How ProTelesis and Cylance Protect Against Bad Rabbit Ransomware
October 30th, 2017 by admin
How are ProTelesis and Cylance working together to protect companies against Bad Rabbit ransomware? The latest strain of ransomware, known as “Bad Rabbit”, has been getting a lot of media attention today. Most of the victims appear to be Russian news agencies and other organizations in Russia and Ukraine.

Before explaining the details of this latest outbreak, rest assured that our CylancePROTECT® customers are fully protected from this Bad Rabbit ransomware attack: the payload will be blocked. Our Threat Research partner is continuing to investigate this Bad Rabbit malware, and we will update this post and publish anything they find that may be of interest to our customers and community.

How Bad Rabbit Works
The initial infection vector is still unknown. After execution, however, the malicious DLL performs several actions, including setting up scheduled tasks to run the other malicious components. In all, there are five embedded executables in infpub.dat. Two are versions of Mimikatz (x86 and x64) used to attempt credential theft; CylancePROTECT's memory defense blocks this with an LSASS Read violation. Two are versions of a signed driver (also x86 and x64) that are abused for raw access to the boot sector and for full-disk encryption. Finally, another module infects the MBR and displays the ransom message. Analysis of both the DLL and the MBR infector is still ongoing.
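Added example (not Cylance's or ProTelesis's code) of how an analyst enumerates the components packed inside a dropper such as infpub.dat before running anything: scan the file for embedded PE images, validate each header, compute each image's on-disk extent from its section table, and classify it by machine type (x86/x64) and subsystem. Treating a native-subsystem image as a kernel driver is a heuristic, not something the page states. The sample blob is constructed inside the script from minimal hand-made PE headers so it runs offline; it is not the real infpub.dat, and its payload strings and layout are placeholders. The carver itself is general: it works on any file that embeds PE images, not only this dropper.

```python
"""Enumerate the executables embedded in a dropper by carving PE images.

Added example, not Cylance's or ProTelesis's code. The blob returned by
build_sample_blob() is CONSTRUCTED here from minimal hand-made PE headers;
it is not the real malware, and its layout is an assumption.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
IMAGE_SUBSYSTEM_NATIVE = 1       # kernel-mode drivers (heuristic used below)
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3  # console user-mode executables
ARCH = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def parse_pe(blob, offset):
    """Validate a PE image at `offset`; return a record, or None if it is not one."""
    if blob[offset:offset + 2] != b"MZ" or offset + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, offset + 0x3C)[0]
    pe = offset + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24
    if opt_size < 70 or opt + opt_size > len(blob):
        return None
    if struct.unpack_from("<H", blob, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    size_of_headers = struct.unpack_from("<I", blob, opt + 60)[0]
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]
    # On-disk extent = furthest byte that any section's raw data reaches.
    end = size_of_headers
    for i in range(nsections):
        sec = opt + opt_size + 40 * i
        if sec + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec + 16)
        end = max(end, raw_ptr + raw_size)
    if offset + end > len(blob):
        return None  # truncated image: reject rather than carve a partial file
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        kind = "driver"
    elif chars & IMAGE_FILE_DLL:
        kind = "dll"
    else:
        kind = "exe"
    return {"offset": offset, "size": end, "arch": ARCH.get(machine, hex(machine)),
            "kind": kind, "data": blob[offset:offset + end]}


def carve_embedded_pes(blob):
    """Return every valid PE image in `blob`, the outer container included.

    The scan steps one byte at a time instead of jumping past each image so
    that images nested inside a container's sections are still found.
    """
    found, pos = [], blob.find(b"MZ")
    while pos >= 0:
        rec = parse_pe(blob, pos)
        if rec:
            found.append(rec)
        pos = blob.find(b"MZ", pos + 1)
    return found


def build_fake_pe(machine, subsystem, characteristics, payload):
    """Construct a minimal, NON-functional PE image for use as a test fixture."""
    is64 = machine == IMAGE_FILE_MACHINE_AMD64
    opt_size = 0xF0 if is64 else 0xE0
    hdr_len = 0x40 + 24 + opt_size + 40  # DOS hdr + sig/COFF + optional hdr + 1 section hdr
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if is64 else 0x10B)   # Magic
    struct.pack_into("<I", opt, 56, hdr_len + len(payload))    # SizeOfImage
    struct.pack_into("<I", opt, 60, hdr_len)                   # SizeOfHeaders
    struct.pack_into("<H", opt, 68, subsystem)                 # Subsystem
    section = (b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), hdr_len)
               + b"\0" * 16)
    return dos + coff + bytes(opt) + section + payload


def build_sample_blob():
    """CONSTRUCTED stand-in for a dropper DLL carrying five embedded components."""
    parts = [
        build_fake_pe(IMAGE_FILE_MACHINE_I386, IMAGE_SUBSYSTEM_WINDOWS_CUI, 0x0102, b"cred-theft tool (x86)"),
        build_fake_pe(IMAGE_FILE_MACHINE_AMD64, IMAGE_SUBSYSTEM_WINDOWS_CUI, 0x0022, b"cred-theft tool (x64)"),
        build_fake_pe(IMAGE_FILE_MACHINE_I386, IMAGE_SUBSYSTEM_NATIVE, 0x0102, b"disk driver (x86)"),
        build_fake_pe(IMAGE_FILE_MACHINE_AMD64, IMAGE_SUBSYSTEM_NATIVE, 0x0022, b"disk driver (x64)"),
        build_fake_pe(IMAGE_FILE_MACHINE_I386, IMAGE_SUBSYSTEM_WINDOWS_CUI, 0x0102, b"MBR infector"),
    ]
    body = b"".join(b"\xCC" * 32 + p for p in parts)  # filler between components
    return build_fake_pe(IMAGE_FILE_MACHINE_I386, IMAGE_SUBSYSTEM_WINDOWS_CUI, 0x2102, body)


def inventory(blob):
    """List (offset, arch, kind) for every image found, in file order."""
    return [(r["offset"], r["arch"], r["kind"]) for r in carve_embedded_pes(blob)]


if __name__ == "__main__":
    for off, arch, kind in inventory(build_sample_blob()):
        print(f"0x{off:06x}  {arch:<4} {kind}")
```

On a real sample, read the file bytes and pass them to carve_embedded_pes(); the first record is the container DLL itself (its size equals the file length) and the rest are the embedded components, each with its bytes in the "data" field ready to be written out and hashed. Matching the page's description, the constructed sample yields two user-mode executables in both architectures, two native-subsystem images in both architectures, and one further user-mode executable.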
Key Impacts
Absent coverage by an effective anti-malware solution, Bad Rabbit will render a system completely inoperable and may spread to other systems by abusing the trust inherent in corporate networks. No network connection is required to perform encryption, and recovery options may be limited. This leaves three logical possibilities:
- The key (or a key-generation algorithm) may be recovered;
- There exists only one public-private key pair and decryption must be performed by the threat actors, or they risk making the private key publicly available; or
- The attackers never meant for the files to be recovered.
How Does Cylance Protect Me?
- CylancePROTECT stops both file and fileless malware, including that of the self-destructing variety. Since it operates pre-execution – before it enters memory – ransomware such as we are seeing today never has a chance to do damage or communicate with C2 servers.
- CylancePROTECT runs silently in the background to detect malicious files, with configurable options across memory, script, file, and network protection. In essence, Cylance predicts attacks – far in advance – without the blind spots found in legacy, signature-based tools.
- Finally, the CylancePROTECT Dashboard offers insight into “what could have been,” aiding in investigations on unprotected machines. But those with CylancePROTECT won’t require remediation or cleanup.
Interested in learning more about CylancePROTECT? Join our next cybersecurity and antivirus software webinar to learn how our AI-driven solution can predict and prevent unknown and emerging threats.
Ransomware: Don't be the Sacrificial Lamb
Presented by:
- Richard Melick, Sr. Security Technologist at Cylance
- Alex Vega, Director of MSP/Hosting Services at ProTelesis
Wednesday, December 6 at 12:00 pm PDT
Sources Cited: Article courtesy of our partners at Cylance.
Posted in: Uncategorized, IT Security, Malware, Security