This blog was written by Javier Inclan.
McAfee is leading the way in how enterprises protect against emerging threats such as BadRabbit ransomware, remediate complex security issues, and combat attacks with an intelligent end-to-end security platform that provides adaptable and continuous protection as part of the threat defense life cycle.
McAfee had zero-day protection for components of the initial BadRabbit attack in the form of behavioral, heuristic, application control, and sandbox analyses. This post provides an overview of those protections with the following products:
- McAfee Endpoint Protection (ENS)
- McAfee VirusScan Enterprise (VSE)
- McAfee Threat Intelligence Exchange (TIE)
- McAfee Network Security Platform (NSP)
- McAfee products using DAT files
Frequently updated technical details can be found in the McAfee Knowledge Center article KB89335. We will update this post as more product information becomes available.
McAfee Endpoint Protection (ENS)
Dynamic Application Control (DAC), when “Security” mode is enabled, successfully provided our customers with zero-day protection from BadRabbit ransomware and prevented any potential damage from occurring.
In addition, McAfee Endpoint Security mitigation methods for assorted malware are available in the following product guide.
Access Protection Rules: Setting up access protection rules that block the creation of the following files prevents the ransomware from executing and encrypting files:
The following screenshots show steps for creating rules for McAfee ENS:
McAfee VirusScan Enterprise (VSE)
The following screenshots show steps for creating Access Protection Rules for McAfee VirusScan Enterprise (VSE). For VSE, one rule must be created for each file mentioned in the behavior section:
Enabling Joint Threat Intelligence (JTI) Rules 239 and 242 also prevents the ransomware from executing.
McAfee Threat Intelligence Exchange (TIE)
McAfee Threat Intelligence Exchange (TIE) further enhances a customer’s security posture. With the ability to aggregate reputation verdicts from ENS, VSE, McAfee Web Gateway, and McAfee Network Security Platform, TIE can quickly share reputation information related to BadRabbit with any integrated vector. By providing the ability to use Global Threat Intelligence (GTI) for a global reputation query, TIE also enables integrated products to make an immediate decision prior to execution of the ransomware payload, and leverage the reputation cached in the TIE database.
There are currently three samples associated with this ransomware campaign, representing the dropper and the main executable; their hashes can be added to TIE manually. (GTI updates these file hashes automatically.)
McAfee Network Security Platform (NSP)
McAfee NSP is one product that quickly responds to prevent exploits and protect assets within networks. The McAfee NSP team works diligently to develop and deploy user-defined signatures (UDS) for critical matters. Within a 24-hour period, several UDS were created and uploaded for customers to deploy on their network sensors. In this case, the UDS explicitly targeted the exploit tools EternalBlue, EternalRomance (SMB remote code execution), and DoublePulsar. Related indicators of compromise were also released and can be added to a blacklist to block potential threats associated with the original Trojan.
A Network Security Platform Emergency User Defined Signature (UDS) has been created to detect this threat. The UDS and its release notes are available for download from Knowledge Base article KB55447.
- Use Emergency_UDS_1.zip with NSM versions 8.1.x.x and 8.3.x.x
- Use Emergency_UDS_2.zip with NSM version 9.1.x.x
Please read the release notes carefully for important information.
Knowledge Base article KB55447 is available only to registered users. Log in to https://support.mcafee.com and search for the article ID.
McAfee products using DAT files
On October 25, McAfee released DAT 8695, which includes coverage for BadRabbit ransomware and its variants.