010 vulnerability. This security gap is open on Windows versions which are no longer supported and receive no security updates.

Luckily, in response to the latest events, Microsoft has released emergency patches for Windows XP, Windows Server 2003, Windows 8 and a few other outdated operating systems. But even the software update may not be enough to prevent a ransomware attack.

Below, we provide instructions on how to disable the SMB (Server Message Block) functionality which is used to deploy the malicious WanaCrypt0r files on the computer. But before we head to the tutorial, we want to give a brief definition of the malware and how it behaves on the infected computer, to help you recognize it more easily.

WannaCry uses different extensions to mark encrypted files

As you may have noticed, throughout the previous paragraphs we have used different names to refer to the WannaCry virus. This is because the virus, indeed, travels around in a variety of different shapes and forms, most likely to be trickier to recognize and terminate.

Research has revealed that the virus now uses four different extensions (.wncry, .wncrytt, .wcry or .wncryt) to mark the encrypted files, but we can expect more variations as the ransomware picks up speed. To drop these extensions and recover files, users must pay the extortionists up to 600 dollars in Bitcoin; otherwise, the encrypted data will be destroyed. The @WanaDecryptor@.exe window shows a timer which counts down the time until data destruction. Unfortunately, no free decryption software currently exists that would help recover the encrypted data.

So, once you’ve been infected, there is really not much you can do to roll back the consequences of the attack. It is therefore much more important to take action and protect your device before any virus sets foot on your system. Here are some steps you should take to prevent WannaCry infiltration.

How to disable SMB and prevent WannaCry attack?

The SMB (Server Message Block) function is the main vulnerability that allows the ransomware to infect computers. Since this feature is enabled on Windows by default, extortionists can easily use it to carry out the attack. Thus, we highly recommend disabling it if you are not using it. It is really simple and you can achieve it in three basic steps:

  1. Click the Windows logo in the bottom-left corner of the screen and type “Windows Features” into the search bar
  2. Open the feature window, go to settings and look for the SMB entry. Unmark it and click OK
  3. Restart the computer

You can also disable SMB via PowerShell. To do so, type “Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol”. After the feature is disabled, we recommend rebooting the computer.
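
The PowerShell route above, extended into a script that first checks whether SMBv1 is still in use before switching it off. This is an added example, not part of the original article; it goes beyond the article's one-liner by also checking live sessions and the SMB server setting, and it assumes an elevated PowerShell session on Windows 8.1, Windows 10 or later, where these cmdlets are available.

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMBv1 usage, then disable it.
# Assumption: Windows 8.1 / Windows 10 or later (older systems lack these cmdlets).

$featureName = 'SMB1Protocol'   # the feature named in the article

# 1. Current state of the optional feature (Enabled, Disabled, DisablePending, ...)
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName
Write-Output "Feature ${featureName}: $($feature.State)"

# 2. Is the SMB server component still willing to negotiate SMBv1?
$server = Get-SmbServerConfiguration
Write-Output "Server EnableSMB1Protocol: $($server.EnableSMB1Protocol)"

# 3. "If you are not using it": look for live sessions negotiated with a 1.x dialect.
#    Inbound = other machines talking SMBv1 to this one; outbound = this machine
#    talking SMBv1 to a share elsewhere (old NAS boxes, printers, scanners).
$inbound  = @(Get-SmbSession    | Where-Object { $_.Dialect -like '1.*' })
$outbound = @(Get-SmbConnection | Where-Object { $_.Dialect -like '1.*' })

if ($inbound.Count -gt 0 -or $outbound.Count -gt 0) {
    Write-Warning 'SMBv1 is in use; these peers lose access once it is disabled:'
    $inbound  | Format-Table ClientComputerName, ClientUserName, Dialect -AutoSize
    $outbound | Format-Table ServerName, ShareName, Dialect -AutoSize
    return   # stop here so the dependency can be reviewed first
}

# 4. Turn off SMBv1 on the server side right away (no reboot needed for this part).
if ($server.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 5. Remove the optional feature, as in the article. -NoRestart defers the reboot
#    so it can be scheduled; the removal is complete only after restarting.
if ($feature.State -eq 'Enabled') {
    $result = Disable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart
    Write-Output "Restart needed: $($result.RestartNeeded)"
}

# 6. Verify: expect Disabled (or DisablePending until the reboot) and False.
$after = Get-WindowsOptionalFeature -Online -FeatureName $featureName
Write-Output "Feature ${featureName} now: $($after.State)"
Write-Output "Server EnableSMB1Protocol now: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
```

Only sessions that are open at the moment the script runs are listed, so a device that connects occasionally may not show up in step 3.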

About the author

Lucia Danes - Security researcher

Lucia Danes is the news editor at UGetFix. She is always on the move because her eagerness for knowledge makes her travel around the globe and attend InfoSec events and conferences.
