The Windows Defender team recently updated the malware encyclopedia with a new ransomware threat, Ransom:Win32/Tibbar (also known as Bad Rabbit). This update includes comprehensive guidance on mitigating the new threat. Microsoft antimalware solutions, including Windows Defender Antivirus and Microsoft Antimalware for Azure services and virtual machines, were updated to detect and protect against this threat.
This post summarizes additional measures that you can take to prevent and detect this threat for workloads running in Azure through Azure Security Center. Get more information on enabling Azure Security Center.
Prevention
Azure Security Center scans your virtual machines and servers to assess the endpoint protection status. Issues without sufficient protection are identified in Compute, along with any related recommendations.
Drilling into the Compute pane, or the overview recommendations pane, shows more details including the Endpoint Protection installation recommendation, as shown below.
Clicking on this leads to a dialog allowing selection and installation of an endpoint protection solution, including Microsoft’s own antimalware solution for Azure services and virtual machines, which will help protect against such ransomware threats.
These recommendations and associated mitigation steps are available to Azure Security Center Free tier customers.
Detection
Azure Security Center customers who have opted into the Standard-Tier also benefit from generic and specific detections related to the Ransom:Win32/Tibbar.A (Bad Rabbit) ransomware. These alerts are accessed via the Detection pane highlighted below, and require the Azure Security Center Standard tier.
For example, generic alerts related to ransomware include:
- Event log clearing which ransomware, such as Bad Rabbit, performs
- Deleting shadow copies to prevent customers from recovering data. An example is shown below:
In addition, Azure Security Center has updated its ransomware detection with specific IOCs related to Bad Rabbit.
You should follow the remediation steps detailed in the alert, namely:
- Run a full anti-malware scan and verify that the threat was removed.
- Install and run Microsoft Safety Scanner.
- Perform these actions preemptively on other hosts in your network.
Although the alert relates to a specific host, sophisticated ransomware tries to propagate to other nearby machines. It is important to apply these remediation steps to protect all hosts on the network, not just the host identified in the alert.