Disable SMBv1 to Mitigate Petya

By Roy, on June 27th, 2017

On June 27th a ransomware campaign named Petya (the current variant is also called Petwrap) spread around the world, successfully attacking organizations including governments, banks, airports and manufacturers.

As stated by The Hacker News:

“The WannaCry ransomware is not dead yet and another large-scale ransomware attack is making chaos worldwide, shutting down computers at corporations, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins.

According to multiple sources, a new variant of Petya ransomware, also known as Petwrap, is spreading rapidly with the help of the same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours.”

Petya is more harmful than WannaCry. The campaign uses a sophisticated exploitation technique that was leaked from the NSA, which gives the ransomware fast lateral distribution once it is inside the organization. The Petya attack abuses the SMBv1 protocol, which Microsoft recommended organizations stop using about 3 years ago. As stated in a blog post we published earlier this year, Microsoft encourages organizations to move to the newer SMB versions and to harden SMBv1: https://calcomsoftware.com/disable-hardening-smbv1/

During the past 6 months, several critical vulnerabilities allowing remote code execution were found in the SMBv1 protocol. Alongside Microsoft, US-CERT and CIS also encourage organizations to stop using SMBv1 or to harden it. Although Microsoft has published patches that should be applied immediately, there are reports of patched servers that got infected: Petya also spreads inside a network by harvesting credentials and using legitimate administration tools such as PsExec and WMIC, so a fully patched host can still be infected from a compromised neighbour. Disabling SMBv1 closes the exploit path but not the credential path, which is why patching alone is only a temporary measure. This 30-year-old protocol likely has further vulnerabilities that have yet to be discovered.

Hardening SMBv1 should take place immediately and is critical for protecting the organizational network. The same exploit methodology used by the Petya and WannaCry campaigns can be reused by other attacks that target other or newly discovered vulnerabilities in SMBv1.

IT teams should keep in mind that disabling SMBv1 carries operational risk, as legacy systems and applications may still depend on it; SMBv1 usage should be mapped and all dependencies identified on each server before hardening. The learning capabilities of the Calcom Hardening Solution (CHS) save time and lower the operational risk of hardening SMBv1: CHS learning mode automatically maps protocol usage and reveals the systems and applications that depend on it.
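As an added example of the two steps described above (map SMBv1 usage first, then disable it), here is a PowerShell script written for this post; it is not code from the original article and has nothing to do with the CHS product. It assumes a Windows Server 2016 / Windows 10 or later host with the built-in SmbShare cmdlets (Get-/Set-SmbServerConfiguration, Get-SmbConnection), that SMB1 access auditing writes event ID 3000 to the Microsoft-Windows-SMBServer/Audit log, and it introduces its own marker file and a 14-day observation window, both of which are local choices rather than anything Microsoft specifies.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or from Calcom's CHS product.
# Step 1-2: turn on SMBv1 auditing and report inbound SMBv1 clients and outbound
# SMBv1 connections. Step 3: disable SMBv1 only when -Disable is given AND the
# observation window has elapsed with no SMBv1 use seen.
# Assumptions: SmbShare cmdlets exist (Windows Server 2016 / Windows 10 and later);
# SMB1 audit events are ID 3000 in Microsoft-Windows-SMBServer/Audit; the marker
# file and observation window below are local conventions chosen for this example.
param(
    [int]$ObservationDays = 14,   # assumption: days of audit data required before "no use" is trusted
    [switch]$Disable              # hardening only happens when explicitly requested
)

# Assumption: a local file recording when auditing was first switched on.
$AuditMarker = Join-Path $env:ProgramData 'smb1-audit-started.txt'

function Enable-Smb1Audit {
    # Step 1 (mapping): log every SMBv1 client that connects, without blocking anything.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    if (-not (Test-Path $AuditMarker)) {
        Get-Date -Format o | Set-Content -Path $AuditMarker
    }
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access
}

function Get-Smb1Clients {
    # Step 2 (mapping, inbound): remote hosts that negotiated SMBv1 against this server.
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$ObservationDays)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The audit message reads "SMB1 access ... Client Address: <ip>"; keep only the address.
            if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } else { $_.Message }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ Name = 'Client'; Expression = { $_.Name } }, Count
}

function Get-Smb1Connections {
    # Step 2 (mapping, outbound): shares this host itself reaches over SMBv1, i.e. legacy
    # servers that would break once the client-side SMB1 redirector is disabled.
    Get-SmbConnection -ErrorAction SilentlyContinue |
        Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
        Select-Object ServerName, ShareName, UserName, Dialect
}

function Disable-Smb1 {
    # Step 3 (hardening). Server side: stop accepting SMBv1; effective immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB 1.0/CIFS component where the feature exists (Server 2012 R2 and later).
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null
    }
    # Client side (Microsoft KB 2696547): make the Workstation service depend only on the
    # SMB2 redirector and stop the SMB1 redirector from loading. Takes effect after reboot.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
}

Enable-Smb1Audit | Format-List
$inbound  = @(Get-Smb1Clients)
$outbound = @(Get-Smb1Connections)
$auditAge = (Get-Date) - [datetime](Get-Content $AuditMarker)

if ($inbound.Count -gt 0 -or $outbound.Count -gt 0) {
    Write-Warning 'SMBv1 is still in use; resolve these dependencies before disabling it.'
    if ($inbound.Count -gt 0)  { 'Inbound SMBv1 clients:';     $inbound  | Format-Table -AutoSize }
    if ($outbound.Count -gt 0) { 'Outbound SMBv1 connections:'; $outbound | Format-Table -AutoSize }
}
elseif ($auditAge.TotalDays -lt $ObservationDays) {
    # Edge case: an empty audit log proves nothing until it has been collecting long enough.
    "Auditing has run for only {0:N1} days; wait until {1} days have elapsed before disabling." -f $auditAge.TotalDays, $ObservationDays
}
elseif ($Disable) {
    Disable-Smb1 | Format-List
}
else {
    "No SMBv1 use observed for $ObservationDays days. Re-run with -Disable to turn the protocol off."
}
```

Run the script once to switch auditing on, let it collect during a full business cycle (month-end jobs and backups included), then run it again with -Disable; it refuses to disable while the window has not elapsed or while any SMBv1 client or outbound connection is still seen. The client-side sc.exe changes need a reboot, and on Windows 7 / Server 2008 R2, where the SmbShare cmdlets are not available, the registry and sc.exe procedure in Microsoft KB 2696547 replaces the Set-SmbServerConfiguration calls. Note that this only maps SMBv1 traffic that actually reaches the host during the window; a device that connects quarterly will not show up, which is why the window should be chosen per environment rather than taken from this example.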

This attack is just one example out of many that organizations could avoid by implementing common hardening standards for their computers.

Petya Effect:

For more information: