Published September 18th, 2023 by Avigdor Book
The massive “WannaCry” ransomware attack, a form of malware, wreaked havoc across the globe in May 2017, impacting at least 150 countries and hitting banks, hospitals, telecom providers, and government institutions. Attackers exploit operating-system flaws and zero-day vulnerabilities to launch such cyber threats. While the infosec community has a plethora of security best practices to defend against ransomware attacks, including firewall best practices to block ransomware, antivirus tools, and ransomware protection strategies, let’s take a closer look at exactly what Tufin customers need to know, and the steps they can take to prevent this and similar ransomware threats in the future.
First, some background on WannaCry
The vulnerability the attackers were exploiting is in the SMB component in Windows, part of Microsoft’s suite of operating systems. Server Message Block (SMB) is a network protocol that provides file and printer sharing services in Windows systems. SMB may be used inside the corporate network for sharing files and printers; however, it should never be allowed beyond the corporate network, especially via remote access over Wi-Fi.
This is so strongly recommended, in fact, that an advisory posted in January 2017 by the United States Computer Emergency Readiness Team (US-CERT) recommends blocking “all versions of Server Message Block (SMB) at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.” This measure prevents the WannaCry attack and should be implemented on business and home firewalls alike.
How to prevent the WannaCry ransomware attack
Configure all your perimeter firewalls (or routers) to block all inbound access to TCP port 445, as part of your network security strategy.
A few points to consider:
Configure this rule on your perimeter (also known as “boundary”) firewalls. This will prevent any SMB traffic, including malicious code and ransomware-as-a-service payloads, from entering or leaving the corporate network.
Some firewalls only offer a single “port” field; in that case, enter 445 in the “port” field just as you would in the “destination port” field described above. Be sure to follow firewall best practices to block ransomware.
For zone-based firewalls (like Palo Alto Networks and Fortinet), and firewalls that attach their policy or ACL to a network interface (like Cisco ASA), set “source” to the external or untrusted zone/interface and “destination” to the internal zones/interfaces.
The best approach is to explicitly block all inbound access to TCP 445 at the top of the rule base, so that a permissive rule further down cannot mistakenly open it up.
We also recommend blocking port 445 on internal firewalls to segment your network and prevent lateral movement – this will prevent internal spreading of the ransomware.
Note that blocking TCP 445 will prevent file and printer sharing – if this is required for business, you may need to leave the port open on some internal firewalls.
If file sharing is needed externally (for example, for home users), use a VPN or remote desktop protocol to provide access to it.
You may also want to block TCP 445 with a host-based firewall such as iptables, as part of your advanced threat prevention system.
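As an added example (not Tufin’s code or any vendor’s API), the check below walks a constructed, simplified rule base top to bottom and reports allow rules that expose the SMB ports named in the US-CERT guidance from an untrusted zone, whether listed explicitly or through a service group, unless an earlier explicit deny already covers them; the zone names, group names and rule layout are hypothetical.

```python
"""Audit a simplified firewall rule base for inbound SMB exposure."""
from dataclasses import dataclass

# Ports named in the US-CERT guidance quoted above.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Constructed service-group table (hypothetical names, not a vendor's).
SERVICE_GROUPS = {
    "MS-Networking": ["tcp/445", "tcp/139", "udp/137", "udp/138"],
    "Web": ["tcp/80", "tcp/443"],
}

@dataclass
class Rule:
    name: str
    src_zone: str   # "untrusted", "internal", ... or "any"
    services: list  # "proto/port" entries, group names, or "any"
    action: str     # "allow" or "deny"

def expand(services):
    """Resolve service and group names to (proto, port) tuples.
    'any' counts as every SMB port, since that is all this check cares about."""
    ports = set()
    for s in services:
        if s == "any":
            return set(SMB_PORTS)
        for member in SERVICE_GROUPS.get(s, [s]):
            proto, port = member.split("/")
            ports.add((proto, int(port)))
    return ports

def smb_findings(rules, untrusted=("untrusted", "any")):
    """Walk the rule base top to bottom, as the firewall does, and report allow
    rules exposing an SMB port from an untrusted source zone that no earlier
    explicit deny already covers (so a deny at the top silences all of them)."""
    findings, denied = [], set()
    for r in rules:
        ports = expand(r.services) & SMB_PORTS
        if not ports or r.src_zone not in untrusted:
            continue
        if r.action == "deny":
            denied |= ports        # remembered for every later rule
            continue
        exposed = sorted(ports - denied)
        if exposed:
            findings.append((r.name, exposed))
    return findings
```

Running `smb_findings` over a rule base with a catch-all `deny` of the SMB group at the top returns an empty list; the same rules without that top entry surface each permissive rule and the exact ports it leaks.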
Protect against the WannaCry ransomware attack with Tufin
Tufin provides several tools that allow customers to get a bird’s-eye view of their firewall policies and prepare reports for management:
Tufin’s Rule Viewer allows customers to:
Quickly scan all firewalls for rules that allow TCP 445, whether explicitly or through service groups.
Tufin’s Network Topology Map allows customers to:
Test whether traffic on port 445 can enter your networks, as part of the IT security assessment.
If your network is properly set up on-premises, use the Interactive Path Analysis capability to examine potential routes from the internet (use 22.214.171.124 as the source) to internal networks.
Tufin’s Unified Security Policy allows customers to:
Restrict access between the Internet and internal networks to prohibit TCP 445, as an anti-ransomware strategy.
See violations in the SecureTrack+ Dashboard and the Rule Viewer, as part of a ransomware prevention system.
Prevent future opening of SMB ports, following ransomware prevention methods.
For more details on how to define your Unified Security Policy, click here.
Additionally, customers can use Tufin’s Security Policy Builder to build and deploy their corporate network segmentation framework.
Take action now to protect your network against ransomware attacks! Click here to access our demo and witness firsthand how Tufin’s advanced capabilities can scan, assess, and control network access, effectively safeguarding your systems from potential threats. Don’t wait – secure your network’s future today!