Ransomware Targeting SQL Servers and Exchange

Issue:

My nightmare came true: ransomware that self-propagates once inside your network and targets SQL Servers and Exchange Servers.

Wana Decryptor is quickly spreading via the SMB 1.0 security flaw that has been present in Windows operating systems for over 10 years (Microsoft should have plugged this exploit years ago). Microsoft recently came out with updates to patch the flaw near the beginning of this year. New variants are probably in the works, so patch all of your servers and desktops now! (Stop what you are doing and start patching: https://technet.microsoft.com/en-us/library/hh852344(v=ws.11).aspx)

The ransomware force-stops both the Exchange and SQL Server services and then encrypts the database files that are normally locked while those services hold them open. This ransomware targets the regular office file extensions as well.
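Because the ransomware has to stop the database services before it can touch their files, an unexpected stop of those services is an early warning sign. The script below is an added example (not code from the original post); it reads Service Control Manager event 7036 ("entered the stopped state") from the System log and reports stops of the SQL Server and Exchange services in a lookback window. The service display names in $ServiceNames and the 24-hour window are assumptions; adjust them for named SQL instances and your own hosts.

```powershell
# Added example, not from the original post: report recent stops of the SQL Server and
# Exchange services that the ransomware force-stops before encrypting database files.
# Event 7036 in the System log is written by the Service Control Manager on every
# service state change; its first property is the service display name, the second the new state.
# Assumptions: run as Administrator; $ServiceNames are the SCM display names on your hosts
# (named SQL instances use "SQL Server (INSTANCENAME)"); $Hours is the lookback window;
# the state string is the English "stopped" (localized systems differ).

param(
    [string[]]$ServiceNames = @(
        'SQL Server (MSSQLSERVER)',
        'Microsoft Exchange Information Store',
        'Microsoft Exchange Transport'
    ),
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Pull only SCM 7036 events in the window; the filter hashtable keeps the query server-side
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036
    StartTime    = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $name  = [string]$e.Properties[0].Value   # service display name
    $state = [string]$e.Properties[1].Value   # "running" / "stopped"
    if ($state -eq 'stopped' -and $ServiceNames -contains $name) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Service = $name
            State   = $state
        }
    }
}

if ($hits) {
    Write-Warning ("{0} stop event(s) for monitored services in the last {1} h; confirm each one was planned maintenance" -f @($hits).Count, $Hours)
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No stops of the monitored services in the last $Hours h"
}
```

Save it as a .ps1 and run it on the database and mail servers (or through Invoke-Command against a list of hosts). A stop with no matching change ticket, especially one followed by a burst of file renames on the data volumes, is the moment to isolate the host from the network.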

Quick Prevention for Windows Servers and Desktops:

#PowerShell Code
#The PowerShell code below stops the LanmanServer "Server" service from serving SMB 1.0
#Make sure your external firewall at least blocks TCP and UDP ports 137,138,139,445,3389 from the outside

#Disabling SMB 1.0 is usually safe to do if all of the servers on your network are Windows Server 2008 or higher
#(Reboot required. Run this command from within PowerShell on Windows Server 2012/Windows 8/Windows 10):
Set-SmbServerConfiguration -EnableSMB1Protocol $False -Confirm:$False

#(Reboot required. Run this command from PowerShell on Windows 7/Windows Server 2008/Windows Server 2008 R2)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

#(Reboot required. Run this command from within PowerShell, Windows Server 2012 or newer only):
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

To disable outbound SMB 1.0 connections to other file servers that still expose SMB 1.0 shares, run the commands below on servers and desktops (reboot required; Windows 7 or newer, and Windows Server 2008 or newer):

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
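After rebooting, it is worth confirming that every step above actually took effect on each host rather than trusting that the commands ran. The audit script below is an added example (not code from the original post): it checks the server-side SMB1 setting, the legacy registry value, the mrxsmb10 client driver and LanmanWorkstation dependency list, the SMB1 optional feature where the cmdlet exists, and whether the hotfixes you name are installed. The $RequiredKBs default is a placeholder; replace it with the MS17-010 hotfix id(s) for the host's operating system from the bulletin linked below.

```powershell
# Added example, not from the original post: audit a Windows host for the SMB 1.0 hardening
# steps listed above and report any that are still outstanding.
# Assumptions: run as Administrator; $RequiredKBs is a PLACEHOLDER to replace with the
# MS17-010 hotfix id(s) for this OS (they differ per Windows version).

param(
    [string[]]$RequiredKBs = @('KB0000000')   # PLACEHOLDER, see MS17-010 for the real ids
)

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $state = if ($Ok) { 'OK  ' } else { 'FAIL' }
    $findings.Add(('[{0}] {1}: {2}' -f $state, $Check, $Detail))
}

# 1. Server side: Set-SmbServerConfiguration exists on Windows 8 / Server 2012 and newer.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Add-Finding 'SMB1 server protocol disabled' (-not $smb1) "EnableSMB1Protocol = $smb1"
} else {
    # Older hosts (Windows 7 / Server 2008 / 2008 R2): the registry value written above.
    # A missing value means the default applies, and the default is SMB1 enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $shown = if ($null -eq $val) { '<not set, defaults to enabled>' } else { $val }
    Add-Finding 'SMB1 server registry value is 0' ($val -eq 0) "SMB1 = $shown"
}

# 2. Client side: the SMB 1.0 redirector driver (mrxsmb10) must be disabled (Start = 4)
#    and removed from the LanmanWorkstation dependency list, as the sc.exe commands do.
$mrxStart = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
             -Name Start -ErrorAction SilentlyContinue).Start
Add-Finding 'mrxsmb10 driver disabled' ($mrxStart -eq 4) "Start = $mrxStart (4 = disabled)"

$deps = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation' `
         -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
Add-Finding 'LanmanWorkstation does not depend on mrxsmb10' ($deps -notcontains 'mrxsmb10') `
            ('DependOnService = ' + ($deps -join ','))

# 3. Optional feature (where the DISM cmdlets exist); skipped silently on older builds.
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $feat = Get-WindowsOptionalFeature -Online -FeatureName smb1protocol -ErrorAction SilentlyContinue
    if ($feat) {
        Add-Finding 'SMB1 optional feature not enabled' ($feat.State -ne 'Enabled') "State = $($feat.State)"
    }
}

# 4. Patch level: every id in $RequiredKBs must appear in the installed hotfix list.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $RequiredKBs) {
    $present = $installed -contains $kb
    Add-Finding "Hotfix $kb installed" $present $(if ($present) { 'present' } else { 'missing' })
}

# 5. Informational: SMB/RDP ports this host is listening on. Listening is normal for a
#    file server; the point is to confirm the perimeter firewall blocks them from outside.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
              Where-Object { $_.LocalPort -in 139, 445, 3389 } |
              Select-Object -ExpandProperty LocalPort -Unique
    $findings.Add('[INFO] Listening TCP ports (verify external firewall): ' + (($listen | Sort-Object) -join ','))
}

$findings | ForEach-Object { Write-Output $_ }
if ($findings -match '^\[FAIL\]') { exit 1 }   # non-zero exit lets a scheduler or RMM flag the host
```

The script exits non-zero when any check fails, so it can be pushed out through your patch management tool and the hosts that still need work collected from the exit codes. On a file server, step 2 only matters if that server also maps shares from other machines; the server-side check in step 1 is the one that closes the hole the worm uses.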

Disable SMBv1 via Group Policy from sysadmin

Windows Security Patch Downloads:

SMB Vulnerability Patch Windows Updates:

SMB Vulnerability Patch for End of Life Operating Systems:


Resources:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://support.microsoft.com/en-us/help/4013389/title

https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/

How to Prevent Ransomware Infections

https://www.rootusers.com/disable-smb-version-1-0-windows-10/

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

http://windowsitpro.com/systems-management/q-how-can-i-disable-smb-20-windows-client


The Deprecation of SMB1 – You should be planning to get rid of this old SMB dialect

https://social.technet.microsoft.com/wiki/contents/articles/4197.how-to-list-all-of-the-windows-and-software-updates-applied-to-a-computer.aspx
