
Bad Rabbit Ransomware detection instructions

Last Updated: Oct 25, 2017 11:15AM UTC
A new ransomware attack began on 24 October 2017 and has hit mostly Eastern European countries.
Please see the instructions below for detecting the ransomware on your Windows machines. The indicators are the dropped files (matched by SHA-256 hash) and the service registry key the malware creates.


1. Detecting ransomware files

These are the files dropped by the ransomware and their SHA-256 hashes:

install_flash_player.exe: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
infpub.dat: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
cscc.dat (dcrypt.sys): 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6
dispci.exe: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

You can download the hashes file from the following URL:

http://faf29169ff185cf73812-4a78bae36a0899612c99f5b5274b5d14.r76.cf1.rackcdn.com/Tools/ThreatResponse/Badrabbit_hashes.txt

In order to detect the malicious files, load the hashes file into the Cyber module as follows.

Open PEM, then Management



Go to File->New->Cyber Configuration->Default
Name the new configuration according to your naming convention.





Choose the hosts that you wish to inspect



Choose "Notify on hash from file". Click Browse and select the file that contains the hashes (one SHA-256 hash per line, as in the downloadable file above).




2. Detecting ransomware registry keys

In addition to the hash match, we can also detect the registry keys the ransomware creates when it installs its disk-encryption driver as a service. In order to do that we need to prepare some user-defined keys.

These are the malware registry entries (key, value name, expected data):
HKLM\SYSTEM\CurrentControlSet\services\cscc
HKLM\SYSTEM\CurrentControlSet\services\cscc\Type = 1
HKLM\SYSTEM\CurrentControlSet\services\cscc\Start = 0
HKLM\SYSTEM\CurrentControlSet\services\cscc\ErrorControl = 3
HKLM\SYSTEM\CurrentControlSet\services\cscc\ImagePath = cscc.dat
HKLM\SYSTEM\CurrentControlSet\services\cscc\DisplayName = Windows Client Side Caching DDriver
HKLM\SYSTEM\CurrentControlSet\services\cscc\Group = Filter
HKLM\SYSTEM\CurrentControlSet\services\cscc\DependOnService = FltMgr
HKLM\SYSTEM\CurrentControlSet\services\cscc\WOW64 = 1

Note that the DisplayName really is spelled "DDriver" with a double D; do not correct it when creating the record, or the match will fail.
This is how we will add those objects:

Go to Tools->User Defined->Objects Editor



Go to "Registry"



Create a record for each of the malware registry entries



Add the user defined entries to your Cyber configuration



After you run the scan, inspect the Compliance console to identify the affected machines. A host that matches any of the file hashes or the cscc service key should be isolated from the network before further investigation.
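For hosts that are not managed by PEM, or to double-check a Compliance console result, the same two indicators from sections 1 and 2 can be checked directly on a machine. The following PowerShell script is an added example and is not Promisec's code or part of the original article. The hashes and registry values are the ones listed above; the directories in $SearchPaths are an assumption about where the dropped files are likely to be found and should be extended to suit your environment. Run it in an elevated PowerShell session (Get-FileHash requires PowerShell 4 or later).

```powershell
# Added example: stand-alone Bad Rabbit indicator check for a single Windows host.
# Hashes and registry values are taken from the article above. Search paths are an assumption.

# SHA-256 hashes of the dropped files (uppercase, because Get-FileHash returns uppercase hex).
$KnownHashes = @{
    '630325CAC09AC3FAB908F903E3B00D0DADD5FDAA0875ED8496FCBB97A558D0DA' = 'install_flash_player.exe'
    '579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648' = 'infpub.dat'
    '0B2F863F4119DC88A22CC97C0A136C88A0127CB026751303B045F7322A8972F6' = 'cscc.dat (dcrypt.sys)'
    '8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93' = 'dispci.exe'
}

# Assumption: directories to hash. Add network shares or other drop locations as needed.
$SearchPaths = @("$env:SystemRoot", "$env:SystemRoot\Temp", "$env:TEMP", "$env:USERPROFILE\Downloads")

$Findings = @()

# Section 1: match files by SHA-256 hash, not by name, so a renamed dropper is still caught.
foreach ($dir in $SearchPaths) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($file in (Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue)) {
        try {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
        } catch {
            continue   # locked or unreadable file; skip it rather than abort the scan
        }
        if ($KnownHashes.ContainsKey($hash)) {
            $Findings += [pscustomobject]@{ Type = 'File'; Item = $file.FullName; Detail = "$($KnownHashes[$hash]) $hash" }
        }
    }
}

# Section 2: the cscc service key and its values, compared one by one.
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\cscc'
$ExpectedValues = @{
    Type            = 1
    Start           = 0
    ErrorControl    = 3
    ImagePath       = 'cscc.dat'
    DisplayName     = 'Windows Client Side Caching DDriver'
    Group           = 'Filter'
    DependOnService = 'FltMgr'
    WOW64           = 1
}

if (Test-Path -LiteralPath $ServiceKey) {
    $Findings += [pscustomobject]@{ Type = 'Registry'; Item = $ServiceKey; Detail = 'service key present' }
    $props = Get-ItemProperty -LiteralPath $ServiceKey
    foreach ($name in $ExpectedValues.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) { continue }
        # DependOnService is REG_MULTI_SZ, so join it into one string before comparing.
        if ($actual -is [array]) { $actual = ($actual -join ',') }
        $expected = "$($ExpectedValues[$name])"
        # ImagePath may carry a directory prefix; only the file name is compared. -eq/-like are case-insensitive.
        $match = if ($name -eq 'ImagePath') { "$actual" -like "*$expected" } else { "$actual" -eq $expected }
        if ($match) {
            $Findings += [pscustomobject]@{ Type = 'Registry'; Item = "$ServiceKey\$name"; Detail = "= $actual" }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Bad Rabbit indicators found on this host.'
} else {
    Write-Warning "Bad Rabbit indicators found: $($Findings.Count)"
    $Findings | Format-Table -AutoSize
}
```

The file check deliberately keys on the hash table rather than on file names, because the dropper name (install_flash_player.exe) is whatever the user downloaded it as. The registry check reports the service key as a finding on its own even if none of the values match, since a legitimate Windows installation has no service named cscc.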

 
