Disable SMBv1 to Mitigate Petya

Updated on May 21, 2025

On June 27th a ransomware campaign named Petya (the current version is named Petwrap) spread around the world, successfully attacking organizations such as governments, banks, airports and manufacturers.

As stated by Thehackernews:

“The WannaCry ransomware is not dead yet and another large scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins.

According to multiple sources, a new variant of Petya ransomware, also known as Petwrap, is spreading rapidly with the help of the same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours”.

Unlike WannaCry, Petya is more harmful. The campaign uses a sophisticated attack method that was leaked from the NSA, which allows fast distribution of the ransomware once it is inside the organization. The Petya attack utilizes the SMBv1 protocol, which Microsoft recommended about 3 years ago that organizations stop using. As stated in a blog post we published earlier this year, Microsoft encouraged organizations to move to the newer SMB versions and harden SMBv1: https://calcomsoftware.com/disable-hardening-smbv1

During the past 6 months, a few critical vulnerabilities allowing remote code execution were found in the SMBv1 protocol. Alongside Microsoft, US-CERT and CIS are also encouraging organizations to harden and stop using SMBv1. Although Microsoft has published patches that should be applied immediately, there are reports of patched servers that were still infected. Patching SMBv1 is a temporary solution, as this 30-year-old protocol has many vulnerabilities yet to be revealed, if ever.

Hardening SMBv1 should take place immediately and is critical for protecting the organizational network. The same exploit methodology used by the Petya and WannaCry campaigns can be reused by other attacks exploiting other or newly discovered vulnerabilities in SMBv1.

IT teams should keep in mind that there is an operational risk in disabling SMBv1 as legacy systems and applications might still use it; the usage of the SMBv1 protocol should be mapped and all the dependencies must be revealed on servers before hardening. Using the Calcom Hardening Solution (CHS) learning capabilities saves time and lowers the operational risk related to hardening SMBv1. CHS learning mode provides automated usage mapping and reveals the systems and applications dependent on the protocol.
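The mapping-before-hardening workflow described above, as an added example that is not CalCom's or CHS's code: it uses only built-in Windows cmdlets, assumes an elevated PowerShell session on Windows Server 2016 / Windows 10 or later (needed for the AuditSmb1Access setting), and should be run on each file server in turn.

```powershell
# Added example (not CHS code): map SMBv1 usage on a Windows file server, then disable it.
# Assumes Windows Server 2016 / Windows 10 or later and an elevated session.

# 1. Record the current SMB server protocol settings before touching anything.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access

# 2. Turn on SMBv1 access auditing and leave it running through a full business cycle
#    (weekend batch jobs, month-end reports) so that rarely used legacy dependencies show up.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. Which clients are negotiating SMBv1 right now? Any dialect below 2.0 is SMBv1.
Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens

# 4. After the audit window: list every SMBv1 access the server recorded.
#    Event ID 3000 in the SMBServer audit log is written once per SMBv1 access;
#    its message names the client address, which is what you map to owners/applications.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Sort-Object TimeCreated

# 5. Only once every client found in steps 3 and 4 has been migrated to SMBv2/3 or retired:
#    disable SMBv1 on the server and remove the optional feature (a reboot is required).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 6. Verify the result (expect EnableSMB1Protocol = False and State = Disabled after reboot).
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol | Select-Object State
```

Keep the step 4 output as the dependency record for the server; a client that still appears there after the audit window is the operational risk the paragraph above refers to and needs an owner before step 5 runs.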

This attack is just one example out of many that organizations could avoid by implementing common hardening standards for computers.

Petya Effect:

For more information:

https://thehackernews.com/2017/06/petya-ransomware-attack.html

https://www.scmagazine.com/global-petya-ransomware-attack-spreading-quickly/article/671372/

https://superuser.com/questions/1211055/what-is-the-implication-of-ms17-010-patch-and-smbv1-deactivation-related-to-wann

https://community.spiceworks.com/topic/1995980-smb-v1-and-wannacry-wannacrypt-expliot

https://www.scmagazine.com/no-i-dont-wannacry-and-wannacry-20/article/661490/

Roy
Roy Ludmir is a results-driven Business Development Manager at CalCom with 13 years of experience in enterprise security software. He specializes in strategic partnerships, compliance automation, and DevOps enablement—helping global teams streamline system hardening and boost compliance.
