
Security Instructions to avoid Ransomware Attacks

WannaCry, also known as Wanna Decryptor ransomware, has been detected in BBNW NOC computers, and it is
observed that the malware is trying to spread to all connected systems. Important files and documents can be
encrypted; once the trigger is given, the computer will be locked for a ransom demanded in the virtual
currency Bitcoin. So far, no effective decryption method has been found. You are requested to follow the
instructions below to prevent infection and secure the BBNW NOC systems.

It has been observed that the WannaCry virus infects the hard drive via TCP port 445, which the system opens
during installation; the same applies to the Petya variant. The following details how to block port 445 in
Windows 7, 10, and XP in easy and simple ways. Before that, you may want to know what TCP port 445 is used
for, and likewise port 139.

Port 445 and Port 139

Port 445 and port 139 are Windows ports. Port 139 is used for Network Basic Input Output System (NetBIOS)
name resolution and port 445 is used for Server Message Block (SMB). Both serve Windows File and Printer
Sharing. In Windows 2000, Microsoft created a new transport for SMB over TCP and UDP on port 445, which
replaces the older implementation that ran over ports 137, 138 and 139. Keeping port 445 and port 139 open
leaves the hard disks exposed on these ports, i.e. you share your hard drives with anyone who can reach the
port, which allows deleting, formatting, planting viruses and so on.

You may understand port 445 in this way: if you close port 445, you will not be able to copy any file system
data to or from the path where port 445 is closed. For a domain host, this will definitely break Group
Policy. You will lose browsing capabilities to networks past the intranet network as well.

Know if Your Port 445 is Enabled or Not

Although port 445 is opened by the system on Windows in most cases, it is necessary to check it on your
host. Press the Windows + R key combination to open the Run box. Input “cmd” to start Command Prompt. Then
type “netstat -na” and press Enter. The “netstat -na” command lists all connections and listening ports,
with addresses and ports shown as numbers.

In one or two seconds, the output will appear. Scroll to the top and you will see the local address entry
for port 445. In the last column, the state is shown as “LISTENING”. This means TCP port 445 is open.

How to Close Port 445 in Windows 10/7/XP?

Since it is one of the most dangerous ports on the Internet and made way for the WannaCry attack, closing it
becomes urgent. There are three methods in total to disable port 445 in Windows 10, 7 and XP. All are simple
and easy to follow. Let’s get to know them one by one.

How to Block Port 445 in Windows Firewall?

The first method is the easiest one and it is suitable for almost every Windows user.

1. Go to Start > Control Panel > Windows Firewall and find Advanced settings on the left side.

2. Click Inbound Rules > New rule. Then in the pop-up window, choose Port > Next > TCP > Specific local
ports, type 445 and click Next.

3. Choose Block the connection > Next. Tick the three checkboxes and click Next. Specify the name and
description as you wish and click Finish.

4. Check that the rule has been created via Properties > Protocols and Ports > Local Port.

Actually, there is another way to stop port 445 with the help of Windows Firewall; it just works in a
different manner. Those who are used to command line operations will probably prefer method 2.

Close TCP Port 445 Opened by System on Windows 7 via CMD

Command line operations take effect immediately and once executed, you cannot go back. Therefore, general
users who are not familiar with this way of working should proceed with caution.

1. Type “cmd” in the search box, right-click cmd in the list and choose Run as administrator.

2. Input the following and press Enter:

netsh advfirewall set allprofiles state on

3. Input the following on a single line and press Enter:

netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"

Some users report that these methods do not work on their computers: when they go back to Command Prompt
to check, port 445 is still in “LISTENING”. In that case, we can try the third method, which is also simple.

How to Block TCP Port 445 via RegEdit?

Modifying the system registry can also help protect you from WannaCry ransomware. However, you cannot be
too careful while modifying the registry. It is a database for Windows system programs and installed
applications, and these programs might not run properly if you delete an important entry by accident.
Please back up the registry first, just in case.

1. Open Run box in the same way. Type “regedit” and press Enter.

2. Navigate to the path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters

3. Right-click the blank area and select New. Select DWORD (32-bit) Value or QWORD (64-bit) Value based
on your system type (32 bit or 64 bit).

4. Rename the new value to SMBDeviceEnabled. Next, right-click it and select Modify. In the pop-up window,
change Value data from 1 to 0. Click OK to confirm.

This method is effective and applies to almost every computer user. If you follow the steps strictly, no
mistakes will be made. Please note that you also need to disable the Windows Server service to strengthen
the protection against the WannaCry cyber attack.

1. Type “services.msc” in the Run box to open Windows Services.

2. Find Server and double-click it. It is normally near the middle of the service list.

3. In the pop-up window, select Disabled from the drop-down list and click OK.

Tips:

*The above methods can also be used to block port 139, port 135, port 137 and port 138. Just replace port
445 with these ports in the steps. It is suggested to close all of them temporarily.

*If you want to enable or open port 445 in Windows 7 in the future, just delete the newly created rule in
Windows Firewall, or change the value data from 0 to 1, or just delete the value in Registry Editor, or
switch Disabled to Automatic in Server Properties.
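
To confirm which of the controls above is actually in effect on a host, the following read-only PowerShell check can be run from an elevated prompt on Windows 7 or later (an added example, not part of the original instructions). It assumes English-language netstat and netsh output, the rule name Block_TCP-445 from the netsh step, and that the service displayed as Server has the service name LanmanServer.

```powershell
# Added example: read-only audit of the port 445 hardening steps on this page.
# Assumptions: English netstat/netsh output, elevated prompt, Windows 7 or later.
$tcpPorts = 135, 139, 445                 # TCP ports named on this page (137/138 are UDP)
$ruleName = 'Block_TCP-445'               # rule name used in the netsh step
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\services\NetBT\Parameters'

# 1. Listening sockets, parsed from "netstat -na" (handles 0.0.0.0 and [::]).
$listeners = @(netstat -na | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING' -and
        $tcpPorts -contains [int]$Matches[2]) {
        '{0}:{1}' -f $Matches[1], $Matches[2]
    }
})

# 2. Firewall rule: must exist, be enabled, and have Action = Block.
$rule   = netsh advfirewall firewall show rule name=$ruleName
$ruleOk = ($LASTEXITCODE -eq 0) -and
          [bool]($rule -match '^Enabled:\s+Yes') -and
          [bool]($rule -match '^Action:\s+Block')

# 3. Registry value from the RegEdit method (absent means the system default applies).
$reg = Get-ItemProperty -Path $regPath -Name SMBDeviceEnabled -ErrorAction SilentlyContinue
$regState = if ($reg) { $reg.SMBDeviceEnabled } else { 'not set' }

# 4. "Server" service: startup type and current state.
$svc = Get-WmiObject Win32_Service -Filter "Name='LanmanServer'"

# Report the four findings side by side; nothing on the host is changed.
$listenText = if ($listeners.Count) { $listeners -join ', ' } else { 'none' }
$ruleText   = if ($ruleOk) { 'enabled and blocking' } else { 'missing, disabled or not blocking' }
"Listening TCP sockets : $listenText"
"Firewall block rule   : $ruleText"
"SMBDeviceEnabled      : $regState"
"Server service        : StartMode=$($svc.StartMode) State=$($svc.State)"
```

A firewall block rule drops inbound connections but does not close the socket, so netstat keeps showing LISTENING while the rule is in place. Setting a service's startup type to Disabled likewise does not stop a service that is already running.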

Other Tips for Surviving WannaCry and Petya Worm Hack

Disabling TCP port 445 and other dangerous ports is one of the most important steps against ransomware.
Nevertheless, we can do more in other respects. Below are tips listed by security experts.

1. Disconnect network access first and then boot your computer if you don’t know whether your computer has
been hacked.

2. Install MS17-010 patch for Windows 7 and install anti-virus software.

3. Do not click suspicious links in emails or on websites.

4. Backup on a regular basis.

In the End

WannaCry ransomware is a global cyber attack that has attracted everybody’s attention. What we need to do
is arm ourselves and fight against the malicious hackers. Develop the habit of making regular backups of
your crucial data, and you won’t go mad the next time you face similar issues.

Please follow the following security best practices to remain secure.

1. Lock your computer when not in use or when away from the PC.
2. Shut down your PCs after working hours.
3. Don't install pirated software or software from unknown sources.
4. Install antivirus/antimalware software, scan daily and keep it up to date.
5. Enable the host-based firewall.
6. Stop file and printer sharing.
7. Be cautious while opening attachments.
8. Delete temporary files regularly.
9. Don't run remote access software such as TeamViewer, Ammyy Admin etc.
10. Use only genuine, licensed software and keep it up to date.
11. Install an ad blocker in the browser (uBlock Origin, NoScript, Adblock Plus).
12. Keep a backup of important files.
13. Practice password protection for files while sharing.
14. Don't upload official documents to any online or cloud service, e.g. Google, Dropbox, Gmail etc.
15. Use only the BSNL mail ID for official communication.
16. Use https while browsing websites.
17. Disable Flash.
18. Use strong passwords and change them at regular intervals.
19. Use disk encryption, if available. (Option available in all Windows 10 PCs)
20. Don't click on suspicious links received in emails or while browsing websites.
21. Clear private data from the web browser.
22. Avoid using USB memory devices.
23. Don't leave any device unattended.
24. Use a less privileged user for daily work and limit the administrative user to installing software.
25. Never provide passwords or other sensitive information (BSNL mail ID, username, bank account, credit
card) in response to an email or enter them on an untrusted site.
26. Disable the international credit limit for credit card holders.
27. Don't use wireless or any other source of internet access on NOC desktops.
28. Please see that all unauthorized hotspots are disabled in the NOC.
29. Please see that the vendors sitting in the NOC are following all security measures.
30. Report any incident observed to bbnw.isc@bsnl.co.in.

Information Security Cell,


BBNW NOC
