This post has been updated with information about McAfee Enterprise Security Manager and McAfee Web Gateway (June 28, 14:20 Pacific time).
A new variant of the ransomware Petya (also called Petrwrap) began spreading around the world on June 27. Petya is ransomware that exploits the vulnerability CVE-2017-0144 in Microsoft’s implementation of the Server Message Block protocol. This ransomware encrypts the master boot records of infected Windows computers, making the machines unusable.
The initial attack vector is unclear, but aggressive worm-like behavior helps spread the ransomware. (Read McAfee’s detailed technical analysis of the Petya ransomware.)
Microsoft released a set of critical patches on March 14 to remove the underlying vulnerability in supported versions of Windows, but many organizations may not yet have applied these patches.
How McAfee products can protect against Petya ransomware
As with WannaCry and other similar attacks, a layered, integrated cyber defense system that combines advanced analytics, threat intelligence, signatures, and human expertise is the best way to protect your business against emerging threats. McAfee’s collaborative cyber defense system leads the way for enterprises to protect against emerging threats such as Petya ransomware, remediate complex security issues, and enable business resilience. By empowering integrated security platforms with advanced malware analytics and threat intelligence, our system provides adaptable and continuous protection as a part of the threat defense life cycle.
Attacks like Petya and its future variants cannot win against a collaborative cybersecurity ecosystem that works as a team and empowers protective tools to make better decisions at the point of attack.
McAfee offers early protection for components of the initial Petya attack in the form of advanced malware behavior analysis with Real Protect Cloud and the brand-new Dynamic Neural Network (DNN) analysis techniques available in McAfee Advanced Threat Defense (ATD). ATD 4.0 introduced a new detection capability using a multilayered, back-propagation neural network (DNN) leveraging semisupervised learning. DNN looks at certain features exercised by a malware to come up with a positive or negative verdict to determine whether the code is malicious.
Whether in standalone mode or connected to McAfee endpoint or network sensors, ATD combines threat intelligence with sandbox behavior analysis and advanced machine learning to provide zero-day, adaptable protection. Real Protect, part of the Dynamic Endpoint solution, also uses machine learning and link analysis to protect against malware without signatures and provide rich intelligence to the Dynamic Endpoint and the rest of the McAfee ecosystem. Real Protect combined with Dynamic Application Containment provided early protection against Petya.
Multiple McAfee products provide additional protection to either contain the attack or prevent further execution. This post provides an overview of those protections with the following products:
McAfee Endpoint Security
Thus systems using McAfee ENS 10 are protected from known samples and variants with both signatures and Threat Intelligence.
Adaptive Threat Protection
- Adaptive Threat Protection (ATP), with rule assignment configured in *Balanced mode” (Default in ATP\Options\Rule Assignment setting), will protect against both known and unknown variants of the Petya ransomware.
- The ATP module protects against this unknown threat with several layers of advanced protection and containment:
- ATP Real Protect Static uses client-side pre-execution behavioral analysis to monitor unknown malicious threats before they launch.
- ATP Real Protect Cloud uses cloud-assisted machine learning to identify and clean the threat, as shown below:
- ATP Dynamic Application Containment (DAC) successfully contains the threat and prevents any potential damage from occurring (DAC events noted below):
Advanced Threat Defense
- McAfee Advanced Threat Defense (ATD) 4.0 with Deep Neural Network and Dynamic Sandbox identified the threat and proactively updated the cyber defense ecosystem:
McAfee Enterprise Security Manager
McAfee Enterprise Security Manager (ESM) is a security information and event management solution that delivers actionable intelligence and integrations to prioritize, investigate, and respond to threats. The Suspicious Activity Content Pack and Exploit Content Pack for McAfee ESM have been updated with WannaCry-specific rules, alarms, and watchlists so you can find and identify possible infections. These updates will also help protect against Petya. Both packs are available for download in the McAfee ESM console at no cost. Default correlation rules in McAfee ESM can also alert users of increased levels of horizontal SMB scans.
Similar to WannaCry, the Petya attack presents a learning opportunity for security operations center analysts. Understanding and automating these best practices will help you handle the next fast-moving attack.
McAfee Web Gateway
McAfee Web Gateway (MWG) is a product family (appliance, cloud, and hybrid) of web proxies that provides another potential layer of protection against Petya variants delivered through the web (HTTP/HTTPS) using multiple real-time scanning engines. Known variants will be blocked by GTI reputation and antimalware scanning as web traffic is processed through the proxy.
Coupling MWG with ATD allows for further inspection and an effective prevention and detection approach.
McAfee products using DAT files
McAfee released an Extra.DAT to include coverage for Petya. McAfee also released an emergency DAT to include coverage for this threat. Subsequent DATs will include coverage. The latest DAT files are available via Knowledge Center article KB89540.
As our analysis continues, we will provide updates on how to leverage McAfee solutions to protect, detect, and correct against advanced cyber threats.