Orascu Vlad 1 Posted October 25, 2017 Share Posted October 25, 2017 Hello all Can ESET detect and stop the Bad Rabbit Ransomware ? Thank you Link to comment Share on other sites More sharing options...
ESET Moderators Peter Randziak 1,130 Posted October 25, 2017 ESET Moderators Share Posted October 25, 2017 Hello Vlad, have have this topic covered by a an article with a detailed analysis available https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/ Regards, P.R. Link to comment Share on other sites More sharing options...
itman 1,659 Posted October 27, 2017 Share Posted October 27, 2017 (edited) In light that this attack used the NSA EternalRomance exploit, might be good to review what security solutions block it. Eset was the only one that outright blocked EternalRomance in this ad hoc test by MRG: https://www.mrg-effitas.com/eternalromance-vs-internet-security-suites-and-nextgen-protections/ Also there have been later revelations on this attack since the initial reports were published. The most detailed is by Cisco here: http://blog.talosintelligence.com/2017/10/bad-rabbit.html. Of note is EternalRomance along with the other ShadowBrokers leaked NSA exploits was patch by Microsoft last June. Therefore any patched network would not have been subjected to ransomware propogation throughout the network. -EDIT- Since both Cisco and F-Secure have verified that this is a modified version on EternalRomance, Eset needs to verify: 1. Does the previous Microsoft patch mitigation against it still work. 2. Does Eset's detection for EternalRomance which is CVE based still work. Quote Exploit was not initially spotted because it was modified This was not a pure implementation, and some modifications were made to the exploit's code, hence the reason most researchers and automated scanning systems didn't detect it from the get-go. "It is very similar to the publicly available Python implementation of the EternalRomance exploit that is also exploited by [NotPetya]," Cisco Talos researchers said. "However, the BadRabbit [EternalRomance] exploit implementation is different than the one in [NotPetya], although it is still largely based on the EternalRomance exploit published in the ShadowBrokers leak." Ref.: https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-also-used-nsa-exploit/ Edited October 27, 2017 by itman Link to comment Share on other sites More sharing options...
Recommended Posts