Protecting against modified Petya and BadRabbit ransomware variants
Technical Articles ID:   KB89540
Last Modified:  10/26/2017

Environment

McAfee products that use DATs

NOTE: This article applies only to McAfee business and enterprise products. If you need information or support for McAfee consumer or small business products, visit https://service.mcafee.com.
Consumer article for Petya and BadRabbit: TS102703.

Summary

McAfee is aware of modified Petya ransomware variants (also called PetrWrap, PetWrap, Petya.A, Petja, BadRabbit, and Bad Rabbit) that are being detected in corporate environments.

  • These threats are all detected by up-to-date McAfee software.
     
  • On June 27, 2017 McAfee initially released an Extra.DAT (attached to this article) to include coverage for Petya.
     
  • McAfee also released an emergency DAT to include coverage for Petya on June 28, 2017. Subsequent DATs will also include coverage.
    Minimum DATs for coverage:
     
    • VSE (8574) or higher
    • ENS (3025) or higher  
       
  • The Extra.DAT attached to this article is included in the DATs shown above, and any subsequent DATs.
     
  • McAfee also has detection for these threats in Global Threat Intelligence (GTI) File Reputation (with a Low setting).


Analysis
Read McAfee's observations and analysis on these threats here:


This article will be updated as additional information is available. Please continue to monitor this document for updates.

Recent updates to this article

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged in to subscribe.

Date: Update
October 26, 2017: Updated to include BadRabbit symptoms.
July 20, 2017: Added synonyms that customers also searched for.
July 19, 2017: Corrected the information regarding PSExec.
July 3, 2017: Updated the recommended Access Protection rules for VirusScan Enterprise and Endpoint Security to more effectively target this specific variant of Petya.
June 28, 2017 17:30 GMT: Added information about ENS DAT (3025).
June 28, 2017 12:45 GMT: Added information about emergency DAT 8574.
June 28, 2017 12:10 GMT: Added link to McAfee's observations and analysis.
June 28, 2017 01:55 GMT: Added information about Network Security (NSP) User Defined Signature (UDS) with updated coverage.
June 28, 2017 00:40 GMT: Updated Existing signatures to add 0x43c0bd00- NETBIOS-SS: MS17-010 SMB Remote Code Execution (Eternal Tools and WannaCry Ransomware).
June 27, 2017 22:40 GMT:
  • Added Access Protection rules for VSE and ENS.
  • Added more resources in Related Information section.
June 27, 2017 21:30 GMT:
  • There were reports that some could not see the updated Extra.DAT, so we re-attached it with a new name. Correct filename should be EXTRADAT.zip.
  • Added McAfee NSP coverage for Petya.
June 27, 2017 20:23 GMT: Updated with new Extra.DAT file.


  • Petya exhibits the following symptoms:
     
    • The propagation method appears to be via the Remote Desktop Protocol (RDP) and/or Server Message Block (SMB) protocols.
       
    • The ransomware might display the following message on an infected PC:

      Repairing file system on C:

      The type of the file system is NTFS.
      One of your disks contains errors and needs to be repaired. This process may take several hours to complete. It is strongly recommended to let it complete.

      WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!

      CHKDSK is repairing sector xxxxx of xxxxxxxx (x%)

    • After encryption, impacted systems might prompt the user to reboot. After reboot, a ransom screen similar to the following is displayed (screenshot not reproduced here):

    • Extensions currently known to be affected are:  
       
      .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip


  • BadRabbit exhibits the following symptoms:
     
    • The ransomware might display the following message on an infected PC:

      Disable your anti-virus and anti-malware programs
      Oops! Your files have been encrypted.

      If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don't waste your time. No one will be able to recover them without our decryption service.

      We need to guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password.


       
    • Data on affected systems is encrypted.

       
    • The user is instructed to visit a domain (caforssztxqzf2nm.onion) on the TOR network. The payment page looks like this (screenshot not reproduced here):

    • File extensions that are known to be affected are:  
       
      .3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf
      .cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp
      .hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm
      .odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1
      .pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs
      .vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

       

Solution

As a priority prevention action, update any systems with MS17-010 if they do not already contain the patch.

McAfee NSP coverage for Petya Ransomware
Existing signatures:
  • 0x43c0bd00- NETBIOS-SS: MS17-010 SMB Remote Code Execution (External Tools and WannaCry Ransomware)
  • 0x43c0b800- NETBIOS-SS: Windows SMBv1 identical MID and FID type confusion vulnerability (CVE-2017-0143)   
  • 0x43c0b400- NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)   
  • 0x43c0b500- NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145) 
  • 0x43c0b300- NETBIOS-SS: Microsoft Windows SMB Out of bound Write Vulnerability (CVE-2017-0146)
  • 0x43c0b900- NETBIOS-SS: Windows SMBv1 information disclosure vulnerability (CVE-2017-0147)  
  • 0x451e3300- HTTP: Microsoft Office OLE Arbitrary Code Execution Vulnerability (CVE-2017-0199)
The NSP Research team has created a User Defined Signature (UDS) with updated coverage. The UDS is available to download from KB55447.

The referenced article is available only to registered ServicePortal users.

To view registered articles:
  1. Log on to the ServicePortal at http://support.mcafee.com.
  2. Type the article ID in the search field on the Home page.
  3. Click Search or press ENTER. 


Access Protection rules for VirusScan Enterprise (VSE) and Endpoint Security (ENS)
The following Access Protection rules for VSE and ENS can help combat the malware.  McAfee has updated the recommended AP rules to more effectively target this specific variant of Petya.

NOTE: These Access Protection rules do not circumvent the need to implement the Extra.DAT. They are intended to assist in combating the malware, but will not prevent the malware payload from being created or executed on a system.  These two Access Protection rules will prevent rundll32.exe from starting any instances of cmd.exe, and will also prevent creation of Microsoft Technet’s PSExec utility.  These will not prevent downloading and/or saving of the original file name for PSExec, so an administrator can still make use of this utility as needed.
  
VSE Access Protection Rules
Process to include: rundll32.exe
Process to exclude:
File/Folder to block: cmd.exe
Actions: Block execution

NOTE: This will prevent the process named rundll32.exe from executing any instances of cmd.exe, which was found to be a core behavior of the malware. This also blocks any legitimate software that performs the same behavior, custom scripting being one example.
 
Process to include: *
Process to exclude:
File/Folder to block: **\PSEXESVC.EXE
Actions:  Block creation

NOTE:  This will prevent any process from creating PSExec's remote service. Preventing this file creation can assist with preventing the replication of PSExec, a component used in replication of the malware payload. This will not prevent an administrator from saving any new copies of PSExec to systems where this rule is applied, but it will prevent PSEXESVC.EXE from being created on the target system, thus preventing the use of PSExec - whether it is used maliciously or for normal remote administrative purposes.
 
 
ENS Access Protection Rules
Rule 1 (block rundll32.exe from executing cmd.exe):
  1. Create a new rule with an inclusion status of "Include" using rundll32.exe for the File name or Path.
  2. Create a sub-rule with a type of "files," and for a target include cmd.exe.
  3. Select the action to prevent execution.
 
Rule 2 (block creation of PSEXESVC.EXE):
  1. Create a new rule with an inclusion status of "Include" using * for the File name or Path.
  2. Create a sub-rule with a type of "files," and for a target include **\PSEXESVC.EXE.
  3. Select the action to prevent creation.
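The two Access Protection rules above (the VSE and ENS forms are the same conditions) can also be replayed as detection logic over endpoint telemetry, which is useful for confirming the rules' scope before deploying them. The following is an added example, not McAfee's code or part of this article: it evaluates constructed process-creation and file-creation records with simplified, assumed field names (`parent`, `image`, `target`) rather than a real log schema, and shows the caveat the article states, that a saved copy of PSExec itself is not matched, only the PSEXESVC.EXE service file.

```python
"""Replay the two recommended Access Protection rules as detection checks.
Rule 1: rundll32.exe must not launch cmd.exe (Windows Security event 4688).
Rule 2: no process may create PSEXESVC.EXE in any folder (Sysmon event 11).
Field names are simplified assumptions for this example, not a log schema."""
import ntpath

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 4688, "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 4688, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 11, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\PSEXESVC.EXE"},
    {"id": 11, "image": r"C:\Tools\PsExec.exe",
     "target": r"\\srv01\ADMIN$\PSEXESVC.exe"},
    # Saving PsExec itself is allowed by the rule; only the service file is blocked.
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Tools\PsExec.exe"},
]


def basename(path):
    """Case-insensitive file name; ntpath handles both \\ and / separators."""
    return ntpath.basename(path).lower()


def matches_rule1(ev):
    """Process to include rundll32.exe, file to block cmd.exe, block execution."""
    return (ev["id"] == 4688
            and basename(ev["parent"]) == "rundll32.exe"
            and basename(ev["image"]) == "cmd.exe")


def matches_rule2(ev):
    """Any process (*), block creation of **\\PSEXESVC.EXE in any directory."""
    return ev["id"] == 11 and basename(ev["target"]) == "psexesvc.exe"


def evaluate(events):
    """Return (rule name, offending path) for every record a rule would block."""
    hits = []
    for ev in events:
        if matches_rule1(ev):
            hits.append(("rundll32_spawns_cmd", ev["image"]))
        if matches_rule2(ev):
            hits.append(("psexesvc_created", ev["target"]))
    return hits


if __name__ == "__main__":
    for rule, path in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```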

 

Attachment

EXTRADAT.zip