Endpoint Protection


BadRabbit: New ransomware wave hitting RU & UA

ℬrίαη 10-25-2017 10:31 AM

PaulCab 10-25-2017 10:45 AM

  • 1.  BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-24-2017 03:45 PM

    https://isc.sans.edu/diary.html?n&storyid=22964

    Anyone getting any guidance from Symantec support?

    Thanks!



  • 2.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-24-2017 07:53 PM
    Expect something from Security Response shortly. Check back here.


  • 3.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-24-2017 11:36 PM
    Symantec detects all known samples as Ransom.BadRabbit. I've tested the samples and they are blocked by SEP. I would expect an official blog post to follow shortly :)

    The following are blocked by SEP:

    Dropper: Fake flash installer: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
    Encrypt mechanism: dispci.exe 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
    Payload: infpub.da 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648


  • 4.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-25-2017 12:21 AM

    Hi TORB,

     

    Thanks for your test, but is this blocked by both v12.x and v14.x?

    Also which virus def will be fine with it?

     

    Cheers,

    Loh



  • 5.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Broadcom Employee
    Posted 10-25-2017 01:57 AM
    Hi, is there any update from Symantec on Bad Rabbit Ransomware???


  • 6.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Broadcom Employee
    Posted 10-25-2017 04:11 AM

    Hi,

    Can you confirm whether the signatures from 24th October 2017 r24 for SEP 12.1.4 will block the Bad Rabbit malware please?

    Many thanks.



  • 7.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-25-2017 04:42 AM

    Hi Greg and other followers of this thread,

    Symantec Security Response is indeed aware of this threat (and other developments in the threat landscape.)  Protection is in place:

    Ransom.BadRabbit
    https://www.symantec.com/security_response/writeup.jsp?docid=2017-102503-0423-99

    The current definitions available from LiveUpdate include detection. I also recommend blocking the domain 1dnscontrol[.]com at the corporate firewall.

    As ever, ensure that backups against all manner of disasters are in place and that end users are educated in how to react to threats and to emergencies.  The following article contains additional good tips:

    Hardening Your Environment Against Ransomware
    https://www.symantec.com/connect/articles/hardening-your-environment-against-ransomware



  • 8.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-25-2017 06:55 AM

    See here:

    https://www.symantec.com/security_response/writeup.jsp?docid=2017-102503-0423-99



  • 9.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-25-2017 07:26 AM

    These did:

    Initial Rapid Release version October 24, 2017 revision 020



  • 10.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-25-2017 07:26 AM

    Here:

    https://www.symantec.com/security_response/writeup.jsp?docid=2017-102503-0423-99



  • 11.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-25-2017 10:28 AM

    Hi All, Can I take it that SEPM 12.1.6 with definitions 10/24/2017 r35 now has detection for BadRabbit?

    Cheers

     

    PaulC



  • 12.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-25-2017 10:31 AM

    Yes.



  • 13.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-25-2017 10:45 AM

    Thanks very much, as usual Brian

    PaulC

     

     



  • 14.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-25-2017 11:00 AM

    Hi PaulC,

    You may wish to consider a move to SEP 14.  It has Advanced Machine Learning capabilities that are not present in SEP 12.1.  These SEP 14 detections, like Heur.AdvML.A, Heur.AdvML.B etc, are catching a lot of malware as soon as it is released into the wild, long before there are traditional AV signatures against them.  It's won me over as the more effective version against all sorts of new malware.

       



  • 15.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-25-2017 11:03 AM

    Also, please see this new blog post:

     

    BadRabbit: New strain of ransomware hits Russia and Ukraine
    https://www.symantec.com/connect/blogs/badrabbit-new-strain-ransomware-hits-russia-and-ukraine



  • 16.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Posted 10-25-2017 12:24 PM

    Hi Mick2009, Just to let you know that SEP 14 is coming to my environment very soon.

    Cheers

    PaulC



  • 17.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Broadcom Employee
    Posted 10-26-2017 09:56 AM

    I have seen writeups where it indicates that Bad Rabbit needs admin rights to work properly. Does it necessarily fail if the user does not have admin rights?



  • 18.  RE: BadRabbit: New ransomware wave hitting RU & UA

    Trusted Advisor
    Posted 10-27-2017 04:33 AM

    Hello,

    Check this new Article:

    New Ransomware on the block - BadRabbit

    https://www.symantec.com/connect/articles/new-ransomware-block-badrabbit

    Regards,