galih27
Level 9
Message 1 of 13

Amcore Update does not detect DearCry Ransomware

Recently there is information that the ProxyLogon MS Exchange vulnerability is used by the DearCry group to run the ransomware.

I got the sample from https://any.run/
I tried to run the ransomware and AMCore 4372 did not detect this ransomware.

 


12 Replies
vivs
McAfee Employee
Message 2 of 13

Re: Amcore Update does not detect DearCry Ransomware

Hello @galih27 

Thanks for your post.

You should be opening a Service Request with Support.

There is an Extra DAT available for lower known IOC.

Please connect with the team and this further.

Was my reply helpful?

If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

AdithyanT
McAfee Employee
Message 3 of 13

Re: Amcore Update does not detect DearCry Ransomware

Hi @galih27,

Thank you for your post. May I request the MD5 of this sample? Let me quickly look this up internally and confirm if we have coverage via regular AMCore or Extra DAT. If not, I would recommend going for an SR with a coverage request, and this will be actioned as quickly as possible from our end.

Additionally, if you have any information, advisory or blog article on which CVEs from the recently released Exchange vulnerabilities are being used, kindly share the same for our investigation.

Thanks and regards,
Adithyan T
galih27
Level 9
Message 4 of 13

Re: Amcore Update does not detect DearCry Ransomware

md5 details

0e55ead3b8fd305d9a54f78c7b56741a
cdda3913408c4c46a6c575421485fa5b
c6eeb14485d93f4e30fb79f3a57518fc

You can use any.run to take virus samples.

AdithyanT
McAfee Employee
Message 5 of 13

Re: Amcore Update does not detect DearCry Ransomware

Hi @galih27,

Thank you for your quick response.

I can confirm that we do detect these samples, however, not via AMCore DAT. We use GTI/Artemis to detect these samples:

  • Ransom-DearCry!0E55EAD3B8FD
  • Ransom-DearCry!C6EEB14485D9
  • Ransom-DearCry!CDDA3913408C

This is to ensure your machines are protected instantly when it is indeed connected to the internet. May I know if you have any support request created with us already on this matter? A DAT based coverage is expected soon, however, a Support Request should help us expedite the same.

From my end, let me raise a request for the coverage and get back to you on the update as well here.

Thanks and regards,
Adithyan T
galih27
Level 9
Message 6 of 13

Re: Amcore Update does not detect DearCry Ransomware

Because our server has no internet connection, we are requesting that detection be added in AMCore. I have submitted Service Request # 4-21766716091.
AdithyanT
McAfee Employee
Message 7 of 13

Re: Amcore Update does not detect DearCry Ransomware

Hi @galih27,

Thank you for your response. That is indeed a valid concern. While almost all such GTI detections eventually make it to our Amcore Update, they do take a few days for them to be tested as signatures before release depending on the threat severity.

For the given list of IOCs in the Service Request, I have verified that all of them are covered via AMCore V3 DAT update except for the below hash:

654afdd7eec3b73a12b75266c47ee25c

I will have the Engineer review this one right away and get back to you with an update on the same.

Thanks and regards,
Adithyan T
galih27
Level 9
Message 8 of 13

Re: Amcore Update does not detect DearCry Ransomware

Thank you, brothers.
You have forwarded my information to the relevant team.

I have concerns because our country is included in the area that is being attacked in MVISION Insight.
galih27
Level 9
Message 9 of 13

Re: Amcore Update does not detect DearCry Ransomware

Bro, please update the following MD5 hashes to the latest AMCore update:

f2e22df5e284587dc36f8041129af391
aef2ae9b36989bab8818696de5ccd5e7
10e8a2b044cc6e2628b48a5d9506d974
AdithyanT
McAfee Employee
Message 10 of 13

Re: Amcore Update does not detect DearCry Ransomware

Hi @galih27,

Thank you for your response!

f2e22df5e284587dc36f8041129af391 and 10e8a2b044cc6e2628b48a5d9506d974 do not have a DAT based detection yet and hence I request you to kindly raise a Service Request with relevant Threat advisory so that this can be addressed ASAP.

aef2ae9b36989bab8818696de5ccd5e7 - detected as PHP/ChinaChopper by latest DAT.

I sincerely hope this helps.

Thanks and regards,
Adithyan T