Detect the latest ransomware threat (aka Bad Rabbit) with Azure Security Center

Published on October 26, 2017

Principal Security Engineering Manager, Microsoft Threat Intelligence Center

The Windows Defender team recently updated the malware encyclopedia with a new ransomware threat, Ransom:Win32/Tibbar (also known as Bad Rabbit). This update includes comprehensive guidance on mitigating the new threat. Microsoft antimalware solutions, including Windows Defender Antivirus and Microsoft Antimalware for Azure services and virtual machines, were updated to detect and protect against this threat.

This post summarizes additional measures that you can take to prevent and detect this threat for workloads running in Azure through Azure Security Center. Get more information on enabling Azure Security Center.

Prevention

Azure Security Center scans your virtual machines and servers to assess their endpoint protection status. Machines without sufficient protection are flagged under Compute, along with the related recommendations.

[Screenshot: Azure Security Center]

Drilling into the Compute pane, or the overview recommendations pane, shows more details including the Endpoint Protection installation recommendation, as shown below.

[Screenshot: Compute]

Clicking on this leads to a dialog allowing selection and installation of an endpoint protection solution, including Microsoft’s own antimalware solution for Azure services and virtual machines, which will help protect against such ransomware threats.

[Screenshot: Endpoint Protection]

[Screenshot: Select Endpoint Protection]

These recommendations and associated mitigation steps are available to Azure Security Center Free tier customers.

Detection

Azure Security Center customers who have opted into the Standard tier also benefit from generic and specific detections related to the Ransom:Win32/Tibbar.A (Bad Rabbit) ransomware. These alerts are accessed via the Detection pane highlighted below, and require the Azure Security Center Standard tier.

[Screenshot: Security Center - Overview]

For example, generic alerts related to ransomware include:

  • Event log clearing, which ransomware such as Bad Rabbit performs
  • Deletion of shadow copies to prevent customers from recovering their data. An example is shown below:

[Screenshot: alert "All file shadow copies have been detected"]
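As an added illustration (not code from this post or from Security Center itself), the small Python check below applies those two generic behaviours to a constructed batch of Windows event records: log-cleared events, and process-creation events whose command line removes volume shadow copies. The event ids and command-line patterns are standard Windows ones, but the rules are assumptions written for this example, and they go slightly beyond the post by covering both built-in tools commonly used to delete shadow copies.

```python
import re

# Constructed sample of Windows event records for this example (not real
# telemetry). Each record carries the event id, the log channel and, for
# process-creation events (id 4688), the command line that was launched.
SAMPLE_EVENTS = [
    {"id": 4624, "channel": "Security", "command_line": ""},
    {"id": 4688, "channel": "Security",
     "command_line": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"id": 1102, "channel": "Security", "command_line": ""},
    {"id": 104, "channel": "System", "command_line": ""},
    {"id": 4688, "channel": "Security",
     "command_line": r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"},
    {"id": 4688, "channel": "Security",
     "command_line": r"C:\Windows\System32\notepad.exe"},
]

# Heuristics assumed for this example; they are not Security Center's rules.
# Event 1102 is written when the Security log is cleared and event 104 when
# another Windows log (for example System) is cleared.
LOG_CLEARED_IDS = {1102, 104}
# Shadow-copy removal through either of the two built-in tools.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)


def detect_ransomware_indicators(events):
    """Return (rule, detail) pairs for every event that matches a heuristic."""
    findings = []
    for ev in events:
        if ev["id"] in LOG_CLEARED_IDS:
            findings.append(("event_log_cleared",
                             f"{ev['channel']} log cleared (event {ev['id']})"))
        elif ev["id"] == 4688 and SHADOW_DELETE.search(ev["command_line"]):
            findings.append(("shadow_copy_deletion", ev["command_line"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect_ransomware_indicators(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Either finding on its own is a strong signal to start the remediation steps listed later in this post, on the affected host and on its neighbours.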

In addition, Azure Security Center has updated its ransomware detection with specific IOCs related to Bad Rabbit.

[Screenshot: alert "Possible ransomware evidence detected"]

You should follow the remediation steps detailed in the alert, namely:

  1. Run a full anti-malware scan and verify that the threat was removed.
  2. Install and run Microsoft Safety Scanner.
  3. Perform these actions preemptively on other hosts in your network.

Although the alert relates to a specific host, sophisticated ransomware tries to propagate to other nearby machines. It is important to apply these remediation steps to protect all hosts on the network, not just the host identified in the alert.