Link: https://www.onmsft.com/news/petya-r...-off-smbv1-in-windows-to-make-sure-youre-safe
Last month it was the "WannaCry" virus wreaking havoc over the internet, and now this week another ransomware exploit is rapidly expanding. The new variant, dubbed "Petya," uses the same SMBv1 exploit that WannaCry uses to replicate rapidly throughout network systems, but holds infected computers hostage in a significantly different way.
According to a post in Hacker News, the Petya ransomware, also known as "Petwrap," is spreading rapidly, "shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins," and has affected over 300,000 computers in only 72 hours.
Petya does not encrypt files one by one in its attempt to elicit those Bitcoin payments, but uses an even more nefarious method:
Instead, Petya reboots victims' computers and encrypts the hard drive's master file table (MFT), rendering the master boot record (MBR) inoperable and restricting access to the full system by seizing information about file names, sizes, and location on the physical disk. Petya replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.
Microsoft recommends removing the unused but vulnerable SMBv1 file sharing protocol from your systems.
It's pretty easy to do, and well worth it for the peace of mind it could bring as yet another ransomware exploit powered by leaked NSA hacking tools runs amok.
Open the Control Panel (search for it from the Start Menu)
Click Programs and Features, and then, in the left-hand column,
Click Turn Windows Features on or off
Scroll down to SMB 1.0/CIFS File Sharing support,
Uncheck it, and reboot
This works for Windows 10 and Windows 8.1. There's simply no reason for you to be running SMBv1, and Microsoft is planning to remove it entirely in the Windows 10 Fall Creators Update.
For now, governments and industries are grappling with the ransomware, and perhaps with their penchant for running older unpatched systems, as the dirty tricks of the NSA continue to come back to haunt us.
Windows 7 instructions on how to disable SMBv1, thanks to Dr.Acula.
MS Article Here: https://support.microsoft.com/en-us...-smbv1-smbv2-and-smbv3-in-windows-and-windows
A more readable set of instructions for admins here: http://www.grouppolicy.biz/2017/03/how-to-disable-smb-1-on-windows-7-via-group-policy/
Instructions:
Press the Windows key, and in the Run prompt type:
cmd.exe
Right-click on cmd.exe and select
Run as administrator
Copy and paste the following commands (right-click to paste as the ctrl-v command may not work):
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
Hit enter.
sc.exe config mrxsmb10 start= disabled
Hit enter.
Restart.
After restarting, go back to the RUN prompt and type:
regedit.exe
Run it (it will show a UAC prompt; allow it to make changes by clicking "Yes").
In regedit, expand the following keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
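An added example, not code from the article or from Dr.Acula's post: a PowerShell script that audits whether SMBv1 is still active on the server and client side and, if so, applies the same remediation as the Windows 7 commands above (and the Windows Features step for 8.1/10). It assumes, from the Microsoft article linked above rather than from this page, that the server-side switch is the DWORD value "SMB1" under the LanmanServer\Parameters key, with 0 meaning disabled.

```powershell
# Added example (not from the article or Dr.Acula's post). Audits and, if needed,
# disables SMBv1 using the same settings the instructions above describe.
# Run from an elevated PowerShell; written to work on PowerShell 2.0 (Windows 7).
# Assumption (from the Microsoft article, not this page): the server side is
# controlled by the DWORD value "SMB1" under LanmanServer\Parameters; 0 = off.

$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1Status {
    # Server: a missing SMB1 value means the default, i.e. SMBv1 still enabled.
    $smb1 = (Get-ItemProperty -Path $ServerKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $serverOn = ($smb1 -eq $null) -or ($smb1 -ne 0)
    # Client: mrxsmb10 Start type 4 = disabled (what "sc.exe ... start= disabled" sets).
    $start = (Get-ItemProperty -Path $ClientKey -Name Start -ErrorAction SilentlyContinue).Start
    $clientOn = ($start -ne $null) -and ($start -ne 4)
    # The workstation service must no longer list MRxSmb10 as a dependency,
    # otherwise it fails to start once the driver is disabled.
    $deps = (Get-Service LanmanWorkstation).ServicesDependedOn | ForEach-Object { $_.Name }
    $needsSmb1 = $deps -contains 'MRxSmb10'
    New-Object PSObject -Property @{
        Smb1ServerEnabled    = $serverOn
        Smb1ClientEnabled    = $clientOn
        WorkstationNeedsSmb1 = $needsSmb1
        NeedsRemediation     = $serverOn -or $clientOn -or $needsSmb1
    }
}

function Disable-Smb1 {
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        # Windows 8.1/10: same as unchecking "SMB 1.0/CIFS File Sharing Support".
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    # Windows 7 / Server 2008 R2 path (also harmless on newer systems).
    New-ItemProperty -Path $ServerKey -Name SMB1 -PropertyType DWORD -Value 0 -Force | Out-Null
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Host 'SMBv1 disabled on server and client side; reboot to apply.'
}

$status = Get-Smb1Status
$status | Format-List
if ($status.NeedsRemediation) { Disable-Smb1 }
```

Run Get-Smb1Status again after the reboot to confirm all three flags report false.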