Last week, a Honda plant in Japan was forced to shut down for a day while managers cleared it of the WannaCry ransomware worm that had infected its unpatched Windows computers. A similar event took out some 50 traffic cameras in Australia. And they’re not alone as the WannaCry ransomware worm continues to attack and take down computers and control systems worldwide.
This probably delights North Korea’s crazed terrorist dictator Kim Jong Un, who was reportedly responsible for his government creating the worm in the first place, according to The Washington Post. Apparently the unsophisticated approach points at that rogue nation’s Reconnaissance General Bureau, which is what they call their spy agency.
Considering that Microsoft released a patch that fixed the vulnerability that WannaCry requires back in March, it must seem a mystery why this continues to happen. But it’s not a great mystery, says John Chirhart, federal technical director for Tenable Network Security. The reason, according to Chirhart, is fear.
“There’s always the fear of the unknown with the patch,” Chirhart said, while also pointing out that this is really just an excuse. “People are betting against the likelihood of a patch taking something down versus malware.”
That approach needs to be challenged, Chirhart said, and that includes changing the way companies protect themselves. “One way is air gaps,” he said, pointing out that is how Honda was protecting its manufacturing equipment. “Air gaps provide no security. There is no such thing as an air gap,” Chirhart claimed.
He pointed out that all it takes is a USB memory stick or an Ethernet jumper cable to bridge any air gap. If there was any doubt about the ineffectiveness of an air gap, which means to keep computers from being connected to the internet, it was demonstrated by the Stuxnet infection that took out the Iranian nuclear processing facilities a few years ago.
Because you can’t depend on the effectiveness of an air gap, you need to take other steps to eliminate or reduce the threat of a worm such as WannaCry, which depends on the existence of an unpatched Server Message Block (SMB) version 1 protocol in Windows. The SMBv1 attacks are part of a series of vulnerabilities released by ShadowBrokers last year. They’re based on a leaked National Security Agency (NSA) tool called EternalBlue.
Even though Microsoft has released a patch that eliminates the vulnerability, there are millions of computers that haven’t been fixed. According to Varun Badhwar, co-founder and CEO of Redlock, a cloud security company, the worm is still attacking the weakest links. “Some embedded devices seem to be targeted,” Badhwar said. “The biggest challenge is the lack of visibility.”
Badhwar said that in many cases control systems and other types of embedded computers are the most vulnerable because updating them is very difficult or impossible.
How to Protect Against WannaCry
Fortunately, there are steps that can be taken, the most obvious of which is to simply patch your computers and understand that the patch is certainly a lower threat than an attack by a worm.
But suppose you can’t patch a system, either because it’s running applications that depend on an old version of Windows without patches or because it’s an embedded system without the ability to apply a patch.
Then if the system is manageable at all, Microsoft has a detailed article on how to disable the SMBv1 protocol on a wide variety of systems, including legacy systems. The instructions include details on how to disable the protocol on enterprise systems using group policies, Server Manager, PowerShell, and even the Add or Remove Programs app in newer versions of Windows.
I was able to use the “Turn Windows Features On or Off” menu to uncheck the box for SMB 1.0/CIFS File Sharing Support, which removes the protocol from the computer completely. According to statements by Microsoft, this protocol is unnecessary and disabling it won’t negatively impact operations of a computer. It will, however, stop the worm from infecting it.
You can also make sure that you close the Windows SMB port on a device, which will keep the worm from getting into the computer and taking advantage of the vulnerability. The port you want to close is Port 445, and you can check to see its status using the free tool from You Get Signal.
Inaction Isn’t an Option
But the bottom line is that you must do something. Disconnecting your computers from the internet and hoping for the best might delay the worm’s attack—or it might not, as Honda found out. In this case, inaction is the same as irresponsibility.
Fortunately, there is some hope for the future. Microsoft has already released the next big revision of Windows 10 for testing. Notably, this new version disables SMBv1, which in turn eliminates that threat.
But just because SMBv1 is going away as a problem does not mean it’s gone away. If your systems aren’t getting Windows 10 updates, and if you’re not applying the patches that Microsoft is providing even for Windows XP, and you’re not doing anything else to prevent infection, all you’re really accomplishing is to ensure that you’re going to be taken down.
I don’t think I’d want to be in that position.