It’s Monday: Don’t get hit by WannaCry (WannaCrypt) from the weekend!

An unprecedented “ransomware” cyberattack that has already hit tens of thousands of victims in 150 countries over the weekend could wreak greater havoc as more malicious variations appear and people return to their desks Monday and power up computers at the start of the workweek.


WannaCrypt can leave your computer hostage

If you’re running Windows XP, 8 or Server 2003, or you aren’t sure if you got the March and April patches installed, here’s what you need to do.

IMPORTANT details about WannaCrypt:

  • It clobbered lots of sites and many computers, but it’s no longer a threat. The folks at Malwaretech.com enabled a sinkhole that’s blocking WannaCrypt. No more infections.
  • Rather than specifically rooting out WannaCrypt, you need to focus immediately on plugging the hole(s) that made WannaCrypt possible. The WannaCrypt code’s out in the wild, and a simple change would make it work again. More than that, other pieces of the Shadow Brokers trove can be used to make new, innovative malware. Get patched now.
  • As of this writing, nobody has any idea who made WannaCrypt, why they released a weapons-grade exploit to beg for chump change ($300 per infection), and how the first infection(s) appeared.
  • Microsoft released patches for Windows 10, 8.1 and 7 back in March (that’s MS17-010). Yesterday, they released patches for Windows XP, Win 8, and Server 2003 SP2.

Here’s how to see if you need patching, and how to get patched if need be.

Windows XP, Windows 8

You don’t have the patch, unless you downloaded and installed it already. Follow the links at the bottom of the Technet page to download and run the installer.

Vista

See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Look for one marked “Security Update for Windows Vista (KB4012598).” If you don’t have it, download it from the Microsoft Update Catalog, and install it.

Windows 7

See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Scan the list (which can be alphabetized by clicking the box marked Name, or sorted by date) to see if you have ANY of these patches:

2017-05 Security Monthly Quality Rollup for Windows 7 (KB4019264)
April, 2017 Preview of Monthly Quality Rollup for Windows 7 (KB4015552)
April, 2017 Security Monthly Quality Rollup for Windows 7 (KB4015549)
March, 2017 Security Monthly Quality Rollup for Windows 7 (KB4012215)
March, 2017 Security Only Quality Update for Windows 7 (KB4012212)

Here’s a quick way to check whether you have any of the above updates:

If you have any of those patches, you’re fine. Don’t be confused. There’s no reason to download or install anything, unless you have absolutely none of those patches. No, I’m not recommending that you install something. Just look at the list and see if you have any of the patches.

If you have none of those patches, download and install the March, 2017 Security Only Quality Update for Windows 7 (KB4012212) for 32-bit or 64-bit.

Windows 8.1

See if the patch is already installed. Click Start > Control Panel > System and Security. Under Windows Update click the View installed updates link. Scan the list (which can be alphabetized by clicking the box marked Name, or sorted by date) to see if you have ANY of these patches:

2017-05 Security Monthly Quality Rollup for Windows 8.1 (KB4019215)
April, 2017 Preview of Monthly Quality Rollup for Windows 8.1 (KB4015553)
April, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4015550)
March, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4012216)
March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213)

If you have any of those patches, you’re fine. Again, I’m not suggesting that you install anything unless all of those patches are missing.

If you have none of those patches, download and install the March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213) for 32-bit or 64-bit.

See note above about Security-only patches. Again, this list is complete, I believe, and accurate.

Windows 10

Creators Update (version 1703) is OK.

Anniversary Update (version 1607) – Check your build number. If you have Build 14393.953 or later, you’re fine. If you don’t, use Windows Update to install the latest build 14393.1198. Yes, I know that violates the current MS-DEFCON 2 setting, but you need to get up to or beyond 14393.953.

Fall (er, November) Update (version 1511) – use the steps above to check your build number. You have to be at build 10586.839 or later.

RTM (“version 1507”) – same procedure, make sure you’re up to or beyond build 10240.17319.
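One script that applies the checks from the Windows 7, Windows 8.1 and Windows 10 sections above: an added example, not code from the original post. It assumes PowerShell 2.0 or later on the machine being checked, and that build 15063 corresponds to version 1703 (the post only says 1703 is OK).

```powershell
# Added example, not from the original post. Checks the local machine against
# the MS17-010 indicators listed in the Windows 7, 8.1 and 10 sections.
# Assumes PowerShell 2.0+; build 15063 = version 1703 is assumed knowledge.
$kbByOs = @{
    'Windows 7'   = @('KB4019264','KB4015552','KB4015549','KB4012215','KB4012212')
    'Windows 8.1' = @('KB4019215','KB4015553','KB4015550','KB4012216','KB4012213')
}
# Minimum update build revision (UBR) per Windows 10 branch, from the post.
$win10MinUbr = @{ '14393' = 953; '10586' = 839; '10240' = 17319 }

function Test-Ms17010Patched {
    $os = Get-WmiObject Win32_OperatingSystem
    if ($os.Caption -match 'Windows 10') {
        $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $build = [string]$cv.CurrentBuild
        $ubr   = [int]$cv.UBR
        if ($build -eq '15063') { return 'Windows 10 1703 (Creators Update) is OK' }
        if (-not $win10MinUbr.ContainsKey($build)) {
            return "Windows 10 build $build.$ubr is not in the list above; check manually"
        }
        $min = $win10MinUbr[$build]
        if ($ubr -ge $min) { return "Windows 10 build $build.$ubr is at or above $build.$min; patched" }
        return "Windows 10 build $build.$ubr is below $build.$min; NOT patched, run Windows Update"
    }
    foreach ($name in $kbByOs.Keys) {
        if ($os.Caption -notmatch [regex]::Escape($name)) { continue }
        # Get-HotFix reads Win32_QuickFixEngineering; HotFixID looks like 'KB4012212'
        $found = Get-HotFix | Where-Object { $kbByOs[$name] -contains $_.HotFixID }
        if ($found) { return "${name} is patched ($($found.HotFixID -join ', '))" }
        return "${name} has none of the listed updates; install the March 2017 Security Only update"
    }
    return "Unrecognised OS '$($os.Caption)'; check manually"
}

Test-Ms17010Patched
```

Get-HotFix only reports what Win32_QuickFixEngineering knows about, so treat a negative result as a prompt to look at View installed updates yourself rather than as proof the patch is absent.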

What to do if your system cannot be patched?

Per the TechNet article, disabling SMB 1.0/CIFS is the suggested workaround if you aren’t able to patch, but this will break file sharing on your network.


Easiest fixes without installing a hotfix:

In Command Prompt

For Win 7 / WS2008/r2:

For Win 8+ / WS 2012/r2+

Impact of workaround. The SMBv1 protocol will be disabled on the target system.

Warning: I do not recommend that you disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
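The server-side check and disable step, as an added example that is not from the original post: it follows the approach in Microsoft’s article named just above (SMB cmdlets on Windows 8/Server 2012 and later, the LanmanServer registry value on Windows 7/Server 2008 R2) and leaves SMBv2 and SMBv3 alone. It assumes an elevated PowerShell prompt.

```powershell
# Added example, not from the original post. Reports whether the SMBv1 server
# is enabled on this machine and turns it off; SMBv2/SMBv3 are not touched.
# Assumes an elevated PowerShell prompt (PowerShell 2.0+ on Windows 7).
$smb1Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerEnabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later ship the SMB cmdlets
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: a missing SMB1 value means the default, enabled
    $v = (Get-ItemProperty -Path $smb1Key -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $smb1Key -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Host 'Registry updated; a reboot is needed before the change takes effect.'
    }
}

if (Get-Smb1ServerEnabled) {
    Write-Host 'SMBv1 server is ENABLED; disabling it.'
    Disable-Smb1Server
} else {
    Write-Host 'SMBv1 server is already disabled.'
}
```

Run Get-Smb1ServerEnabled again afterwards (after the reboot on Windows 7) to confirm the change stuck, and remember that anything on the network that only speaks SMB 1.0 will lose access to shares on this machine.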

Backups??

One of the most fundamental defenses against ransomware is the ability to reliably restore from backup. If all your things get crypto’d and you can just say “oh well, it’s not fun and I need to rebuild my machine but at least I’ve only lost time” then you’re in a fundamentally better position than having lost your files (short of paying the ransom, that is).

Many (probably most) individuals and organisations alike don’t have a satisfactory backup strategy. Typically, problems include:

  1. They’re not taking backups at all
  2. They’re backing up over existing backups and writing corrupted files over good ones
  3. They’re not backing up frequently enough (it must be fully automated)
  4. They’re only backing up to connected devices accessible by malicious software

Ideally, you want a 3-2-1 backup strategy which means at least 3 total copies of your data, 2 of which are local but on different mediums (such as external storage devices) and 1 which is offsite. There are professional cloud backup services available which will keep versioned copies of all your things and allow you to rollback to any point in time (no, Dropbox alone won’t do that). There are cheap external devices with large capacities you can physically rotate and store with a trusted relative. It’s another topic altogether, but just consider your ability to recover from these scenarios:

  1. All your files become corrupted (or encrypted) and replicated to your backup devices
  2. Everything that can communicate with your machine gets hosed
  3. A thief steals all your devices or your house burns down

Resilience against all of these isn’t hard, but it takes planning. Also, “backup” is important but what’s really important is “restore” so do test that as well.

Look at Microsoft’s site for the latest updates:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

How To Remove WannaCry

As with all tutorials, please read each step individually, and only act upon it when understood.

  1. The first thing you need to do is enter Safe Mode. Here is how to do that for Windows XP/7, 8/8.1, and 10.

Windows XP and 7: Before Windows starts, press the F8 key. Once the Boot Menu appears, look for and select Safe Mode with Networking, then press Enter.

Windows 8 and 8.1: Go to Start Menu >> Control Panel >> Administrative Tools >> System Configuration. Find and tick Safe Boot, select Networking, then Restart. Your computer should now boot into Safe Mode.

Windows 10: Go to Start Menu >> Settings >> Update and Security >> Recovery. Next, under Advanced Startup, click Restart Now and allow your computer to restart.

When the Choose an Option screen appears, go to Troubleshoot >> Advanced Options >> Startup Settings. Then choose the Enable Safe Mode with Networking option and press Enter to boot into Safe Mode.

Note: Depending on your computer, there’s always the chance that some key other than F8 is the boot key. If that is so, look for advice in the manufacturer’s literature or online.


Removing Processes

2. Next, look for processes which may relate to the WannaCry ransomware. Press Ctrl + Shift + Esc to open Task Manager, then look carefully through the Processes tab for unfamiliar entries.

Usually, a malicious process will consume large amounts of resources, such as CPU and RAM. If you discover something which looks out of the ordinary, right-click it and open its file location, then delete everything there. Only do this if you are sure that the process is WannaCry related.

Startup Programs

3. Now we’re going to look at Startup Programs. To do so, type System Configuration into the Windows Search Bar, select the first result, go to the Startup tab and look through the list of programs.

If you are a Windows 10 user, Startup Programs can be seen in Task Manager instead. On all versions of Windows, if any entry has an unknown developer or just looks wrong, uncheck it and click OK.

The Registry

4. Next we’re going to take a look at the registry. Open the Run window (press WinKey + R), type regedit and press Enter.

When the Registry Editor launches, press Ctrl + F and type the name of the virus, Ransom.CryptXXX or WannaCry. Now select Find Next and remove whatever is returned that relates to that name. Repeat this for all the search results.

Virus Files

5. Finally, you need to delete other potential virus files. To do this, open the Start Menu and type each of the following individually: %AppData%, %LocalAppData%, %ProgramData%, %WinDir%, %Temp%.

When each folder opens, sort its contents by date and delete the most recent folders and files. When you access the Temp folder, remove everything from it.

There have been reports that the SpyHunter software does indeed manage the threat effectively. Although it will require you to purchase it, the free version will only inform you if you are infected. I am not promoting or recommending the product as I have not tested it.