Protecting against modified Petya and BadRabbit ransomware variants

Technical Articles ID: KB89540
Last Modified: 10/5/2020

Environment

McAfee products that use DATs

NOTE: This article applies only to McAfee business and enterprise products. If you need information or support for McAfee consumer or small business products, visit https://service.mcafee.com.
Consumer article for Petya and BadRabbit: TS102703.

Summary

McAfee is aware of modified Petya ransomware variants (also called PetrWrap, PetWrap, Petya.A, Petja, BadRabbit, and Bad Rabbit) that are being detected in corporate environments.

Up-to-date McAfee software detects all these threats.
On June 27, 2017 McAfee initially released an Extra.DAT (attached to this article) to include coverage for Petya.
McAfee also released an emergency DAT to include coverage for Petya on June 28, 2017. Subsequent DATs also include coverage.
Minimum DATs for coverage:
- Endpoint Security (3025) or higher
- VirusScan Enterprise (8574) or higher
The Extra.DAT attached to this article is included in the DATs shown above, and any subsequent DATs.
McAfee also has detection for these threats in Global Threat Intelligence (GTI) File Reputation (with a Low setting).

This article is updated as additional information is available. Continue to monitor this article for updates.

Recent updates to this article

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Date	Update
October 5, 2020	Added Endpoint Security 10.6.x/10.7.x categories.
September 19, 2019	Updated link to "Protecting Against Ransomware" in the Related Information section.
October 26, 2017	Updated to include BadRabbit symptoms.
July 20, 2017	Added synonyms that customers also searched for.
July 19, 2017	Corrected the information regarding PSExec.

Petya exhibits the following symptoms:

The propagation method appears to be via the Remote Desktop Protocol (RDP) and Server Message Block (SMB) protocols.
The ransomware might display the following message on an infected system:

Repairing file system on C:

The type of the file system is NTFS.
One of your disks contains errors and needs to be repaired. This process may take several hours to complete. It is strongly recommended to let it complete.

WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!

CHKDSK is repairing sector xxxxx of xxxxxxxx (x%)
After encryption, impacted systems might prompt the user to reboot. After reboot, a ransom screen similar to the following displays:

Extensions currently known to be affected are:

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

BadRabbit exhibits the following symptoms:

The ransomware might display the following message on an infected system:

Disable your anti-virus and anti-malware programs
Oops! Your files have been encrypted.

If you see this text, your files are no longer accessible. You might have been looking for a way to recover your files. Don't waste your time. No one will be able to recover them without our
decryption service.

We need to guarantee that you can recover all your files safely. All you need to do is submit the payment and get the decryption password.
Data on affected systems is encrypted.
The user is instructed to visit a domain (caforssztxqzf2nm.onion) on the TOR network. The payment page looks like this:

File extensions that are known to be affected are:

.3ds .7z .accdb .ai .asm .asp .aspx .avhd .back .bak .bmp .brw .c .cab .cc .cer .cfg .conf
.cpp .crt .cs .ctl .cxx .dbf .der .dib .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .hpp
.hxx .iso .java .jfif .jpe .jpeg .jpg .js .kdbx .key .mail .mdb .msg .nrg .odc .odf .odg .odi .odm
.odp .ods .odt .ora .ost .ova .ovf .p12 .p7b .p7c .pdf .pem .pfx .php .pmf .png .ppt .pptx .ps1
.pst .pvi .py .pyc .pyw .qcow .qcow2 .rar .rb .rtf .scm .sln .sql .tar .tib .tif .tiff .vb .vbox .vbs
.vcb .vdi .vfd .vhd .vhdx .vmc .vmdk .vmsd .vmtm .vmx .vsdx .vsv .work .xls .xlsx .xml .xvd .zip

Solution

As a priority prevention action, update any systems with MS17-010, if they do not already contain the update.

Network Security Platform (NSP) coverage for Petya Ransomware
Existing signatures:

0x43c0bd00- NETBIOS-SS: MS17-010 SMB Remote Code Execution (External Tools and WannaCry Ransomware)
0x43c0b800- NETBIOS-SS: Windows SMBv1 identical MID and FID type confusion vulnerability (CVE-2017-0143)
0x43c0b400- NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)
0x43c0b500- NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
0x43c0b300- NETBIOS-SS: Microsoft Windows SMB Out of bound Write Vulnerability (CVE-2017-0146)
0x43c0b900- NETBIOS-SS: Windows SMBv1 information disclosure vulnerability (CVE-2017-0147)
0x451e3300- HTTP: Microsoft Office OLE Arbitrary Code Execution Vulnerability (CVE-2017-0199)

The NSP Research team has created a User Defined Signature (UDS) with updated coverage. The UDS is available to download from KB55447.

The referenced article is available only to registered ServicePortal users.

To view registered articles:

Log on to the ServicePortal at http://support.mcafee.com.
Type the article ID in the search field on the home page.
Click Search or press Enter.

Access Protection rules for Endpoint Security (ENS) and VirusScan Enterprise (VSE)
The following Access Protection rules for ENS and VSE can help combat the malware. McAfee has updated the recommended Access Protection rules to more effectively target this specific variant of Petya.

NOTE: These Access Protection rules do not circumvent the need to implement the Extra.DAT. The rules are intended to help in combating the malware. But, the rules do not prevent the malware payload from being created or executed on a system. These two Access Protection rules prevent rundll32.exe from starting any instances of cmd.exe, and also prevent creation of the Microsoft TechNet PSExec utility. These rules do not prevent downloading or saving of the original file name for PSExec. So, an administrator can still use this utility as needed.

ENS Access Protection Rules
Create a rule with an inclusion status of "Include" using rundll32.exe for the File name or Path.
Create a subrule with a type of "files," and for a target include cmd.exe.
Select the action to prevent execution.

Create a rule with an inclusion status of "Include" using * for the File name or Path.
Create a subrule with a type of "files," and for a target include **\PSEXESVC.EXE.
Select the action to prevent creation.

VSE Access Protection Rules
Process to include: rundll32.exe
Process to exclude:
File/Folder to block: cmd.exe
Actions: Block execution

NOTE: This rule prevents the process rundll32.exe from executing any instances of cmd.exe, found to be a core behavior of the malware. This rule includes any legitimate software that might perform the same behavior, with custom scripting as an example.

Process to include: *
Process to exclude:
File/Folder to block: **\PSEXESVC.EXE
Actions: Block creation

NOTE: This rule prevents any process from creating the PSExec remote service. Preventing this file creation can help with preventing the replication of PSExec, a component used in replication of the malware payload. This rule does not prevent an administrator from saving any new copies of PSExec to systems where this rule is applied. But, the rule prevents PSEXESVC.EXE from being created on the target system, thus preventing the use of PSExec - whether it is used maliciously or for normal remote administrative purposes.

Related Information

More Resources:
Microsoft Security Bulletin MS17-010 – Critical: https://technet.microsoft.com/library/security/MS17-010

KB70130 - How to enable Global Threat Intelligence Technology in products
KB91934 - Protecting against Ransomware
KB50642 - How to apply an Extra.DAT locally for VirusScan Enterprise 8.x
KB67602 - How to manually check in and deploy an Extra.DAT in ePolicy Orchestrator
KB59410 - How to determine which computers have an Extra.DAT installed using ePolicy Orchestrator reporting

Attachment

EXTRADAT.zip
3K • < 1 minute @ broadband

Affected Products

Configuration
Endpoint Security Firewall 10.7.x
Endpoint Security Firewall 10.6.x
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
Endpoint Security Web Control 10.7.x
Endpoint Security Web Control 10.6.x
Network Security Manager 9.2.x
Network Security Manager 9.1.x
Network Security Manager 10.x
Network Security Sensor Appliance 9.2.x
Network Security Sensor Appliance 9.1.x
Network Security Sensor Appliance 10.x
Threat Prevention and Removal
VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Protecting against modified Petya and BadRabbit ransomware variants

Environment

Summary

Solution

Related Information

Attachment

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Protecting against modified Petya and BadRabbit ransomware variants

Environment

Summary

Solution

Related Information

Attachment

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title