Vin Ransomware Blog02

In light of the recent ransomware attack known as “WannaCry”, which has affected more than 99 countries: this attack is believed to use the exploit tool called “ETERNALBLUE”, which was leaked from the NSA by the hacker group called ShadowBrokers. The tool exploits a vulnerability in the SMB service of the machine in order to spread and propagate. This document provides the steps a reader can take to disable the SMB service; once the service is disabled, the malware can no longer propagate over it.

Please note: before proceeding further it is strongly advised to take a backup of the machine, because in some cases you will need to change the Windows Registry. If the steps are not followed carefully, it might even crash the machine.

For Windows 10/8/7

Windows 10 users can disable the SMB feature by following these simple steps:

1. Click on the Search option, search for “Windows Features”, and you will see the result “Turn Windows features on or off”.
2. Click that option and the following window appears:

Image: SMB feature in the “on” state

3. Now untick the SMB 1.0 box and click “OK”.

Image: SMB feature in the “off” state

This is the simplest way to disable the SMB 1.0 service.

Using PowerShell:

1. Go to the Start Menu and search for PowerShell.
2. The very first result you see is Windows PowerShell.

Image: Windows PowerShell

3. Right-click the result and select “Run as administrator”.
4. Wait for PowerShell to open (with administrator privileges).
5. Type the following command:

  • This command disables SMB v1:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Value 0 -Force


Image: PowerShell command to disable SMB1

  • This command disables SMB v2:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Value 0 -Force

Image: PowerShell command to disable SMB2
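The following script is an added example and is not part of the original post: it ties the GUI, PowerShell and registry methods together by exporting the LanmanServer\Parameters key as a backup, setting SMB1 = 0 exactly as the command above does, and then verifying the result through the registry, through Get-SmbServerConfiguration and through the SMB1Protocol optional feature where those exist. It assumes an elevated PowerShell 3.0 or later session; the $BackupDir path and the function names are this example's own choices. The registry change only takes effect after the Server service or the machine is restarted.

```powershell
# Added example, not from the original post: back up, disable and verify SMBv1 on the
# SMB *server* side, using the same LanmanServer\Parameters key the post describes.
# Assumes an elevated PowerShell 3.0+ session. Run with -WhatIf to preview the change;
# the new value only takes effect after the Server service or the machine is restarted.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Folder for the registry export taken before anything changes (constructed default path).
    [string]$BackupDir = "$env:ProgramData\SmbHardening"
)

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbServerRegistryState {
    # Reads the SMB1/SMB2 entries; an absent entry means the protocol is at its default (enabled).
    $props = Get-ItemProperty -Path $paramsKey -ErrorAction Stop
    [pscustomobject]@{
        SMB1 = if ($null -eq $props.SMB1) { 'not set (default: enabled)' } else { $props.SMB1 }
        SMB2 = if ($null -eq $props.SMB2) { 'not set (default: enabled)' } else { $props.SMB2 }
    }
}

function Backup-SmbServerParameters {
    # reg.exe export writes the whole subkey so the change can be reverted with "reg.exe import".
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ("LanmanServer-Parameters-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed (exit code $LASTEXITCODE)" }
    return $file
}

Write-Host 'Before:'
Get-SmbServerRegistryState | Format-List

if ($PSCmdlet.ShouldProcess($paramsKey, 'Set SMB1 = 0 (disable the SMBv1 server)')) {
    $backup = Backup-SmbServerParameters
    Write-Host "Backup written to $backup"
    # Only SMBv1 is switched off here. SMB2 is deliberately left alone: the same command with
    # -Name SMB2 would also remove the SMB 2 features listed under the drawbacks below.
    Set-ItemProperty -Path $paramsKey -Name SMB1 -Type DWORD -Value 0 -Force
}

Write-Host 'After:'
Get-SmbServerRegistryState | Format-List

# Cross-checks through the other two views the post uses, where the cmdlets exist
# (Windows 8 / Server 2012 and later; on Windows 7 only the registry view applies).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
}
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    # The checkbox in "Turn Windows features on or off" maps to this optional feature.
    Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue |
        Select-Object FeatureName, State
}
```

Save it as a .ps1 file and run it once with -WhatIf to see the planned change and the current state; the backup .reg file it writes is what you import to revert if a share or legacy device stops working after the restart.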


Disabling using Registry Key:

  • To enable or disable SMBv1 on the SMB server using the registry:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1
    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled
    Default: 1 = Enabled
  • To enable or disable SMBv2 on the SMB server using the registry:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB2
    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled
    Default: 1 = Enabled

Enabling and disabling SMB protocols on the SMB client:

The steps below apply to Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012.

  • Disable SMBv1 on the SMB client by running these commands:
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
  • Disable SMBv2 and SMBv3 on the SMB client by running these commands:
    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
    sc.exe config mrxsmb20 start= disabled
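The sc.exe commands above rewrite two registry values: the Start type of the mrxsmb10 / mrxsmb20 driver services and the DependOnService list of the LanmanWorkstation service. The following read-only audit script is an added example, not part of the original post, that reads those same values back so you can confirm the SMBv1 client is actually off (driver disabled and no longer a workstation dependency) before rebooting or rolling the change out further. It needs no elevation, and the function names are this example's own.

```powershell
# Added example, not from the original post: read-only audit of the SMB *client* state that
# the sc.exe commands above change. Nothing is modified; works in a normal PowerShell session.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Service start types as stored in the registry 'Start' value.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-SmbClientDriverState {
    param([Parameter(Mandatory)][string]$Driver)   # mrxsmb10 (SMBv1) or mrxsmb20 (SMBv2/3)
    $key = Join-Path $svcRoot $Driver
    if (-not (Test-Path $key)) {
        # Windows 8.1/10 builds with the SMB1 feature removed have no mrxsmb10 key at all.
        return [pscustomobject]@{ Driver = $Driver; Start = 'missing'; Present = $false }
    }
    $start = (Get-ItemProperty -Path $key -Name Start).Start
    [pscustomobject]@{
        Driver  = $Driver
        Start   = $startNames[[int]$start]
        Present = $true
    }
}

function Get-LanmanWorkstationDependencies {
    # DependOnService is a REG_MULTI_SZ; "sc.exe config lanmanworkstation depend=" rewrites it.
    (Get-ItemProperty -Path (Join-Path $svcRoot 'LanmanWorkstation') -Name DependOnService).DependOnService
}

function Test-Smb1ClientDisabled {
    # The SMBv1 client is off only when mrxsmb10 is disabled (or absent) AND the workstation
    # service no longer depends on it; a leftover dependency would still try to start the driver.
    $drv  = Get-SmbClientDriverState -Driver 'mrxsmb10'
    $deps = Get-LanmanWorkstationDependencies
    $driverOff    = (-not $drv.Present) -or ($drv.Start -eq 'Disabled')
    $noDependency = -not ($deps -contains 'mrxsmb10')
    [pscustomobject]@{
        Mrxsmb10Start        = $drv.Start
        WorkstationDependsOn = ($deps -join '/')
        Smb1ClientDisabled   = ($driverOff -and $noDependency)
    }
}

Test-Smb1ClientDisabled | Format-List
# SMBv2/3 should normally still be enabled on the client; this shows whether it is.
Get-SmbClientDriverState -Driver 'mrxsmb20' | Format-List
```

If Smb1ClientDisabled comes back False after the sc.exe commands, check which of the two conditions failed: a WorkstationDependsOn value still containing mrxsmb10 means the depend= command did not apply, while a Mrxsmb10Start other than Disabled means the start= command did not.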
The drawbacks of disabling SMB2:

Disabling SMB2 means losing the following SMB 2 features:

  • Request compounding – enables users to send multiple SMB 2 requests as a single network request
  • Larger reads and writes – better use of faster networks
  • Caching of folder and file properties – clients keep local copies of folders and files
  • Durable handles – when there is a temporary disconnection, it enables the connection to transparently rejoin the server
  • Improved message signing – HMAC SHA-256 replaces MD5 as the hashing algorithm
  • Improved scalability for file sharing – increases the number of users, shares, and open files per server
  • Support for symbolic links
  • Client oplock leasing model – automatically limits the volume of data transferred between the client and server, resulting in improved performance on high-latency networks and increased scalability of the SMB server
  • Large MTU support – for full use of 10-gigabyte (GB) Ethernet
  • Enhanced energy efficiency – clients that have open files to a server can sleep
