IMPORTANT: Coverage previously provided by Extra.DAT is now included in DAT versions:
- 4487 V3 DATs (ENS)
- 10035 V2 DATs (VSE)
The above DATs were released on July 4, 2021.
Detection details:
- Dropper-FYD!561CFFBABA71
- Ransom-revil.c
Endpoint Security and VirusScan Enterprise:
Coverage for known malware variants is provided by the DAT content listed above or newer. McAfee recommends scanning with current production DATs.
McAfee has generated product intelligence reports based on IOCs related to the campaign, which are attached to this article. These reports contain additional ENS countermeasures that have been demonstrated to trigger against the known attack behavior.
NOTE: Before you implement the recommendations, you must test the rules thoroughly. Thorough testing ensures rule integrity. It also ensures that no legitimate application, in-house developed or otherwise, is deemed malicious and prevented from functioning in your production environment. The rules suggested can be set in report-only mode for testing purposes to check whether they cause any conflict in your environment. After you determine that the rules do not block any activity from legitimate applications, or have created the necessary exclusions, you can set the rules to block and apply these settings to all relevant systems.
MVISION EDR:
A real-time search for the selected IOCs can be run with the query described below:
HostInfo and Files name, full_name, create_user_name, sha1, md5, sha256 where Files sha256 equals "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e" or Files sha256 equals "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd"
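The MVISION EDR query above returns the HostInfo and Files fields for any host holding a file whose SHA-256 matches one of the two listed hashes. For endpoints that do not run EDR, the same check can be performed locally. The following Python script is an added example, not part of this article or of any McAfee product; it hashes every file under a directory and reports the same fields the query selects (name, full_name, md5, sha1, sha256) for any file whose SHA-256 is in the article's IOC list. The `demo()` helper, its temporary directory and its sample files are constructed for illustration only and contain no malicious content.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IOCs taken from the article's MVISION EDR real-time search.
IOC_SHA256 = {
    "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e",
    "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd",
}


def file_hashes(path, chunk_size=1 << 20):
    """Return (md5, sha1, sha256) hex digests of a file, read in chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def sweep(root, ioc_sha256=IOC_SHA256):
    """Walk `root` and return one record per file whose SHA-256 is in `ioc_sha256`.

    Each record carries the same fields the EDR query selects from Files.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                md5, sha1, sha256 = file_hashes(full)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if sha256 in ioc_sha256:
                hits.append({
                    "name": name,
                    "full_name": full,
                    "md5": md5,
                    "sha1": sha1,
                    "sha256": sha256,
                })
    return hits


def demo():
    """Constructed demonstration: sweep a temporary directory twice.

    Returns (hits against the article's IOCs, hits against a constructed IOC
    set that contains the hash of one of the sample files). The sample files
    are plain text written here for illustration; they are not malware.
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "readme.txt"
        benign.write_bytes(b"constructed benign file\n")
        sample = Path(tmp) / "agent.exe"
        sample.write_bytes(b"constructed sample content, not malware\n")
        sample_sha256 = file_hashes(sample)[2]
        article_hits = sweep(tmp)                   # expect no matches
        constructed_hits = sweep(tmp, {sample_sha256})  # expect exactly one match
        return article_hits, constructed_hits


if __name__ == "__main__":
    for hit in sweep("."):
        print(hit)
```

Run the script in the directory tree you want to check; it prints one record per matching file. Hash-based matching only catches the exact samples listed, so it complements, rather than replaces, the DAT and ENS coverage described above.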