The new threat is functionally similar to NotPetya, which not only encrypts the files on a target system, but also then encrypts the file system, which gives the victim a lovely ransom lock screen before the OS can even boot up.
Fortunately, there are simple things you can do to help protect yourself from this latest threat.
Event Log Monitoring
Windows Defender is capable of recognizing the threat, provided you’re using detections update 220.127.116.11 or higher. If you haven’t updated to this version, do so immediately.
Once that is done, be aware that BadRabbit will schedule tasks using the names “Viserion,” “Rhaegal” and “Drogon.” If you see any of these, it’s a clear sign of an infection in process on your network. Administrators can attach scheduled tasks to events bearing these names, running specified commands should one of these be detected. For example: initiating a “shutdown -a” command.
Obviously, this stuff can be quite complicated. We would highly recommend you reach out to us to not only scan your network, but to also evaluate your entire network for potential threats or vulnerabilities. Ransomware is a real threat that is literally shutting down businesses, and this is on a global scale. If you aren’t being proactive against hackers, you can easily find yourself locked out of your own network.
BadRabbit is just the latest in hackers’ arsenal of ransomware and threats on your network. If you are as concerned as we are, give us a quick call.