McAfee Threat Update – Petya Ransomware Variants

A new variant of the Petya ransomware (also called Petrwrap) began spreading internationally on Tuesday, June 27. The initial attack vector is unclear, but aggressive worm-like behavior helps the ransomware spread.

How does the Petya variant work?

The ransomware exploits the vulnerability CVE-2017-0144 in Microsoft’s implementation of the Server Message Block protocol. It encrypts a system’s master boot record and its files, a double stroke that renders the disk inaccessible and prevents most users from recovering anything on it. The new variant has further increased its nastiness by adding a spreading mechanism similar to what we saw in WannaCry just a few weeks ago. A set of critical patches was released by Microsoft on March 14 to remove the underlying vulnerability in supported versions of Windows, but many organizations may not yet have applied these patches.

What was McAfee’s response?

On June 27, McAfee received multiple reports of the attack and began analyzing samples of the malware, confirming that McAfee Global Threat Intelligence (GTI) was protecting against current known samples at the low setting. The company released a Knowledge Base article, KB89540, with initial information about the attack as well as suggested steps for preventing its impact. McAfee released an Extra.DAT to include coverage for Petya. McAfee also released an emergency DAT to include coverage for this threat. Subsequent DATs will include coverage. The latest DAT files are available via KB89540. Our analysis and customer support continued as we began publishing our findings on McAfee’s Securing Tomorrow blog:

How do McAfee products neutralize the threat?

McAfee offers early protection for components of the initial Petya attack in the form of advanced malware behavior analysis with Real Protect Cloud and the new Dynamic Neural Network (DNN) analysis techniques available in McAfee Advanced Threat Defense (ATD). McAfee ATD 4.0 introduced a new detection capability that uses a multi-layered, back-propagation neural network (DNN) leveraging semi-supervised learning.

Whether in stand-alone mode or connected to the McAfee Endpoint or network sensors, McAfee ATD combines threat intelligence with sandbox behavior analysis and advanced machine learning to provide adaptable, zero-day protection. Real Protect, part of the Dynamic Endpoint solution, also uses machine learning and link analysis to protect against malware without signatures and to feed rich intelligence back into the Dynamic Endpoint and the rest of the McAfee ecosystem.

In summary, an integrated McAfee cyber security system protects against known Petya variants as follows:

  • McAfee Endpoint Security (ENS) with Global Threat Intelligence (GTI) and an On Access Scan policy with the sensitivity level set to “LOW” protects against known samples and variants. Learn more about recommended McAfee GTI file reputation settings in KB74983, with more information in KB53735.
  • McAfee Threat Intelligence Exchange (TIE) with GTI protects against known samples and variants.

As our analysis continues, we will provide updates on how to leverage McAfee solutions to protect, detect, and correct against advanced cyber threats.

What should I do next?