On October 24, a large-scale ransomware campaign spread across Europe, closely mimicking the NotPetya attacks from earlier this year.
Bad Rabbit appeared to infect machines via a drive-by download that prompted the user to run a fake Adobe Flash installer. No exploits were used during initial infection. Once executed, Bad Rabbit had worming capabilities similar to those of NotPetya and WannaCry.
The default and advanced policies shipping in Cb Defense blocked Bad Rabbit before any signatures or hashes for it had been identified.
Blocking “Not_listed/Unknown” files that invoke ransomware-like behavior is very effective against these “commodity” ransomware strains:
Process tree of a Bad Rabbit termination:
Cb Defense Streaming Prevention TTPs associated with Bad Rabbit (note the streaming prevention TTPs “access_data_files” and “data_to_encrypt”):
What a block looks like to an end user:
About Streaming Ransomware Prevention
The newest release of Cb Defense uses “Streaming Ransomware Prevention,” expanding on Carbon Black’s breakthrough “Streaming Prevention” technology. This innovation leverages event-stream processing, the same technology that revolutionized algorithmic day-trading, to continuously update risk profiles based on a stream of computer activity. When multiple, potentially malicious events occur in a cluster, Cb Defense blocks the attack, whether file-based or fileless. By building upon an event-stream model, rather than the file-based signature approach used by ineffective legacy antivirus solutions, Cb Defense is able to:
- Detect and prevent ransomware attacks, even if the attack uses an unknown file or no file at all.
- Work online or offline, protecting systems from the most dangerous ransomware, even if they are disconnected from the corporate network or the cloud.
- Enable smooth operations with virtually no performance impact for end-users.
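To make the event-stream idea concrete, here is a small added example (not Carbon Black's code, and not how Cb Defense is implemented internally) of the two points above: a stream of per-process events carrying TTP labels, a sliding window that accumulates them, and a policy decision to terminate when a cluster of ransomware-like TTPs appears in a process whose file reputation is “Not_listed/Unknown”. The TTP names `access_data_files` and `data_to_encrypt` come from the post; the event format, the reputation labels, the window size, the weights and the sample events are all constructed assumptions.

```python
"""
Toy event-stream ransomware detector (added example; not Carbon Black code).

A sliding window per process accumulates TTP labels; when a cluster of
ransomware-like TTPs shows up in a process of NOT_LISTED/UNKNOWN reputation,
the policy decision is "terminate". Everything except the two TTP names
quoted from the post is an assumption made for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed per-TTP risk weights; only the two names are from the post.
TTP_WEIGHTS = {
    "access_data_files": 1,
    "data_to_encrypt": 3,
    "modify_data_files": 2,   # assumed additional TTP, unused by the sample
}
WINDOW_SECONDS = 10           # assumed: events older than this age out
BLOCK_THRESHOLD = 4           # assumed: minimum clustered weight to act
UNTRUSTED_REPUTATIONS = {"NOT_LISTED", "UNKNOWN"}   # assumed label spelling


@dataclass(frozen=True)
class Event:
    ts: float          # seconds since stream start
    pid: int
    process: str
    reputation: str    # file reputation of the process image
    ttp: str           # behaviour label attached by the sensor


class StreamingDetector:
    def __init__(self, window=WINDOW_SECONDS, threshold=BLOCK_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._windows = defaultdict(deque)   # pid -> recent events
        self.blocked = {}                    # pid -> sorted TTPs at block time

    def observe(self, ev):
        """Feed one event; return the policy decision for that event."""
        if ev.pid in self.blocked:
            return "already_blocked"
        win = self._windows[ev.pid]
        win.append(ev)
        # Drop events that fell out of the sliding window.
        while win and ev.ts - win[0].ts > self.window:
            win.popleft()
        score = sum(TTP_WEIGHTS.get(e.ttp, 0) for e in win)
        ttps = {e.ttp for e in win}
        # Block only when (a) the image is unknown/not listed, (b) the
        # clustered weight is high enough, and (c) the cluster actually
        # includes the encryption TTP, so bulk reads alone do not trip it.
        if (ev.reputation in UNTRUSTED_REPUTATIONS
                and score >= self.threshold
                and "data_to_encrypt" in ttps):
            self.blocked[ev.pid] = sorted(ttps)
            return "terminate"
        return "allow"


def run_stream(events):
    """Run a stream through a fresh detector; return (decisions, detector)."""
    det = StreamingDetector()
    return [det.observe(ev) for ev in events], det


# Constructed sample stream: an unknown "installer", a trusted editor that
# legitimately touches and encrypts a document, and an unknown process that
# only reads files. None of these are real Bad Rabbit artifacts.
SAMPLE_EVENTS = [
    Event(0.0, 4242, "flash_installer.exe", "NOT_LISTED", "access_data_files"),
    Event(0.5, 100, "winword.exe", "TRUSTED_WHITE_LIST", "access_data_files"),
    Event(1.0, 4242, "flash_installer.exe", "NOT_LISTED", "access_data_files"),
    Event(1.5, 100, "winword.exe", "TRUSTED_WHITE_LIST", "data_to_encrypt"),
    Event(2.0, 4242, "flash_installer.exe", "NOT_LISTED", "data_to_encrypt"),
    Event(2.5, 4242, "flash_installer.exe", "NOT_LISTED", "data_to_encrypt"),
    Event(3.0, 777, "updater.exe", "UNKNOWN", "access_data_files"),
    Event(3.2, 777, "updater.exe", "UNKNOWN", "access_data_files"),
    Event(3.4, 777, "updater.exe", "UNKNOWN", "access_data_files"),
    Event(3.6, 777, "updater.exe", "UNKNOWN", "access_data_files"),
    Event(3.8, 777, "updater.exe", "UNKNOWN", "access_data_files"),
    # 20.0 is more than WINDOW_SECONDS after the reads above, so they have
    # aged out and this single encryption event does not reach the threshold.
    Event(20.0, 777, "updater.exe", "UNKNOWN", "data_to_encrypt"),
]

if __name__ == "__main__":
    decisions, det = run_stream(SAMPLE_EVENTS)
    for ev, d in zip(SAMPLE_EVENTS, decisions):
        print(f"t={ev.ts:5.1f} pid={ev.pid:<5} {ev.process:<20} {ev.ttp:<18} -> {d}")
    print("blocked:", det.blocked)
```

Two design points are worth noting. The trusted `winword.exe` process produces the same `access_data_files` + `data_to_encrypt` cluster as the installer and is still allowed, because reputation is one of the inputs to the decision; and the unknown `updater.exe` process is not terminated for reading many files, since the rule requires the encryption TTP to be present in the same window. The aging-out check at the end shows why the window matters: an isolated encryption event long after the reads does not look like a ransomware cluster.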
For more information about the rise of ransomware, and what you can do about Bad Rabbit, check out the Ransomware Epidemic: Stop Bad Rabbit In Its Tracks webcast hosted by Rick McElroy, Security Strategist at Carbon Black.