Protect against WannaCry Ransomware: Microsoft issues Patch for Unsupported Windows (XP, Vista, 8,...)

You might have read my previous article about - What is WannaCry and How it works? And now, it is the time to provide solution to prevent yourself from the WannaCry ransomware.

In the wake of the largest ransomware attack in the history that had already infected lakhs of Windows systems worldwide since last few days, Microsoft just took an unusual step to protect its customers with out-of-date computers.

We know that the older Windows systems such as  Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions are no longer supported by Microsoft. Microsoft stopped supporting these systems with the release of newer windows versions. But still after this attack took place, Microsoft once thought about their users who were still using older windows versions and they found a patch for these older and unpatched(vulnerable) systems. This happens very rarely..

Microsoft has just released an emergency security patch update for all its unsupported version of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008 Editions. So, if your organization, for some reason, is still running on Windows XP or Vista, you are strongly advised to download and APPLY PATCH NOW!

WannaCrypt, or also known as WannaCry, is a new ransomware that wreaked havoc across the world last night, which spreads like a worm by leveraging a Windows SMB vulnerability (MS17-010) that has been previously fixed by Microsoft in March.

A large number of successful infections of the WannaCry ransomware at an astonishing pace concludes that either significant number of users have not yet installed the security patch released in March (MS17-010) or they are still running an unsupported version of Windows for which Microsoft is no longer releasing any security update.

Fortunately, Windows 10 customers were not targeted in Friday’s attack. In March, Microsoft patched the vulnerability that the ransomware exploits—but only for newer Windows systems. That’s left older Windows machines, or those users who failed to patch newer machines, vulnerable to Friday’s attack. Hence if your are running on newer Windows version like Windows 10, then you are safe..!

"The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack," Microsoft says.

Now to see how to prevent from getting your PC affected with WannaCry, first we should know how it works. So let us see it first.

How WannaCry works?

Such ransomware infection typically leverages social engineering or spam emails as a primary attack vector, tricking users into downloading and executing a malicious attachment.

WannaCry is also leveraging one such social engineering trick, as FoxIT researchers uncovered one variant of the ransomware that is initially distributed via an email containing a link or a PDF file with payload, which if clicked, installs WannaCry on the targeted system.

Once executed, the self-spreading WannaCry ransomware does not infect the targeted computers immediately, as malware reverse engineers found that the dropper first tries to connect the following domain, which was initially unregistered:

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

If the connection to the above-mentioned unregistered domain fails (which is obvious), the dropper proceeds to infect the system with the ransomware that would start encrypting files.

But if the connection is successful, the dropper does not infect the system with the WannaCry ransomware module.

How to prevent getting affected by WannaCry Ransomware?

A security researcher, tweeting as MalwareTech, did the same and registered the domain mentioned above, accidentally triggering a "kill switch" that can prevent the spread of the WannaCry ransomware, at least for now.

Malware Tech registered this domain by spending just £10, which makes the connection logic successful.

"In other words, blocking the domain with firewall either at ISP or enterprise network level will cause the ransomware to continue spreading and encrypting files," Microsoft warned.

If infected, the malware scans the entire internal network and spread like a worm into all unpatched Windows computers with the help of SMB vulnerability.

The SMB vulnerability has been identified as EternalBlue, a collection of hacking tools allegedly created by the NSA and then subsequently dumped by a hacking group calling itself "The Shadow Brokers" over a month ago.

Hence, one of the solutions to prevent yourself is this Kill Switch. But it is somewhat hard to be implemented. So, here are some more methods which can be helpful in this case.

Top 7 Steps that can protect you from WannaCry Ransomware

Currently, there is no WannaCry decryption tool or any other solution available, so users are strongly advised to follow prevention measures in order to protect themselves.

• Keep your system Up-to-date: First of all, if you are using supported, but older versions of Windows operating system, keep your system up to date, or simply upgrade your system to Windows 10.
• Using Unsupported Windows OS? If you are using unsupported versions of Windows, including Windows XP, Vista, Server 2003 or 2008, apply the emergency patch released by Microsoft today.
• Enable Firewall: Enable firewall, and if it is already there, modify your firewall configurations to block access to SMB ports over the network or the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138.
• Disable SMB: Follow steps described by Microsoft to disable Server Message Block (SMB). (Click here to get easy steps..)
• Keep your Antivirus software up-to-date: Virus definitions have already been updated to protect against this latest threat.
• Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.
• Beware of Phishing: Always be suspicious of uninvited documents sent an email and never click on links inside those documents unless verifying the source.

Important Update: If you are thinking that activating the kill-switch has completely stopped the WannaCry Ransomware, then you are mistaken. WannaCry 2.0 version has just arrived without any 'kill-switch' function. Get prepared for the next massive wave of ransomware attacks.

I will post more on WannaCry v2.0 in my next article as I have to maintain length of each article. So stay connected with us to stay Updated...! Thank you.