Tuesday’s massive ransomware outbreak was, in fact, something much worse

Code in Tuesday's attack, shown on the left, was altered to permanently destroy hard drives. (credit: Matt Suiche)

Tuesday's massive outbreak of malware that shut down computers around the world has been almost universally blamed on ransomware, which by definition seeks to make money by unlocking data held hostage only if victims pay a hefty fee. Now, some researchers are drawing an even bleaker assessment—that the malware was a wiper with the objective of permanently destroying hard drives.

Initially, researchers said the malware was a new version of the Petya ransomware that first struck in early 2016. Later, researchers said it was a new, never-before-seen ransomware package that mimicked some of Petya's behaviors. With more time to analyze the malware, researchers on Wednesday are highlighting some curious behavior for a piece of malware that was nearly perfect in almost all other respects: its code is so aggressive that it's impossible for victims to recover their data.

In other words, the researchers said, the payload delivered in Tuesday's outbreak wasn't ransomware at all. Instead, its true objective was to permanently destroy as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia. Some researchers have said Shamoon is likely the work of developers sponsored by an as-yet unidentified country. Researchers analyzing Tuesday's malware—alternatively dubbed PetyaWrap, NotPetya, and ExPetr—are speculating the ransom note left behind in Tuesday's attack was, in fact, a hoax intended to capitalize on media interest sparked by last month's massive WCry outbreak.


NotPetya Ransomware Wreaking Havoc

The latest splash has been made by the Petya or NotPetya ransomware that exploded in Ukraine and is infecting companies all over the world. It’s getting some people in deep trouble as there’s no way to recover the files once encrypted. The malware seems to be trying to hide its intent as it doesn’t really […]

Read the full post at darknet.org.uk

How to Protect Against Petya Ransomware in a McAfee Environment

A new variant of the ransomware Petya (also called Petrwrap) began spreading around the world on June 27. Petya is ransomware that exploits the vulnerability CVE-2017-0144 in Microsoft’s implementation of the Server Message Block protocol. This ransomware encrypts the master boot records of infected Windows computers, making the machines unusable.

The initial attack vector is unclear, but aggressive worm-like behavior helps spread the ransomware. (Read McAfee’s detailed technical analysis of the Petya ransomware.)

Microsoft released a set of critical patches on March 14 to remove the underlying vulnerability in supported versions of Windows, but many organizations may not yet have applied these patches.

 

How McAfee products can protect against Petya ransomware

As with WannaCry and other similar attacks, a layered, integrated cyber defense system that combines advanced analytics, threat intelligence, signatures, and human expertise is the best way to protect your business against emerging threats. McAfee’s collaborative cyber defense system leads the way for enterprises to protect against emerging threats such as Petya ransomware, remediate complex security issues, and enable business resilience. By empowering integrated security platforms with advanced malware analytics and threat intelligence, our system provides adaptable and continuous protection as a part of the threat defense life cycle.

Attacks like Petya and its future variants cannot win against a collaborative cybersecurity ecosystem that works as a team and empowers protective tools to make better decisions at the point of attack.

McAfee offers early protection for components of the initial Petya attack in the form of advanced malware behavior analysis with Real Protect Cloud and the brand-new Dynamic Neural Network (DNN) analysis techniques available in McAfee Advanced Threat Defense (ATD). ATD 4.0 introduced a new detection capability using a multilayered, back-propagation neural network (DNN) leveraging semisupervised learning. DNN looks at certain features exercised by a piece of malware to reach a positive or negative verdict on whether the code is malicious.

Whether in standalone mode or connected to McAfee endpoint or network sensors, ATD combines threat intelligence with sandbox behavior analysis and advanced machine learning to provide zero-day, adaptable protection. Real Protect, part of the Dynamic Endpoint solution, also uses machine learning and link analysis to protect against malware without signatures and provide rich intelligence to the Dynamic Endpoint and the rest of the McAfee ecosystem. Real Protect combined with Dynamic Application Containment provided early protection against Petya.

Multiple McAfee products provide additional protection to either contain the attack or prevent further execution. This post provides an overview of those protections with the following products:

McAfee Endpoint Security

Threat Prevention

Thus systems using McAfee ENS 10 are protected from known samples and variants with both signatures and Threat Intelligence.

Adaptive Threat Protection

  • Adaptive Threat Protection (ATP), with rule assignment configured in “Balanced mode” (the default in the ATP\Options\Rule Assignment setting), will protect against both known and unknown variants of the Petya ransomware.
  • The ATP module protects against this unknown threat with several layers of advanced protection and containment:
    • ATP Real Protect Static uses client-side pre-execution behavioral analysis to monitor unknown malicious threats before they launch.
    • ATP Real Protect Cloud uses cloud-assisted machine learning to identify and clean the threat, as shown below:

    • ATP Dynamic Application Containment (DAC) successfully contains the threat and prevents any potential damage from occurring (DAC events noted below):

Advanced Threat Defense

  • McAfee Advanced Threat Defense (ATD) 4.0 with Deep Neural Network and Dynamic Sandbox identified the threat and proactively updated the cyber defense ecosystem:

McAfee products using DAT files

McAfee released an Extra.DAT to include coverage for Petya. McAfee also released an emergency DAT to include coverage for this threat. Subsequent DATs will include coverage. The latest DAT files are available via Knowledge Center article KB89540.

As our analysis continues, we will provide updates on how to leverage McAfee solutions to protect, detect, and correct against advanced cyber threats.

The post How to Protect Against Petya Ransomware in a McAfee Environment appeared first on McAfee Blogs.