WannaCrypt and Friends: Identify and Mitigate Vulnerabilities

4/26/2018 4018 Contributors

Upon hearing the news of WannaCrypt and its destruction, you need to check for and patch any vulnerable systems.

Microsoft recommends patching all machines to the latest available update release. PDQ Deploy can be used to perform these updates. We also have a handy (and short) video reference located Here.

Discovery of Vulnerable Computers:
For those with PDQ Inventory, there are two methods to discover whether a machine or group of machines is vulnerable to the WannaCrypt worm and variants.

The first method is to use the Collection Library collections. We have pre-built collections that show the status of your computers based on OS/version and whether they have the latest updates or not. If they have the latest updates, they are likely not vulnerable.
We have also built a specific collection for the WannaCrypt issue to give you an immediate view of which machines are or are not vulnerable. That collection is also in the Collection Library under Windows Updates and is called WannaCrypt Patch (MS17-010).
NOTE: If you don’t see the collection, click on the Collection Library tree item and press F5 to refresh the collections.

The second method is to create your own Dynamic Collection that will list all machines lacking the applicable update. Below is an example of the filter you will want to use:
That massive regular expression is below for your copy-pasting pleasure:


Patching Vulnerable Computers:
For supported versions of Windows:
Applying the latest Cumulative Update (Windows 10, Server 2016) or Security Only / Monthly Rollup (Windows 7, 8.1, Server 2008 R2, 2012 R2) will apply the appropriate patch for the SMBv1 vulnerability utilized by WannaCrypt and friends.

Windows 10 (1703) was released after the patch for SMBv1 and is therefore not vulnerable.

For all supported versions of Windows, PDQ Deploy contains pre-built, Enterprise packages available in the Package Library. (If you need a fully-functional Enterprise trial, you can get that Here. During your trial, you can download 3 packages).

Because we do not publish Windows Update packages that contain Conditions to deploy to server operating systems, you may need to modify the default package or create a duplicate package for deploying to servers. To change

1. Check the KB number against the Windows Update Catalog (usually a search for the KB number) for the supported OS and architecture.

2. Once you have determined the update file and KB are applicable to your server, click on the Conditions tab in the package’s Install step(s).

3. Modify the Conditions to include the applicable server. For example:

4. Modify the Step Title to reflect the changes and then save.

5. Test thoroughly to ensure the package will work on the server(s) as expected.

The following packages from the Package Library will all update your machines so they are not vulnerable, with the exception of the 1703 update since it is not necessary:


For versions of Windows that are no longer supported (XP, Server 2003/R2, Vista, 8):
Microsoft released This Article. For these legacy operating systems, KB4012598 was released to patch the SMBv1 vulnerability.

A package has been published in the Package Library for out-of-support operating systems. The package will install KB4012598. The WannaCrypt Out of Band Patches (Old OS) package is available for anyone with a Pro or Enterprise license of PDQ Deploy (a trial can be obtained Here).

This package is provided as-is and has not been thoroughly tested. Use it at your own risk. Please use caution and properly test the package before deploying to any mission critical or other production systems.

In PDQ Deploy free mode, you can create a package with relative ease to deploy to legacy vulnerable systems. Download KB4012598 for your legacy version of Windows. You can install it by building a package with the following silent install parameters /quiet /norestart /overwriteoem:

In order to ensure the update applies correctly, we recommend using your favorite method to stop the Windows Update service before deploying any of the updates (taskkill, net stop wuauserv, PowerShell, etc.).

Vista, 8, and Server 2008 don’t use .exe files to apply updates and will be a little easier:
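The manual install steps above, combined into one script. This is an added example, not a PDQ package or Microsoft code. It assumes PowerShell 2.0 or later is present on the target, that it runs elevated, and that `$UpdatePath` (a placeholder parameter) points to the KB4012598 file you downloaded for that OS; the `.msu` branch assumes the standard `wusa.exe` installer.

```powershell
# Added example. Run elevated on the target machine.
# $UpdatePath is a placeholder: the KB4012598 file downloaded for that OS.
param(
    [Parameter(Mandatory = $true)]
    [string]$UpdatePath
)

if (-not (Test-Path -LiteralPath $UpdatePath)) {
    throw "Update file not found: $UpdatePath"
}

# Stop the Windows Update service first, as the article recommends.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
$wasRunning = $wu -and ($wu.Status -eq 'Running')
if ($wasRunning) { Stop-Service -Name wuauserv -Force }

# Pick the installer by file type.
switch ([System.IO.Path]::GetExtension($UpdatePath).ToLower()) {
    '.exe' {   # XP / Server 2003 style self-extracting update
        $installer   = $UpdatePath
        $installArgs = '/quiet /norestart /overwriteoem'
    }
    '.msu' {   # Vista / 8 / Server 2008 standalone package, installed via wusa.exe
        $installer   = Join-Path $env:SystemRoot 'System32\wusa.exe'
        $installArgs = "`"$UpdatePath`" /quiet /norestart"
    }
    default { throw "Unsupported update file type: $UpdatePath" }
}

$proc = Start-Process -FilePath $installer -ArgumentList $installArgs -Wait -PassThru
$code = $proc.ExitCode

# Exit codes commonly returned by these installers.
if     ($code -eq 0)           { $result = 'Installed' }
elseif ($code -eq 3010)        { $result = 'Installed, reboot required' }
elseif ($code -eq 2359302)     { $result = 'Already installed (wusa)' }
elseif ($code -eq -2145124329) { $result = 'Not applicable to this OS (wusa)' }
else                           { $result = 'Failed' }
Write-Output "$env:COMPUTERNAME $result (exit code $code)"

# Restore the service if this script stopped it (added behaviour, not from the article).
if ($wasRunning) { Start-Service -Name wuauserv -ErrorAction SilentlyContinue }
exit $code
```

The script exits with the installer's own exit code, so the deployment tool that runs it can decide which codes count as success.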

See Also:
Video: WannaCrypt Ransomware Attack Patch / Update
Customer Guidance for the WannaCrypt Attacks
Microsoft Security Bulletin MS17-010 - Critical
Blog: WannaCrypt Ransomware Attack Patch

The following are the most current update releases for the listed OSs:
Windows 7, Server 2008 R2
Security Only: KB4019263
Monthly Rollup: KB4019264 

Windows 8.1
Security Only: KB4019213
Monthly Rollup: KB4019215 

Windows Server 2012
Security Only: KB4019214
Monthly Rollup: KB4019216 

Windows 10 (Initial Release)
Cumulative Update: KB4019474 

Windows 10 (1511)
Cumulative Update: KB4019473

Windows 10 (1607), Server 2016
Cumulative Update: KB4019472