
Sodinokibi / REvil Ransomware


I am in the process of rolling out ATP as part of my ENS10.6.1 implementation. My management team frequently asks me if “we are covered” for a particular threat… Kwampirs and the Sodinokibi / REvil Ransomware variant are examples of this.

Is there a particular site that documents the most current significant threats that exist and whether the fix is available via a particular DAT version or standard / custom rule? I realize that I may be asking an almost impossible question, given the number of threats, etc. Is the best method simply to place a call to Technical Support if information cannot be obtained via a quick search? Information is often scattered, yet the McAfee Threat Dashboard is a good place to start:

https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard.html

For Kwampirs, I reached out to McAfee Technical Support and I was provided a list of (47) file hashes and a note that stated McAfee addressed DAT file protection for these known Hash values.

In regards to Sodinokibi Ransomware, I located the following excellent article, and it appears that McAfee previously completed a thorough analysis on Sodinokibi Ransomware.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransom...

Thank you.

Accepted Solution
Reliable Contributor
Message 2 of 9

Re: Sodinokibi / REvil Ransomware


Hey Glenn,

You might check kc.mcafee.com and look at the McAfee Insights articles.  They have a lot of coverage info, though I'm not sure if they cover these families.

For this, you also might consider a simple Expert Rule that blocks vssadmin with delete in the command line.  This, and similar coverage for WMIC, would at least give you quick insight into if you're under attack, and block the vss deletion.

Dave

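As an added illustration of the rule Dave describes (this is not McAfee Expert Rule syntax and not code from this thread): a small Python check over constructed process-creation events that flags vssadmin invoked with delete, and the WMIC shadowcopy delete equivalent, while leaving benign vssadmin list and wmic queries alone. The event field names and rule labels are assumptions.

```python
import re
from typing import Optional

# Constructed process-creation events (image path + command line), not real
# telemetry. The second and fourth are benign and must not match.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic os get caption"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd.exe /c "vssadmin delete shadows /all /quiet"'},
]

# Rule label (assumed), tool name, and the argument tokens that must all be
# present. Mirrors "vssadmin with delete" and the WMIC equivalent from the post.
RULES = [
    ("block-vssadmin-delete", "vssadmin", {"delete"}),
    ("block-wmic-shadowcopy-delete", "wmic", {"shadowcopy", "delete"}),
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, so a full image path reduces to vssadmin.exe."""
    return re.split(r"[\\/]", path)[-1].lower()


def _tokens(cmdline: str) -> list:
    """Whitespace tokens with surrounding quotes stripped, lower-cased."""
    return [t.strip('"').lower() for t in cmdline.split()]


def match_rule(event: dict) -> Optional[str]:
    """Return the matching rule label, or None if the event is benign."""
    toks = _tokens(event["cmd"])
    exe = _basename(event["image"])
    for label, tool, required in RULES:
        names = {tool, tool + ".exe"}
        # The tool may be the process image itself or appear inside a
        # cmd.exe /c "..." wrapper, so check both the image and the tokens.
        tool_present = exe in names or any(_basename(t) in names for t in toks)
        if tool_present and required <= set(toks):
            return label
    return None


def scan(events: list) -> list:
    """List of (event index, rule label) for every event a rule would block."""
    return [(i, m) for i, e in enumerate(events) if (m := match_rule(e))]
```

Token matching (rather than a substring search for "delete") keeps a path such as a folder named "deleted" from triggering the rule.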
8 Replies

Re: Sodinokibi / REvil Ransomware


Thank you Dave. I will look into this. We have a meeting with McAfee today.

Much appreciated.

Reliable Contributor
Message 4 of 9

Re: Sodinokibi / REvil Ransomware


You talk about 10.6; please migrate to 10.7 ASAP. By the way, you have to migrate to a NEW ENS release EVERY 2 MONTHS if you start complaining 😉 That's fine, because in that way they catch up with evil.

Yes, sometimes this is a little BIT strange. But that's simply because McAfee wants to keep False Positive rates down and low. All producers want that, by the way. And the ONES (the new security providers) like Palo Alto (Traps) once smacked into a wall with so many False Positives because they thought they were better....

The product itself SHOULD catch those things with the logic they have in ENS. But on the other hand, in the last few months some NEW EXPLOIT Rules for RYUK and other Ransomware got a separate NEW IPS Rule that you have to activate specially by hand.

Level 8
Message 5 of 9

Re: Sodinokibi / REvil Ransomware


Hi,

I'm just jumping in on this thread as we have been impacted by the latest AKO ransomware version, which destroys all snapshots, etc., and makes the device good for trash.

The VSS rule is definitely a must-have in my opinion after this experience.

I've understood since then that McAfee requires manual access protection rules to be set in order to protect the computers efficiently. I thought there could be some kind of library available for downloading/importing such rules?

Do you know if such a thing exists?

Besides VSS, are there any other protection rules that you would recommend?

D

Reliable Contributor
Message 6 of 9

Re: Sodinokibi / REvil Ransomware


Do you know if there is a sample of the initial infection vector, maybe on VirusTotal? Was it a maldoc? I'm happy to give you a rule that would protect against it and any similar attacks. I've asked McAfee repeatedly for a private, customer-only location where rules could be shared. If more customers ask, maybe it will get traction.

I'm not going to post any advanced rules publicly because I don't want attackers to have access, but hit me up in PM and I can get it to you through other means.

Dave


Re: Sodinokibi / REvil Ransomware


May I ask. Did you have ENS 10.6 or 10.7 in place or was this even covered under a released DAT?

I realize that DATs cannot provide 100% assurance all of the time and I need to focus my efforts on implementing Access Protection and Exploit Prevention Rules.

Thank you.


Re: Sodinokibi / REvil Ransomware


Thank you for your comments. I don't have McAfee IPS in place, so that is a moot issue. I am sure that we have some other type of IPS in place though. Upgrading every two months is not reasonable...given that I have a lot of managed devices and I need to ensure that the version I upgrade to is stable. Let's face it...there have been some version release issues and testing can take a while.

I may upgrade my DEV environment to 10.7...but I was waiting for the release of SP1.

Thank you.

Reliable Contributor
Message 9 of 9

Re: Sodinokibi / REvil Ransomware


Hello Glenn,

IPS is IN ENS 10.6/10.7 (it's included for free now).

McAfee MADE VSE 8.8 + HIPS into 1 PRODUCT: ENS.

(H)IPS is now in the ENS EXPLOIT Module. You don't have as many IPS filters as in the old HIPS products, but they are growing and you can make custom ones. Those are however Expert rules and not often used, because they are dangerous if you don't 100% fully understand the syntax and what it does.
