Over a million developers have joined DZone.

Detecting and Remediating WannaCry

DZone's Guide to

Detecting and Remediating WannaCry

While you've hopefully been able to put the WannaCry ransomware outbreak behind you, here are some tips on how to handle similar ransomware attacks.

· Security Zone ·
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

You’re probably aware of WannaCry, the ransomware infecting vulnerable Windows systems around the globe (if you’re not, this article is a good starting place).

As IT organizations scramble to learn what they can about WannaCry, many are finding it difficult to know if and where they’re vulnerable, let alone how to remediate vulnerable systems. This post should help you deal with WannaCry quickly.

Detecting WannaCry

Detecting whether or not you’re vulnerable to WannaCry is fairly straightforward. You simply need to know which patch level you’re at now. However, getting the patch level for every Windows system isn’t all that simple.

Luckily, you have Puppet. Puppet includes Facter, a tool for collecting metadata on hosts. We have written a Puppet module called puppetlabs/detect_wannacry that includes an external fact which detects whether a host is vulnerable to WannaCry. Puppet will distribute that external fact to every node on your infrastructure. From there, we can use the Puppet Query Language to query which systems are vulnerable.

Add the following line of code to your Puppetfile in order to include the puppetlabs/detect_wannacry module in your Puppet code base.

mod 'puppetlabs-detect_wannacry'

The detect_wannacry module includes a fact called wannacry_vulnerable that will have a value of either true or false.

Use the following Puppet Enterprise Orchestrator command to push the fact to every Windows node and collect the fact values:

puppet job run --query 'inventory[certname] { facts.os.name = "windows" and nodes { deactivated is null } }' --concurrency 40

(You can learn more about Orchestrator here.)

Now collect a list of the vulnerable systems with the following PQL query:

puppet query 'inventory[certname] { facts.wannacry_vulnerable = "true" }'

Remediating With Puppet

The quickest way to remediate is simply to disable SMBv1. SMBv1 is an old SMB protocol, and it's likely it can safely be disabled. Please first verify that this is the case for your infrastructure. It’s also important to note that fully disabling the SMBv1 protocol on Windows requires a reboot.

Add the following profile to manifests/wannacry.pp in your profile module:

class profile::wannacry {
  #Tested on Windows 2012 R2

  exec { 'Disable SMBv1 Protocol':
    command   => "Set-SmbServerConfiguration -EnableSMB1Protocol $false -force",
    provider  => powershell,
    unless    => "if (Get-SmbServerConfiguration | Select EnableSMB1Protocol) { exit 0 } else { exit 1 }",

  exec { 'Remove SMBv1 Feature':
    command   => "Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol",
    provider  => powershell,
    unless    => "if (Get-WindowsOptionalFeature -Online -FeatureName smb1protocol) { exit 0 } else { exit 1 }",

Commit the code and deploy it to the Puppet Enterprise master with the puppet code command (for more information about the 'puppet code' command, go here).

Finally, create a node group in the Puppet Enterprise web UI called “WannaCry” and make a rule that matches any nodes with the wannacry_vulnerable fact value of true, and assign the class profile::wannacry to it.

WannaCry Image 1

WannaCry Image 2

A Note on Patching

The best way to remediate WannaCry is to properly patch your vulnerable systems. However, not everyone has mature patch management practices in place, and sometimes verifying and orchestrating the patch can take valuable time. As soon as you can, the following patches should be applied to fully remediate WannaCry:

Windows Server 2008

  • KB4012212

Windows Server 2012

  • KB4012217
  • KB4015551
  • KB4019216

Windows Server 2012 R2

  • KB4012216
  • KB4015550
  • KB4019215

Windows Server 2016

  • KB4013429
  • KB4019472
  • KB4015217
  • KB4015438
  • KB4016635

Last Words on WannaCry

WannaCry is an example of why being prepared for a major vulnerability at any moment is critical to your ongoing IT operations. WannaCry isn’t the first global threat to come down the pike, and it certainly will not be the last. Having a reliable, easy-to-use configuration management system in place gives you a massive advantage when threats like WannaCry occur.

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

wannacry ,security ,ransomware

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}