How ProTelesis and Cylance Protect Against Bad Rabbit Ransomware

October 30th, 2017 by admin

How are ProTelesis and Cylance working together to protect companies against Bad Rabbit Ransomware? The latest strain of ransomware known as “Bad Rabbit” has been getting a lot of media attention today. Most of the victims appear to be Russian news agencies and other organizations in Russia and Ukraine.
Before explaining the details of this latest outbreak, rest assured that our CylancePROTECT® customers are fully protected from this Bad Rabbit Ransomware attack - the payload will be blocked.
Our Threat Research partner is continuing to investigate this Bad Rabbit malware, and we’ll update this post and publish anything they find that may be of interest to our customers and the security community.

How Bad Rabbit Works

The initial infection vector is still unknown; however, after execution, the malicious DLL performs several actions, including setting up scheduled tasks to run other malicious components. In all, there are five embedded executables in infpub.dat. Two versions of Mimikatz (x86 and x64) are used to attempt credential theft, which CylancePROTECT memory defense blocks with an LSASS Read violation. Two versions of a signed driver (also x86 and x64) are abused for raw access to the boot sector and for full disk encryption. Finally, another module infects the MBR and produces the ransom message. Analysis is still ongoing for both the DLL and MBR infector.
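The write-up counts five embedded executables (x86 and x64 pairs) inside infpub.dat. When triaging a dropper like this, an analyst wants to enumerate the embedded images and their architectures without running anything. The Python below is an added example, not Cylance's or ProTelesis's code: it walks a byte buffer for DOS/PE headers, validates that e_lfanew points at a real PE signature, and reads the COFF Machine field to tell x86 from x64 payloads. The container it scans is constructed inside the script for illustration (the real infpub.dat is not reproduced), and the function names are my own.

```python
import struct

# COFF Machine values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x64
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}

DOS_HEADER_SIZE = 0x40
E_LFANEW_OFFSET = 0x3C
COFF_HEADER_SIZE = 20
MAX_E_LFANEW = 0x400  # sanity bound: real e_lfanew values are small; larger ones are usually stray "MZ" bytes


def find_embedded_pe(blob: bytes):
    """Return a list of (offset, architecture) for every PE image found inside blob.

    A hit requires an "MZ" DOS stub whose e_lfanew points at a "PE\\0\\0"
    signature inside the buffer; the COFF Machine field then names the
    architecture. Nothing is executed or written to disk.
    """
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + DOS_HEADER_SIZE <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + E_LFANEW_OFFSET)[0]
            pe_off = pos + e_lfanew
            if (DOS_HEADER_SIZE <= e_lfanew < MAX_E_LFANEW
                    and pe_off + 4 + COFF_HEADER_SIZE <= len(blob)
                    and blob[pe_off:pe_off + 4] == b"PE\0\0"):
                machine = struct.unpack_from("<H", blob, pe_off + 4)[0]
                hits.append((pos, MACHINE_NAMES.get(machine, "unknown(0x%04x)" % machine)))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def summarize(hits):
    """Count embedded images per architecture, e.g. {'x86': 2, 'x64': 1}."""
    counts = {}
    for _, arch in hits:
        counts[arch] = counts.get(arch, 0) + 1
    return counts


def build_stub_pe(machine: int) -> bytes:
    """Construct a minimal PE-shaped header for exercising the scanner.

    This is not executable code: just a DOS header, the PE signature and a
    COFF header carrying the requested Machine value.
    """
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_SIZE)  # PE header follows the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed stand-in for a dropper container (not the real infpub.dat):
# filler bytes with three stub images embedded at different offsets, plus one
# stray "MZ" that has no PE signature behind it and must be ignored.
CONSTRUCTED_CONTAINER = (
    b"\x00" * 16
    + build_stub_pe(IMAGE_FILE_MACHINE_I386)
    + b"\xcc" * 33
    + build_stub_pe(IMAGE_FILE_MACHINE_AMD64)
    + b"MZ" + b"\xff" * 7
    + build_stub_pe(IMAGE_FILE_MACHINE_I386)
)

if __name__ == "__main__":
    found = find_embedded_pe(CONSTRUCTED_CONTAINER)
    for off, arch in found:
        print(f"embedded PE at offset 0x{off:x}: {arch}")
    print(summarize(found))
```

On a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `find_embedded_pe`; the e_lfanew bound and the signature check are what keep random "MZ" byte pairs in packed or encrypted data from being reported as images.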

Key Impacts

Absent coverage by an effective anti-malware solution, Bad Rabbit will render a system completely inoperable and may spread to other systems by abusing trust inherent in corporate networks. No network connection is required to perform encryption, and recovery options may be limited. This leaves three logical possibilities:
  • The key (or a key generation algorithm) may be recovered
  • There exists only one public-private key pair and decryption must be performed by the threat actors or they risk making the private key publicly available; or
  • The attackers never meant for the files to be recovered
We will continue researching this malware and will update this post as needed.

How Does Cylance Protect Me?

  • CylancePROTECT stops both file and fileless malware, including that of the self-destructing variety. Since it operates pre-execution – before it enters memory – ransomware such as we are seeing today never has a chance to do damage or communicate with C2 servers.
  • CylancePROTECT runs silently in the background to detect malicious files, with configurable options across memory, script, file, and network protection. In essence, Cylance predicts attacks – far in advance – without the blind spots found in legacy, signature-based tools.
  • Finally, the CylancePROTECT Dashboard offers insight into “what could have been,” aiding in investigations on unprotected machines. But those with CylancePROTECT won’t require remediation or cleanup.

Are you interested in learning more about CylancePROTECT? Join our next cybersecurity and antivirus software webinar to learn how our AI-driven solution can predict and prevent unknown and emerging threats.

Ransomware: Don't be the Sacrificial Lamb

Presented by:

  • Richard Melick, Sr. Security Technologist at Cylance
  • Alex Vega, Director of MSP/Hosting Services at ProTelesis

Wednesday, December 6 at 12:00 pm PDT

Register to ProTelesis and Cylance Protect Best Cybersecurity and antivirus Software
Sources Cited: Article courtesy of our partners at Cylance.
