How McAfee Products Can Protect Against BadRabbit Ransomware

Ransomware is malware that uses encryption to hold a victim's data for ransom. A user's critical data is encrypted so that they can no longer access their own files, and payment is demanded in exchange for restoring access. Ransomware relies on asymmetric encryption: cryptography that uses a pair of keys to encrypt and decrypt a file.

The public-private key pair is generated uniquely by the attacker for the victim, and the private key needed to decrypt the files is stored on the attacker's server. The attacker makes the private key available to the victim only after the ransom is paid, although, as recent ransomware campaigns have shown, that is not always the case. Without access to the private key, it is practically impossible to decrypt the files being held for ransom.

McAfee is leading the way in helping enterprises protect against emerging threats such as BadRabbit ransomware, remediate complex security issues, and combat attacks with an intelligent end-to-end security platform that provides adaptable and continuous protection as part of the threat defense life cycle.

McAfee had zero-day protection for components of the initial BadRabbit attack in the form of behavioral, heuristic, application control, and sandbox analyses. This post provides an overview of those protections with the following products:

  • McAfee Endpoint Protection (ENS)
  • McAfee VirusScan Enterprise (VSE)
  • McAfee Threat Intelligence Exchange (TIE)
  • McAfee Network Security Platform (NSP)
  • McAfee products using DAT files

Frequently updated technical details can be found in the McAfee Knowledge Center article KB89335. We will update this post as more product information becomes available.

McAfee Endpoint Protection (ENS)

Dynamic Application Control (DAC) successfully provided our customers with zero-day protection from BadRabbit ransomware and prevented any potential damage from occurring when “Security” mode is enabled.

Access Protection Rules: Setting up McAfee Endpoint Security Access Protection rules that prevent the creation of the following files stops the ransomware from executing and encrypting files:

  • C:\Windows\cscc.dat
  • C:\Windows\infpub.dat
  • C:\Windows\dispci.exe

The following screenshots show steps for creating rules for McAfee Endpoint Security:

Enabling Joint Threat Intelligence (JTI) Rules 239 and 242 also prevents the ransomware from executing.
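The three file paths above are also useful on the detection side. The following is an added example, not code from the original post or from McAfee: a small Python routine that scans constructed Sysmon-style FileCreate (Event ID 11) log lines for creation of those paths, normalizing case and the %SystemRoot% variable so a differently written path is still caught. The log format and event lines are assumptions made for the example.

```python
import re
from typing import Dict, List

# The file paths the post says Access Protection rules should block from being created.
BADRABBIT_DROP_PATHS = {
    r"c:\windows\cscc.dat",
    r"c:\windows\infpub.dat",
    r"c:\windows\dispci.exe",
}

# Constructed sample of Sysmon-style FileCreate (Event ID 11) lines.
# These are made-up lines for the example, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\alice\\report.docx",
    "EventID=11 Image=C:\\Users\\alice\\Downloads\\setup.exe TargetFilename=C:\\WINDOWS\\infpub.dat",
    "EventID=11 Image=C:\\Windows\\System32\\rundll32.exe TargetFilename=%SystemRoot%\\cscc.dat",
    "EventID=11 Image=C:\\Windows\\System32\\rundll32.exe TargetFilename=C:\\Windows\\dispci.exe",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=whoami",
]


def normalize_path(path: str) -> str:
    """Lower-case the path and expand %SystemRoot% so case or variable use does not evade the match."""
    p = path.strip().strip('"')
    p = re.sub(r"^%systemroot%", r"c:\\windows", p, flags=re.IGNORECASE)
    return p.lower()


def find_blocked_file_creates(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per FileCreate event whose target is a BadRabbit drop path."""
    hits = []
    for line in lines:
        if "EventID=11" not in line:
            continue  # only file-creation events matter here
        target_match = re.search(r"TargetFilename=(\S+)", line)
        if not target_match:
            continue
        target = normalize_path(target_match.group(1))
        if target in BADRABBIT_DROP_PATHS:
            image_match = re.search(r"Image=(\S+)", line)
            hits.append({"image": image_match.group(1) if image_match else "", "target": target})
    return hits


if __name__ == "__main__":
    for hit in find_blocked_file_creates(SAMPLE_EVENTS):
        print(f"ALERT: {hit['image']} created {hit['target']}")
```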

McAfee Threat Intelligence Exchange (TIE)

McAfee Threat Intelligence Exchange (TIE) further enhances a customer’s security posture. With the ability to aggregate reputation verdicts from ENS, VSE, McAfee Web Gateway, and McAfee Network Security Platform, TIE can quickly share reputation information related to BadRabbit with any integrated vector. By providing the ability to use Global Threat Intelligence (GTI) for a global reputation query, TIE also enables integrated products to make an immediate decision prior to the execution of the ransomware payload, and leverage the reputation cached in the TIE database.

There are currently three samples associated with this ransomware campaign, representing the dropper and the main executable that could be added manually. (GTI automatically updates these file hashes.)


McAfee Network Security Platform (NSP)

McAfee NSP is one product that responds quickly to prevent exploits and protect assets within networks. The McAfee NSP team works diligently to develop and deploy user-defined signatures (UDS) for critical matters. Within a 24-hour period, several UDS were created and uploaded for customers to deploy on their network sensors. In this case, the UDS explicitly targeted the exploit tools EternalBlue, EternalRomance SMB Remote Code Execution, and DoublePulsar. Related indicators of compromise were also released that could be added to a blacklist to block potential threats associated with the original Trojan.

A Network Security Platform Emergency User Defined Signature (UDS) has been created to detect this threat. The UDS and its release notes are available for download from Knowledge Base article KB55447.

  • Use with NSM versions 8.1.x.x and 8.3.x.x
  • Use with NSM version 9.1.x.x

  • Please read the release notes carefully for important information.
  • Knowledge Base article KB55447 is available only to registered users. Log in to the Knowledge Center and search for the article ID.

McAfee products using DAT files

On October 25, McAfee released DAT 8695 to include coverage for BadRabbit ransomware and variants.

Last Updated on February 1, 2022