Endpoint Protection

https://isc.sans.edu/diary.html?n&storyid=22964

Anyone getting any guidance from Symantec support?

Thanks!

Expect something from Security Response shortly. Check back here.

Symantec detects all known samples as Ransom.BadRabbit. I've tested the samples and they are blocked by SEP. I would expect an official blog post to follow shortly :) The following are blocked by SEP Dropper: Fake flash installer: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da Encrypt mechanism: dispci.exe 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 Payload: infpub.da 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

Hi TORB,

 

Thanks for your test, but if this is blocked by both v12.x and v14.x?

Also which virus def will be fine with it?

 

Cheers,

Loh

Hi, Is there any update from Symantec on Bad Rabbit Ransomeware???

Hi,

Can you confirm whether the signatures from 24th October 2017 r24 for SEP 12.1.4 will block the Bad Rabbit malware please?

Many thanks.

Hi Greg and other followers of this thread,

Symantec Security Response is indeed aware of this threat (and other developments in the threat landscape.)  Protection is in place:

Ransom.BadRabbit
https://www.symantec.com/security_response/writeup.jsp?docid=2017-102503-0423-99

The current definitions avalable from LiveUpdate include detection. I also recommend blocking the domain 1dnscontrol[.]com at the corporate firewall.

As ever, ensure that backups against all manner of disasters are in place and that end users are educated in how to react to threats and to emergencies.  The following article contains additional good tips:

Hardening Your Environment Against Ransomware
https://www.symantec.com/connect/articles/hardening-your-environment-against-ransomware

See here:

https://www.symantec.com/security_response/writeup.jsp?docid=2017-102503-0423-99

These did:

Initial Rapid Release version October 24, 2017 revision 020

Here:

https://www.symantec.com/security_response/writeup.jsp?docid=2017-102503-0423-99

Hi All, Can I take it that SEPM 12.1.6 with definitions 10/24/2017 r35 now has detection for BadRabbit?

Cheers

 

PaulC

Yes.

Thanks very much, as usual Brian

PaulC

 

 

Hi PaulC,

You may wish considering a move to SEP 14.  It has Advanced Machine Learning capabilities that are not present in SEP 12.1.  These SEP 14 detections, like Heur.AdvML.A, Heur.AdvML.B etc, are catching a lot of malware as soon as it is released into the wild, long before there are traditional AV signatures against them.  It's won me over as the more effective version against all sorts of new malware.

   

Also, please see this new blog post:

 

BadRabbit: New strain of ransomware hits Russia and Ukraine
https://www.symantec.com/connect/blogs/badrabbit-new-strain-ransomware-hits-russia-and-ukraine

Hi Mick2009, Just to let you know that SEP 14 is coming to my environment very soon.

Cheers

PaulC

I have see writeups where it indicates that bad rabbitt needs admin rights to work properly. Does it necessarily fail if the user dows not have admin rights?

Hello,

Check this new Article:

New Ransomware on the block - BadRabbit

https://www.symantec.com/connect/articles/new-ransomware-block-badrabbit

Regards,