The WannaCry ransomware has swept the globe – affecting more than 200,000 computers in at least 150 countries. Nothing is certain, but it looks like it is the work of a rogue state trying to cause global instability and gather cash to prop up a doomed regime.
Whatever the source, you need to prepare!
The cyber-security professionals of Centerpoint IT have carefully put together these 9 Steps to help your company weather this cyber-tsunami.
Step #1 – Ensure that you have a good backup, a respected antivirus, and up-to-date security patches in place.
If you don’t – you’re in trouble from the very beginning. If you need some help getting these foundational pieces in place, give the Centerpoint IT team a call NOW at (404) 781-0200. We can’t stress the importance of these essential security pieces enough.
Okay. Assuming that you have backup, antivirus, and security patches in place, let’s move on to Step #2.
Step #2 – Remove SMB1/CIFS
In all systems except for XP and 2003, you likely don’t need SMB1. Why? SMB2 and SMB3 are enough to get the task accomplished.
To remove SMB1, you can use PowerShell commands as shown here:
Alternatively, you can go to your control panel, find “Turn Windows Features On or Off,” and uncheck SMB1/CIFS.
If you are dealing with a server this is done through this path: Server Manager > Add Roles and Features > Roles
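The PowerShell commands referred to in Step #2 are not reproduced on this page. The script below is an added example, not Centerpoint IT's own commands. It assumes Windows 8.1 / Server 2012 R2 or later, where these Microsoft cmdlets are available.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): report on and disable SMB1.
# Assumption: Windows 8.1 / Server 2012 R2 or later.

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer = $os.ProductType -ne 1   # 1 = workstation, 2 = domain controller, 3 = server

# Report the current state before changing anything.
$before = Get-SmbServerConfiguration
"{0}: SMB1 enabled = {1}, SMB2/3 enabled = {2}" -f `
    $env:COMPUTERNAME, $before.EnableSMB1Protocol, $before.EnableSMB2Protocol

# If SMB2/3 is off, disabling SMB1 would break file sharing entirely, so stop here.
if (-not $before.EnableSMB2Protocol) {
    Write-Warning 'SMB2/3 is disabled; enable it before removing SMB1.'
    return
}

# Stop the SMB server from answering SMB1 requests (takes effect immediately).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Remove the SMB1 component itself; this part needs a reboot to complete.
if ($isServer) {
    $feature = Get-WindowsFeature -Name FS-SMB1
    if ($feature -and $feature.Installed) {
        Uninstall-WindowsFeature -Name FS-SMB1
    }
} else {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}

# Verify: this should now print False.
(Get-SmbServerConfiguration).EnableSMB1Protocol
```

Run it on one machine first and confirm that shares, scanners and older NAS devices still connect before rolling it out by Group Policy or a management tool.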
Step #3 – Patch your computers
Steps 1 and 2 deal with the critical risk; now you can patch your computers. This can take some time, which is why we suggest dealing with SMB1/CIFS and adding firewall rules before tackling patch updates. See the following links for instructions:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Do the instructions in that link seem too complicated? Check out the instructions here:
http://www.yourwindowsguide.com/2017/05/microsoft-patches-windows-8-and-windows.html
Don’t know what operating system your computers are running? Run ManageEngine’s ADManager Plus.
Step #4 – Antivirus custom modifications
Here you want to add rules to your antivirus that prevent the creation of files with the .wnry extension. Search online for any other file extensions associated with this ransomware and make sure all of them are blocked.
For example, see:
https://kc.mcafee.com/corporate/index?page=content&id=KB89335
Step #5 – Install this free Anti-Ransomware Tool
https://www.bitdefender.com/solutions/anti-ransomware-tool.html
Step #6 – Deal with SMB1 on your file sharing devices
Are you using NAS or other file sharing devices? Ensure they are on SMB 2.1 – assuming that you’re not still using Win XP, 2003, or older operating systems.
See this link:
https://www.qnap.com/en/how-to/tutorial/article/how-to-use-smb-3-0-in-qts-4-2
Step #7 – Whitelist these specific domains
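The NCSC [National Cyber Security Centre] has determined that you should whitelist the following domains. These are the ransomware's "kill switch" domains: the malware stops running if it can reach them, so they need to stay reachable from inside your network rather than being blocked.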
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
https://www.ncsc.gov.uk/blog-post/finding-kill-switch-stop-spread-ransomware-0
Step #8 – Block TCP ports 139 and 445 from receiving inbound internet connections
Here’s the path: Windows Firewall with Advanced Security > Inbound > New Rule > Block > Public
If these ports are used internally, there is no need to check “Domain and Private.” If you are unsure, leave it unchecked.
Complete this for all of your computers. Use a Group Policy or utilize the main firewall. We suggest doing this on all laptops PLUS the main firewall.
This is likely helpful in stopping this version of the ransomware, and it’s good practice in any case.
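The same Step #8 rule can be created from PowerShell, which is easier to push to many machines than clicking through the firewall console. This is an added example, not from the original article; the rule name is a hypothetical label chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): block inbound TCP 139 and 445
# on the Public firewall profile, matching the GUI path in Step #8.

$ruleName = 'Block inbound SMB and NetBIOS (Public)'   # hypothetical rule name

# Create the rule only if it does not already exist, so the script can be re-run.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 139, 445 `
        -Action Block -Profile Public | Out-Null
}

# Confirm the rule is present and enabled, and show the ports it covers.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# The rule only applies while a network is classified as Public. List how each
# connected network is currently classified so misclassified ones stand out.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory
```

A laptop that has joined an untrusted network classified as Private is not covered by this rule, which is one reason to block these ports on the main firewall as well.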
Step #9 – Tell everyone – Employees, Managers, Ownership
Send out a company-wide memo. Make sure it comes from someone who won’t/can’t be ignored. It should say something like…
Attention All:
This WannaCry ransomware is dangerous to your job and our company… (talk about ransomware’s impact).
It is imperative that you follow these guidelines on ALL work computers and ANY personal devices used for work.
Follow these 9 Steps immediately and contact the Centerpoint IT cyber-security team to help your business weather this variant and the coming next wave of WannaCry.
We’re here to help you through this – but you have to take the first step! Call (404) 781-0200 now.