Windows 10: New global ransomware attack hits East Europe and spreading

Discussion in 'AntiVirus, Firewalls and System Security' started by AndreTen, Jun 26, 2017.

  1. Hydrate Win User

    I'd think that this speaks for itself. Stop using SMB1 | Storage at Microsoft

    It's not a secure protocol and the only reasons you should be running it are for Windows XP or compatibility reasons across different devices such as old printers.

    So, disable it otherwise or patch your system from Petya's known attack vectors such as using WUSA for an update, MBAM, Perfmon, AppLocker, the list goes on.
     
    Hydrate, Jun 29, 2017
    #76
  2. AndreTen Win User

    What is most fascinating, @Wynona, is that the malware had a strict policy of staying undisclosed. If a certain AV solution was present on the infected computer, it went straight to destroying the file system; otherwise it went on to compromise the computer and checked the network for further vulnerabilities.

    In my opinion, the main target was collecting credentials, or just making as much mess as they could.
     
    AndreTen, Jun 29, 2017
    #77
  3. f14tomcat Win User
    Thanks, I have uninstalled that feature. The only reason I asked was this was a clean install about a month ago, and it was enabled by default. I did not proactively enable the feature. Not running XP. And don't have an old printer. That is odd to me.
     
    f14tomcat, Jun 29, 2017
    #78
  4. AndreTen Win User

    Guys, don't worry so much about SMBv1 for home networks (OK, it's not something you really need), unless you have some irresponsible admin user in your network. This is not the first line of attack. Any router will block this.

    The main danger for home users is still phishing with attachments and browsing on the internet.
     
    AndreTen, Jun 29, 2017
    #79
  5. f14tomcat Win User
    Wasn't worried about anything. Just curious why it was enabled by default. Haven't had any problems, and don't intend to.

    And the only admin user on this box is me........
     
    f14tomcat, Jun 30, 2017
    #80
  6. AndreTen Win User
    Exactly. *Cool
    MS will disable it in the next builds, at least that is what they said.
     
    AndreTen, Jun 30, 2017
    #81
  7. bro67 Win User
    AndreTen, I think that we can at least now state to enable Firewall protection full time on any system, whether it is running Linux, Mac OS or Windows. When troubleshooting problems, we are all going to have to remember to address the issue of if a person has a firewall enabled and make sure that everyone asks what security software they are running also. The fact that if someone blocks or disables Netbios and/or SMB ports, it will break the system.
     
    bro67, Jun 30, 2017
    #82
  8. Hydrate Win User

    I have extremely strict firewall rules that disable NetBIOS and SMB completely, I absolutely agree. I don't use those protocols and it's not necessary.

    f14tomcat, I legitimately thought you were trying to be a smarty pants and prove me wrong otherwise and I mistook it for not being a genuine advice based question. *chuckle


    You dismiss Petya's attack vector too simply.

    If there is an admin with admin$ shares enabled, connected to other clients or hosts OR SMB v1 enabled AND/OR NetBIOS enabled, Petya will have a feast on the network and scan for lateral infection. Anyone with a share is a possible target from a PSEXEC remote file execution and infecting the system (target user needs administrative privileges). Windows Management Instrumentation command-line is also a method used to propagate itself on the local network as well if PSEXEC fails.

    Petya utilizes ports 137, 138, 139 and 445 being outbound and inbound on another local, outbound connections must be blocked or restricted by application demand.

    Then you have nothing to worry about, regardless of having a router with basic set up.

    Shares will be accessed, so it is a pertinent threat to home users once infected.
     
    Hydrate, Jun 30, 2017
    #83
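
The checks and settings post #83 describes (SMBv1 state, ports 137, 138, 139 and 445, admin shares), written out as an added PowerShell example that is not part of any forum post. The firewall rule display names are made up for illustration, and the script only reports unless it is run with `-Remediate`.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Audits by default; -Remediate changes settings.
param([switch]$Remediate)

$tcpPorts = 139, 445   # NetBIOS session service, SMB over TCP
$udpPorts = 137, 138   # NetBIOS name service, NetBIOS datagram service

# SMB1 can be on in two places: the optional Windows feature and the SMB server setting.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
$server  = Get-SmbServerConfiguration

# Which of the ports named in the post does this machine actually have open?
$listenTcp = Get-NetTCPConnection -State Listen -LocalPort $tcpPorts -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique
$boundUdp  = Get-NetUDPEndpoint -LocalPort $udpPorts -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique

# Administrative shares such as ADMIN$ and C$ (Special = $true).
$adminShares = Get-SmbShare -Special $true | Select-Object -ExpandProperty Name

[pscustomobject]@{
    SMB1FeatureState  = $feature.State
    SMB1ServerEnabled = $server.EnableSMB1Protocol
    ListeningTcp      = $listenTcp -join ','
    BoundUdp          = $boundUdp -join ','
    AdminShares       = $adminShares -join ','
}

if ($Remediate) {
    # Turn SMB1 off in both places; the feature removal takes effect after a reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Block the ports in both directions. This stops file and printer sharing,
    # so it suits only machines that do not use SMB at all.
    foreach ($dir in 'Inbound', 'Outbound') {
        # Inbound rules match the local port, outbound rules the remote port.
        $portParam = if ($dir -eq 'Inbound') { 'LocalPort' } else { 'RemotePort' }
        $tcpRule = @{ DisplayName = "Example block SMB/NetBIOS TCP $dir"; Direction = $dir
                      Protocol = 'TCP'; Action = 'Block'; $portParam = $tcpPorts }
        $udpRule = @{ DisplayName = "Example block NetBIOS UDP $dir"; Direction = $dir
                      Protocol = 'UDP'; Action = 'Block'; $portParam = $udpPorts }
        New-NetFirewallRule @tcpRule | Out-Null
        New-NetFirewallRule @udpRule | Out-Null
    }
}
```
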
  9. Wynona Win User
    I've seen quotes here and there that SMB1 was no longer enabled since March, but when I went in to check, it was enabled in my machine and I had to manually disable it. So, someone must have gotten the wrong information . . .

    Whoops! Gotta check out both of the Laptops and the other partition on this desktop. I'm pretty sure they'll have SMB1 enabled too. *Sad
     
    Wynona, Jun 30, 2017
    #84
  10. Wynona Win User
    Thanks, Hydrate! Alls I can say is that it's a good thing I don't have to do anything; otherwise I'd prolly be a goner! *Sad
     
    Wynona, Jun 30, 2017
    #85
  11. Wynona Win User
    I don't know if anyone has thought about this one, or if it could present a problem, so I'll just throw it out here to see what y'all think about it . . .


    [IMG]
     
    Wynona, Jun 30, 2017
    #86
  12. Tony K Win User
    I have mine set on and "PCs on my local network, and PCs on the Internet" on my Insider builds only, for I have no personal files there. I set it to off on my CU partition. I'll wait a bit longer for that to update to the next OEM Fall release. Although, they state that it's safe, I don't trust hackers so far as my CU is concerned.

    Windows Update Delivery Optimization: FAQ
     
    Tony K, Jun 30, 2017
    #87
  13. Steve C Win User

    Should home users be blocking those ports and NetBIOS and if so, what's the best way of doing this?
     
    Steve C, Jun 30, 2017
    #88
  14. Steve C Win User
    SMB 1.0 was on by default on all three W10 PCs I have.
     
    Steve C, Jun 30, 2017
    #89
  15. Tony K Win User
    You mean to say it was an Accounting Software Company in Ukraine, yes? At least that was in the articles linked in the OP. Have you found otherwise?

    So far as accusations that Russians being a “big state sponsors of cyberattacks”; Not doubting that, but how about our own government with possible attacks and proven hacking to spy on we citizens? Or any country for that matter. Isn’t that an attack on our privacy? That’s the whole motive using EternalBlue and other spyware. Thank our government for their insecure systems to ultimately give these idiots the tools they needed.

    Anywho, here’s a report from MS:

    New ransomware, old techniques: Petya adds worm capabilities Windows Security
     
    Tony K, Jun 30, 2017
    #90