How McAfee Products Can Protect Against BadRabbit Ransomware


McAfee is leading the way enterprises protect against emerging threats such as BadRabbit ransomware, remediate complex security issues, and combat attacks with an intelligent end-to-end security platform that provides adaptable and continuous protection as a part of the threat defense life cycle.

McAfee had zero-day protection for components of the initial BadRabbit attack in the form of behavioral, heuristic, application control, and sandbox analyses. This post provides an overview of those protections with the following products:

Frequently updated technical details can be found in the McAfee Knowledge Center article KB89335. We will update this post as more product information becomes available.

McAfee Endpoint Protection (ENS)

Dynamic Application Control (DAC) successfully provided our customers with zero-day protection from BadRabbit ransomware and prevented any potential damage from occurring when “Security” mode is enabled.

In addition, McAfee Endpoint Security mitigation methods for assorted malware are available in the following product guide.

Access Protection Rules: Creating access protection rules that block the creation of the following files prevents the ransomware from executing and encrypting data:

  • C:\Windows\cscc.dat
  • C:\Windows\infpub.dat
  • C:\Windows\dispci.exe

The following screenshots show steps for creating rules for McAfee ENS:

[Figures 1 to 4: screenshots of the ENS rule-creation steps; images not reproduced.]

McAfee VirusScan Enterprise (VSE)

The following screenshots show steps for creating Access Protection Rules for McAfee VirusScan Enterprise (VSE). For VSE, one rule must be created for each of the three files listed above:

[Figures 5 to 7: screenshots of the VSE rule-creation steps; images not reproduced.]

Enabling Joint Threat Intelligence (JTI) Rules 239 and 242 also prevents the ransomware from executing.

McAfee Threat Intelligence Exchange (TIE)

McAfee Threat Intelligence Exchange (TIE) further enhances a customer’s security posture. With the ability to aggregate reputation verdicts from ENS, VSE, McAfee Web Gateway, and McAfee Network Security Platform, TIE can quickly share reputation information related to BadRabbit with any integrated vector. By providing the ability to use Global Threat Intelligence (GTI) for a global reputation query, TIE also enables integrated products to make an immediate decision prior to execution of the ransomware payload, and leverage the reputation cached in the TIE database.

There are currently three samples associated with this ransomware campaign, representing the dropper and the main executable. Their SHA-256 hashes can be added to TIE manually; GTI updates these file reputations automatically.

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
  • 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
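The two indicator sets above (the dropped file names under C:\Windows and the three sample hashes) are also useful for a manual sweep of endpoints that are not yet covered by an access protection rule. The following script is an added example, not McAfee's code: it walks a directory tree, flags files whose names match the dropped files, and compares SHA-256 digests against the hashes listed in the post. The directory to scan is an assumed command-line argument.

```python
import hashlib
import os
from pathlib import Path

# Indicators quoted in the post: file names the ransomware drops into
# C:\Windows, and the SHA-256 hashes of the three known samples.
DROPPED_FILE_NAMES = {"cscc.dat", "infpub.dat", "dispci.exe"}
KNOWN_SHA256 = {
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
    "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648",
}


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, hash_all=False):
    """Walk `root` and return a list of (path, reason) findings.

    A file is flagged when its name matches a dropped-file name (compared
    case-insensitively, because NTFS is case-insensitive) or when its SHA-256
    is one of the known sample hashes. By default only name matches are
    hashed; hash_all=True hashes every file, which is what you want when
    sweeping download or temp directories for a renamed dropper.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            name_hit = name.lower() in DROPPED_FILE_NAMES
            if name_hit:
                findings.append((str(path), "name matches BadRabbit dropped file"))
            if name_hit or hash_all:
                try:
                    if sha256_of(path) in KNOWN_SHA256:
                        findings.append((str(path), "SHA-256 matches known sample"))
                except OSError:
                    # Locked or unreadable files are reported, not allowed to abort the sweep.
                    findings.append((str(path), "could not read file for hashing"))
    return findings


if __name__ == "__main__":
    import sys
    # Assumed usage: scan_badrabbit.py <directory>; defaults to C:\Windows.
    for found_path, reason in scan_tree(sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"):
        print(f"{reason}: {found_path}")
```

A name match on a benign file is not proof of infection on its own; the hash match, or the ENS/VSE access protection log, is the stronger signal.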


McAfee Network Security Platform (NSP)

McAfee NSP is one product that quickly responds to prevent exploits and protect assets within networks. The McAfee NSP team works diligently to develop and deploy user-defined signatures (UDS) for critical matters. Within a 24-hour period, several UDS were created and uploaded for customers to deploy on their network sensors. In this case, the UDS explicitly targeted the exploit tools EternalBlue, EternalRomance (SMB remote code execution), and DoublePulsar. Related indicators of compromise were also released that could be added to a blacklist to block potential threats associated with the original Trojan.

A Network Security Platform Emergency User Defined Signature (UDS) has been created to detect this threat. The UDS and its release notes are available for download from Knowledge Base article KB55447.

  • Use with NSM versions 8.1.x.x and 8.3.x.x
  • Use with NSM version 9.1.x.x

Please read the release notes carefully for important information.

Knowledge Base article KB55447 is available only to registered users. Log in to and search for the article ID.

McAfee products using DAT files

On October 25, McAfee released DAT 8695, which includes coverage for BadRabbit ransomware and its variants.
