Protecting against Ransom-WannaCry (May 2017)
Technical Articles ID:   KB89335
Last Modified:  7/20/2017

Environment

McAfee products that use DATs


For more information about this attack and McAfee consumer products, see TS102675.

Summary

McAfee is aware of a new variant of ransomware that has been detected in corporate environments. Threat Name: Ransom-WannaCry (also known as WCry, WanaCrypt, WannaCrypt, and WanaCrypt0r).

Read McAfee's observations and analysis here: https://securingtomorrow.mcafee.com/business/analysis-wannacry-ransomware-outbreak/
Read McAfee's official Threat Advisory here: PD27077.
See also the information in this Technical Brief: https://www.mcafee.com/us/resources/solution-briefs/sb-how-to-protect-against-ransomware.pdf

McAfee has released an emergency DAT to include coverage for Ransom-WannaCry, and subsequent DATs will also include coverage. Minimum DATs for coverage: 

  • VSE (8527) or higher * 
  • ENS (2978) or higher *

* McAfee-defined content protection against known variants.  

The Extra.DAT attached to this article will be included in VSE 8530 and ENS 2981.

As a best practice, configure repository update tasks with a minimal refresh interval to ensure new content is applied when McAfee releases it.

This article will be updated as additional information is available. Please continue to monitor this document for updates.

Topics in this article

Symptoms of infected systems
VSE Access Protection rules
ENS Access Protection rules
ENS Adaptive Threat Protection – Real Protect and Dynamic Application Containment
ENS Dynamic Application Containment rules
Advanced Threat Defense coverage for WannaCry Ransomware
McAfee NSP coverage for WannaCry Ransomware
Frequently Asked Questions


Recent updates to this article
Date Update
July 20, 2017 Added Advanced Threat Defense content updates for WannaCry. Added FAQs in response to customer questions.
July 18, 2017 Several small additions and tweaks in response to customer questions.
June 15, 2017 Removed the Host Intrusion Prevention section. McAfee is investigating proactive measures for this product.
June 9, 2017 Added WannaCrypt as a Threat Name variant.
May 16, 2017 2:30 PM CDT Added ENS ATP settings.
May 15, 2017 11:30 AM CDT Updated Extra.DAT file EXTRA_20170514-2.zip for easier implementation on ENS.
May 15, 2017 11:00 AM CDT Updated FAQs with new question.
May 15, 2017 10:00 AM CDT Updated Extra DAT language about it being included in VSE 8530 and ENS 2981. Updated the DAC rules section.
May 14, 2017 12:45 PM CDT Updated Extra DAT attachment and language about it being required even for customers who are running VSE 8529 or ENS 2980.
May 14, 2017 8:55 AM CDT Added link to official Threat Advisory.
May 14, 2017 7:30 AM CDT Updated Extra DAT attachment.
May 13, 2017 3:05 PM CDT Added ENS Dynamic Application Containment rules and internal jumps for easier access to topics in this article. Added note to McAfee consumer customers that this article does not apply to their McAfee products.
May 13, 2017 11:15 AM CDT Updated Extra DAT attachment and language about it being required with 8527 or 8528.
May 13, 2017 9:15 AM CDT Added that emergency DAT was released, and minimum DATs for coverage.
May 12, 2017 11:55 PM CDT Added reference to KB55447 for NSP signatures.
May 12, 2017 6:00 PM CDT Added NSP signatures.
May 12, 2017 5:30 PM CDT Added link to the blog and updated an image.
May 12, 2017 5:00 PM CDT Added Frequently Asked Questions section near end of article.
May 12, 2017 4:20 PM CDT Updated Extra.DAT file attachment.
May 12, 2017 3:45 PM CDT
  • Added screenshot of the ransom message on infected machines.
  • Added IMPORTANT note under symptoms list, urging customers to update to Critical Microsoft Patch MS17-010.
May 12, 2017 2:35 PM CDT
  • Added proactive Extra.DAT file in Attachments section of this article for the latest Ransomware variant: Ransom-WannaCry, and links to related articles.
  • Added descriptive information about the VSE and ENS Access Protection Rules.
May 12, 2017 1:05 PM CDT Added synonyms of threat name.
May 12, 2017 12:30 PM CDT Article created and published.



Symptoms of infected systems

This threat exhibits the following symptoms on infected systems:

  • Files are encrypted with the .wnry, .wcry, .wncry, .wcryt, or .wncryt extension. End users see a screen with a ransom message.
  • End users see the Ransom-WannaCry desktop background. [Screenshot of the desktop background omitted.]
  • On restarting, impacted machines show a blue screen error and cannot start.
  • Encryption is seen on the local host and on open SMB shares. IMPORTANT: Customers should immediately install the Critical Microsoft Patch MS17-010 to prevent SMB shares from becoming encrypted: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

VirusScan Enterprise (VSE) and Endpoint Security (ENS) Access Protection Proactive Measures
 

NOTE: The VSE and ENS Access Protection rules prevent creation of the .WNRY file. This block stops the encryption routine, which is the stage at which encrypted files with a .WNCRYT, .WNCRY, and/or .WCRY extension appear. Because the block on .WNRY stops that routine, separate blocks for the encrypted file extensions are not necessary.



Use VSE Access Protection rules:

Rule1:

Rule Type: Registry Blocking Rule
Process to include: *
Registry key or value to protect: HKLM - /Software/WanaCrypt0r
Registry key or value to protect: Key
File actions to prevent: Create key or value

Rule2:

Rule Type: File/Folder Blocking Rule
Process to include: *
File or folder name to block: *.wnry
File actions to prevent: New files being created


Use ENS Access Protection rules:

Rule1:

Executable1:

Inclusion: Include
File Name or Path: *



SubRule1:

SubRule Type: Registry key
Operations: Create
Target1:

Inclusion: Include
File, folder name, or file path: *\Software\WanaCrypt0r



SubRule2:

SubRule Type: Files
Operations: Create
Target1:

Inclusion: Include
File, folder name, or file path: *.wnry
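As an added example (not McAfee code, and not a feature of VSE or ENS), the following Python script models the two indicators this article gives defenders: the file extensions in the symptoms list, and the two Access Protection rules in the VSE and ENS sections above. It uses fnmatch-style wildcards as an assumption, since VSE and ENS each have their own wildcard syntax (see the FAQ), and every file path and event in it is constructed for illustration.

```python
"""Triage helpers for the Ransom-WannaCry indicators in this article.

Added example, not McAfee code. It models two things the article gives
defenders: the file extensions seen on encrypted files, and the two Access
Protection rules (block creation of *.wnry files and of the
HKLM\\Software\\WanaCrypt0r registry key). All sample paths and events
below are constructed for illustration.
"""
from collections import Counter
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Extensions the article lists on files encrypted by Ransom-WannaCry.
WANNACRY_EXTENSIONS = frozenset({".wnry", ".wcry", ".wncry", ".wcryt", ".wncryt"})

# The VSE/ENS Access Protection rules from the article, as
# (operation, target kind, pattern). Matching uses fnmatch-style wildcards,
# an assumption: VSE and ENS each have their own wildcard syntax (see the FAQ).
ACCESS_PROTECTION_RULES = (
    ("create", "registry", "*\\Software\\WanaCrypt0r"),
    ("create", "file", "*.wnry"),
)


def triage_file_listing(paths):
    """Flag files whose extension matches the WannaCry list.

    Returns (suspect_paths, counts), where counts separates hits on the local
    host from hits on UNC shares, mirroring the article's note that encryption
    is seen on both the local host and open SMB shares.
    """
    suspects = []
    counts = Counter()
    for path in paths:
        suffix = PureWindowsPath(path).suffix.lower()
        if suffix in WANNACRY_EXTENSIONS:
            suspects.append(path)
            counts["smb_share" if path.startswith("\\\\") else "local"] += 1
    return suspects, dict(counts)


def access_protection_verdict(operation, target_kind, target):
    """Return the pattern of the first rule that blocks the event, or None.

    Only 'create' operations are blocked, and only for the .wnry file and the
    WanaCrypt0r registry key; the encrypted-file extensions are deliberately
    not listed, because blocking .wnry stops the encryption routine earlier.
    """
    for op, kind, pattern in ACCESS_PROTECTION_RULES:
        if (op == operation and kind == target_kind
                and fnmatchcase(target.lower(), pattern.lower())):
            return pattern
    return None


# Constructed sample file listing (not real incident data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.WNCRY",
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.wncryt",
    r"\\fileserver\finance\q1-report.docx.wcry",
    r"\\fileserver\finance\q2-report.docx",
    r"C:\Windows\System32\notepad.exe",
]

# Constructed sample events: (operation, target kind, target path).
SAMPLE_EVENTS = [
    ("create", "registry", r"HKLM\Software\WanaCrypt0r"),
    ("create", "file", r"C:\Users\Public\t.wnry"),
    ("create", "file", r"C:\Users\alice\Documents\budget.xlsx.wncry"),
    ("modify", "file", r"C:\Users\Public\t.wnry"),
]

if __name__ == "__main__":
    suspects, counts = triage_file_listing(SAMPLE_LISTING)
    print("suspect files:", suspects)
    print("hits by location:", counts)
    for event in SAMPLE_EVENTS:
        print(event, "->", access_protection_verdict(*event) or "allowed")
```

Running the script prints the flagged files grouped by location and a verdict for each event. Note that creating budget.xlsx.wncry is allowed by both rules; that matches the NOTE above, since the rules are aimed at the .wnry drop that precedes encryption rather than at the encrypted files themselves.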


 


Endpoint Security (ENS) with Adaptive Threat Protection (ATP) – Real Protect and Dynamic Application Containment (DAC) 

ENS 10.5 Adaptive Threat Protection Real Protect, in conjunction with Dynamic Application Containment, provides next-generation protection against unknown exploits.

ENS with ATP provides full protection against all known variants of the WannaCry exploit. McAfee recommends the following ATP configuration for detection of unknown WannaCry variants.

  1. Configure the following setting in the Adaptive Threat Protection – Options policy:

     Rule Assignment = Security (default setting is Balanced)

  2. Configure the following rules in the Adaptive Threat Protection – Dynamic Application Containment policy:

     Dynamic Application Containment – Containment Rules

     See KB87843 – Best Practices for ENS Dynamic Application Containment Rules, and set the recommended DAC rules to Block as prescribed.

 


ENS Dynamic Application Containment rules triggered by Ransom-WannaCry variants

This section lists the Dynamic Application Containment rules that have been observed to trigger on known WannaCry variants. Enabling rules beyond these may not be required to contain related processes that other layers of the ENS security stack do not detect. See KB87843 – Best Practices for ENS Dynamic Application Containment Rules, and set the recommended DAC rules to Block as prescribed.

  • Rule 1: Executing any child process
  • Rule 2: Accessing user cookie locations
  • Rule 3: Creating files with the .html, .jpg, or .bmp extension
  • Rule 4: Creating files with the .exe extension
  • Rule 5: Modifying users' data folders
  • Rule 6: Modifying startup registry locations
  • Rule 7: Modifying critical Windows files and registry locations
  • Rule 8: Reading or modifying files on any network location
  • Rule 9: Modifying files with the .bat extension
  • Rule 10: Modifying files with the .vbs extension
  • Rule 11: Creating files with the .bat extension
  • Rule 12: Reading files commonly targeted by ransomware-class malware
  • Rule 13: Creating files on any network location
  • Rule 14: Writing to files commonly targeted by ransomware-class malware
  • Rule 15: Modifying the hidden attribute bit



Advanced Threat Defense (ATD) Content Update Package for WannaCry available in the following builds, or later:

3.6.x – 3.6.2.103.61987 or later
3.8.x – 3.8.2.170207.59307 or later
3.10.x – 3.10.2.170712.61985 or later
4.0 – Detection included in base install



McAfee NSP coverage for WannaCry Ransomware:

Existing signatures:

  • 0x43c0b800 – NETBIOS-SS: Windows SMBv1 identical MID and FID type confusion vulnerability (CVE-2017-0143)
  • 0x43c0b400 – NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)
  • 0x43c0b500 – NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
  • 0x43c0b300 – NETBIOS-SS: Microsoft Windows SMB Out of bound Write Vulnerability (CVE-2017-0146)
  • 0x43c0b900 – NETBIOS-SS: Windows SMBv1 information disclosure vulnerability (CVE-2017-0147)

The NSP Research Team has reviewed the information for CVE-2017-0148 and has created a User-Defined Signature (UDS). The UDS is available from KB55447, which is available only to registered users. Log in to https://support.mcafee.com and access the article.
 
 


Frequently Asked Questions about Ransom-WannaCry
 

Will having McAfee Application Control (MAC) in block mode help prevent the infection?
Yes, because MAC blocks any new hash values that are not whitelisted.

Does a combination of Threat Intelligence Exchange (TIE) and ATD block this threat on Day 0?
TIE and ATD contained a number of 0-day WannaCry samples. For those that were missed, further intelligence was added to the cloud, which picked up subsequent WannaCry variants as 0-day. ATD also released content updates specific to WannaCry. These content updates are available in current builds.

Why are you naming the Access Protection rules generically?
Rule names make no impact on the rule itself and can be named anything you desire.

Shouldn't the software key use ‘\’ and not ‘/’ ?
‘\’ is the correct syntax one would enter, but the point product will modify the path and replace all ‘\’ with ‘/’ so that is the reason behind this syntax.

Shouldn't the file extension rule be: **\*.wnry ?
No. Because VSE and ENS use different wildcard syntax, it is best to use *.wnry, as both can utilize this rule properly.

What Daily DAT file will this be released in?
VSE DAT 8527 or later
ENS DAT 2978 or later

Does the DAT solve the issue? Or are the registry updates also required? 
The attached Extra.DAT, the emergency DAT, and all subsequent DATs will catch all known variants submitted to McAfee Labs at this time. The Access Protection rules are suggested as a generic approach to block all known Ransom-WannaCry variants.

Why did McAfee choose Extra.DAT and not put the prevention directly into the DAT?
Extra.DATs are being released and updated in this article as new variants of the threat are discovered in the wild. Because production DATs do not cover these newer variants, we suggest you implement Extra.DATs as they are posted, along with current production DATs.

I found the wording of the article confusing. In one place, it said: "minimum DAT for coverage: VSE 8527" and "subsequent DATs will also include coverage." But in another place it said: "attached extra.dat is required even for customers running VSE 8529." Which is correct?
8527 was the minimum DAT release for the first strain of WannaCry variants. As newer variants were released, these detections were added to the later DAT builds.
 

 

Attachment

EXTRA_20170514-2.zip (6K)


This article is available in English (United States) and Japanese.