McAfee Threat Update – Petya Ransomware Variants

A new variant of the Petya ransomware (also called Petrwrap) began spreading internationally on Tuesday, June 27. The initial attack vector is unclear, but aggressive worm-like behavior helps spread the ransomware.

How does the Petya variant work?
The ransomware exploits the vulnerability CVE-2017-0144 in Microsoft's implementation of the Server Message Block protocol. It encrypts a system’s master boot record and files—a double stroke that renders the disk inaccessible and prevents most users from recovering anything on it.

The new variant has further increased its nastiness by adding a spreading mechanism similar to what we saw in WannaCry just a few weeks ago. A set of critical patches was released by Microsoft on March 14 to remove the underlying vulnerability in supported versions of Windows, but many organizations may not yet have applied these patches.

What was McAfee’s response?
On June 27, McAfee received multiple reports of the attack and began analyzing samples of the malware, confirming that McAfee Global Threat Intelligence (GTI) was protecting against current known samples at the low setting. The company released Knowledge Base article KB89540 with initial information about the attack as well as suggested steps for preventing its impact.

McAfee released an Extra.DAT to include coverage for Petya. McAfee also released an emergency DAT to include coverage for this threat. Subsequent DATs will include coverage. The latest DAT files are available via KB89540.

Our analysis and customer support continued as we began publishing our findings on McAfee’s Securing Tomorrow blog:

How do McAfee products neutralize the threat?
McAfee offers early protection for components of the initial Petya attack in the form of advanced malware behavior analysis with Real Protect Cloud and the new Dynamic Neural Network (DNN) analysis techniques available in McAfee Advanced Threat Defense (ATD). McAfee ATD 4.0 introduced a new detection capability utilizing a multi-layered, back propagation neural network (DNN) leveraging semi-supervised learning.

Whether in standalone mode or connected to the McAfee endpoint or network sensors, McAfee ATD combines threat intelligence with sandbox behavior analysis and advanced machine learning to provide adaptable, zero-day protection. Real Protect, part of the Dynamic Endpoint solution, also uses machine learning and link analysis to protect against malware without signatures and provide rich intelligence back into the Dynamic Endpoint and rest of the McAfee ecosystem.

As our analysis continues, we will provide updates on how to leverage McAfee solutions to protect, detect, and correct against advanced cyberthreats. Review KB89540 for updates.

What should I do next?