SoreBrect ransomware was publicly disclosed on June 15, 2017 by a third-party researcher (http://www.securityweek.com/fileless-code-injecting-ransomware-sorebrect-emerges ).
Highlights of the ransomware's capabilities:
- A fileless ransomware, SOREBRECT, was discovered that can inject malicious code into the target and encrypt the victim's data. It uses the PsExec utility, which lets it execute processes on other systems.
- SOREBRECT is built with a stealthy, self-destructing routine that makes it fileless: before terminating its main binary, it injects its encryption routine into the legitimate svchost.exe process.
- Its evasion techniques make it hard to detect and hard to remove from affected systems: it deletes event logs and other tracking artifacts that hold forensic information, such as which files were executed on the system and their timestamps.
- These stealth features help keep SOREBRECT's activities from being tracked.
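The behaviours listed above (remote launch via PsExec, injection into svchost.exe, encryption writes from the injected host process, event log clearing, self-deletion) are exactly what a detection rule can correlate. The following is an added example, not code from the original post or from McAfee: it runs a simple correlation over constructed process telemetry whose field names and paths are assumptions of this example, not a real Sysmon or ENS schema.

```python
from collections import defaultdict

# Constructed, simplified process telemetry for two hosts. The field names are an
# assumption of this example (not a real Sysmon or ENS schema); paths are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "process_create", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\x.exe"},
    {"host": "ws01", "event": "remote_thread", "image": r"C:\Users\bob\AppData\Local\Temp\x.exe",
     "target": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws01", "event": "file_write", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\bob\Documents\report.docx"},
    {"host": "ws01", "event": "process_create", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl System"},
    {"host": "ws01", "event": "file_delete", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\x.exe"},
    {"host": "ws02", "event": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Office\WINWORD.EXE"},
]

def base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def analyse_host(events):
    """Return the set of SoreBrect-style behaviours seen in one host's events."""
    findings = set()
    launched_by_psexec = set()   # images started under the PsExec service
    for e in events:
        kind = e["event"]
        if kind == "process_create" and base(e["parent"]) == "psexesvc.exe":
            launched_by_psexec.add(e["image"].lower())
            findings.add("psexec_launch")
        elif kind == "remote_thread" and base(e["target"]) == "svchost.exe":
            findings.add("svchost_injection")
        elif kind == "file_write" and base(e["image"]) == "svchost.exe" \
                and "\\users\\" in e["target"].lower():
            findings.add("svchost_writes_user_data")
        elif kind == "process_create" and base(e["image"]) == "wevtutil.exe" \
                and " cl " in " " + e.get("cmdline", "").lower() + " ":
            findings.add("event_log_cleared")
        elif kind == "file_delete" and e["target"].lower() in launched_by_psexec:
            findings.add("self_delete")   # the PsExec-launched binary removed itself
    return findings

def flag_hosts(events, min_findings=2):
    """Group by host; flag hosts showing injection plus at least one other behaviour."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e)
    flagged = {}
    for host, evs in per_host.items():
        f = analyse_host(evs)
        if "svchost_injection" in f and len(f) >= min_findings:
            flagged[host] = sorted(f)
    return flagged
```

Requiring injection plus a second behaviour keeps a lone PsExec-launched admin tool or a routine log rotation from triggering on its own.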
How did McAfee ENS 10.5 fare against this malware?
=======================

In the announcement by the third-party researcher, 6 known malware hashes were made known, and we selected one sample to test against McAfee ENS 10.5.1.
In the test, AV was turned off to ensure that only DAC (Dynamic Application Containment) and RP (Real Protect) were protecting the endpoint. As a result, the malware was successfully blocked by the DAC rules listed below. A video of the testing is shown below.
- McAfee ENS 10.5 (DAC / RP) successfully detected and prevented the ransomware from infecting the machine. Below are the DAC rules that blocked the ransomware:
| DAC rule | Included in McAfee ENS 10.5 best practices for DAC (referring to McAfee Default Security) |
|---|---|
| Executing any child process | YES |
| Modifying the Services registry location | YES |
| Modifying users' data folders | NO |
| Modifying the hidden attribute bit | YES |
| Modifying user policies | YES |
| Writing to files commonly targeted by ransomware-class malware | YES |
- McAfee ENS 10.5 has provided protection against this ransomware since Dec 2016, whereas the ransomware was made known to the public on 15 June 2017. Taking those two dates, the McAfee endpoint solution provided pre-emptive protection for 6 months before this ransomware was publicly known.