twenden
Reliable Contributor
Message 1 of 4

How to detect and block RYUK RansomWare


We are running ENS 10.7 but without ATP. My boss wants us to get McAfee to block this Ransomware. 

 

I have created an AP rule that detects and blocks any creation of *.ryk files. However, what registry key file path would I also use?

 

It seems to mention that it adds this key and value, but how do you add this to AP? Can you add this whole string as a reg file path?

"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos"

Can anyone share how they are blocking this Ransomware with ENS 10.7?


Accepted Solutions
mpatel127
McAfee Employee
Message 3 of 4

Re: How to detect and block RYUK RansomWare


Hi @twenden ,

Thank you for contacting McAfee Community support.

As a source of information specifically for RYUK, I would suggest that you refer to the updated Threat Advisory: Ransom-Ryuk >> https://kc.mcafee.com/corporate/index?page=content&id=KB91844&locale=en_US

In general, if you want to set up configuration for ransomware protection, please refer to this KBA:
Protecting against Ransomware >> https://kc.mcafee.com/corporate/index?page=content&id=KB91934

Now coming back to your specific request, where you want to block creation of the svchos value under the registry location "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":

Please follow the steps below and create the rule accordingly:-

1. Log on to the ePO console.
2. Click Menu, Policy Catalog.
3. From the Product list, select Endpoint Security Threat Prevention.
4. From the Category list, select Access Protection.
5. Click EDIT on the policy where you want to add the new user-defined Access Protection rule.
6. Under the Rule tab, click ADD. You will be asked to enter the information below.
       Name:- Block creation of svchos under RUN registry
       Select BLOCK and Report both.
   Under Executable:- Click ADD
       Name:- Block creation for All
       Inclusion Status:- Include
       File name or Path:- *
       Click SAVE and scroll down the page.
   Under SubRules:- Click ADD
       Name:- Block svchos Creation
       Subrule type:- Registry Value
       Operations:- Write, Create
       Under Targets, click ADD
           Inclusion Status:- Include
           Registry Value:- */Software/Microsoft/Windows/CurrentVersion/Run/svchos
           Click SAVE.
       Click SAVE again to save the subrule.
   Click SAVE again to save the rule.
   Click SAVE once again to save the policy settings.

7. Apply the modified policy on a test machine and run the command below to confirm whether your Access Protection rule is applied correctly.

How to test whether the rule is configured as expected:

1. Open PowerShell with Administrator rights.
2. Enter the command:- REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos"
3. Check the output. If you see ERROR: Access is denied, it confirms the rule was applied successfully.

I have also attached my test policy for you to use.

Let us know if you need any clarification on the information provided and we will get back to you.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
MayurKumar P

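An added PowerShell check (not from the post above or from McAfee's attached test policy) that exercises both rules discussed in this thread on the test endpoint: the Run\svchos registry-value write from the manual REG ADD test, and the *.ryk file-creation rule from the original question. It cleans up anything it was allowed to create and reports which operations were denied; `$TestDir` is an assumed scratch path.

```powershell
# Added verification script; assumes an elevated PowerShell session on the ENS test client.
$RunKey   = 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$TestDir  = Join-Path $env:TEMP 'ens-ap-test'        # constructed scratch location
$TestFile = Join-Path $TestDir 'ap-rule-check.ryk'   # constructed file name
$results  = @{}

# Test 1: registry-value subrule. REG ADD without /d creates an empty value; /f only
# suppresses the overwrite prompt so the script never blocks waiting for input.
# A working AP rule answers "ERROR: Access is denied." with a non-zero exit code.
$out = & reg.exe ADD $RunKey /v svchos /f 2>&1
if ($LASTEXITCODE -ne 0 -and (($out | ForEach-Object { "$_" }) -join ' ') -match 'denied') {
    $results['Run\svchos value'] = 'BLOCKED'
} else {
    $results['Run\svchos value'] = 'NOT BLOCKED'
    # The value was actually written, so remove it again to leave the test machine clean.
    & reg.exe DELETE $RunKey /v svchos /f | Out-Null
}

# Test 2: file-extension rule. An empty *.ryk file is enough to trigger a Create
# operation; the rule matches on the name, not the content.
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null
try {
    New-Item -ItemType File -Path $TestFile -ErrorAction Stop | Out-Null
    $results['*.ryk file creation'] = 'NOT BLOCKED'
    Remove-Item -Path $TestFile -Force
} catch {
    # ENS Access Protection surfaces the block as an access-denied error on the path.
    if ($_.Exception.Message -match 'denied') {
        $results['*.ryk file creation'] = 'BLOCKED'
    } else {
        throw   # any other failure is a script problem, not a rule result
    }
}
Remove-Item -Path $TestDir -Recurse -Force -ErrorAction SilentlyContinue

# Summary: NOT BLOCKED means the policy has not reached this client yet, or the rule or
# target is mis-typed; cross-check against the Access Protection events on the endpoint.
$results.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-22} : {1}' -f $_.Name, $_.Value
}
```

Run it once before and once after the policy is enforced so you can see each line flip from NOT BLOCKED to BLOCKED.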

3 Replies

Re: How to detect and block RYUK RansomWare


There are so many variables here.   I would strongly recommend deploying ATP, especially given you own it.   Ensure cloud detection is on and working with it. 

 

Dave


twenden
Reliable Contributor
Message 4 of 4

Re: How to detect and block RYUK RansomWare


Thanks. I will give that a try in our test environment tomorrow. 
