Preventing BadRabbit ransomware attack using Trend Micro products

    • Updated: 27 Oct 2017
    • Product/Version:
      • Deep Discovery Inspector 3.8
      • Deep Discovery Inspector All.All
      • Deep Security 10.All
      • Deep Security 10.0
      • Deep Security 10.1
      • Deep Security 9.0
      • Deep Security 9.5
      • Deep Security 9.6
      • Deep Security All.All
      • Deep Security as a Service All.All
      • InterScan Messaging Security Virtual Appliance 9.0
      • InterScan Messaging Security Virtual Appliance 9.1
      • InterScan Messaging Security Virtual Appliance All.All
      • InterScan Web Security Virtual Appliance 6.0
      • InterScan Web Security Virtual Appliance 6.5
      • InterScan Web Security Virtual Appliance All.All
      • OfficeScan 11.0
      • OfficeScan All.All
      • OfficeScan XG.All
      • ScanMail for Exchange 12.0
      • ScanMail for Exchange All.All
    • Platform: N/A
Summary

Updated: October 27, 2017 @ 3:15 PM GMT

A ransomware campaign is currently ongoing, hitting Eastern European countries with what seems to be a variant of the Petya ransomware dubbed BadRabbit (which we detect as RANSOM_BADRABBIT.A). Leveraging our cross-generational blend of XGen™ security capabilities, Trend Micro products with machine learning enabled can proactively detect this ransomware as TROJ.Win32.TRX.XXPE002FF019 without the need for a pattern update. The attack comes a few months after the previous Petya outbreak, which struck European countries back in June.


Details

What do we know about the infection?

There have been several early reports on this particular infection, and Trend Micro is trying to validate these sources independently to ensure their accuracy.

It appears that BadRabbit spreads via fake Flash updates, incorporates Mimikatz (an open source credential-extraction tool that has been used in previous attacks) to harvest credentials, and apparently also tries a list of common hard-coded credentials such as Admin, Guest, User, root, etc. There is also evidence that the BadRabbit ransomware uses a legitimate tool, DiskCryptor, to encrypt victims' systems.

Updated analysis indicates that Bad Rabbit also spreads via the SMB file sharing protocol. It attempts to brute force any administrative shares it finds; if successful, it drops a copy of itself into these shares. If these brute-force attempts fail, it uses an exploit related to one of the other recent Shadow Brokers SMB vulnerabilities to drop copies onto these shares. This is a divergence from the earlier Petya attacks, which used the EternalBlue vulnerability.
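The SMB spreading behaviour described above (repeated credential guessing against administrative shares from one source host) leaves a recognisable trace in the Windows Security log: a burst of failed network logons (Event ID 4625, logon type 3) from a single IP address across many generic account names. The following PowerShell is an added example, not code from the Trend Micro article or from any Trend Micro product, showing how a defender could pull such records and flag that pattern. The event records at the bottom are constructed for the example, and the window, threshold and account watch-list are assumed tuning values (only Admin, Guest, User and root come from the article).

```powershell
# Added example (not from the Trend Micro article): flag hosts that generate a burst of
# failed network logons against generic account names, the footprint left by the kind of
# SMB credential guessing described above.

function ConvertFrom-LogonFailureEvent {
    # Flatten a live Security-log 4625 record (from Get-WinEvent) into the shape
    # Find-LogonBruteForce expects. Field names are the documented 4625 EventData names.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id          = $Record.Id
            TimeCreated = $Record.TimeCreated
            LogonType   = [int]$data['LogonType']
            TargetUser  = $data['TargetUserName']
            SourceIp    = $data['IpAddress']
        }
    }
}

function Find-LogonBruteForce {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 5,      # assumed: burst window
        [int] $Threshold     = 10,     # assumed: failures per source inside the window
        # Admin/Guest/User/root are named in the article; the rest are assumed examples.
        [string[]] $WatchAccounts = @('Admin', 'Administrator', 'Guest', 'User', 'root', 'admin', 'test')
    )
    $Events |
        Where-Object { $_.Id -eq 4625 -and $_.LogonType -eq 3 } |   # network logons only
        Group-Object SourceIp |
        ForEach-Object {
            $sorted  = @($_.Group | Sort-Object TimeCreated)
            $first   = $sorted[0].TimeCreated
            $last    = $sorted[-1].TimeCreated
            $spanMin = ($last - $first).TotalMinutes
            $watched = @($sorted | Where-Object { $WatchAccounts -contains $_.TargetUser })
            if ($sorted.Count -ge $Threshold -and $spanMin -le $WindowMinutes) {
                [pscustomobject]@{
                    SourceIp             = $_.Name
                    Failures             = $sorted.Count
                    DistinctAccounts     = @($sorted.TargetUser | Sort-Object -Unique).Count
                    GenericAccountsTried = (@($watched.TargetUser | Sort-Object -Unique) -join ',')
                    FirstSeen            = $first
                    LastSeen             = $last
                }
            }
        }
}

# Constructed sample: one host cycling through generic names every 5 seconds,
# one host with two isolated failures (normal user typos) that should not alert.
$base   = Get-Date '2017-10-24T10:00:00'
$names  = 'Admin', 'Guest', 'User', 'root', 'Administrator', 'admin',
          'test', 'operator', 'backup', 'support', 'manager', 'helpdesk'
$sample = @()
for ($i = 0; $i -lt $names.Count; $i++) {
    $sample += [pscustomobject]@{ Id = 4625; TimeCreated = $base.AddSeconds(5 * $i)
                                  LogonType = 3; TargetUser = $names[$i]; SourceIp = '10.0.0.5' }
}
$sample += [pscustomobject]@{ Id = 4625; TimeCreated = $base.AddMinutes(3);  LogonType = 3; TargetUser = 'jsmith'; SourceIp = '10.0.0.9' }
$sample += [pscustomobject]@{ Id = 4625; TimeCreated = $base.AddMinutes(20); LogonType = 3; TargetUser = 'jsmith'; SourceIp = '10.0.0.9' }

# Only 10.0.0.5 is reported: 12 failures in 55 seconds across 12 accounts.
Find-LogonBruteForce -Events $sample | Format-List

# Against a real host (requires the Security log to be readable by the caller):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } |
#     ConvertFrom-LogonFailureEvent | Find-LogonBruteForce
```

Logon type 3 is the filter that matters here: it restricts the count to network (SMB and similar) authentication and excludes interactive failures at the console, which are what most legitimate typos produce. The threshold and window are starting points; an environment with a legitimate scanner or a misconfigured service account will need them tuned or that source excluded.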

What steps do I need to take to reduce the risk of infection?

As with other similar threats, Trend Micro recommends that customers implement the following best practices as a bare minimum:

  • Patch and update your systems, or consider a virtual patching solution.
  • Enable your firewalls as well as intrusion detection and prevention systems.
  • Proactively monitor and validate traffic going in and out of the network.
  • Implement security mechanisms for other points of entry attackers can use, such as email and websites.
  • Deploy application control to prevent suspicious files from executing on top of behavior monitoring that can thwart unwanted modifications to the system.
  • Employ data categorization and network segmentation to mitigate further exposure and damage to data.
  • Disable SMB (v1) on vulnerable machines – using either GPO or by following the instructions provided by Microsoft.
  • Ensure that all of the latest patches (if possible using Virtual Patching solution) are applied to affected operating systems.
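The "Disable SMB (v1)" item above can be applied per host as well as through GPO. The PowerShell below is an added example, not code from the Trend Micro article or from Microsoft, that audits the SMBv1 state of a Windows host and then turns it off on both the server and client side using Microsoft's documented cmdlets and service settings (SmbShare and DISM modules, Windows 8.1 / Server 2012 R2 and later; on Windows Server editions the optional feature is named FS-SMB1 and is removed with Uninstall-WindowsFeature instead). It must run in an elevated session, and the feature removal needs a reboot to take effect.

```powershell
# Added example (not from the Trend Micro article): audit and disable SMBv1 on a Windows host.
# Run in an elevated PowerShell session. Use -WhatIf first to preview the changes.

function Get-Smb1Status {
    # Server side: the EnableSMB1Protocol setting of the LanmanServer service.
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Optional Windows feature that ships the SMB1 client/server (client-OS name: SMB1Protocol).
    $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
    # Client side: start type of the SMB1 redirector driver (4 = disabled, 3 = manual/on demand).
    $client = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                                -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        ServerSmb1Enabled = $server
        Smb1FeatureState  = $feature
        ClientSmb1Start   = $client
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Disable SMB1 server protocol')) {
        # Same effect as the GPO/registry setting
        # HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 = 0
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    if ($PSCmdlet.ShouldProcess('mrxsmb10', 'Disable SMB1 client redirector')) {
        # Microsoft's documented client-side steps: drop the SMB1 redirector from the
        # workstation service dependencies and stop the driver from starting.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }

    if ($PSCmdlet.ShouldProcess('SMB1Protocol', 'Remove optional feature')) {
        # Removes the SMB1 binaries entirely; completes on the next reboot.
        # On Windows Server use: Uninstall-WindowsFeature -Name FS-SMB1
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Usage: audit, preview, apply, re-audit after reboot.
Get-Smb1Status
Disable-Smb1 -WhatIf
# Disable-Smb1
# Restart-Computer
```

Before rolling this out, inventory anything that still speaks only SMBv1 (old NAS appliances, printers, legacy scanners): once the server side is off, those devices will fail to connect, which is the intended outcome for the ransomware but needs a migration plan for legitimate equipment.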

Protect your organization using Trend Micro Products

Trend Micro recommends a layered security approach on endpoint, messaging, and gateway, to ensure that all potential entry and compromise points have protection against these types of threats:

  • Trend Micro Predictive Machine Learning (found in products such as OfficeScan XG) detects the ransomware threat as TROJ.Win32.TRX.XXPE002FF019.
  • Trend Micro Web Reputation Services (WRS) is already classifying the reported Flash URL vector as malicious in products that utilize this feature.
  • Trend Micro Deep Discovery Analyzer (DDAN) is currently detecting parts of this threat as VAN_FILE_INFECTOR.UMXX. 
  • Smart Scan Agent Pattern and Official Pattern Release: Trend Micro is in the process of adding known variant and component detections into its patterns.
    • Smart Scan Pattern (TBL) - Currently being detected as Ransom_BADRABBIT.A starting with patterns 17594.019.00 and 17594.020.00
    • Smart Scan Agent Pattern and Official Pattern Release (conventional) - Currently being detected as Ransom_BADRABBIT.A, Ransom_BADRABBIT.SMA, and Ransom_BADRABBIT.A in pattern 13.739.00
    Please note that these patterns are the minimum recommended ones that contain protection for this threat -- however, because new components and variants are still being discovered, it is important that customers ALWAYS obtain the latest pattern files to ensure up-to-date protection. Also note that the minimum Scan Engine version needed for protection with the above patterns is 9.8x.
  • Trend Micro TippingPoint updated filter(s) for BadRabbit are scheduled to be released in our standard weekly DV release cycle on October 31st. However, if a customer needs immediate coverage, a custom filter, badrabbit_js_report_request.csw, may be obtained earlier by contacting TippingPoint TAC.
  • Trend Micro Deep Security and Vulnerability Protection (formerly the IDF plug-in for OfficeScan) DPI rules specifically for BadRabbit are also planned for inclusion in the upcoming regular security update (Oct. 31):
    • Rule 1008678 - Identified BADRABBIT Downloader JS Over HTTP
    • Rule 1008679 - Identified BADRABBIT Ransomware Propagation Over SMB
    In addition, the following already released DPI rules cover specific aspects to help mitigate the ransomware:
    • Rule 1001852 - Identified Attempt to Brute Force Windows Login Credentials
    • Rule 1008227 - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2017-0147)
    • Rule 1007114 - Portable Executable File Uploaded on SMB Share (Set to Detect only by default)

Trend Micro highly recommends that vendor critical patches are applied as soon as possible upon release. Customers and partners who may need some additional information or have questions are encouraged to contact their authorized Trend Micro technical support representative for further assistance.

Additional Information

Below is additional technical information on the known variants and components of this ransomware attack:

Trend Micro Blogs

Trend Micro Security News

3rd Party Information

Category: Remove a Malware / Virus
Solution Id: 1118637