WannaCry Resource Center @ deretti.net
Created on: Friday, May 12th 2017 1145 EDT (GMT-04:00)
Last Update: Tuesday, May 16th 2017 1512 EDT (GMT-04:00)
This page is maintained by a computer network security research professional and its solely purpose is to inform and assist preventing the Malware WannaCrypt proliferation. All the information and software developed by https://tiago.deretti.net and provided on this resource center is may be used under MIT License (Massachusetts Institute of Technology License) and is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. in no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.
WannaCrypt Ransomware, also known by the names WannaCry, WanaCrypt0r or Wcrypt is a ransomware which targets Windows operating systems. Discovered on 12th May 2017, WannaCrypt was used in a large Cyber-attack and has since infected more than 230,000 Windows PCs in 150 countries. WannaCrypt initial hits include UK’s National Health Service, the Spanish telecommunications firm Telefónica, and the logistics firm FedEx. Such was the scale of the ransomware campaign that it caused chaos across hospitals in the United Kingdom. Many of them had to be shut down triggering operations closure on short notice, while the staff were forced to use pen and paper for their work with systems being locked by Ransomware.
As evident from its worldwide attacks, WannaCrypt first gains access to the computer system via an email attachment and thereafter can spread rapidly through LAN. The ransomware can encrypt your systems hard disk and attempts to exploit the SMB vulnerability to spread to random computers on the Internet via TCP port and between computers on the same network.
If you are not sure if your computer is vulnerable, I programmed the "WannaChecker Vulnerability ID" tool that will assist you on identify if you need a Microsoft Patch or not and you can download the free tool here.
Most important Microsoft KB regarding WannaCry and SMBv1 is Microsoft Security Bulletin MS17-010 and can be found here here.
I am still validating and KBs below and their relevance.
Windows Vista & 2003 - KB4012598
Windows Windows 7 - KB4012212 | KB4012215 | KB4015549 | KB4019264
Windows Windows 8.1 - KB4012216 | KB4015550 | KB4019215
Windows 10 - KB4013198 | KB4015219 | KB4012606 | KB4019474 | KB4019473 | KB4013429 | KB4019472
Windows Server 2008 - KB4012598 | KB4018466
Windows Server 2008 R2 - KB4012212 | KB4012215 | KB4015549 | KB4019264
Windows Server 2012 - KB4012214 | KB4012217 | KB4015551 | KB4019216
Windows Server 2012 R2 - KB4012213 | KB4012216 | KB4015550 | KB4019215
Windows Server 2016 - KB4013429 | KB4019472 | KB4015217 | KB4015438 | KB4016635
Other Systems - KB4014511 | KB4019112 | KB4014504
I developed the following PowerShell instructions that will assist you scan one computer or several computers in a network to check if the system is vulnerable and need a Windows Hot Fix or if its safe.
# Define a function to check MS17-010 patch for a single computer
function Check-MS17-010 {
param(
[string]$computer
)
Write-Host "Checking if $computer has MS17-010 patch installed..."
# List of KB numbers related to MS17-010 for various versions of Windows
$ms17_010_patches = @(
"KB4012212", # Windows 7 SP1, Windows Server 2008 R2 SP1
"KB4012215", # Windows 8.1, Windows Server 2012 R2
"KB4012216", # Windows Server 2012
"KB4012213", # Windows 10 1507
"KB4012214", # Windows 10 1511
"KB4012606", # Windows 10 1607, Windows Server 2016
"KB4013429" # Windows 10 1703
)
try {
# Retrieve installed hotfixes (KB patches) from the remote computer
$installed_patches = Get-HotFix -ComputerName $computer
# Check if any of the relevant patches are missing
$missing_patches = @()
foreach ($patch in $ms17_010_patches) {
if (-not ($installed_patches | Where-Object { $_.HotFixID -eq $patch })) {
$missing_patches += $patch
}
}
if ($missing_patches.Count -eq 0) {
Write-Host "$computer: MS17-010 patches are installed. System is not vulnerable."
} else {
Write-Host "$computer: Warning - Missing MS17-010 patches: $($missing_patches -join ', ')"
}
}
catch {
Write-Host "$computer: Unable to check patches. Error: $_"
}
}
# Define a function to check SMBv1 status for a single computer
function Check-SMBv1 {
param(
[string]$computer
)
Write-Host "Checking if SMBv1 is enabled on $computer..."
try {
$smb1_key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
$smb1_enabled = Invoke-Command -ComputerName $computer -ScriptBlock {
Get-ItemProperty -Path $using:smb1_key -Name SMB1 -ErrorAction SilentlyContinue
}
if ($smb1_enabled.SMB1 -eq 1) {
Write-Host "$computer: Warning - SMBv1 is enabled! Disable it to protect against ETERNALBLUE."
} else {
Write-Host "$computer: SMBv1 is disabled. The system is not vulnerable to ETERNALBLUE."
}
}
catch {
Write-Host "$computer: Unable to check SMBv1 status. Error: $_"
}
}
# Main script logic to read the computer list and perform checks
$computerListFile = "ComputerList.txt"
if (Test-Path $computerListFile) {
$computers = Get-Content $computerListFile
foreach ($computer in $computers) {
# Perform MS17-010 patch check and SMBv1 check
Check-MS17-010 -computer $computer
Check-SMBv1 -computer $computer
Write-Host "--------------------------------------------------"
}
} else {
Write-Host "Error: $computerListFile not found."
}
Microsoft products like Windows 7, Windows 8.1, and earlier versions of Windows Server (2008 R2 and 2012) are no longer supported, meaning they do not receive regular security updates or patches. These systems are vulnerable to exploits like WannaCry and ETERNALBLUE unless manually patched or upgraded.
Even though some products are out of support, Microsoft made an exception and released the MS17-010 patch for WannaCry and ETERNALBLUE vulnerabilities on unsupported systems, including:
You can find these patches on the Microsoft Update Catalog.
Some versions of Windows, such as Windows 7 and Windows Server 2008 R2, are eligible for Extended Security Updates (ESU). This program allows organizations to receive critical and important security updates for a few additional years. ESU is available for:
For more details on ESU, visit the Microsoft Lifecycle FAQ.
If your system is unsupported and you do not have ESU, you can still manually download and install available updates for out-of-support systems from the Microsoft Update Catalog:
To maintain full security and support, Microsoft recommends upgrading to newer, supported versions of Windows:
For more details, refer to the Windows Lifecycle FAQ on the Microsoft Docs site.
Copyright (c) 2017 Tiago Deretti Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.