Ransomware Interceptor (Pilot)

How to Use Interceptor

Trellix has added detection for the WannaCry ransomware malware infections (outbreak pertaining to May 12, 2017) in the new version of Trellix Ransomware Interceptor (MRI v0.5.0.338).

Ransomware malware has evolved to be a tremendous threat in recent years. Such malware will install on your system, encrypt or damage data on your system in a way that in many cases is irrecoverable unless you have a decryption key. Consumers may have to pay the malware authors hefty amounts of money (varies from a few 100 to a 1000 USD) to obtain the recovery key. Failure to do so typically results in permanent loss of data.

Installer Details

Interceptor comes with 2 installers:

1. x86 or 32 bit version for installing MRI on 32 bit OSes.
2. x64 or 64 bit version for installing MRI on 64 bit OSes.

Use the appropriate installer for your target OS.

Review KB 87658 If HIPS 8.0 Patch 5, 6, or 7 are installed in your environment. It’s advised not to install this product until you have read and understood this Knowledge Center article.

Once the install process is complete, a reboot is recommended. MRI will be visible via a TaskBar Icon. The Interceptor process is named “McAfeeRansomwareInterceptorWin32.exe”. The installer also includes a built-in Uninstaller. The same installer when run again post installation, gives the user the option to uninstall the software. Additionally, users can navigate through Windows Uninstallation menu to remove this tool.

The Interceptor Task Bar Menu

Menu items exist when the user right clicks on the Task Bar icon.

1. Start/Stop Monitoring: This gives the user control to enable/disable monitoring of the entire system by this tool
2. Whitelist a File: This option allows users to add files to a whitelist. This option gives users control to disable monitoring of specific files/processes. Once a file is whitelisted, it can’t be removed from the whitelist. Use this cautiously such as in cases of misdetection. &Interceptor is usually smart enough to identify clean processes automatically.
   
3. View Detection Log: This option allows a user to view the log containing prior detections.
4. About: Provides details about this tool.

Detection & Logging

Detections are made visible via a Balloon pop up and a detection window as shown below:

Additionally, detections are logged in “MRIProtectionLog.txt”. This file can be viewed at any time via the Taskbar menu, “View Detection Log”.

On detection, we only terminate the offending process. We do not delete them. This provides customers more control of their environment.

Supported Operating Systems

Interceptor is recommended to be run on any Windows Operating systems Windows 7 and later.

Disclaimer

Assume your files are encrypted by Stampado ransomware. Below we see the affected system’s screen after the infection, with email ID

1. Interceptor is currently in pilot. It is always advisable to try any new tool on non-critical end points first, to ensure it does not cause any unanticipated negative issues in your specific environment.
2. Unlike some of our other free tools such as Stinger, this is not expected to be an exhaustive generic malware tool. The tool however has features to assist our customers detect more than just ransomware.
3. Like most tools, there may be certain limitation in our tool and its ability to detect. We are aware of these and continually strive to improve our tools and their detection.
4. We have consciously tried to ensure that this product is usable, performant and has no quality issues, however this is a pilot, and we expect occasional issues.
5. This is not a static detection tool.
6. This tool does generate some network traffic. We however, do not gather any user or system specific information. Internet connectivity is recommended for added protection.
7. From time to time, you may need to update the tool. It is recommended that you Uninstall the previous version prior to installing any new build.

Ransomware Specific Information

McAfee regularly publishes documentation around various Ransomware families providing detailed Threat Advisories containing behavioral information, Indicators of Compromise (IOC), mitigation techniques etc. This information can be leveraged by end users for identification and remediation of different ransomware infections. The following are some useful links for end-users:

1. Users can access McAfee’s documentation related to Ransomware by visiting the McAfee Service Portal.
   1. Search for advisories by searching, “Threat Advisories”. Examples are:
      1. TeslaCrypt
      2. Ransomware-WannaCry
      3. Combatting Ransomware
   2. Select “Knowledge Center” for Knowledge Base Articles.
2. WannaCry Detection Information
   1. The new version of MRI (v0.5.0.338) is an enhancement to the already released version of MRI. (previous version : v0.5.0.192). The new version will have the same detection efficacy as the previously released version (in addition to WannaCry detections).
   2. MRI is meant to block encryption attempts only. It has limited cleaning capabilities but in the case of WannaCry it can detect and disable malicious services on the system provided a detection happens.
   3. There are instances of WannaCry that do not infect the system but try to just run the Windows SMB exploit on remote machines via a service. This case is not covered by MRI since no encryptions happen on the local machine.

Download Interceptor for 32-bit systems Download Interceptor for 64-bit systems

Additionally, detections are logged in “MRIProtectionLog.txt”. This file can be viewed at any time via the Taskbar menu, “View Detection Log”.On detection, we only terminate the offending process. We do not delete them. This provides customers more control of their environment.

On detection, we only terminate the offending process. We do not delete them. This provides customers more control of their environment.