Cb Defense’s ‘Streaming Ransomware Prevention’ Stops Bad Rabbit in Its Tracks


On October 24, a large-scale ransomware campaign, since named Bad Rabbit, spread across Europe, closely mimicking the NotPetya attacks from earlier this year.

Bad Rabbit appeared to infect machines via a drive-by download: the user was prompted to download and run a fake Adobe Flash installer. No exploit was used for the initial infection; the victim had to execute the file. Once running, Bad Rabbit spread laterally over SMB with worming behavior similar to NotPetya and WannaCry. Early reporting attributed this to the now-famous EternalBlue exploit, but subsequent analysis found that Bad Rabbit used the related EternalRomance SMB exploit together with credentials harvested from the infected host and a hardcoded list of common usernames and passwords.

The default and advanced policies shipping in Cb Defense blocked Bad Rabbit before any signatures or hashes for it had been identified.

The policy rule that terminates “Not_listed/Unknown” files when they invoke ransomware-like behavior is very effective against commodity ransomware strains such as this one, because it requires no prior knowledge of the binary:

Process tree of a Bad Rabbit termination:

Cb Defense Streaming Prevention TTPs associated with Bad Rabbit (note the streaming prevention TTPs “access_data_files” and “data_to_encrypt”):

What a block looks like to an end user:

About Streaming Ransomware Prevention

The newest release of Cb Defense uses “Streaming Ransomware Prevention,” an extension of Carbon Black’s “Streaming Prevention” technology. It applies event-stream processing, the same class of technology used in algorithmic trading, to continuously update a per-process risk profile from the stream of activity on the endpoint: process launches, file reads and writes, renames, and similar events. When multiple potentially malicious events occur in a cluster within a short period, Cb Defense blocks the attack, whether it is file-based or fileless. Because it builds on an event-stream model rather than the file-based signature approach of legacy antivirus, Cb Defense is able to:

  • Detect and prevent ransomware attacks, even if the attack uses an unknown file or no file at all.
  • Work online or offline, protecting systems from the most dangerous ransomware, even if they are disconnected from the corporate network or the cloud.
  • Enable smooth operations with virtually no performance impact for end-users.
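To make the model above concrete, here is a small event-stream detector in the spirit of the “cluster of potentially malicious events” description and the “Not_listed/Unknown” policy rule shown earlier. This is an added illustration, not Carbon Black’s code or Cb Defense’s actual algorithm. The TTP names “access_data_files” and “data_to_encrypt” come from the screenshot caption above; the event schema, the extra TTP “modify_file_extension”, the weights, the 10-second window, the threshold and the sample event stream are all constructed assumptions.

```python
"""Toy event-stream ransomware detector (added example, not Carbon Black code).

Endpoint events arrive as dicts; a per-process RiskProfile accumulates weighted
TTPs inside a sliding window, and a NOT_LISTED/UNKNOWN process whose score
crosses the threshold is terminated. All weights/thresholds are assumptions.
"""
import math
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 10.0     # only TTPs this recent count toward the score (assumption)
BLOCK_THRESHOLD = 100     # score that triggers termination (assumption)
ENTROPY_THRESHOLD = 7.0   # bits/byte; ciphertext is ~8.0, real documents much lower
DOC_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}

# "access_data_files" and "data_to_encrypt" are named in the post; the third TTP
# and every weight are illustrative.
TTP_WEIGHTS = {
    "access_data_files": 20,      # burst of reads across distinct user documents
    "data_to_encrypt": 40,        # high-entropy data written over a document just read
    "modify_file_extension": 25,  # document renamed to a new extension
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (empty/constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _ext(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot >= 0 else ""


@dataclass
class RiskProfile:
    reputation: str                             # e.g. NOT_LISTED, TRUSTED_WHITE_LIST
    ttps: deque = field(default_factory=deque)  # (timestamp, ttp_name), oldest first
    docs_read: set = field(default_factory=set)
    blocked: bool = False

    def score(self, now: float) -> int:
        """Sum of TTP weights observed inside the window ending at `now`."""
        while self.ttps and now - self.ttps[0][0] > WINDOW_SECONDS:
            self.ttps.popleft()               # expire stale events
        return sum(TTP_WEIGHTS[name] for _, name in self.ttps)


class StreamingDetector:
    def __init__(self) -> None:
        self.profiles: dict[int, RiskProfile] = {}
        self.actions: list[tuple[str, int]] = []

    def _record_ttp(self, pid: int, ts: float, ttp: str) -> None:
        p = self.profiles[pid]
        p.ttps.append((ts, ttp))
        # The policy rule from the post: terminate only NOT_LISTED/UNKNOWN files
        # whose clustered behavior crosses the threshold; known-good files keep running.
        if (p.reputation in ("NOT_LISTED", "UNKNOWN") and not p.blocked
                and p.score(ts) >= BLOCK_THRESHOLD):
            p.blocked = True
            self.actions.append(("TERMINATE", pid))

    def handle(self, ev: dict) -> None:
        pid, ts, kind = ev["pid"], ev["ts"], ev["type"]
        if kind == "process_start":
            self.profiles[pid] = RiskProfile(reputation=ev["reputation"])
            return
        p = self.profiles.get(pid)
        if p is None or p.blocked:
            return
        if kind == "file_read" and _ext(ev["path"]) in DOC_EXTENSIONS:
            p.docs_read.add(ev["path"])
            if len(p.docs_read) == 3:             # third distinct document = burst
                self._record_ttp(pid, ts, "access_data_files")
        elif kind == "file_write" and ev["path"] in p.docs_read:
            if shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
                self._record_ttp(pid, ts, "data_to_encrypt")
        elif kind == "file_rename" and _ext(ev["src"]) != _ext(ev["dst"]):
            self._record_ttp(pid, ts, "modify_file_extension")


def run_stream(events: list[dict]) -> StreamingDetector:
    det = StreamingDetector()
    for ev in sorted(events, key=lambda e: e["ts"]):   # process in time order
        det.handle(ev)
    return det


def sample_stream() -> list[dict]:
    """Constructed events: a fast unknown encryptor, a trusted editor, a slow encryptor."""
    cipher = bytes(range(256)) * 16                  # exactly 8.0 bits/byte
    text = b"Quarterly report, plain text. " * 100  # low entropy
    docs = ["C:/Users/a/Documents/q3.docx", "C:/Users/a/Documents/budget.xlsx",
            "C:/Users/a/Pictures/kid.jpg"]

    def reads(pid, t0):
        return [{"pid": pid, "ts": t0 + i, "type": "file_read", "path": d}
                for i, d in enumerate(docs)]

    ev = [{"pid": 1001, "ts": 0.0, "type": "process_start", "reputation": "NOT_LISTED"}]
    ev += reads(1001, 1.0)                            # fake "Flash installer" encrypts fast
    ev += [{"pid": 1001, "ts": 4.0 + i, "type": "file_write", "path": d, "data": cipher}
           for i, d in enumerate(docs)]
    ev.append({"pid": 1001, "ts": 7.0, "type": "file_rename", "src": docs[0],
               "dst": docs[0] + ".encrypted"})
    ev.append({"pid": 2002, "ts": 0.0, "type": "process_start",
               "reputation": "TRUSTED_WHITE_LIST"})  # word processor saving plain text
    ev += reads(2002, 1.0)
    ev.append({"pid": 2002, "ts": 5.0, "type": "file_write", "path": docs[0], "data": text})
    ev.append({"pid": 3003, "ts": 0.0, "type": "process_start", "reputation": "NOT_LISTED"})
    ev += reads(3003, 1.0)                            # unknown file, one document per 30 s
    ev += [{"pid": 3003, "ts": 30.0 * (i + 1), "type": "file_write", "path": d, "data": cipher}
           for i, d in enumerate(docs)]
    return ev


if __name__ == "__main__":
    det = run_stream(sample_stream())
    for pid, p in det.profiles.items():
        print(pid, p.reputation, "BLOCKED" if p.blocked else "allowed")
```

Running it terminates pid 1001 on its second high-entropy overwrite (20 + 40 + 40 = 100 inside the window) while the trusted editor is left alone even though it, too, read three documents. Two caveats fall straight out of the model: a reputation-gated rule does not stop a trusted or whitelisted binary that starts encrypting, so the rule is a first layer rather than the whole defense; and the sliding window means pid 3003, which encrypts one document every 30 seconds, never accumulates enough score, so a detector of this shape trades some resistance to low-and-slow behavior for fewer false positives, and a real product would pair it with longer-horizon counts.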

______________________________________________

 

Bad Rabbit

For more information about the rise of ransomware, and what you can do about Bad Rabbit, check out the Ransomware Epidemic: Stop Bad Rabbit In Its Tracks webcast hosted by Rick McElroy, Security Strategist at Carbon Black.

Sign Up Here

______________________________________________

The post Cb Defense’s ‘Streaming Ransomware Prevention’ Stops Bad Rabbit in Its Tracks appeared first on Carbon Black.

About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.