The share on my router has recently been infected with WantToCry; it seems like it might be in relation to SMB version one.
Hello,
Unless the samba client uploads/writes files infected with WannaCry, this will not appear on your USB disk.
-
You should remove this USB disk and reformat it completely to ensure WannaCry is completely cleared.
-
Reset the firmware or re-install the firmware via U-Boot on the router, to ensure the router system is restored cleanly and securely.
The Samba4 server in the firmware is used only to mount the USB disk and broadcast the shared folder over the SMB protocol.
Moreover, depending on the protocol version of the Samba client, the server will first negotiate the highest version, such as SMB3 or SMB4.
SMB3 and newer protocols provide very secure Samba connections and are unlikely to be attacked.
And please use Samba in the LAN; do not "Allow Access Samba from WAN" unless you need it from outside.
- Disable samba mount completely.
- Clear all devices of WannaCry.
- Reinsert the USB stick in a Linux PC or router and remove the infected file, or format it fully.
Disable all autoruns on the PCs.
Otherwise you stay in a situation where your devices keep getting infected, because it is a network-spreading ransomware.
Therefore it is important to have Samba not listen over WAN; in the default configuration that is not possible, but WannaCry can attack network drives locally from another infected device.
Also @bruce explains this very well.
There are some mighty tricks you can do on Windows. If you use Windows Pro, you can use secpol.msc, then navigate to Software Restriction Policies, make a new policy, and type %temp%\*.exe
and one folder back in Software Restriction Policies you also have the option to force admin, so that as long as the file is not elevated it cannot run from %temp%, but I can't help with the steps (I'm on vacation typing on a phone 😋).
Then switch your Windows account to an account with no admin rights.
For me this blocked a lot of bad things, including ransomware like Petya and CryptoWall, because it blocks the payload/drop method before a virus scan finds it, which is often already a warning, because that should be the last line of defense.
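The Software Restriction Policy described in the post above, scripted instead of clicked through secpol.msc. This is an added example, not code from anyone in the thread: it writes the same registry keys that the Local Security Policy snap-in writes (the `Safer\CodeIdentifiers` layout below is from my own knowledge of SRP, so verify the result in secpol.msc afterwards), creates the `%TEMP%\*.exe` Disallowed path rule, and sets enforcement to "All users except local administrators", which is the "force admin" option the poster means. It also reports whether the SMB1 client feature from the first post is still installed. Run it from an elevated PowerShell on Windows Pro or better.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): Software Restriction Policy via the registry.
# Registry layout assumed from SRP documentation/observation of what secpol.msc writes:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers
#     DefaultLevel       262144 = Unrestricted, 0 = Disallowed
#     TransparentEnabled 1 = all files except libraries (DLLs), 2 = all software files
#     PolicyScope        0 = all users, 1 = all users except local administrators
#     <level>\Paths\{guid}\ItemData = path pattern (REG_EXPAND_SZ), SaferFlags = 0

$base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 262144   # 0x40000

# Turn SRP on with a permissive default and the "except local administrators"
# scope: an unelevated user cannot run the blocked paths, an elevated admin can.
New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name DefaultLevel       -Value $Unrestricted -Type DWord
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1             -Type DWord
Set-ItemProperty -Path $base -Name PolicyScope        -Value 1             -Type DWord

function Add-SrpDisallowedPath {
    # Create one Disallowed path rule, exactly as the "New Path Rule" dialog would.
    param(
        [Parameter(Mandatory)] [string] $PathPattern,
        [string] $Description = ''
    )
    $ruleKey = Join-Path "$base\$Disallowed\Paths" ([guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $PathPattern -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $ruleKey
}

# The rule from the post, plus one level deeper for installers/droppers that
# unpack into a subfolder of %TEMP% before executing.
Add-SrpDisallowedPath -PathPattern '%TEMP%\*.exe'   -Description 'Block EXEs dropped into the user temp folder' | Out-Null
Add-SrpDisallowedPath -PathPattern '%TEMP%\*\*.exe' -Description 'Block EXEs in subfolders of the user temp folder' | Out-Null

# Check: list the Disallowed path rules that are now in place.
Get-ChildItem -Path "$base\$Disallowed\Paths" |
    ForEach-Object { '{0,-20} {1}' -f 'Disallowed:', (Get-ItemProperty -Path $_.PSPath).ItemData }

# Related to the first post: is the SMB1 client still installed on this PC?
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State

# Apply the policy without waiting for the next refresh; a sign-out may still be
# needed before the new rules bite for already-running sessions.
gpupdate /force | Out-Null
```

Test it before relying on it: copy any small signed executable into `%TEMP%` and run it from a non-admin account; it should fail with "This program is blocked by group policy". Remember that an SRP path rule only compares the path string, so anything that copies the dropper elsewhere first, or that runs as a script host rather than an `.exe`, is not covered by this rule alone; it is one layer, not the last line of defense the post warns about relying on.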