So the Petya ransomware is going crazy today, hitting banks, telecoms, power companies… really anyone who still has SMBv1 exposed and hasn’t bothered to patch against ETERNALBLUE (MS17-010).
Some quick protection steps:
1. Patch for MS17-010 if you haven’t already.
2. Disable SMBv1 if you can. It is on by default unless you have actively disabled it.
Check whether it’s enabled with PowerShell:
Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
Disable it from an elevated PowerShell (-Force skips the confirmation prompt):
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
The above works on Windows 8 / Windows Server 2012 and newer; the Smb* cmdlets don’t exist on Windows 7 and Windows Server 2008 R2.
On Windows 7 and Windows Server 2008 R2 set the registry value instead, then reboot for it to take effect:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force
3. You may also want to make sure PsExec isn’t installed on machines that don’t need it, since Petya uses it to spread to other hosts.
4. Disabling WMIC is also recommended, but WMI is used for many things, so that may not be an option for you.
5. Ensure SMB (TCP 445 and 139) isn’t exposed to the internet through your firewall. It’s probably a good idea to block outgoing SMB at the perimeter as well.
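The steps above as one audit-and-harden script, added here as an example and not code from the original post. It assumes an elevated PowerShell on Windows 8 / Server 2012 or newer for the Smb* and NetFirewall cmdlets, and falls back to the registry value on Windows 7 / 2008 R2. The MS17-010 KB list is my own list from the March 2017 bulletin and later cumulative updates supersede those KBs, so a miss there is a prompt to check your patch tooling, not proof the host is unpatched. Step 5 belongs on the perimeter firewall; the host rule here is only a defence-in-depth stand-in, scoped to the Public profile so domain file shares keep working.

```powershell
# Added example (not from the original post). Run elevated. Without -Apply it only reports.
param([switch]$Apply)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Step 2 check: prefer the SMB cmdlets, fall back to the registry on Windows 7 / 2008 R2
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # A missing SMB1 value means the default, which is enabled
    $v = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Warning 'Registry change takes effect after a reboot.'
    }
}

# Step 1 check. Assumption: KB IDs as listed in the MS17-010 bulletin; later cumulative
# updates supersede them, so $false here means "verify elsewhere", not "unpatched".
$Ms17010Kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217',
              'KB4012598','KB4012606','KB4013198','KB4013429'
function Test-Ms17010Hotfix {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Test-PsExecPresent {
    # Step 3 check: look for an installed PsExec on PATH or in the Windows directories
    $dirs = @($env:PATH -split ';' | Where-Object { $_ }) + @($env:windir, "$env:windir\System32")
    foreach ($d in $dirs) {
        if ((Test-Path (Join-Path $d 'PsExec.exe')) -or (Test-Path (Join-Path $d 'PsExec64.exe'))) {
            return $true
        }
    }
    return $false
}

function Block-OutboundSmb {
    # Step 5 stand-in on the host firewall: NetBIOS session (139) and SMB (445), Public profile only
    if (-not (Get-NetFirewallRule -DisplayName 'Block outbound SMB (Public)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block outbound SMB (Public)' -Direction Outbound `
            -Protocol TCP -RemotePort 139,445 -Action Block -Profile Public | Out-Null
    }
}

Write-Host "SMB1 enabled:          $(Get-Smb1State)"
Write-Host "MS17-010 KB installed: $(Test-Ms17010Hotfix)"
Write-Host "PsExec found on host:  $(Test-PsExecPresent)"

if ($Apply) {
    Disable-Smb1
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) { Block-OutboundSmb }
    Write-Host 'Hardening applied.'
}
```

Run it once without -Apply to see where a host stands, then with -Apply to disable SMB1 and add the firewall rule; step 4 (WMIC) is deliberately left to a human decision because of how much management tooling depends on WMI.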
These steps should also help against other ransomware that are using the SMB attack vector.
Stay safe out there.