My nightmare came true; a ransomware that is self-propagating once inside your network and targets SQL Servers and Exchange Servers.
Wana Decryptor is quickly spreading via the SMB 1.0 security flaw that has been present in Windows operating systems for over 10 years (Microsoft should have plugged this exploit years ago). Microsoft recently came out with updates to patch the flaw near the beginning of this year. New variants are probably in the works, so patch all of your servers and desktops now! (Stop what you are doing and start patching. https://technet.microsoft.com/en-us/library/hh852344(v=ws.11).aspx)
The ransomware force-stops both the Exchange and SQL Server services and then encrypts the database files that would normally be locked while in use. This ransomware targets the regular office file extensions as well.
Quick Prevention for Windows Servers and Desktops:
# PowerShell Code
# The PowerShell commands below stop the LanmanServer ("Server") service from serving SMB 1.0.
# Make sure your external firewall at least blocks TCP and UDP ports 137, 138, 139, 445 and 3389 from the outside.
# Disabling SMB 1.0 is usually safe to do if all of the servers on your network are Windows Server 2008 or higher.

# (Reboot required. Run this command from within PowerShell on Windows Server 2012 / Windows 8 / Windows 10):
Set-SmbServerConfiguration -EnableSMB1Protocol $False -Confirm:$False

# (Reboot required. Run this command from PowerShell on Windows 7 / Windows Server 2008 / Windows Server 2008 R2):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

# (Reboot required. Run this command from within PowerShell, Windows Server 2012 or newer only):
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
To disable SMB 1.0 client connections to other file servers that still expose SMB 1.0 shares, run the commands below on servers and desktops (reboot required; Windows 7 or newer and Windows Server 2008 or newer):
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Windows Security Patch Downloads:
SMB Vulnerability Patch Windows Updates:
- Currently Supported Operating Systems: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
SMB Vulnerability Patch for End of Life Operating Systems:
- Windows Server 2003 x86 KB4012598 https://www.microsoft.com/en-us/download/details.aspx?id=55248
- Windows Server 2003 x64 KB4012598 https://www.microsoft.com/en-us/download/details.aspx?id=55244
- Windows XP SP3 KB4012598 https://www.microsoft.com/en-us/download/details.aspx?id=55245
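After running the server-side and client-side commands above and installing the patches, you want a way to confirm that a host is actually hardened rather than assume it. The audit script below is an added example written for this post; it is not code from the original article or from Microsoft. It reads back the same settings the commands above change (the Set-SmbServerConfiguration flag, the LanmanServer SMB1 registry value, the smb1protocol optional feature and the mrxsmb10 driver start type) and checks for the KB4012598 hotfix that the end-of-life download list references. The function names Get-Smb1Status and Test-Smb1Hardened are my own; the KB number is only the one the post lists for XP and Server 2003, so on currently supported systems pass the KB from the MS17-010 bulletin for that OS instead. Assumes PowerShell 3 or newer; cmdlets that do not exist on older builds are caught so the report still completes.

```powershell
# Added example (not from the original post): audit a Windows host for SMB 1.0 exposure
# and for the presence of the MS17-010 hotfix. Run from an elevated PowerShell prompt.

function Get-Smb1Status {
    param(
        # KB4012598 is the KB the post lists for Windows XP / Server 2003 only;
        # supported OS versions use a different KB id taken from the MS17-010 bulletin.
        [string]$HotfixId = 'KB4012598'
    )
    $result = [ordered]@{
        ComputerName            = $env:COMPUTERNAME
        ServerSmb1Enabled       = $null   # from Get-SmbServerConfiguration (Windows 8 / Server 2012 and newer)
        ServerSmb1RegistryValue = $null   # HKLM\...\LanmanServer\Parameters\SMB1 (Windows 7 / Server 2008 method)
        Smb1OptionalFeature     = $null   # state of the smb1protocol optional feature (Server 2012 and newer)
        ClientMrxSmb10Start     = $null   # start type of the mrxsmb10 client driver (sc.exe config mrxsmb10 start= disabled)
        Tcp445Listening         = $null   # whether the host listens on TCP 445 at all (SMB2/3 still use it)
        HotfixInstalled         = $null   # whether $HotfixId shows up in Get-HotFix
    }

    # 1. Server-side flag via the SMB cmdlets; absent on Windows 7 / Server 2008 R2 and older.
    try {
        $cfg = Get-SmbServerConfiguration -ErrorAction Stop
        $result.ServerSmb1Enabled = [bool]$cfg.EnableSMB1Protocol
    } catch { $result.ServerSmb1Enabled = 'cmdlet unavailable' }

    # 2. Registry value written by the Set-ItemProperty command in the post. A missing value
    #    means the default applies, and the default is SMB 1.0 enabled.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $prop = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $result.ServerSmb1RegistryValue = $prop.SMB1 }
    else                 { $result.ServerSmb1RegistryValue = 'not set (defaults to enabled)' }

    # 3. Optional feature state, the target of Disable-WindowsOptionalFeature on Server 2012 and newer.
    try {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
        $result.Smb1OptionalFeature = $feat.State.ToString()
    } catch { $result.Smb1OptionalFeature = 'feature query unavailable' }

    # 4. Client-side driver. "sc.exe config mrxsmb10 start= disabled" sets Start=4 on this key.
    $drvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $drv = Get-ItemProperty -Path $drvKey -Name Start -ErrorAction SilentlyContinue
    if ($null -ne $drv) {
        $result.ClientMrxSmb10Start = switch ($drv.Start) {
            4 { 'disabled' } 3 { 'demand' } 2 { 'auto' } default { "start=$($drv.Start)" }
        }
    } else { $result.ClientMrxSmb10Start = 'driver not present' }

    # 5. Listener check with netstat, which works on every build the post covers.
    $listen = netstat -an | Select-String -Pattern ':445\s+\S+\s+LISTENING'
    $result.Tcp445Listening = [bool]$listen

    # 6. Hotfix presence by KB id.
    $hf = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
    $result.HotfixInstalled = [bool]$hf

    [pscustomobject]$result
}

function Test-Smb1Hardened {
    param([Parameter(Mandatory)]$Status)
    # Any one of the three server-side methods from the post is enough to turn SMB 1.0 serving off.
    $serverOff = ($Status.ServerSmb1Enabled -eq $false) -or
                 ($Status.ServerSmb1RegistryValue -eq 0) -or
                 ($Status.Smb1OptionalFeature -eq 'Disabled')
    # Client side is off when the mrxsmb10 driver is disabled or not installed at all.
    $clientOff = $Status.ClientMrxSmb10Start -in @('disabled', 'driver not present')
    [pscustomobject]@{
        ServerSmb1Disabled = $serverOff
        ClientSmb1Disabled = $clientOff
        HotfixInstalled    = $Status.HotfixInstalled
        Hardened           = ($serverOff -and $clientOff -and $Status.HotfixInstalled)
    }
}

# Usage: print the raw settings, then the pass/fail summary.
$status = Get-Smb1Status
$status | Format-List
Test-Smb1Hardened -Status $status | Format-List
```

Tcp445Listening is reported for context only and is deliberately left out of the Hardened verdict: a host with SMB 1.0 disabled still listens on 445 for SMB 2/3, so an open port by itself says nothing about the SMB 1.0 flaw. To run the audit across a fleet, wrap Get-Smb1Status in Invoke-Command against your server list and keep the objects it returns so that hosts still reporting "not set (defaults to enabled)" or a missing hotfix can be scheduled for the reboot the post's commands require.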