Endpoint Protection

Hi Team,

Is there any information on Petrwrap/Petya ransomeware variant. from Symantec.

With what specifically? Symantec has had signatures for this variant for quite some time now.

https://www.symantec.com/security_response/writeup.jsp?docid=2016-032913-4222-99

Not a lot of information from Symantec, and definitions of PETYA are old for this variant

• Latest Daily Certified version February 7, 2017 revision 001

Waiting SRL blog.

https://www.symantec.com/connect/symantec-blogs/sr

Info about Petya.

Discovered:

March 29, 2016

Updated:

August 26, 2016 11:53:19 AM

Also Known As:

Trojan.Cryptolocker.AJ [Symantec]

Type:

Trojan

Infection Length:

Varies

Systems Affected:

Windows

Antivirus Protection Dates

• Initial Rapid Release version May 20, 2016 revision 034
• Latest Rapid Release version February 6, 2017 revision 033
• Initial Daily Certified version May 20, 2016 revision 049
• Latest Daily Certified version February 7, 2017 revision 001
• Initial Weekly Certified release date March 30, 2016

After additional research, since this just started today, Symantec has not come out with more info. I assume that will follow here in the next couple hours or so. If running SEP 14 and all of its components, this should be detecting it, even though AV signatures may not catch it.

Early results from VirusTotal show that SEP's machine learning component is detecting it:

https://www.virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/

Thanks Brian,

Please let us know if have any update and new definition released to cover.

Currently, it's detected as Trojan.gen.2:

https://www.virustotal.com/en/file/8143d7d370015ccebcdaafce3f399156ffdf045ac8bedcc67bdffb1507be0b58/analysis/

Info has been updated on VT:

https://virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/

I am currently monitoring our system network. I am running SEP 14 and SEP 12. Please let me know if there is a new definitions to cover this issue.

Yes, revision 6/27/17 r1 detects it as Trojan.Gen.2

Symantec Security Response just released their blog on this:

https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know

Tanks Brian, 

I just find a small difference in detection name.

In VirusTotal, certified definitions catch this under ML.Attribute.HighConfidence , but in Petya, only update is Rapid Release defiitions

https://www.symantec.com/security_response/writeup.jsp?docid=2016-032913-4222-99

Antivirus Protection Dates

• Initial Rapid Release version May 20, 2016 revision 034
• Latest Rapid Release version June 27, 2017 revision 009
• Initial Daily Certified version May 20, 2016 revision 049
• Latest Daily Certified version February 7, 2017 revision 001
• Initial Weekly Certified release date March 30, 2016

You can mark this post as solved.