Windows 10: New global ransomware attack hits East Europe and spreading

Page 9 of 10

  1. Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit
       30 Jun 2017 #81

    bro67 said:
    AndreTen, I think that we can at least now state to enable Firewall protection full time on any system, whether it is running Linux, Mac OS or Windows. When troubleshooting problems, we are all going to have to remember to address the issue of if a person has a firewall enabled and make sure that everyone asks what security software they are running also. The fact that if someone blocks or disables Netbios and/or SMB ports, it will break the system.
    I have extremely strict firewall rules that disables NetBIOS and SMB completely, I absolutely agree. I don't use those protocols and it's not necessary.

    f14tomcat, I legitimately thought you were trying to be a smarty pants and prove me wrong, and I mistook it for not being a genuine advice-based question.


    AndreTen said:
    Guys, don't worry so much about SMBv1 for home networks (OK, it's not something you really need), unless you have some irresponsible admin user in your network. This is not 1st line of attack. Any router will block this.

    Main danger for home users is still phishing with attachments and browsing on internet.
    You dismiss Petya's attack vector too simply.

    If there is an admin with admin$ shares enabled, connected to other clients or hosts, or SMB v1 enabled and/or NetBIOS enabled, Petya will have a feast on the network and scan for lateral infection. Anyone with a share is a possible target for PSEXEC remote file execution infecting the system (the target user needs administrative privileges). Windows Management Instrumentation command-line is also a method used to propagate itself on the local network if PSEXEC fails.

    Petya utilizes ports 137, 138, 139 and 445, inbound and outbound, on the local network; outbound connections must be blocked or restricted to application demand.

    Then you have nothing to worry about, regardless of having a router with basic set up.

    Shares will be accessed, so it is a pertinent threat to home users once infected.


  2. Posts : 19,460
    Windows 10 Insider Preview Build 17083
       30 Jun 2017 #82

    f14tomcat said:
    Thanks, I have uninstalled that feature. The only reason I asked was this was a clean install about a month ago, and it was enabled by default. I did not proactively enable the feature. Not running XP. And don't have an old printer. That is odd to me.
    I've seen quotes here and there that SMB1 was no longer enabled since March, but when I went in to check, it was enabled in my machine and I had to manually disable it. So, someone must have gotten the wrong information . . .

    Whoops! Gotta check out both of the Laptops and the other partition on this desktop. I'm pretty sure they'll have SMB1 enabled too.


  3. Posts : 19,460
    Windows 10 Insider Preview Build 17083
       30 Jun 2017 #83

    Hydrate said:
    I'll challenge myself here to translate into layman's terms. The blue flags indicate where Microsoft's protection against the ransomware is available and mitigated the threat and eliminated it.

    1. A malicious software update containing the petya.dll (dynamic link library) provided by the threat actor (entity responsible for this madness) was executed upon patient zero's machine, knowing it had been vulnerable, supposedly a client of a Ukrainian accounting company who has run into similar security issues. AppLocker would have restricted access to executable files, therefore stopping Petya.
    2. This allows the malware to propagate and hijack the master boot record with full privileges from SeDebug.


    I just got too lazy to continue, but essentially the SMB exploits spread across the network from the other machines running SMB v1, steal network credentials, find a list of all other machines, and spread again using WMIC and PSEXEC commands for remote execution across the network, allowing petya.dll to spread and hijack more MBRs.
    Thanks, Hydrate! All I can say is that it's a good thing I don't have to do anything; otherwise I'd prolly be a goner!


  4. Posts : 19,460
    Windows 10 Insider Preview Build 17083
       30 Jun 2017 #84

    Hydrate said:
    I have extremely strict firewall rules that disables NetBIOS and SMB completely, I absolutely agree. I don't use those protocols and it's not necessary.

    f14tomcat, I legitimately thought you were trying to be a smarty pants and prove me wrong, and I mistook it for not being a genuine advice-based question.

    You dismiss Petya's attack vector too simply.

    If there is an admin with admin$ shares enabled, connected to other clients or hosts, or SMB v1 enabled and/or NetBIOS enabled, Petya will have a feast on the network and scan for lateral infection. Anyone with a share is a possible target for PSEXEC remote file execution infecting the system (the target user needs administrative privileges). Windows Management Instrumentation command-line is also a method used to propagate itself on the local network if PSEXEC fails.

    Petya utilizes ports 137, 138, 139 and 445, inbound and outbound, on the local network; outbound connections must be blocked or restricted to application demand.

    Then you have nothing to worry about, regardless of having a router with basic set up.

    Shares will be accessed, so it is a pertinent threat to home users once infected.
    I don't know if anyone has thought about this one, or if it could present a problem, so I'll just throw it out here to see what y'all think about it . . .

    [Attached image: Security.PNG]


  5. Posts : 38,043
    Dual boot Windows 10 FCU Pro x 64 & current Insider 10 Pro
       30 Jun 2017 #85

    Wynona said:
    I don't know if anyone has thought about this one, or if it could present a problem, so I'll just throw it out here to see what y'all think about it . . .
    I have mine set on and "PCs on my local network, and PCs on the Internet" on my Insider builds only, for I have no personal files there. I set it to off on my CU partition. I'll wait a bit longer for that to update to the next OEM Fall release. Although, they state that it's safe, I don't trust hackers so far as my CU is concerned.

    Can Delivery Optimization access my personal files?

    Delivery Optimization doesn’t access your personal files or folders or change any files on your PC.
    Windows Update Delivery Optimization: FAQ


  6. Posts : 2,470
    Windows 10 Home x64 (Laptop), Windows 10 Pro x64 (Desktop)
       01 Jul 2017 #86

    Hydrate said:
    I have extremely strict firewall rules that disables NetBIOS and SMB completely, I absolutely agree. I don't use those protocols and it's not necessary.

    f14tomcat, I legitimately thought you were trying to be a smarty pants and prove me wrong, and I mistook it for not being a genuine advice-based question.

    You dismiss Petya's attack vector too simply.

    If there is an admin with admin$ shares enabled, connected to other clients or hosts, or SMB v1 enabled and/or NetBIOS enabled, Petya will have a feast on the network and scan for lateral infection. Anyone with a share is a possible target for PSEXEC remote file execution infecting the system (the target user needs administrative privileges). Windows Management Instrumentation command-line is also a method used to propagate itself on the local network if PSEXEC fails.

    Petya utilizes ports 137, 138, 139 and 445, inbound and outbound, on the local network; outbound connections must be blocked or restricted to application demand.

    Then you have nothing to worry about, regardless of having a router with basic set up.

    Shares will be accessed, so it is a pertinent threat to home users once infected.
    Should home users be blocking those ports and NetBios and if so, what's the best way of doing this?


  7. Posts : 2,470
    Windows 10 Home x64 (Laptop), Windows 10 Pro x64 (Desktop)
       01 Jul 2017 #87

    f14tomcat said:
    Wasn't worried about anything. Just curious why it was enabled by default. Haven't had any problems, and don't intend to.

    And the only admin user on this box is me........
    SMB 1.0 was on by default on all three W10 PCs I have.
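    The "SMB 1.0 was on by default" finding that f14tomcat (post #82) and Steve C (post #87) both report can be checked and fixed from an elevated PowerShell prompt rather than the Windows Features dialog. The script below is an added example, not something posted in the thread; it assumes the feature name SMB1Protocol and the client redirector driver mrxsmb10 that Microsoft documents for Windows 10 1703 (later builds split the feature into SMB1Protocol-Client and SMB1Protocol-Server), and that the built-in SmbShare and Dism modules are present. By default it only audits; pass -Remediate to actually turn SMBv1 off.

```powershell
# Added example, not code from the thread: audit SMBv1 on a Windows 10 box and,
# only when -Remediate is passed, turn it off on both the server and client side.
# Run from an elevated PowerShell prompt. Assumes the optional feature is named
# SMB1Protocol and the client redirector driver mrxsmb10, as on Windows 10 1703.
[CmdletBinding()]
param([switch]$Remediate)

function Get-Smb1Status {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    # Kernel drivers are not Win32 services, so Get-Service will not list mrxsmb10;
    # Win32_SystemDriver exposes its start mode instead.
    $driver  = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
    [pscustomobject]@{
        OptionalFeature   = $feature.State             # Enabled / Disabled
        ServerAcceptsSmb1 = $server.EnableSMB1Protocol # inbound SMB1 negotiation
        ClientDriverStart = $driver.StartMode          # Auto = will still talk SMB1 to old servers
    }
}

'--- before ---'
Get-Smb1Status | Format-List

# What would break: any live session that negotiated an SMB 1.x dialect (old NAS,
# printer, XP box) will fail once SMB1 is gone, so list those first.
$legacy = Get-SmbConnection | Where-Object { $_.Dialect -like '1.*' }
if ($legacy) {
    'These connections currently use SMB1 and will fail once it is disabled:'
    $legacy | Select-Object ServerName, ShareName, Dialect | Format-Table
}

if ($Remediate) {
    # Server side: stop accepting SMB1 immediately; no reboot needed for this step.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional feature (server and client binaries); completes after reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # Client side, per Microsoft's published guidance: drop mrxsmb10 from the
    # workstation service's dependency list and disable the driver itself.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    '--- after (reboot to complete) ---'
    Get-Smb1Status | Format-List
}
```

    Run it once without the switch on each machine; if the audit shows OptionalFeature Enabled or ClientDriverStart Auto, the box still speaks SMB1 even if you never touched the setting. Disabling the server side alone stops inbound SMB1 (the direction the EternalBlue exploit uses) but leaves the box able to fall back to SMB1 as a client, which is why the script handles both.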


  • Posts : 38,043
    Dual boot Windows 10 FCU Pro x 64 & current Insider 10 Pro
       01 Jul 2017 #88

    essenbe said:
    No, I have no evidence, nor have I heard any, that the Russians did it, but they are big state sponsors of cyberattacks. Most of the sources state it did start with an Accounting Software Company in Russia though. That puts it a lot closer to Russia than anyone else. But yes, still speculation.
    You mean to say it was an Accounting Software Company in Ukraine, yes? At least that was in the articles linked in the OP. Have you found otherwise?

    So far as accusations of the Russians being "big state sponsors of cyberattacks": not doubting that, but how about our own government with possible attacks and proven hacking to spy on us citizens? Or any country for that matter. Isn't that an attack on our privacy? That's the whole motive for using EternalBlue and other spyware. Thank our government for their insecure systems ultimately giving these idiots the tools they needed.

    Anywho, here’s a report from MS:

    On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.
    (Source: Microsoft Windows Security blog, "New ransomware, old techniques: Petya adds worm capabilities")


  • Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit
       01 Jul 2017 #89

    Wynona said:
    Thanks, Hydrate! All I can say is that it's a good thing I don't have to do anything; otherwise I'd prolly be a goner!
    Of course! My specialty is InfoSec and IT security. So, I've really invested my time into this new wiper.

    Steve C said:
    Should home users be blocking those ports and NetBios and if so, what's the best way of doing this?
    To reduce the attack surface and minimize the probability of the malware spreading and to prevent future attacks, yes. I recommend blocking these ports unless you use NetBIOS. I agree with Symantec as they explain if you do not use SMB or Windows Network File Sharing capabilities, turn off NetBIOS and SMB, as well as adding the port configurations for extra protection.

    Wynona said:
    I don't know if anyone has thought about this one, or if it could present a problem, so I'll just throw it out here to see what y'all think about it . . .

    [Attached image: Security.PNG]
    Not necessarily a problem unless you have other P2P clients and services running on your IP address (assuming a poorly configured firewall and router; best to assume the worst to be secure), which can be used by attackers for a remote execution exploit or to run some arbitrary code if that software is not updated and remains vulnerable.

    I turn it off because I have high speed internet and all the time in the world to download updates (automatically).

    Steve C said:
    Should home users be blocking those ports and NetBios and if so, what's the best way of doing this?
    If you do not use NetBIOS, I suggest you turn it off in services to reduce attack surface; it's a great way for hackers to get in on a Windows box.

    I found all the rules required to block the current strain of Petya we know of (thanks, Symantec <3):

    • Add the following Inbound network rules:
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any
      • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any

    • Add the following Outbound network rules:
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139
      • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445

    My policy is that for the ports listed, you access your Firewall (assuming for Windows 10) from:

    Create new firewall rules according to the rules I have described above.

    If you would like, I will create a powershell script to append the same rules to your current firewall configurations!
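    Hydrate offers to script the eight rules above. As an added example, and not Hydrate's script or anything else posted in the thread, here is one way to create them with the NetSecurity module that ships with Windows 8 and later. The group name is an assumption chosen so the rules can be listed and removed as a set; the rules apply to all three profiles, and because block rules take precedence over allow rules in Windows Firewall they override the built-in File and Printer Sharing exceptions too. Run it from an elevated prompt.

```powershell
# Added example, not Hydrate's promised script: create the inbound/outbound deny
# rules for NetBIOS (137-139 TCP+UDP) and SMB (445 TCP) listed in the post above.
# Run elevated. The group name below is a hypothetical label, not a Windows default.
$group = 'Petya-NetBIOS-SMB-Block'

# Port/protocol pairs exactly as in the post: 137, 138, 139 on both TCP and UDP,
# 445 on TCP only (SMB over TCP has no UDP form).
$targets = @(
    @{ Port = 137; Protocols = 'TCP', 'UDP' },
    @{ Port = 138; Protocols = 'TCP', 'UDP' },
    @{ Port = 139; Protocols = 'TCP', 'UDP' },
    @{ Port = 445; Protocols = 'TCP' }
)

# Remove any earlier copy of this group first so the script can be re-run safely.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($t in $targets) {
    foreach ($proto in $t.Protocols) {
        # Inbound rule: drop anything from any remote address aimed at the local port.
        New-NetFirewallRule -DisplayName "Block inbound $proto $($t.Port)" -Group $group `
            -Direction Inbound -Action Block -Protocol $proto -LocalPort $t.Port `
            -RemoteAddress Any -Profile Any | Out-Null
        # Outbound rule: stop this host from reaching that port on any other machine,
        # which is the lateral-movement direction once a box is already infected.
        New-NetFirewallRule -DisplayName "Block outbound $proto $($t.Port)" -Group $group `
            -Direction Outbound -Action Block -Protocol $proto -RemotePort $t.Port `
            -RemoteAddress Any -Profile Any | Out-Null
    }
}

# Verify what was created, joining each rule to its port filter.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    '{0,-24} {1,-8} {2,-4} local={3,-4} remote={4}' -f `
        $_.DisplayName, $_.Direction, $pf.Protocol, $pf.LocalPort, $pf.RemotePort
}
```

    Expect sixteen rules (seven port/protocol pairs would be fourteen; 137, 138 and 139 on TCP and UDP plus 445 on TCP is seven pairs, each inbound and outbound, so fourteen rules; the verify loop prints one line per rule). The outbound 445 and 139 rules mean this PC can no longer open shares or SMB printers on other machines, which is the trade-off Hydrate's "I don't use those protocols" reply accepts; if that is not your situation, drop the outbound rules and keep only the inbound ones. To undo everything: Get-NetFirewallRule -Group 'Petya-NetBIOS-SMB-Block' | Remove-NetFirewallRule.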


  • Posts : 2,470
    Windows 10 Home x64 (Laptop), Windows 10 Pro x64 (Desktop)
       02 Jul 2017 #90

    Great post 89 by Hydrate! I disabled NetBios as suggested. I also see you can disable NetBIOS via the TCP settings from the network adapter. Which is the best approach?

    I use Kaspersky Total Security and tried disabling the ports in KTS. However, video streaming from BBC iPlayer stops as soon as I disable port 137. It seems disabling these ports is not a good idea for me. It would be useful to know what these ports are used for so people can decide whether to disable them.
    Last edited by Steve C; 02 Jul 2017 at 01:36.
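    Steve C asks what the four ports are for and whether the adapter setting or the service is the right place to switch NetBIOS off. The roles are the standard assignments: 137/udp is the NetBIOS name service, 138/udp the NetBIOS datagram service, 139/tcp the NetBIOS session service (SMB carried over NetBT), and 445/tcp is SMB directly over TCP. The per-adapter "Disable NetBIOS over TCP/IP" setting and firewall rules do different things: the adapter setting stops that interface from speaking NetBT at all (so 137, 138 and 139 close on it) but leaves 445 open, since that is plain SMB; firewall rules drop traffic on all four ports but leave the services running underneath. The script below is an added example, not from the thread; it assumes an elevated prompt and the Win32_NetworkAdapterConfiguration class, and first shows what is actually bound to those ports so you can see what a block would affect.

```powershell
# Added example, not code from the thread: show what is bound to the four ports
# discussed above, then disable NetBIOS over TCP/IP on every IP-enabled adapter.
# Run elevated. Port roles: 137/udp name service, 138/udp datagram service,
# 139/tcp NetBIOS session (SMB over NetBT), 445/tcp SMB directly over TCP.
$ports = 137, 138, 139, 445

'--- current listeners on 137/138/139/445 ---'
Get-NetUDPEndpoint | Where-Object { $ports -contains $_.LocalPort } | ForEach-Object {
    '{0,3}/udp  {1,-22} pid={2}' -f $_.LocalPort, $_.LocalAddress, $_.OwningProcess
}
Get-NetTCPConnection -State Listen | Where-Object { $ports -contains $_.LocalPort } | ForEach-Object {
    '{0,3}/tcp  {1,-22} pid={2}' -f $_.LocalPort, $_.LocalAddress, $_.OwningProcess
}
# pid 4 is the System process: the NetBT and SMB server kernel drivers own these
# ports, which is why there is no user-mode program to uninstall or firewall by name.

'--- NetBIOS over TCP/IP setting per adapter ---'
# TcpipNetbiosOptions: 0 = use the DHCP server's setting (the default), 1 = enabled, 2 = disabled.
$configs = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($c in $configs) {
    '{0,-45} option={1}' -f $c.Description, $c.TcpipNetbiosOptions
}

'--- disabling NetBIOS over TCP/IP (same as the adapter WINS tab) ---'
foreach ($c in $configs) {
    # SetTcpipNetbios is the instance method behind the WINS tab radio buttons.
    $r = Invoke-CimMethod -InputObject $c -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
    # ReturnValue 0 = applied, 1 = applied but reboot required.
    '{0,-45} SetTcpipNetbios -> {1}' -f $c.Description, $r.ReturnValue
}
```

    After this runs, 137, 138 and 139 disappear from the listener list on the affected adapters but 445 remains, so the adapter setting on its own does not close the path Petya's SMB spreading uses; it removes the NetBIOS name-resolution and session layer, which is the part most home networks no longer need. Note that a new adapter (a fresh VPN or USB NIC, for example) starts with option 0 again, so re-run the audit section when hardware changes.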

