wannacry cyber security SMB attack resellerclub blog

Patching Windows on ResellerClub Dedicated Servers to protect against the ‘WannaCry’ SMB Attack

What is “WannaCry’?

WannaCry is a ransomware attack that has (in)famously brought much of the world’s computers and servers to a complete standstill including critical systems such as UK’s healthcare network, Russia’s government systems and those of the Indian state, Andhra Pradesh. It makes use of an SMB (Server Message Block) vulnerability on Windows systems and spread rapidly across networks.

How does it work and where did it originate?

Many experts suspect that WannaCry aka WannaCrypt was based on some exploits leaked from the US Government’s NSA toolkit for cyber-attacks and works by encrypting all files in a server/device and threatening to delete all files unless a ransom of $300 is paid in the form of BitCoins. The attack is allegedly being orchestrated by a group that calls itself ShadowBrokers.

How do I know which systems are affected?

Most servers and personal computers that operate Windows 8 or older versions and do not have the latest security patches/updates from Microsoft are likely to be vulnerable. In this post, we address the steps you should take to protect your Windows Dedicated Server purchased from ResellerClub.

What do you need to do to protect your ResellerClub Windows Dedicated Server from a WannaCry?

Below are the steps you need to take to update/patch your Windows OS. Besides following the below steps, we strongly suggest that you install all latest patches released by Microsoft as there are newer, more resistant versions of the ransomware being reported in some countries.

You can update Windows using GUI and CUI. Although both the methods help you in doing some recommend that you should use GUI as there are very little chances of an error and it is easy to troubleshoot in case of issues.

Using GUI

Below are the steps you need to take in order to update/patch your windows using graphical user interface.

Step 1: Open the Windows update control panel. To open the same go, to Start > Type “windows update” > Enter or Start > Run > Type “wuapp.exe” in the run window and press enter.

using GUI RUN exe resellerclub blog

Step 2:

A. Click on “Check online for updates from Windows Update”. or

B. “Check for updates” whichever is available from A and B

C. If the automatic updating is not enabled in windows update setting then it will give an error, if it is the case then click on “Turn on automatic updates”

A

turn on automatic updates resellerclub blog

B

turn on automatic updates B resellerclub blog

C

turn on automatic updates C

Step 3: Select all important updates and click on “Install Updates”.

turn on automatic updates resellerclub blog

Step 4: As soon as the installation is finished, click on “Restart now” to reboot the server.

reboot server resellerclub blog

Step 5: After the reboot, start over with step 1 to ensure that there are no pending updates.

Using CUI

Below are the steps you need to take in order to update/patch your windows using Command line interface.

Method 1: Using Native Commands

Step 1: Start a command prompt window as an administrator. To do the same, go to Start > Type”Command Prompt” > Right Click on Command Prompt >
run as admin using CUI

Step 2: To check and update Windows, type the below command and press enter.

Command: 

  1. reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v AUOptions /t REG_DWORD /d 1 /f
  2. wuauclt.exe /detectnow /updatenow

Note: This will not work if you have set “Never check for updates” in Windows Update settings. In this case go for GUI option given above.

RUN command resellerclub blog

Step 3: After running the same when you open the Windows update control panel, you will be able to see the status of the installation.

Note: You will be able to see the status after at least 5-10 minutes of running the command as it will detect the updates first then it will start preparing to install the updates. If the status is not being shown then it is better to go for GUI option. Although you can check the status in the following log if you want to troubleshoot: C:\Windows\WindowsUpdate.log

preparing to install resellerclub blog

 

Step 4: Once the installation is finished, reboot the server by clicking on “Restart now”

restart now resellerclub blog

Step 5: After the reboot, start over with the step 1 to ensure that there are no pending updates.

Method 2: Using VB Script

To update Windows using a VB script provided by Microsoft in the below link, you have to follow the instructions provided in the link itself.

Note: We have tested the same on our test server and the script works seamlessly. You might have to enable automatic updating using below command before running the script

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update” /v AUOptions /t REG_DWORD /d 1 /f

https://msdn.microsoft.com/en-us/library/aa387102(v=vs.85).aspx

Verification Steps For SMB Attack Vulnerability After The Update

Verify on Windows 2008 R2

There are two patches released by Microsoft for Windows 2008 R2 as per the following document.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

  1. KB4012215
  2. KB4012212

Open Powershell window as Administrator and run below command:

if(get-hotfix | select-string “kb4012215”){Write-host “kb4012215 Installed successfully”}else{Write-warning “kb4012215 missing”}
if(get-hotfix | select-string “kb4012212”){Write-host “kb4012212 Installed successfully”}else{Write-warning “kb4012212 missing”}

The output will tell you if the server is patched properly, or if the update is missing.

windows powershell resellerclub blog

Verify on Windows 2012 R2

There are two patches released by Microsoft for Windows 2012 R2 as per the following doc.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

  1. KB4012213
  2. KB4012216

Open Powershell window as Administrator and run below command:

if(get-hotfix | select-string “kb4012213”){Write-host “kb4012213 Installed successfully”}else{Write-warning “kb4012213 missing”}
if(get-hotfix | select-string “kb4012216”){Write-host “kb4012216 Installed successfully”}else{Write-warning “kb4012216 missing”}

The output will tell you if the server is patched properly or the update is missing.

Follow these simple steps to install Microsoft’s security patch to tackle the situation. It’s best that you have this done as soon as possible to protect yourself.

 

References

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://msdn.microsoft.com/en-us/library/aa387102(v=vs.85).aspx

About Siddanth Pillai

Siddanth PillaiSiddanth can eat 7 hotdogs in one sitting. Apart from Content Marketing, he enjoys singing and is a professional Karate instructor

Siddanth Pillai

Siddanth Pillai

Siddanth can eat 7 hotdogs in one sitting. Apart from Content Marketing, he enjoys singing and is a professional Karate instructor