How to Stop WannaCry Ransomware – Non-Technical Version

In this post, I attempt to consolidate the most salient pieces of information related to the global cyber-attack known as the “WannaCry Ransomware” in a way that is non-technical. I am just putting up links for non-computer savvy users to find the information fast because I’m noticing that there’s a lot of information being thrown at the public which I do not think they understand as evidenced by the fact that my private messages across many different outlets are filled with people asking what they should do to stop this on their own computers.

I hope this little bit I’m writing here helps the collective effort to stop this thing for good.

If I can help in any other way, my keyboard is at your disposal, my hacker brethren.

————————————
Foreword
————————————

Twenty-one years ago when I accepted my first M.I.S. position (they called I.T. that in those days), I took a silent vow that I would assist end-users to interact with their computers in a meaningful and productive way that would both demystify them and educate using whatever knowledge I had at my disposal; promising constantly to keep my skills current so I could help them not be so fearful of a machine that was created to automate tasks and make their lives easier.

Now, as a whitehat hacker, I uphold this vow and take it one step further in swearing to do all I can to keep these machines from harming the very people who use them and destroying their lives.

My God, this sounds like I’m rewriting the script to The Terminator, but in those days computer viruses were easier to remove; they didn’t take down entire hospital networks and didn’t kill people.

It’s not my place to pass judgment, but I just want to say to the hacker(s) who authored WannaCry: there is a line in the movie Jurassic Park which is so apropos here that I think you should learn the meaning behind it:

Jeff Goldblum’s character, speaking about the dangerous science of cloning dinosaur DNA and bringing them back to life, says, “Your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should.”

————————————
What the heck is WannaCry?
————————————

It’s a self-replicating ransomware infection which carries code borrowed from the NSA. That code allows it to penetrate a system via the SMB port 445, execute on its own, fully encrypt a drive, delete all backups and then move on to the next computer in worm fashion, all without needing a password or user intervention. Meaning, it infects you without your knowledge or consent, and your password is useless in this particular scenario.

————————————
How to stop it from getting on my computer?
————————————

1. You will need to immediately update (what we call patching) your computer with the latest updates from Microsoft. It only affects Windows systems. The link to do this is below under the MS17-010 section.

2. You will need to fully update your anti-virus software’s definitions and make sure its Real-Time functionality is on and working.

3. Disable what is called SMB version 1.0. There is a vulnerability in the software which runs this protocol which gives hackers and this particular virus the ability to penetrate your system without your knowledge or consent. They do not need your password. They bypass passwords altogether.

4. You should block incoming traffic on port 445 on your firewall. You will need to look up instructions on how to do that, as there are many firewalls out there and no one person can give you instructions for your particular one without knowing what it is. Port 445 is the port which SMB uses to communicate. I tell you how to do it in Windows Firewall below, but you could be using other firewall software.

————————————
How to Disable SMB version 1.0
————————————

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

This article describes multiple ways to achieve this. Scroll down to “Windows Client: Add or Remove Programs method”.

————————————
How to Patch Your OS
————————————

MS17-010: These are the links to the patches for your respective operating system. Scroll down and look for your system on the left-hand side of the table. If you try to run an executable that is not for your system, Windows will not allow you to do so and will give you an error.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

If for whatever reason this fails, run Windows Update and update through there.

————————————
How to Block Port 445 in your Windows Firewall
————————————

http://www.thewindowsclub.com/block-open-port-windows-8-firewall
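The four steps above (patch, anti-virus, disable SMB version 1.0, block port 445) can be checked and applied from one elevated PowerShell window on Windows 8.1, Windows 10 and Server 2012 R2 or later. This is an added example, not from the original post or from Microsoft; the `$Ms17010Kb` value is a placeholder you fill in from the MS17-010 table for your operating system, and the rule name is my own choice.

```powershell
# Added example (not from the original post). Run as Administrator.
# Without -Fix it only reports; with -Fix it applies steps 3 and 4.
param(
    [string]$Ms17010Kb = "KBXXXXXXX",   # placeholder: KB number for YOUR OS from the MS17-010 page
    [switch]$Fix
)

# Step 1: is the MS17-010 update installed?
$patch = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
if ($patch) { Write-Host "[OK] $Ms17010Kb installed on $($patch.InstalledOn)" }
else        { Write-Host "[!!] $Ms17010Kb not found: run Windows Update now" }

# Step 2: Windows Defender real-time protection and definition age (skipped if another AV is used)
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    Write-Host "[i]  Real-time protection on: $($mp.RealTimeProtectionEnabled)"
    Write-Host "[i]  Definitions last updated: $($mp.AntivirusSignatureLastUpdated)"
}

# Step 3: is SMB version 1.0 still enabled on this machine?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Host "[!!] SMBv1 is enabled"
    if ($Fix) {
        # Same effect as the registry method in the Microsoft article linked above
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Also remove the SMB1 feature so it cannot be switched back on silently
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host "[OK] SMBv1 disabled (reboot to finish removing the feature)"
    }
} else { Write-Host "[OK] SMBv1 is disabled" }

# Step 4: is inbound TCP 445 blocked in Windows Firewall?
$ruleName = "Block inbound SMB (TCP 445)"   # assumed name, not a built-in rule
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) { Write-Host "[OK] firewall rule '$ruleName' present" }
else {
    Write-Host "[!!] no firewall rule blocking inbound TCP 445"
    if ($Fix) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
        Write-Host "[OK] firewall rule '$ruleName' created"
    }
}

# Anything still listening on 445? Normal for file sharing; the rule above blocks it from outside.
$listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listen) { Write-Host "[i]  port 445 is listening; inbound connections are blocked by the rule" }
```

Blocking inbound 445 also stops other computers on your home network from reaching shared folders and printers on this machine, so expect that to break until the rule is removed.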

————————————
Backup
————————————

You should immediately do a full backup of whatever important data you would not wish to lose. Then disconnect the device you are backing up to from your computer, so that any infection cannot reach your backup device and encrypt it as well, which would make the backup data useless.

————————————
What do I do if I’ve been infected?
————————————

Do NOT pay the ransom. All this does is give the author of this virus and other bad hackers the idea that people will pay to get their data back. It encourages them. Many times they take the money and don’t decrypt the data. This is a bad idea.

I don’t know what other computer experts would tell you to do but my advice?

Fully wipe your computer and restore from backup.

With an infection this dangerous, I wouldn’t take the chance that all traces of it were removed by an anti-virus suite. If you have a clean system and can restore your data which hasn’t been encrypted, you’re good.

If you start to dismantle it piece by piece and leave one of its remnants behind, you could be exposing your computer to damage in the future. I wouldn’t chance it.

————————————
How do I prevent infections like this in the future?
————————————

I can’t predict what’s going to happen with the next virus any more than any other hacker or computer expert can, but I can tell you this: to date, I’ve never had a system of mine infected, and I study malware code. I have live viral samples in a controlled environment.

The reason for this is that prior to executing any file, be it from email, the web, etc., I virus-check it TWICE: once with the AV software on my computer and once with an off-site checker like VirusTotal.

I do not follow links I’m unsure of, and I will paste the URLs into VirusTotal to get a sense of whether or not they are bad before I visit them.

I don’t like email so most of it I delete without reading. Even legitimate emails I receive. I’m lazy 🙂

Keep your system up to date with security updates and patches. Keep your anti-virus software up to date as well. Virus check all files.

But nothing is 100%. You can start by educating yourself on how to keep your computer clean from viruses by researching it.

————————————
Technical Info on WannaCry
————————————

MalwareTech is the AMAZING hacker who stopped the virus from spreading further by registering the domain hidden in its code! He deserves an award, something, to thank him for his quick thinking which saved lives!!!!

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

https://www.bleepingcomputer.com/news/security/honeypot-server-gets-infected-with-wannacry-ransomware-6-times-in-90-minutes/

https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/

————————————
Conclusion
————————————

The moral of the story is that there are just as many good hackers out there working to protect the masses as there are bad ones. The speed with which friends, colleagues of mine and other hackers I deeply admire and respect came together to stop this on a global scale is truly awe-inspiring.

When you see a hacker in the world, make sure you thank them. Even the bad guys too. Because without them none of us would be able to demonstrate OUR skill and illustrate how hard we work to keep the rest of you safe.

Any questions, comments? Find me on Twitter. Because, I delete emails, remember? 😉
