If you have already been infected by WannaCry, consider blocking these ports to avoid further damage to your computer. Let’s start by blocking some ports.
Ports to block:
- 445 “This port replaces the notorious Windows NetBIOS trio (ports 137-139), for all versions of Windows after NT, as the preferred port for carrying Windows file sharing and numerous other services.”
Step 1: How to block these ports to prevent WannaCry?
You can do it by making some changes to your registry.
- Click “Start”, “Run”, type “regedit” to open the registry.
- Locate the registry key “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters”
- Right-click “Parameters” and select “New”, “DWORD Value”.
- Rename the DWORD value to “SMBDeviceEnabled”
- Right-click “SMBDeviceEnabled”, select “Edit”, and enter “0” in the “numerical data” field.
Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Services\NetBT\Parameters
Name: SMBDeviceEnabled
Type: REG_DWORD
Value: 0
After completing step 1, restart your computer. Once it has booted up completely, check whether the port is closed. You can do this from CMD:
netstat -an | findstr 445
As you can see in the above screenshot, mine is listening, because I haven’t closed it for this article, and I’m not infected with WannaCry. If you are infected with it, you must have an established connection with their servers.
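The `findstr 445` filter above also matches unrelated rows such as port 4450 or an ephemeral port like 49445, so the result needs careful reading. The following added example (not part of the original article or the Trustlook toolkit) parses `netstat -an` text and reports only rows whose local or remote port is exactly 445; the sample output and the function names are constructed for illustration.

```python
# Added example: classify `netstat -an` rows by port number, not by substring.
# SAMPLE is constructed output for illustration; it was not captured from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4450           0.0.0.0:0              LISTENING
  TCP    192.168.0.100:49445    203.0.113.7:443        ESTABLISHED
  TCP    192.168.0.100:50112    192.168.0.23:445       ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""


def _port(endpoint):
    """Port of 'addr:port' or '[v6]:port'; None for wildcard endpoints like '*:*'."""
    tail = endpoint.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def smb_sockets(netstat_text, port=445):
    """Return the rows that really involve `port`, split by role."""
    found = {"listening": [], "inbound": [], "outbound": []}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local, remote = fields[:3]
        state = fields[3] if len(fields) > 3 else ""  # UDP rows carry no state
        if _port(local) == port:
            if state == "ESTABLISHED":
                found["inbound"].append(f"{remote} -> {local}")
            elif state == "LISTENING" or proto == "UDP":
                found["listening"].append(f"{proto} {local}")
        elif _port(remote) == port and state == "ESTABLISHED":
            found["outbound"].append(f"{local} -> {remote}")
    return found


if __name__ == "__main__":
    # On a real host, replace SAMPLE with the captured text of `netstat -an`.
    for role, rows in smb_sockets(SAMPLE).items():
        print(role, rows or "none")
```

After step 1 and the reboot, the "listening" list should be empty; any "inbound" or "outbound" rows show which hosts this machine is still exchanging SMB traffic with.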
Step 2: Configure the firewall to prevent WannaCry
What does the firewall do about these ports?
Basically, it prevents you from establishing a connection with the infected servers that WannaCry is using, and it prevents connections to port 445. So you need to add some inbound rules to block access to these ports.
Firewall Advanced Settings – Inbound Rules – right-click, New Rule – select UDP and enter 445 as the port number in the dialog box.
Step 3: Shut down the server service
Once you’re done with the firewall, you have to stop the services that are using that port. To do that, open CMD with administrator permissions.
net stop server
After that, you need to restart your computer again.
WannaCryToolkit scanner and removal toolkit
Trustlook has released a scanner and removal toolkit to help system administrators protect Windows computers that are either vulnerable to or have been infected with the dangerous strain of ransomware known as WannaCry.
git clone https://github.com/apkjet/TrustlookWannaCryToolkit.git
cd TrustlookWannaCryToolkit/scanner/
pip install -r requirements.txt
Usage: wannacry_tlscan.py host/network
Example:
wannacry_tlscan.py 192.168.0.100
wannacry_tlscan.py 192.168.0.0/24
Single host scan:
wannacry_tlscan.py 192.168.0.100
Scan a network:
wannacry_tlscan.py 192.168.0.0/24
tl_wannacry_console.exe and tl_wannacry_no_console.exe prevent the WannaCry ransomware from encrypting users’ files.
The two tools work pretty much the same, except tl_wannacry_console.exe comes with a console to show some progress information. tl_wannacry_no_console.exe runs in the background.
Users may want to add tl_wannacry_no_console.exe to the Windows startup script, so that every time the computer starts, the Trustlook WannaCry Vaccine Tool starts as well and prevents the system from being affected.
2. Add to Windows startup script
Add a tl_wannacry_no_console.exe value to the following registry keys so that it runs at Windows startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce