How McAfee Products Can Protect Against BadRabbit Ransomware
McAfee is leading the way enterprises protect against emerging threats such as BadRabbit ransomware, remediate complex security issues, and combat attacks with an intelligent end-to-end security platform that provides adaptable and continuous protection as a part of the threat defense life cycle.
McAfee had zero-day protection for components of the initial BadRabbit attack in the form of behavioral, heuristic, application control, and sandbox analyses. This post provides an overview of those protections with the following products:
- McAfee Endpoint Protection (ENS)
- McAfee VirusScan Enterprise (VSE)
- McAfee Threat Intelligence Exchange (TIE)
- McAfee Network Security Platform (NSP)
- McAfee products using DAT files
Frequently updated technical details can be found in the McAfee Knowledge Center article KB89335. We will update this post as more product information becomes available.
McAfee Endpoint Protection (ENS)
Dynamic Application Control (DAC) successfully provided our customers with zero-day protection from BadRabbit ransomware and prevented any potential damage from occurring when “Security” mode is enabled.
In addition, McAfee Endpoint Security mitigation methods for assorted malware are available in the following product guide.
Access Protection Rules: Setting up access protection rules to prevent the creation of the following files prevents the ransomware from executing and encrypting files:
- C:\Windows\cscc.dat
- C:\Windows\infpub.dat
- C:\Windows\dispci.exe
The following screenshots show steps for creating rules for McAfee ENS:
Figure 1.
Figure 2.
Figure 3.
Figure 4.
McAfee VirusScan Enterprise (VSE)
The following screenshots show steps for creating Access Protection Rules for McAfee VirusScan Enterprise (VSE). For VSE, one rule must be created for each file mentioned in the behavior section:
Figure 5.
Figure 6.
Figure 7.
Enabling Joint Threat Intelligence (JTI) Rules 239 and 242 also prevents the ransomware from executing.
McAfee Threat Intelligence Exchange (TIE)
McAfee Threat Intelligence Exchange (TIE) further enhances a customer’s security posture. With the ability to aggregate reputation verdicts from ENS, VSE, McAfee Web Gateway, and McAfee Network Security Platform, TIE can quickly share reputation information related to BadRabbit with any integrated vector. By providing the ability to use Global Threat Intelligence (GTI) for a global reputation query, TIE also enables integrated products to make an immediate decision prior to execution of the ransomware payload, and leverage the reputation cached in the TIE database.
There are currently three samples associated with this ransomware campaign, representing the dropper and the main executable that could be added manually. (GTI automatically updates these file hashes.)
- 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
- 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
- 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
McAfee Network Security Platform (NSP)
McAfee NSP is one product that quickly responds to prevent exploits and protect assets within networks. The McAfee NSP team works diligently to develop and deploy user-defined signatures (UDS) for critical matters. Within a 24-hour period, several UDS were created and uploaded for customers to deploy on their network sensors. In this case, the UDS explicitly targeted the exploit tools EternalBlue, Eternal Romance SMB Remote Code Execution, and DoublePulsar. There were also related indicators of compromise released that could be added to a blacklist to block potential threats associated with the original Trojan.
A Network Security Platform Emergency User Defined Signature (UDS) has been created to detect this threat. The UDS and its release notes are available for download from Knowledge Base article KB55447.
IMPORTANT:
Use Emergency_UDS_1.zip with NSM versions 8.1.x.x and 8.3.x.x
Use Emergency_UDS_2.zip with NSM version 9.1.x.x
Please read the release notes carefully for important information.
Knowledge Base article KB55447 is available only to registered users. Log in to https://support.mcafee.com and search for the article ID.
McAfee products using DAT files
On October 25, McAfee released on DAT 8695 to include coverage for BadRabbit ransomware and variants.
The post How McAfee Products Can Protect Against BadRabbit Ransomware appeared first on McAfee Blogs.
Read more: How McAfee Products Can Protect Against BadRabbit Ransomware
More antivirus and malware news?
- The Emerging Landscape of AI-Driven Cybersecurity Threats: A Look Ahead
- Day Trader Indicted for Hacking, Securities Fraud
- Resolved: ANGEL to be unavailable from 5 a.m. – 6 a.m. ET on Wednesday, 3/29
- Earthwave rolls out complete security operations center package
- Review: Malwarebytes Anti-Malware Free
- Fraudsters are playing a different kind of card game
- Resolved: E-mail Virus Definition Update Suspended for August 11
- Windows 10 password manager bug is hiding good news
- How to avoid a disastrous recovery
- Could the UK be about to break end-to-end encryption?