What to do when you WannaCry – 9 Steps to Fight Ransomware Now
The WannaCry ransomware has swept the globe – affecting more than 200,000 computers in at least 150 countries. Nothing is certain, but it looks like it is the work of a rogue state trying to cause global instability and gather cash to prop up a doomed regime.
Whatever the source, you need to prepare!
The cyber-security professionals of {company} have carefully put together these 9 Steps to help your company weather this cyber-tsunami.
Step #1 – Ensure that you have a good backup, a respected antivirus, and up to date security patches in place.
If you don’t – you’re in trouble from the very beginning. If you need some help getting these foundational pieces in place, give the {company} team a call NOW at {phone}. We can’t stress the importance of these essential security pieces enough.
Okay. Assuming that you have backup, antivirus, and security patches in place, let’s move on to Step #2.
Step #2 – Remove SMB1/CIFS
In all systems except for XP and 2003, you likely don’t need SMB1. Why? SMB2 and SMB3 are enough to get the task accomplished.
To remove SMB1, you can use PowerShell commands as shown here:
Alternatively, you can go to your control panel, find “Turn Windows Features On or Off,” and uncheck SMB1/CIFS.
If you are dealing with a server this is done through this path: Server Manager > Add Roles and Features > Roles
Step #3 Patch your computers
Steps 1 and 2 deal with the critical risk, now you can patch your computers. This can take some time. That’s why we have suggested to deal with SMB1/CIFS and adding firewalls rules before tackling patch updates. See the following links for instructions:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
The instructions in that link seem too complicated? Check out the instructions here:
http://www.yourwindowsguide.com/2017/05/microsoft-patches-windows-8-and-windows.html
Don’t know what Operating System your computers are running? Run ManageEngine’s ADManager Plus
Step #4 – Antivirus custom modifications
Here you want to add rules for your antivirus to prevent the creation of .wnry file extensions. Do a search online for any possible file extensions and make sure all are blocked.
For example, see:
https://kc.mcafee.com/corporate/index?page=content&id=KB89335
Step #5 – Install this free Anti-Ransomware Tool
https://www.bitdefender.com/solutions/anti-ransomware-tool.html
Step #6 – Deal with SMB1 on your file sharing devices
Are you using NAS or other file sharing devices? Ensure they are on SMB 2.1 – assuming that you’re not still using Win XP, 2003, or older operating systems.
See this link:
https://www.qnap.com/en/how-to/tutorial/article/how-to-use-smb-3-0-in-qts-4-2
Step #7 – Whitelist these specific domains
NCSC [National Cyber Security Centre] has determined that you should whitelist the following domains:
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
https://www.ncsc.gov.uk/blog-post/finding-kill-switch-stop-spread-ransomware-0
#8 – Block TCP port 139 and 445 from receiving inbound internet connections
Here’s the path: Windows Firewall with Advanced Security > Inbound > New Rule > Block > Public
If these ports are used internally, there is no need to check “Domain and Private.” If you are unsure, leave it unchecked.
Complete this for all of your computers. Use a Group Policy or utilize the main firewall. We suggest doing this on all laptops PLUS the main firewall.
This is likely helpful in stopping this version of ransomware, but it’s a good practice.
Step #9 – Tell everyone – Employees, Managers, Ownership
Send out a company-wide memo. Make sure it comes from someone who won’t/can’t be ignored. It should say something like…
Attention All:
This WannaCry ransomware is dangerous to your job and our company… (talk about ransomware’s impact).
It is imperative that you follow these guidelines on ALL work computers and ANY personal devices used for work.
- If you get emails with suspicious attachments; even if it is from people you know do not click on the attachment. No harm in opening the email for reading. Forward any suspicious emails to IT department.
- Be very cautious of what you click on while browsing. Do not click on random pop-ups!
- If you accidentally click on a suspicious email or web link, immediately unplug the computer from the network and turn off the WIFI – even before calling IT support.
Follow these 9 Steps immediately and contact the {company} cyber-security team to help your business weather this variant and the coming, next wave of WannaCry.
We’re here to help you through this – but you have to take the first step! Call {phone} now.