How to Prevent #WannaCry Ransomware by Blocking These Ports!

If you have already been infected by WannaCry, you may want to block these ports to avoid any damage to your computer. Let’s start by blocking some ports.

Ports to block:

  • 445 “This port replaces the notorious Windows NetBIOS trio (ports 137-139), for all versions of Windows after NT, as the preferred port for carrying Windows file sharing and numerous other services.”
  • 137
  • 138
  • 139

Step 1: How to block these ports to prevent WannaCry?

You can do it by making some changes to your registry.

  • Click “Start”, “Run”, and type “regedit” to open the registry editor.
  • Locate the registry key “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters”.
  • Right-click “Parameters”, select “New”, then “DWORD Value”.
  • Rename the DWORD value to “SMBDeviceEnabled”.
  • Right-click “SMBDeviceEnabled”, select “Edit”, and enter “0” as the value data.

Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Services\NetBT\Parameters
Name: SMBDeviceEnabled
Type: REG_DWORD
Value: 0

After completing step 1, restart your computer. Once it has booted up completely, make sure the port is closed. You can check this from CMD:

netstat -an | findstr 445

As you can see in the above screenshot, mine is listening because I haven’t closed it for this article, and I’m not infected with WannaCry. If you are infected, you must have an established connection with their servers.
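
A stricter version of the `netstat -an | findstr 445` check, as an added example that is not part of the original article: `findstr 445` also matches unrelated ports such as 49445 or 4455, so this Python script parses the output and reports only local listeners on ports 137-139 and 445, plus established outbound sessions to those ports. The sample netstat output and the names `classify`, `port_of` and `SAMPLE_NETSTAT` are constructed for illustration.

```python
import re

# Ports the page blocks: SMB on TCP 445, NetBIOS on UDP 137/138 and TCP 139.
WATCHED_PORTS = {137, 138, 139, 445}

# Constructed sample of Windows `netstat -an` output (not from the original page).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.100:139      0.0.0.0:0              LISTENING
  TCP    192.168.0.100:49445    203.0.113.7:443        ESTABLISHED
  TCP    192.168.0.100:50112    192.168.0.20:445       ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    192.168.0.100:137      *:*
  UDP    0.0.0.0:4455           *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def port_of(endpoint):
    """Return the numeric port of an endpoint like 0.0.0.0:445 or [::]:445."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def classify(netstat_text, ports=WATCHED_PORTS):
    """Split watched-port lines into local listeners and outbound connections."""
    listening, outbound = [], []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        # UDP rows carry no state column; a bound UDP socket is an open port.
        if port_of(local) in ports and (proto == "UDP" or state == "LISTENING"):
            listening.append((proto, local))
        elif state == "ESTABLISHED" and port_of(remote) in ports:
            outbound.append((local, remote))
    return listening, outbound

if __name__ == "__main__":
    open_ports, smb_out = classify(SAMPLE_NETSTAT)
    for proto, local in open_ports:
        print(f"still open: {proto} {local}")
    for local, remote in smb_out:
        print(f"outbound SMB/NetBIOS session: {local} -> {remote}")
```

On a real machine, save the output of `netstat -an` to a file and pass its contents to `classify`; an empty first list after the reboot means none of the four ports is still open locally.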

Step 2: Configure the firewall to prevent WannaCry

What does the firewall do about these infected ports?

Basically, it prevents you from establishing a connection with the infected servers that WannaCry is using, and prevents connections to port 445. So you need to add some inbound rules to block access to these ports.

Firewall Advanced Settings – Inbound Rules – right-click, New Rule – select UDP and enter 445 as the port number in the dialog box.

Step 3: Shut down the server service

Once you’re done with the firewall, you have to stop the services that are using that port. To do that, open CMD with administrator permissions.

Type:

net stop server

After that you need to restart your computer again.

Disable SMBv1


WannaCryToolkit scanner and removal toolkit

Trustlook has released a scanner and removal toolkit to help system administrators protect Windows computers that are either vulnerable to or have been infected with the dangerous strain of ransomware known as WannaCry.

Installation:

git clone https://github.com/apkjet/TrustlookWannaCryToolkit.git
cd TrustlookWannaCryToolkit/scanner/
pip install -r requirements.txt

Usage:

Usage: wannacry_tlscan.py host/network
Single host scan:
wannacry_tlscan.py 192.168.0.100
Scan a network:
wannacry_tlscan.py 192.168.0.0/24

1. Run

tl_wannacry_console.exe and tl_wannacry_no_console.exe prevent the WannaCry ransomware from encrypting the user’s files.

The two tools work in much the same way, except that tl_wannacry_console.exe comes with a console that shows some progress information, while tl_wannacry_no_console.exe runs in the background.

Users may want to add tl_wannacry_no_console.exe to the Windows startup script, so that every time the user starts the computer, the Trustlook WannaCry Vaccine Tool starts and prevents the system from being affected.

2. Add to Windows startup script

Add a tl_wannacry_no_console.exe value to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

 
