This is how to can stay safe from WannaCrypt, biggest ransomware attack ever!

Posted on Posted in Tech Feeds

When computers across the world were hit by a major ransomware attack over the weekend, pandemonium ensued. WannaCrypt, as it is called, is targeting both end users as well as corporate servers, locking them down and extorting an unlock fee from the victims. The worst part is how the malware used a vulnerability in Windows to spread the infection among unpatched systems. This news has been over the internet for the last couple of days. Let’s take a quick look at it before going for preventions because you cannot cure a disease unless you know about it.

What is WannaCrypt?

WannaCrypt is a ransomware module that is leaked by the hackers, who go by the name Shadow Brokers, in April this year as part of a set of tools used by the US National Security Agency (NSA) to spy on targets. Ransomware is a type of malware that infects a device and then encrypts the data. It then displays a message demanding the user to pay a fee (or ransom) to an individual or group via online before they can use the computer or even access their data again. Transactions are typically requested in Bitcoin, to remain untraceable, which in this case is $300.

How does it work?

Experts believe the initial infection might have been either been carried out by an advanced phishing attack, using emails loaded with the ransomware. Once WannaCry worms its way into a system, it encrypts the data, and then exploits a vulnerability in Microsoft’s Server Message Block (SMB) protocol to spread that infection. While ransomware is usually considered a rudimentary attack tool, this particular version was supercharged by its creators using secrets leaked from the NSA’s spy book. This is why it was so effective, shutting down hundreds of thousands of computers across the US, Europe, and even India, apart from others.

India is among the most vulnerable because a large number of organizations and individuals still rely on older, outdated versions of the Windows operating system. The country also has the highest number of pirated software users.

How to stay protected?

Today around 1 PM, we received mail from Microsoft stating the list of measure to be taken to prevent your system from any such ransomware attack. We are penning down everything so that if someone hasn’t received it yet, they will get to know about it from our website.

PS: If you are using Windows 10, then lucky you are, like us. Well, as of now.


Dear Customer,

Many organizations around the world were victims of malicious “WannaCrypt” software last week. Seeing businesses and individuals affected by cyber attacks such as this is painful. Our teams have worked relentlessly over the last few days to take all possible actions to protect our customers.

Here are a few things for your reference:

·         If you are using Windows Vista, 7, 8.1 & 10: In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Security Update enabled are protected against attacks on this vulnerability.
For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.

·         Activate Windows Defender: For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider whether they are protected.

·         If using an older version of Windows: Customers running versions of Windows that no longer receive mainstream support may not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we have released a Security Update for platforms in custom support only. Windows XP, Windows 8 and Windows Server 2003 Security Updates are broadly available for download now (see links below).

·         Additional Steps to consider: This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks). Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources.

More information on the malware is available from the Microsoft Malware Protection Center through the Windows Security blog. We are working with our customers to provide additional assistance as the situation evolves, and will update this blog with details as appropriate.

You may also want to read through the blog posted by Brad Smith, President and Chief Legal Officer, Microsoft, looking at the broader implications of the malicious “WannaCrypt” software attack.

If you have any questions or concerns:

·     Webinar: You may want to join the Webinar on Wannacrypt Attack Q&A, 22nd May, 11 am. Join here.

·     Email: Please write to us at Our team will respond to you on priority.

Thanks and regards,

Microsoft India Team


Further resources: 

Download English language security updates: Windows Server 2003 SP2 x64,Windows Server 2003 SP2 x86,Windows XP SP2 x64,Windows XP SP3 x86,Windows XP Embedded SP3 x86,Windows 8 x86,Windows 8 x64
Download localized versions for the security update for Windows XP, Windows 8 or Windows Server:
Read general information on ransomware:
Download MS17-010 Security Update:


Where can I find the official guidance from Microsoft?


Is the update available for Windows 2003 & Windows XP as well?

Yes. The link for download of the update is available at the end of this article


Will the update run on unlicensed Windows?

It is recommended that the update is run on a licensed version.


What about Windows 2003 R2?

The Windows 2003 update should get applied on Windows 2003 R2 as well.


Will the installation of the patch, prevent the occurrence of ransomware?

No. Applying MS17-010  is just preventing the malware from spreading, not giving protection against the infection itself. Based on reports, this malware is using Social Engineering to target companies.Please warn your users to not open, click or enable macros on email reception.

·         The priority is that your anti-virus can detect the malware.

·         Verify that you have up-to-date signatures, along with patching the Windows systems

·         Make sure that users have the level of knowledge required to never click on suspicious attachments even if they are displayed with a familiar icon (office or PDF document). Where an attachment opening offers the execution of an application, users must under no circumstances accept the execution and in doubt, users should you consult and/or consult the administrator.

·         Implementation of strong filtering in O365:

·         Exchange Online Protection





Security tips to Protect against Ransomware


Is the ransomware effective only if the user has administrative rights on the client machine?

No. This piece of ransomware, like most of the others, once executed, encrypts all files it can reach in the context of a user if the user is an admin on the box the outcome is more devastating. In addition, this ransomware also tries to disable shadow copies and make some registry changes in HKLM hive which require administrative privileges.

When it tries to spread it uses a vulnerability, which once exploited gives the malware SYSTEM level access on the target system. All this means that this attack may be very successful and destructive even if the users don’t have admin privileges on their unpatched workstations/servers.


Is only disabling SMB v1 Server (LanmanServer) on all our machines helps us to protect from this vulnerability?

Patch installation would be the first option. To answer the question, Yes. SMBV1 should be removed but in a planned way. Please refer the below link


Do we need to disable SMB v1 client (Lanmanworkstation) as well on all our machines?

No. It is only the SMBv1 server component (which means Lanmanserver), on the client machine and not Lanmanworkstation on the client machine.


What is the impact of removing SMBv1?

·         You’re still running XP or WS2003 under a custom support agreement

·         Windows XP will not be able to access shares on a Windows 2003 Server or any other Operating System

·         Windows Vista and above Operating System will not be able to access shares on a Windows 2003 Member Server or Domain Controller (if you still have them in the environment)

·         You have some decrepit management software that demands admins browse via the ‘network neighborhood’ master browser list

·         You run old multi-function printers with antique firmware in order to “scan to share”


Please refer the below article for more details


If we have to disable smb v1 Server service, what are the registry values to disable it?

When using operating systems older than Windows 8.1 and Windows Server 2012 R2, you can’t remove SMB1 – but you can disable it: KB 2696547- How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

Please refer to the below link for more details


How do we know SMB v1 is active in our environment.  Can we proactively check it?

Yes. Please test this, before using in the production environment.


Windows 2016 and Windows 10 provides a way to audit usage of SMBv1, which can be found here


Is Windows 10 affected as of now?
The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack as of now.
Customers running Windows 10 were not targeted by the attack today.


That being said, Windows 10 systems also need to be patched, because the variants can be developed. In addition to this, it would be recommended to remove SMBv1 from the clients and Windows servers, after doing a complete review of the below-mentioned article.

Leave a Reply

Your email address will not be published. Required fields are marked *