Risks of Unsupported Operating Systems (CYBR650, Week 5)

As I posted last week, the Petya ransomware attack might have been more of a disruptive or damage-inflicting attack than one driven by a ransom motive.

The Petya malware (or NotPetya, as some researchers call it, since it only borrows parts of the original Petya; Krebs, 2017) propagated by exploiting vulnerabilities in version 1 of the SMB (Server Message Block) protocol (Mackie, 2017). This is another good reason not to run operating systems that are past the end of their support lifecycle, or "sunsetted."

While an operating system is supported, newly discovered vulnerabilities are reported to the vendor, which then creates a patch or "fix" for them. After support ends, as it has for Windows XP and Windows Server 2003, no patches should be expected when additional vulnerabilities are discovered. Microsoft did release an out-of-band MS17-010 fix for XP and Server 2003 during the WannaCry outbreak, but an exception made under emergency conditions is not something to plan around. This leaves the users of those systems at perpetual risk until they upgrade or retire them.

Petya spreads from machine to machine through remote code execution against the SMBv1 server. (Inside a network it also moved laterally with harvested credentials over PsExec and WMIC, so disabling SMBv1 alone would not have contained it, but it removes the entry point that needs no credentials at all.) Microsoft has deprecated SMBv1 for years and recommends disabling the protocol completely. This is another good reason not to keep XP or Server 2003 in an environment: those operating systems support only SMBv1, so every file share they touch has to keep the protocol turned on. Also, some older scanner/printers rely on SMBv1 for their "Scan To" (scan-to-folder) feature, so newer servers that receive those scans often still have SMBv1 enabled and are exposed. Before turning it off, audit which clients still negotiate SMBv1 and plan to reconfigure or replace those devices rather than leave the protocol enabled for them.

Microsoft Security Bulletin MS17-010 has an explanation and links to patches for various Windows versions:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
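Putting the recommendations above into a script, as an added example (mine, not code from the original post or from Microsoft): it reports whether the SMBv1 server is enabled, checks the installed-update list for MS17-010 KB numbers, turns on SMBv1 access auditing so the scan-to-folder printers and other legacy clients show up before the protocol is cut off, and disables SMBv1 on a second run with -Disable. The KB list is an assumed subset of the bulletin's KBs (verify it against MS17-010 for your exact OS and branch); the audit log name, Event ID 3000, the SMB1 registry value and the SMB1Protocol optional feature are the ones Microsoft documents for SMBv1 auditing and for disabling SMBv1 on Windows 7 / Server 2008 R2 and on Windows 8.1 / 10.

```powershell
# Added example (not from the original post): audit, patch-check and disable
# the SMBv1 server on a Windows host. Run from an elevated PowerShell session.
# First run: report + enable auditing. Second run with -Disable: turn SMBv1 off.
#Requires -RunAsAdministrator
[CmdletBinding()]
param([switch]$Disable)

# Assumption: a hand-picked subset of the KB numbers listed in MS17-010.
# Confirm the right KB for your OS/branch in the bulletin before relying on it.
$Ms17010KBs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012598', 'KB4013429')
$LanmanKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # $true when the SMBv1 server is enabled. Windows 8 / Server 2012 and later
    # expose the setting via Get-SmbServerConfiguration; on Windows 7 /
    # Server 2008 R2 the registry value SMB1 governs it (absent means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Test-Ms17010Installed {
    # $true if one of the MS17-010 KBs appears in the installed-update list.
    # Later cumulative updates supersede these KBs, so a miss means "check
    # further" (e.g. compare the OS build number), not "definitely vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010KBs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Enable-Smb1Audit {
    # Find out who still speaks SMBv1 before cutting it off (the scan-to-folder
    # printers are the usual suspects). Windows 10 / Server 2016 and later log
    # each SMBv1 session as Event ID 3000 in Microsoft-Windows-SMBServer/Audit.
    try {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force -ErrorAction Stop
    } catch {
        Write-Warning "SMBv1 access auditing is not available on this OS; check file-server logs instead."
    }
}

function Get-Smb1Clients {
    # SMBv1 client sessions recorded since auditing was enabled.
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 3000 } |
        Select-Object TimeCreated, Message
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Windows 8.1 / 10 also ship SMBv1 as an optional feature; remove it so
        # the protocol cannot quietly come back. Skipped silently where absent.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    } else {
        # Windows 7 / Server 2008 R2 method (registry value SMB1 = 0); needs a reboot.
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

Write-Output ("SMBv1 server enabled  : {0}" -f (Get-Smb1ServerState))
Write-Output ("MS17-010 KB installed : {0}" -f (Test-Ms17010Installed))
if (-not (Get-Smb1ServerState)) { return }

if ($Disable) {
    Disable-Smb1Server
    Write-Output "SMBv1 server disabled (a reboot may be required)."
} else {
    Enable-Smb1Audit
    $clients = @(Get-Smb1Clients)
    Write-Output ("SMBv1 client sessions logged so far: {0}" -f $clients.Count)
    $clients | Format-Table -AutoSize
    Write-Output "Re-run with -Disable once no legitimate SMBv1 clients appear."
}
```

Run it once without arguments and leave the host running for a few days so the audit log captures the printers and any other legacy clients, then run it again with -Disable. The script only touches the SMBv1 server side; the SMBv1 client (the mrxsmb10 driver) is disabled separately, and the MS17-010 check is a hint, not proof, since later cumulative updates replace the listed KBs.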

References:

Krebs, B. (2017, June 27). 'Petya' ransomware outbreak goes global. Krebs on Security. Retrieved June 30, 2017, from https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/#more-39734

Mackie, K. (2017, June 28). New Petya ransomware outbreak tapping SMB 1 Windows flaw. Redmond Magazine. Retrieved July 9, 2017, from https://redmondmag.com/articles/2017/06/27/petya-ransomware-outbreak.aspx