
Petya ransomware running rampant: how to turn off SMBv1 in Windows.

Dr.Acula

Banned
MS Article Here: https://support.microsoft.com/en-us...-smbv1-smbv2-and-smbv3-in-windows-and-windows

A more readable set of instructions for admins here: http://www.grouppolicy.biz/2017/03/how-to-disable-smb-1-on-windows-7-via-group-policy/

Instructions:

Press Windows key, in the RUN prompt type:

cmd.exe

Right-click on cmd.exe and select

Run as administrator

Copy and paste the following commands (right-click to paste as the ctrl-v command may not work):

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

Hit enter.

sc.exe config mrxsmb10 start= disabled

Hit enter.

Restart.

After restarting, go back to the RUN prompt and type:

regedit.exe

Run it (it will prompt the UAC, allow it to make changes by hitting "yes").

In regedit expand the following folders:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Right-click in the right window pane and select "New" and select "DWORD (32-bit) Value"

Right-click to rename the value "SMB1"

Right-click to modify the value and assign it "0"

Restart.

--
Those are the Win7 instructions as far as I can understand them.
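The same Windows 7 steps as a single elevated PowerShell script, with a read-back of the registry so you can confirm the change held before rebooting. This is an added example, not from the thread; the registry paths are the documented SMBv1 locations, and the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): the OP's Windows 7 steps as one script,
# followed by a read-back of the registry so you can confirm the change held.
# Registry paths are the ones Microsoft documents for SMBv1; function names are mine.

$Server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Client = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$Wks    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

function Disable-Smb1Legacy {
    # Server side: SMB1=0 under LanmanServer\Parameters (the DWORD the OP sets in regedit).
    New-ItemProperty -Path $Server -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null

    # Client side: drop mrxsmb10 from the workstation dependencies and disable the driver
    # (the two sc.exe commands from the OP; 'depend=' and 'start=' keep their trailing space).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Test-Smb1Disabled {
    # Returns $true only when all three settings match the disabled state.
    $smb1  = (Get-ItemProperty -Path $Server -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $start = (Get-ItemProperty -Path $Client -Name Start).Start          # 4 = SERVICE_DISABLED
    $deps  = (Get-ItemProperty -Path $Wks -Name DependOnService).DependOnService
    ($smb1 -eq 0) -and ($start -eq 4) -and ($deps -notcontains 'MRxSmb10')
}

Disable-Smb1Legacy
if (Test-Smb1Disabled) {
    Write-Host 'SMBv1 server and client disabled; reboot to apply.'
} else {
    Write-Warning 'One or more SMBv1 settings did not take; inspect the three registry keys above.'
}
```

On Windows 8 / Server 2012 and later, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` covers the server half in one call; the registry read-back above still works for verification there.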
 

NH Apache

Banned
So if you're infected, why can't you rewrite the corrupted mbr? I've done that tons of times after screwing up installs, etc.

Edit: oh it encrypts the mft
 

Dead Man

Member
Cheers for that. :)
 

Uhyve

Member

DarkKyo

Member
Thanks for the tip! Just did this to my girlfriend's and my laptops/PCs. Screw the humans that cause this kind of misery.
 

Akronis

Member
Heh yup, some researchers were saying that it needed dat as an extension so I made that file as well.

Oh, didn't think to make them read only though, oops.

It's worth putting all three files in there just in case, but with the research done with our EDR vendor, it appeared to only look for that one file.

So many variants can be forked so quickly this could easily be removed as a killswitch, so please do not rely on this to save your ass everyone.

Offsite backups and a strong EDR tool with anti-ransomware capabilities is generally the best option.
 
Wait so has this been patched y/n? Like does it affect a fully up to date W10 install? Because I don't feel like turning off a bunch of shit or adding a bunch of files to things if I don't need to.

Edit: Nevermind, yes, it was patched in March. That being said I need to go fix my mom's Win7 PC now.
 

Akronis

Member
Wait so has this been patched y/n? Like does it affect a fully up to date W10 install? Because I don't feel like turning off a bunch of shit or adding a bunch of files to things if I don't need to.

Edit: Nevermind, yes, it was patched in March. That being said I need to go fix my mom's Win7 PC now.

Petya also utilizes PSEXEC and WMIC to spread if it fails to exploit SMB.
 
Thanks for the heads up. I just disabled it. I've never had problems with viruses etc. for years, but that still won't stop me from going the extra step to protect my PC.
 

Neo_Geo

Banned
Why is this even on by default? Most people will not be aware of this.

Funny that this is what they decided to have turned on and have something like .Net 3.0/3.5 disabled by default, which is something that would have far more usefulness and practicality than this useless feature that serves only to allow havoc.
 

diehard

Fleer
Funny that this is what they decided to have turned on and have something like .Net 3.0/3.5 disabled by default, which is something that would have far more usefulness and practicality than this useless feature that serves only to allow havoc.

.net is a client-only role that can easily be enabled, even by the application installer that uses it. Try using something that uses SMBv1 and it will just fail with no real help.

It's disabled in the next major release of Win 10, however.
 

Apt101

Member
This. Been patched since March. Keep your systems up to date people. This is why.

Our IT sec department shut it down via a combination of firewall rules and endpoint security before MS even patched it.

At least most Win 10 home users don't know how to set their connection to metered and got pushed the update months ago. I'm assuming.
 

Temp_User

Member
So apparently NoPetya ain't a ransomware... it's a wiper. Forget about getting your data back.

Always remember to backup your files.

Later, researchers said it was a new, never-before-seen ransomware package that mimicked some of Petya's behaviors. With more time to analyze the malware, researchers on Wednesday are highlighting some curious behavior for a piece of malware that was nearly perfect in almost all other respects: its code is so aggressive that it's impossible for victims to recover their data.
 

captive

Joe Six-Pack: posting for the common man
As far as I know, it's patched, but it's easier to stop the service than to ensure the patch is properly applied...
What are you talking about? Updating Windows is literally as easy as pie. A lot easier for the average user than disabling Windows services.

And honestly, even when it's working, it's creating a lot of issues. I wish I could do an update/upgrade/dist-upgrade on Windows...

Again, what are you talking about?

I manage Windows updates for over 500 servers. It's more or less automatic. We just run reports to verify and then manually remediate the 1 to 2% of problem children.
 

hirokazu

Member
I just sent this onto our network security admin and turned it off on my machine. The problem is, our network team likes to automatically enable all of our shit when they sent out their periodic updates through group policy, so I'm hoping they actually will listen this time around.
Isn't it their job to set the correct group policy for the desired security though? If they don't know SMBv1 should be turned off by now, what hope does your company have?

Edit: half a year ago, I wasn't able to install a printer on Vista (not my computer). I discovered that updates had failed for more than one year, no reason again. I disabled auto, forced an update by hand, failed, reboot, forced again, failed, reboot, x5 (!) then for no particular reason it worked...

Windows Update is buggy as hell...

On Linux, when something fails, you have details. Windows is a black box, it's awfully hard to find what went wrong, and it's annoying.

Yes, but as I said, I haven't been able to patch my Seven for some time. Updates fail, and I don't find a single reason (System File Checker returns "all clear", no virus, no worm, no malware).

Besides, I really don't like leaving a service running if I don't use it... Especially one related to the network. I'd disable v2 and v3 too if I was sure I wouldn't have issues later (I don't care about Samba shares, the only thing would be the printer, but since I'm using one over IP, I don't think it's an issue).
If an update fails and has to be rolled back, it usually spits out a hex-like error code, which you can then Google to hopefully find a solution. I've had issues in the past where Windows Update will consistently fail and then roll back. I eventually fixed it by looking up the error code and trying what other people suggest solved the problem for them.

If I do this I cannot connect to my NAS. Must find another way.
Dude, you need to log in to your NAS and update it, then see if you can enable a newer version of SMB (and then disable SMBv1 on your NAS). If it only supports SMBv1, get a new NAS, LOL.
 

Lagamorph

Member
It amazes me that even in Server 2016 SMBv1 is enabled by default.
Had to put a step into our SCCM build task sequence to disable it.
 

jstripes

Banned
My workplace network is such a mess. I'm going to have to disable SMB1 on our desktops, but not on the servers, because our head of IT still has a few critical XP machines up that he couldn't be bothered to upgrade.

I hope this doesn't break our networked printers. :p
 

Ashhong

Member
I got an email saying that my work account had been logged on in Ukraine and to reset my password by clicking on a link. This was like a week ago. I didn't think anything of it. Looking back, would this have been related? Turns out many other coworkers got it too, but from different locations. The email domain is from my work, but I doubt the actual email was. Good thing I didn't click it...
 
My DO just got this email with a screenshot as an attachment. He deleted it without opening it and sent a "possible spam" mass email to my division. I replied telling everyone not to open the file.

damn. lol
 

DarthWoo

I'm glad Grandpa porked a Chinese Muslim
Was about to start a thread, but figured I'd just ask in here. Given that the world is so full of this crap lately, just how much do you keep your data backed up externally?

I had already done this for years, but I refreshed my backups recently (previous iteration had been last September) just in case. I keep a full copy of everything I consider important enough to save on a secondary internal hard drive, which I know would be utterly useless against ransomware, but exists primarily in case my primary drive gets junked for some reason. I also have two portable externals with the same data kept elsewhere. If only I didn't have crap bandwidth, I'd consider cloud backups, but then again, one never knows when that can get screwed up too.

I only thought of this as I was recently going through a bunch of old CD/DVD-R backups and basically just destroying and throwing them all out as they were pretty much pointless and just taking up far too much space. I suppose they might have been useful if the nation got massively EMP'd, a la Homefront, which I assume would kill all my drives, but I imagine that at that point, I wouldn't be much caring about any of that.
 
What's the primary method of delivery for this stuff? Links in emails that download it? I just want to know what I should be cautious of outside of the obvious.
 

jstripes

Banned
What's the primary method of delivery for this stuff? Links in emails that download it? I just want to know what I should be cautious of outside of the obvious.

In this case it was a forged update for government-mandated tax software that was somehow uploaded to its update server.

In other words, there was nothing anyone could have done, aside from disable automatic updates on otherwise trusted software.
 

Erasus

Member
what is unused and vulnerable shit doing in an os anyways

Backwards compatibility.
SMBv1 is used in printers usually for scanning to a network folder, so file servers had to have it on.
Old computers/servers that can't run the newer versions of SMB, perhaps.
Lots of reasons.

Windows is more than your gaming PC
 

StoneFox

Member
I checked in a computer to our repair shop today with a missing/corrupted MBR. Not sure if it's related to this exploit, but at least I know I can turn off the service after I re-install Windows on the unit. These NSA tools are out of control. Always keep an external backup or two or three...
 
I'm pushing a GPO to our office to do this for Windows clients. Anyone who wants to do the same should refer to https://support.microsoft.com/en-us...-smbv1-smbv2-and-smbv3-in-windows-and-windows

I got an email saying that my work account had been logged on in Ukraine and to reset my password by clicking on a link. This was like a week ago. I didn't think anything of it. Looking back, would this have been related? Turns out many other coworkers got it too, but from different locations. The email domain is from my work, but I doubt the actual email was. Good thing I didn't click it...

I mean those go out by the millions every day; there's no way of knowing if it was this or just an attempt to get your email credentials like a lot of those "reset your password" messages.

what is unused and vulnerable shit doing in an os anyways

Legacy systems still make use of it in some cases.

Was about to start a thread, but figured I'd just ask in here. Given that the world is so full of this crap lately, just how much do you keep your data backed up externally?

My data sits on externals by default, is backed up to other externals, and the latter are backed up to Carbonite.

Recently had an external Seagate shit on me for no fucking reason and it cost me $1300 to recover and that was after a 15% discount. Never again.
 

Mugsy

Member
Is there any way to make sure this does not also spread to your personal external backups? I am not talking about just this one malware but in general: how do you make sure that malware that infects your computer does not also go onto the external hard drive that is connected to your computer?
 
Is there any way to make sure this does not also spread to your personal external backups? I am not talking about just this one malware but in general: how do you make sure that malware that infects your computer does not also go onto the external hard drive that is connected to your computer?

Unplug them when not in active use.
 