Protecting against modified Petya ransomware variant (June 2017)
Technical Articles ID:   KB89540
Last Modified:  7/20/2017

Environment

McAfee products that use DATs

NOTE: This article applies only to McAfee business and enterprise products. If you need information or support for McAfee consumer or small business products, visit https://service.mcafee.com.
Consumer article for Petya: TS102703.

Summary

McAfee is aware of a modified Petya ransomware variant (also called PetrWrap, PetWrap, Petya.A, Petja) that has been detected in corporate environments.

  • McAfee has released an Extra.DAT (attached to this article) to include coverage for this threat.
     
  • McAfee has also released an emergency DAT to include coverage for Petya. Subsequent DATs will also include coverage.
    Minimum DATs for coverage:
     
    • VSE: DAT 8574 or later
    • ENS: DAT 3025 or later
       
  • The Extra.DAT attached to this article is included in the DATs shown above. If you have not updated to the DATs shown above, you should continue to use the Extra.DAT attached to this article.
     
  • McAfee also has detection for this threat in Global Threat Intelligence (GTI) File Reputation at the Low sensitivity setting.
 

Read McAfee's observations and analysis here: https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire.

This article will be updated as additional information is available. Please continue to monitor this document for updates.

Recent updates to this article


July 20, 2017: Added synonyms that customers also searched for.
July 19, 2017: Corrected the information regarding PsExec.
July 3, 2017: Updated the recommended Access Protection rules for VirusScan Enterprise and Endpoint Security to more effectively target this specific variant of Petya.
June 28, 2017 17:30 GMT: Added information about ENS DAT 3025.
June 28, 2017 12:45 GMT: Added information about emergency DAT 8574.
June 28, 2017 12:10 GMT: Added link to McAfee's observations and analysis.
June 28, 2017 01:55 GMT: Added information about the Network Security Platform (NSP) User Defined Signature (UDS) with updated coverage.
June 28, 2017 00:40 GMT: Updated Existing signatures to add 0x43c0bd00 NETBIOS-SS: MS17-010 SMB Remote Code Execution (Eternal Tools and WannaCry Ransomware).
June 27, 2017 22:40 GMT:
  • Added Access Protection rules for VSE and ENS.
  • Added more resources in the Related Information section.
June 27, 2017 21:30 GMT:
  • There were reports that some users could not see the updated Extra.DAT, so it was re-attached with a new name. The correct filename is EXTRADAT.zip.
  • Added McAfee NSP coverage for Petya.
June 27, 2017 20:23 GMT: Updated with new Extra.DAT file.


This threat exhibits the following symptoms:

  • Propagation is via the Server Message Block (SMB) protocol, exploiting the MS17-010 vulnerabilities, and via remote execution with the PsExec utility against other systems on the network. The Solution section below addresses both paths: the MS17-010 update closes the SMB path, and the Access Protection rules target the PsExec path.
     
  • The ransomware might display the following message on an infected PC:

    Repairing file system on C:

    The type of the file system is NTFS.
    One of your disks contains errors and needs to be repaired. This process may take several hours to complete. It is strongly recommended to let it complete.

    WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!

    CHKDSK is repairing sector xxxxx of xxxxxxxx (x%)


     
  • After encryption, impacted systems might prompt the user to reboot. After the reboot, a ransom screen similar to the one shown in the original article is displayed (the screenshot is not reproduced in this text version).

  • Extensions currently known to be affected are:  
     
    .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

Solution

As a priority prevention action, install the MS17-010 update on any system that does not already have it. MS17-010 fixes the SMBv1 vulnerabilities (CVE-2017-0143 through CVE-2017-0147) whose exploitation the NSP signatures listed below detect.
 

McAfee NSP coverage for Petya Ransomware
Existing signatures:
  • 0x43c0bd00- NETBIOS-SS: MS17-010 SMB Remote Code Execution (Eternal Tools and WannaCry Ransomware)
  • 0x43c0b800- NETBIOS-SS: Windows SMBv1 identical MID and FID type confusion vulnerability (CVE-2017-0143)   
  • 0x43c0b400- NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)   
  • 0x43c0b500- NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145) 
  • 0x43c0b300- NETBIOS-SS: Microsoft Windows SMB Out of bound Write Vulnerability (CVE-2017-0146)
  • 0x43c0b900- NETBIOS-SS: Windows SMBv1 information disclosure vulnerability (CVE-2017-0147)  
  • 0x451e3300- HTTP: Microsoft Office OLE Arbitrary Code Execution Vulnerability (CVE-2017-0199)
The NSP Research team has created a User Defined Signature (UDS) with updated coverage. The UDS is available to download from KB55447.

The article referenced above is available to registered ServicePortal users only.

To view registered articles:
  1. Log in to the ServicePortal at http://support.mcafee.com.
  2. Type the Article ID in the Search the Knowledge Center field on the Home page.
  3. Click Search or press ENTER. 


Access Protection rules for VirusScan Enterprise (VSE) and Endpoint Security (ENS)
The following Access Protection rules for VSE and ENS can help combat the malware. McAfee has updated the recommended AP rules to more effectively target this specific variant of Petya.

NOTE: These Access Protection rules do not remove the need to implement the Extra.DAT. They are intended to assist in combating the malware, but they will not prevent the malware payload from being created or executed on a system. The two rules prevent rundll32.exe from starting any instance of cmd.exe, and prevent creation of PSEXESVC.EXE, the remote service component that Microsoft Sysinternals PsExec copies to a target system. They do not prevent downloading or saving PsExec itself under its original file name, so an administrator can still keep the utility on hand, but PsExec will not be able to run against a system where the second rule is enforced.
  
VSE Access Protection Rules
Process to include: rundll32.exe
Process to exclude:
File/Folder to block: cmd.exe
Actions: Block execution

NOTE: This prevents the process named rundll32.exe from executing any instance of cmd.exe, which was found to be a core behavior of the malware. It also blocks legitimate software that performs the same behavior, for example custom scripts launched through rundll32.exe, so test the rule against your own administrative tooling before enforcing it broadly.
 
Process to include: *
Process to exclude:
File/Folder to block: **\PSEXESVC.EXE
Actions:  Block creation

NOTE: This prevents any process from creating PsExec's remote service binary, PSEXESVC.EXE. Blocking this file creation helps stop the replication of PsExec, a component used in replication of the malware payload. It does not prevent an administrator from saving new copies of PsExec to systems where this rule is applied, but it does prevent PSEXESVC.EXE from being created on the target system, which blocks the use of PsExec against that system whether the use is malicious or for normal remote administration.
 
 
ENS Access Protection Rules
Rule 1 (block rundll32.exe from executing cmd.exe):
  1. Create a new rule with an inclusion status of "Include" using rundll32.exe for the File name or Path.
  2. Create a sub-rule with a type of "files," and for a target include cmd.exe.
  3. Select the action to prevent execution.

Rule 2 (block creation of PSEXESVC.EXE):
  1. Create a new rule with an inclusion status of "Include" using * for the File name or Path.
  2. Create a sub-rule with a type of "files," and for a target include **\PSEXESVC.EXE.
  3. Select the action to prevent creation.
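As an added illustration (this is not McAfee code and not how the VSE or ENS engine evaluates rules internally), the following Python models the two rules above as matching logic and runs them over constructed process-execution and file-creation events. It shows the two caveats from the notes: a legitimate script launched through rundll32.exe that spawns cmd.exe is blocked exactly like the malware, and saving a renamed copy of PsExec is allowed while the PSEXESVC.EXE it drops on a target is not. The event shapes, the paths, and the matching semantics (a bare name such as cmd.exe matched against the file name only, a pattern containing a backslash against the full path, everything case-insensitive) are assumptions of this example.

```python
"""Model of the two Access Protection rules from this article, run over
constructed endpoint events.  Added illustration only: not McAfee code and
not how VSE/ENS evaluate rules internally.  Assumed matching semantics:
a pattern without a backslash (cmd.exe, rundll32.exe) is matched against the
file name only, a pattern with a backslash (**\\PSEXESVC.EXE) against the
full path, and all matching is case-insensitive."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import ntpath


def matches(pattern: str, path: str) -> bool:
    """Case-insensitive wildcard match with the assumed rule semantics."""
    pattern, path = pattern.lower(), path.lower()
    subject = path if "\\" in pattern else ntpath.basename(path)
    return fnmatchcase(subject, pattern)


@dataclass
class APRule:
    name: str
    process_include: str       # "Process to include", e.g. rundll32.exe or *
    target: str                # "File/Folder to block"
    action: str                # "execute" or "create"
    process_exclude: list = field(default_factory=list)

    def blocks(self, event: dict) -> bool:
        """True if this rule would block the event."""
        if event["action"] != self.action:
            return False
        proc = event["process"]
        if not matches(self.process_include, proc):
            return False
        if any(matches(p, proc) for p in self.process_exclude):
            return False
        return matches(self.target, event["target"])


# The two rules as written in the article, in the order given there.
RULES = [
    APRule("rundll32.exe executing cmd.exe", "rundll32.exe", "cmd.exe", "execute"),
    APRule("creation of PSEXESVC.EXE", "*", "**\\PSEXESVC.EXE", "create"),
]

# Constructed events, not real telemetry.  "process" is the acting process,
# "target" the file it executes or creates.
EVENTS = [
    # 1: the malware's core behaviour
    {"id": 1, "action": "execute", "process": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\System32\cmd.exe"},
    # 2: an interactive user opening a command prompt is not affected
    {"id": 2, "action": "execute", "process": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\System32\cmd.exe"},
    # 3: PsExec (renamed or not) writing its service binary onto the target,
    #    which arrives through the ADMIN$ share and is written by System
    {"id": 3, "action": "create", "process": "System",
     "target": r"C:\Windows\PSEXESVC.exe"},
    # 4: an administrator saving a renamed copy of PsExec is allowed
    {"id": 4, "action": "create", "process": r"C:\Windows\explorer.exe",
     "target": r"C:\Tools\psexec64.exe"},
    # 5: a legitimate custom script via the 32-bit rundll32 is blocked too
    {"id": 5, "action": "execute", "process": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\Windows\System32\cmd.exe"},
    # 6: the rule covers cmd.exe only; another child of rundll32.exe passes
    {"id": 6, "action": "execute", "process": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def evaluate(events=EVENTS, rules=RULES):
    """Return (event id, rule name) for every event some rule would block."""
    return [(ev["id"], rule.name)
            for ev in events for rule in rules if rule.blocks(ev)]


if __name__ == "__main__":
    for event_id, rule_name in evaluate():
        print(f"event {event_id}: blocked by rule '{rule_name}'")
```

Running the block reports events 1, 3 and 5 as blocked and leaves 2, 4 and 6 untouched. Event 5 is the false positive the VSE note warns about, and event 6 shows that the first rule is deliberately narrow: it stops the cmd.exe behaviour observed in this variant, not every child of rundll32.exe. Event 4 against event 3 is the PsExec point: the utility can still be copied around under any name, but the PSEXESVC.EXE it must create on its target is stopped.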

 

Attachment

EXTRADAT.zip (3 KB)

