
Petya ransomware running rampant: how to turn off SMBv1 in Windows.

KSweeley

Member
Link: https://www.onmsft.com/news/petya-r...-off-smbv1-in-windows-to-make-sure-youre-safe

Last month it was the "WannaCry" virus wreaking havoc over the internet, and now this week another ransomware exploit is rapidly expanding. The new variant, dubbed "Petya," uses the same SMBv1 exploit that WannaCry uses to rapidly replicate throughout network systems, but holds infected computers hostage in a significantly different way.

According to a post in Hacker News, the Petya ransomware, also known as "Petwrap," is spreading rapidly, "shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins," and has affected over 300,000 computers in only 72 hours.

Petya does not encrypt files one by one in its attempt to elicit those Bitcoin payments, but uses an even more nefarious method:

Instead, Petya reboots victims' computers and encrypts the hard drive's master file table (MFT), rendering the master boot record (MBR) inoperable and restricting access to the full system by seizing information about file names, sizes, and location on the physical disk. Petya replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.

Microsoft recommends removing the unused but vulnerable SMBv1 file sharing protocol from your systems.

It's pretty easy to do, and well worth it for the peace of mind it could bring as yet another ransomware exploit powered by leaked NSA hacking tools runs amuck.

Open the Control Panel (search for it from the Start Menu)
Click Programs and Features, and then on the left hand column
Click Turn Windows Features on or off
Scroll down to SMB 1.0/CIFS File Sharing support,
Uncheck it, and reboot

This works for Windows 10 and Windows 8.1. There's simply no reason for you to be running SMBv1, and Microsoft is planning to remove it entirely in the Windows 10 Fall Creators Update.

For now, governments and industries are grappling to fight the ransomware and perhaps looking at their penchant for running older unpatched systems, as the dirty tricks of the NSA continue to come back to haunt us.

Windows 7 instructions on how to disable SMBv1, thanks to Dr.Acula.

MS Article Here: https://support.microsoft.com/en-us...-smbv1-smbv2-and-smbv3-in-windows-and-windows

A more readable set of instructions for admins here: http://www.grouppolicy.biz/2017/03/how-to-disable-smb-1-on-windows-7-via-group-policy/

Instructions:

Press Windows key, in the RUN prompt type:

cmd.exe

Right-click on cmd.exe and select

Run as administrator

Copy and paste the following commands (right-click to paste as the ctrl-v command may not work):

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

Hit enter.

sc.exe config mrxsmb10 start= disabled

Hit enter.

Restart.

After restarting, go back to the RUN prompt and type:

regedit.exe

Run it (it will prompt the UAC, allow it to make changes by hitting "yes").

In regedit expand the following folders:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
 
Did no one look at the NSA hacking tools at MS? Really?

This has been patched. MS got a heads up ahead of time by the NSA. This is more for companies that have been unable to patch for whatever reason. Also the SMB vulnerability is not the only method of propagation this version of Petya has.
 

Haly

One day I realized that sadness is just another word for not enough coffee.
I don't see it in 7. Is this an 8/10 thing?
 
D

Deleted member 1235

Unconfirmed Member
crazy, turned that shit off. Anyone know how they infect PCs, like is it an image they email or is it a program you have to run?
You know all those had threads where people get all offended about microsofts heavy handed windows updates and all the sweet methods they have to disable it? Those dumbshit guys are how they infect PCs.

Smb-1 off and update MS17-010 are very important, and if your machine has smb1 on and you let that face the internet you are going to die and deserve it.

Another good practice is not having local admin rights
 

Koren

Member
crazy, turned that shit off. Anyone know how they infect PCs, like is it an image they email or is it a program you have to run?
In this case, it's a problem in a service, so it infects your PC without you doing anything wrong (except not having applied the patch)

Did no one look at the NSA hacking tools at MS? Really?
As far as I know, it's patched, but it's easier to stop the service than to ensure the patch is properly applied...
 

Koren

Member
You know all those had threads where people get all offended about microsofts heavy handed windows updates and all the sweet methods they have to disable it? Those dumbshit guys are how they infect PCs.
Well, when it's not disabled and it's not working, it's harder...

And honestly, even when it's working, it's creating a lot of issues. I wish I could do an update/upgrade/dist-upgrade on Windows...
 
crazy, turned that shit off. Anyone know how they infect PCs, like is it an image they email or is it a program you have to run?

It operates more like a worm, scanning for IPs and trying to penetrate using the SMB (file sharing) exploit. Only seems to hit local networks, not internet wide. I'm not sure how the initial infection happens, but it's likely targeted.
 

Linkura

Member
https://support.microsoft.com/en-us...-smbv1-smbv2-and-smbv3-in-windows-and-windows

How to enable or disable SMB protocols on the SMB client
Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012

Note When you enable or disable SMBv2 in Windows 8 or in Windows Server 2012, SMBv3 is also enabled or disabled. This behavior occurs because these protocols share the same stack.

To disable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

To enable SMBv1 on the SMB client, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto

I just tried this on cmd.exe and it said access denied when entering the first command. Am I doing it wrong?
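An added PowerShell example, not code from the thread or from the Microsoft article, that audits and then disables SMBv1 on both halves the thread covers: the client side that the two sc.exe commands above change, and the server side behind the LanmanServer\Parameters key in the first post. It assumes Windows 7 or later and checks for elevation first, since sc.exe answers "access denied" from a non-elevated prompt.

```powershell
# Added example (not from the thread or the linked Microsoft article): audit and disable
# SMBv1 on the client (mrxsmb10 driver) and the server (LanmanServer SMB1 value).
$Params   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Mrxsmb10 = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$Lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation'

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-Smb1State {
    # Start = 4 means the driver is disabled (what "sc.exe config mrxsmb10 start= disabled" sets)
    $start  = (Get-ItemProperty -Path $Mrxsmb10 -ErrorAction SilentlyContinue).Start
    # lanmanworkstation must no longer list mrxsmb10 as a dependency, or it gets loaded anyway
    $depend = (Get-ItemProperty -Path $Lanman -ErrorAction SilentlyContinue).DependOnService
    # Server side: an absent SMB1 value means the default, which is enabled
    $smb1   = (Get-ItemProperty -Path $Params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    [pscustomobject]@{
        ClientDriverDisabled    = ($start -eq 4)
        ClientDependencyRemoved = ($depend -notcontains 'mrxsmb10')
        ServerSmb1Disabled      = ($smb1 -eq 0)
    }
}

function Disable-Smb1 {
    if (-not (Test-Elevated)) {
        throw 'Run this from an elevated prompt (right-click, Run as administrator).'
    }
    # Client: the same two changes as the sc.exe commands quoted in the thread.
    # Plain "sc" is an alias for Set-Content in PowerShell, hence the explicit .exe.
    sc.exe config lanmanworkstation 'depend=' 'bowser/mrxsmb20/nsi' | Out-Null
    sc.exe config mrxsmb10 'start=' 'disabled' | Out-Null
    # Server: SMB1 = 0 under LanmanServer\Parameters, per the Microsoft article.
    Set-ItemProperty -Path $Params -Name SMB1 -Type DWord -Value 0 -Force
    # Windows 8.1/10 also ship SMBv1 as an optional feature (the checkbox the OP unchecks).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Warning 'Reboot for the client-side change to take effect.'
}

Get-Smb1State   # before
Disable-Smb1
Get-Smb1State   # after: ClientDriverDisabled and ServerSmb1Disabled should both be True
```

Run Get-Smb1State again after the reboot; a machine managed by group policy can have the settings re-enabled, so the audit function is the part worth scheduling.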
 

NOLA_Gaffer

Banned
Here's hoping my parents' PC doesn't get hit. They're still on Windows 7 and security updates via Windows Update keep spitting out error messages that I can't seem to find a solution to.

Anything I need to do on a Mac?
 

Dr.Acula

Banned
I just tried this on cmd.exe and it said access denied when entering the first command. Am I doing it wrong?

Yeah. You can follow the link others and I posted. This article gives instructions for different environments and I totally quoted the wrong one. I'm on the subway so I'll figure out the method for PC client users when I get home if no one else gives instructions.
 

Apt101

Member
I turned off SMB v1 during the initial configuration of my system. There have been exploits targeting that shit since I was in college and it has always taken MS a long time to address them.
 
You know all those had threads where people get all offended about microsofts heavy handed windows updates and all the sweet methods they have to disable it? Those dumbshit guys are how they infect PCs.

It's a negative feedback loop of Microsoft's own creation, though.
 

midramble

Pizza, Bourbon, and Thanos
This has been patched. MS got a heads up ahead of time by the NSA. This is more for companies that have been unable to patch for whatever reason. Also the SMB vulnerability is not the only method of propagation this version of Petya has.

This. Been patched since March. Keep your systems up to date people. This is why.

In this case, it's a problem in a service, so it infect your PC without you doing anything wrong (except not having applied the patch)


As far as I know, it's patched, but it's easier to stop the service than to ensure the patch is properly applied...

Closing SMBv1 solves this particular vector, but keeping up with patching will make sure that as microsoft gets zero day vulnerabilities and remediation (which they pay a lot to get as soon as possible) you will get the same remediation. Manually shutting down SMBv1 is a great added safety but people should really keep up patching.
 

Koren

Member
What if turning off this thing is what the hackers want you to do?

What if this warning is a trap?!
Not a chance. SMBv1 is useless, it has been replaced by SMBv2/3. It's just there for compatibility. There's really no reason to leave it.

Edit: half a year ago, I wasn't able to install a printer on Vista (not my computer). I discovered that updates had failed for more than one year, no reason again. I disabled auto, forced an update by hand, failed, reboot, forced again, failed, reboot, x5 (!) then for no particular reason it worked...

Windows Update is buggy as hell...

On Linux, when something fails, you have details. Windows is a black box, it's awfully hard to find what went wrong, and it's annoying.

Closing SMBv1 solves this particular vector, but keeping up with patching will make sure that as microsoft gets zero day vulnerabilities and remediation (which they pay a lot to get as soon as possible) you will get the same remediation. Manually shutting down SMBv1 is a great added safety but people should really keep up patching.
Yes, but as I said, I haven't been able to patch my Seven for some time. Updates fail, and I don't find a single reason (System file check returns "all clear", no virus, no worm, no malware)

Besides, I really don't like leaving a service running if I don't use it... Especially one related to network. I'd disable v2 and v3 too if I was sure I wouldn't have issues later (I don't care about samba shares, the only thing would be printer, but since I'm using one over IP, I don't think it's an issue)
 

Linkura

Member
I'm the only fucking user on my machine and for some reason it doesn't recognize me as an admin. Fucking Windows.
 
I just sent this onto our network security admin and turned it off on my machine. The problem is, our network team likes to automatically enable all of our shit when they sent out their periodic updates through group policy, so I'm hoping they actually will listen this time around.
 

Koren

Member
I'm the only fucking user on my machine and for some reason it doesn't recognize me as an admin. Fucking Windows.
Believe me, that's the SANE thing to do. It used to be different, and it was one of the reasons Windows was so easy to infect.

You don't want admin rights at all times, you have to require them. Have you tried a right click on command to get "run as administrator"?

Why is this even on by default? Most people will not be aware of this.
It's on because if it wasn't, people with old computers may have issues getting some shares working.

But at the same time, most people shouldn't tinker with Windows Update, and with some luck, the hole ISN'T there anymore, Microsoft has patched it.

So that leaves:
- people that disabled updates (it's a risk, and Windows says it clearly)
- people who got a virus/worm/malware (those try to stop update, and often manage to do it)
- people whose Windows Update stopped working for any reason (and I'd like to know why myself)
 

Linkura

Member
Believe me, that's the SANE thing to do. It used to be different, and it was one of the reasons Windows was so easy to infect.

You don't want admin rights at all times, you have to require them. Have you tried a right click on command to get "run as administrator"?
Thank you very much. This worked and I was able to disable it. Also running Windows Update. I feel like an idiot sometimes when it comes to this stuff even though I'm probably more advanced than like 90% of the population.
 

epmode

Member
Windows Update is buggy as hell...

It certainly can be. I've found that Windows Update problems can usually be fixed by stopping the services, deleting the SoftwareDistribution folder and rebooting, but this doesn't work nearly as well in Windows 10 for me. (I work with lots of Windows 10 machines and I've run into a few Windows Update issues that I simply couldn't fix)
 

ty_hot

Member
This ransomware got to several transportation/logistics companies in Europe. My gf works in the area and said they had to cancel lots of loads/unloads because of that.

I wonder when will be the last attack... it looks like it might become a usual thing.
 

Koren

Member
I've found that Windows Update problems can usually be fixed by stopping the services, deleting the SoftwareDistribution folder and rebooting, but this doesn't work nearly as well in Windows 10 for me. (I work with lots of Windows 10 machines and I've run into a few Windows Update issues that I simply couldn't fix)
That's a real issue, to me... It should be the most reliable component of an OS...

Aptitude is definitely in my top 3 reasons for going Linux (both for updates and for easy installs with proper dependency handling)

I'll try your suggestion to see if it can solve my WU issue. Which Windows version? This folder is in the Windows folder?
 

LordRaptor

Member
You know all those had threads where people get all offended about microsofts heavy handed windows updates and all the sweet methods they have to disable it? Those dumbshit guys are how they infect PCs.

If MS's shitty new overly aggressive methods of running Windows Update, where important security updates get bundled along with unimportant (to consumers) MS business initiatives, are the norm, then people searching for ways to not have things forcibly crammed down their throats at inopportune times is the end result.
 

Weckum

Member
What's scary to me is that this is the shit that gets put out in the open. What is the stuff that big governments have been working on for decades that can be used as weapons? What will happen when there is a full out war between two major powers? Electricity grids, water supply plants, whole infrastructures will get shut down.

We've seen it happen in Estonia and Ukraine, but those were just small playgrounds. The next big war is gonna wreak havoc in a very different way than just normal bombs and bullets.
 

Nokterian

Member
Mass Surveillance is keeping everyone safe...fucking hell. This is what happens when agencies like the NSA make tools and they forget that these tools will leak out. And here is the result, those tools will be abused and it will go rampant with everything from banks to hospitals to even nuclear plants.

Yes ladies and gentlemen this is your government and even our Dutch government wants to give itself the same powers the NSA has, they're bloody idiots for doing this. Also not telling about 0-day holes is another thing they keep silent about. It is ridiculous how these people can even think this is going down.
 

epmode

Member
I'll try your suggestion to see if it can solve my WU issue. Which Windows version? This folder is in the Windows folder?

It's kind of a general Windows Update fix that has worked since Windows 7 and maybe even earlier. Make sure that Windows Update isn't doing anything, stop the Windows Update service and Background Intelligent Transfer Service, delete the <Windows>\SoftwareDistribution folder, then reboot.

(you could also rename the SoftwareDistribution folder instead of deleting it, but restarting Windows Update just recreates it; I've never found the need to revert to an old version of the folder)
 