After WannaCry and Petya, BadRabbit is another ransomware campaign of this year. Although it is not as widespread as the previous ransomware outbreaks, it still creates havoc in infected enterprise networks. BadRabbit is in some ways similar to the WannaCry and Petya ransomware: it uses the same exploit, EternalRomance (an SMB v1 vulnerability), to spread across the enterprise network. Users get infected after visiting infected websites and installing a fake Flash Player update. And after that, users go down the BadRabbit hole…
To prevent the damage and protect our customers, we have extended the behavior patterns that Flowmon ADS uses to detect Petya (more about Petya detection here) with detection of the BadRabbit ransomware. Customers are now automatically alerted when BadRabbit infects their networks. Do you want to know how we do it?
Detecting Rising Threats
The activity of the majority of malware can be seen in network traffic. Port scanning, communication with C&C servers, high data transfers, and anomalies in network protocols are just some of the indicators of infected hosts in the network. Such indicators of compromise, represented by anomalies and changes in a host's behavior, can be easily detected by Flowmon ADS.
Different malware leaves different footprints. To detect such footprints and malware infections, we create patterns of the malware's behavior and distribute them to our customers with Flowmon ADS (with valid support). By updating the “Flow-based Behavior Pattern” detection method, we help our customers protect themselves against rising threats, including the recent BadRabbit ransomware. Moreover, customers can create their own behavior patterns using SQL-like syntax to detect various operational and security incidents (example of WannaCry detection).
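To make the idea of a flow-based behavior pattern concrete, here is an added example (not Flowmon ADS pattern syntax and not code from Flowmon) that expresses one SMB-spreading footprint as standard SQL over flow records, run through Python's built-in sqlite3. The `flows` table layout, the threshold of 20 distinct SMB peers per 60-second window, and the sample flows are assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical flow schema (an assumption, not a Flowmon format).
SCHEMA = """CREATE TABLE flows (
    start_ts INTEGER, src_ip TEXT, dst_ip TEXT,
    dst_port INTEGER, proto TEXT, packets INTEGER)"""

# Pattern: one source opening SMB (TCP/445) flows to many distinct hosts
# inside a fixed time bucket. A burst straddling two buckets is split,
# so production logic would use a sliding window instead.
PATTERN_SQL = """
SELECT src_ip, start_ts / :window AS bucket,
       COUNT(DISTINCT dst_ip) AS smb_peers
FROM flows
WHERE proto = 'TCP' AND dst_port = 445
GROUP BY src_ip, bucket
HAVING COUNT(DISTINCT dst_ip) >= :min_peers
ORDER BY smb_peers DESC"""


def build_sample_flows():
    """Constructed sample data: one spreading host and one normal client."""
    flows = []
    # 10.0.0.23 touches 30 internal hosts on TCP/445 within 30 seconds.
    for i in range(1, 31):
        flows.append((1200 + i, "10.0.0.23", f"10.0.1.{i}", 445, "TCP", 3))
    # 10.0.0.40 uses two file servers over SMB plus one HTTPS connection.
    flows += [
        (1205, "10.0.0.40", "10.0.1.5", 445, "TCP", 120),
        (1210, "10.0.0.40", "10.0.1.6", 445, "TCP", 95),
        (1212, "10.0.0.40", "198.51.100.7", 443, "TCP", 40),
    ]
    return flows


def detect_smb_fanout(flows, window=60, min_peers=20):
    """Return hosts whose SMB fan-out in one window reaches min_peers."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?)", flows)
    rows = db.execute(
        PATTERN_SQL, {"window": window, "min_peers": min_peers}).fetchall()
    db.close()
    return [{"src_ip": src, "window_start": bucket * window, "smb_peers": n}
            for src, bucket, n in rows]


if __name__ == "__main__":
    for alert in detect_smb_fanout(build_sample_flows()):
        print(alert)
```

The threshold needs tuning against a baseline of legitimate fan-out sources such as backup servers, vulnerability scanners and domain controllers, which should be allowlisted rather than silenced by raising the limit.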
If you are interested in more information, check the video below focused on detecting rising threats using behavior patterns in Flowmon ADS.