IMPORTANT: New QRadar Petya Ransomware Content Extension Available!

Hey all,

This is an informational post to alert users to new QRadar content that is available for Petya. If there are questions though, feel free to ask me.

**IMPORTANT**
For QRadar admins attempting to detect Petya ransomware, a new QRadar Content Extension is available for QRadar 7.2.8 and later. Working with the X-Force team, we have included signatures, new custom rules, file hashes, known IPs, known hostnames, and more into a new content pack that all administrators are encouraged to download and install to assist with detection.

**Direct link**:
[https://exchange.xforce.ibmcloud.com/hub/extension/bb078141beace9e2aea196f3614d08cf][1]

NOTE: You must sign in (free registration) to download the QRadar Petya Content Extension. Guests cannot download or comment on the X-Force site without signing in.

**Content Pack Information**
Out of the box, QRadar will detect Petya ransomware as it moves laterally, exploits vulnerabilities and communicates with non-trusted internet sources. This content pack adds detection based on Snort signatures and collaboratively developed threat intelligence for higher-fidelity alerting.

This content pack contains:
– 4 Reference sets
– 7 Building Blocks
– 1 Custom Rule
– 1 Custom Function (Convert to Hex)

The 4 reference sets for the Petya malware contain the IPs, filenames, hashes and hostnames from the X-Force collection (up to date as of 2pm BST, 28th June 2017): https://exchange.xforce.ibmcloud.com/collection/Petya-Ransomware-Campaign-9c4316058c7a4c50931d135e62d55d89

We have also included a custom function that converts the raw payload of flows into hex format. If you are using QFlow and the network traffic signature below is seen in a flow, your organization will be alerted, giving a possible early detection of the malware.

```
alert tcp any any -> any 445 (msg:"ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; reference:cve,2017-0143; classtype:attempted-admin; sid:2024297; rev:1;)
```
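To show what the Convert to Hex function plus the signature above amount to in practice, here is an added Python example (not part of the content pack or the original post). It parses the destination port and the `|hex|` content string out of the Snort rule as printed above, hex-encodes a flow payload the way the custom function does, and checks the flow the way the rule would. The sample payloads are constructed, not captured traffic, and `hex_to_bytes` is a helper introduced here. The example also handles one failure mode a plain substring search on the hex text would get wrong: the signature nibbles appearing shifted by half a byte, which is not a match at the byte level.

```python
import re

# Snort rule from the post, with the wrapped content hex rejoined onto one line.
PETYA_ETERNALBLUE_RULE = (
    'alert tcp any any -> any 445 '
    '(msg:"ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010"; '
    'flow:established,to_server; '
    'content:"|8000a80000000000000000000000000000000000'
    'ffff000000000000ffff00000000000000000000000000000000'
    '00000000000000f1dfff000000000000000020'
    'f0dfff00f1dfffffffffff600004100000000080efdfff|"; '
    'reference:cve,2017-0143; classtype:attempted-admin; sid:2024297; rev:1;)'
)


def parse_rule(rule):
    """Return (destination port, signature hex string) from a rule of this shape."""
    header, _, options = rule.partition("(")
    # header fields: alert tcp <src ip> <src port> -> <dst ip> <dst port>
    dst_port = int(header.split()[6])
    m = re.search(r'content:"\|([0-9a-fA-F\s]+)\|"', options)
    if m is None:
        raise ValueError("rule carries no |hex| content match")
    return dst_port, re.sub(r"\s+", "", m.group(1)).lower()


def payload_to_hex(payload):
    """Stand-in for the content pack's Convert to Hex custom function."""
    return payload.hex()


def hex_contains_aligned(haystack_hex, needle_hex):
    """True only if needle_hex occurs at an even offset, i.e. on a byte boundary."""
    start = 0
    while True:
        idx = haystack_hex.find(needle_hex, start)
        if idx < 0:
            return False
        if idx % 2 == 0:
            return True
        start = idx + 1


def flow_matches(dst_port, payload, rule=PETYA_ETERNALBLUE_RULE):
    """Apply the rule's port and content conditions to one flow's raw payload."""
    port, signature_hex = parse_rule(rule)
    if dst_port != port:
        return False
    return hex_contains_aligned(payload_to_hex(payload), signature_hex)


def hex_to_bytes(h):
    """Build sample bytes from a hex string, padding a trailing lone nibble with 0."""
    return bytes.fromhex(h if len(h) % 2 == 0 else h + "0")


# Constructed sample flows (not captured traffic).
SIGNATURE_HEX = parse_rule(PETYA_ETERNALBLUE_RULE)[1]
SAMPLE_EXPLOIT_PAYLOAD = b"\x00\x00\x00\x60" + hex_to_bytes(SIGNATURE_HEX) + b"\x00" * 8
SAMPLE_BENIGN_PAYLOAD = b"\x00\x00\x00\x2fSMB" + b"\x00" * 40
# Same nibbles shifted by half a byte: a plain substring test on the hex text
# would fire on this, the byte-aligned check does not.
SAMPLE_NIBBLE_SHIFTED = hex_to_bytes("0" + SIGNATURE_HEX)

if __name__ == "__main__":
    for name, p in (("exploit", SAMPLE_EXPLOIT_PAYLOAD),
                    ("benign", SAMPLE_BENIGN_PAYLOAD),
                    ("nibble-shifted", SAMPLE_NIBBLE_SHIFTED)):
        print(f"{name:15} port 445 -> {flow_matches(445, p)}")
```

The port check stands in for the rule header; the `flow:established,to_server` option is not modelled here because it needs connection state rather than a single payload. When building a similar check in a custom rule, match on the hex string at even offsets only, otherwise a payload that merely shares the same nibble sequence one half-byte out of alignment raises a false offense.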

All building blocks and reference sets are linked to the custom rule as part of this content pack, and an offense is created when the IPs, filenames, hostnames, hashes or signature from X-Force Threat Intelligence are seen.

[1]: https://exchange.xforce.ibmcloud.com/hub/extension/bb078141beace9e2aea196f3614d08cf
