Please make sure your policies are configured with Threat Prevention, using file blocking and WildFire, to prevent this attack. If you are unsure about your policies or would like a policy assessment, please reach out to NCA and we can schedule time to review the policies and go through a best practices report. This report will look at your current policy usage and the recommended changes needed to prevent Bad Rabbit and other threats.
Below is a summary of how different elements of our platform help prevent malicious attacks, like those that result from Bad Rabbit. If there are any you are not familiar with, please let us know and we can do some education with you.
- WildFire classifies all known samples as malware, automatically blocking malicious content from being delivered to users.
- AutoFocus tracks the attack for threat analytics and hunting via the Bad Rabbit tag.
- Threat Prevention blocks malicious payloads and DNS C2 activity.
- Customers can reference Threat IDs 3088946 and 3022680, as well as the "Virus/Win32.WGeneric.nkrca" and "Virus/Win32.WGeneric.nkquc" signatures.
- URL Filtering blocks all known injection URLs.
- GlobalProtect extends WildFire and Threat Prevention protections to ensure consistent coverage for remote locations and users.
- Traps can prevent the malware from being executed on the endpoint automatically through the integration and threat sharing with WildFire.
- Aperture protects data in sanctioned SaaS applications, like Office 365, by giving complete visibility, reporting, instant classification, and granular enforcement across users, folders and file activities in the most commonly used SaaS apps.
- Block Portable Executables (PEs) according to file blocking best practices, preventing malicious payloads from being delivered to users.
- Multi-Factor Authentication (MFA) can stop the use of valid credentials, which were potentially leveraged to infect additional systems across the network. In versions 8.x, Palo Alto Networks appliances can automatically enforce MFA (or another action) at the network level if there is a trigger that points to credential theft or abuse.
- Follow this link to see how Palo Alto Networks is preventing the Bad Rabbit ransomware: https://researchcenter.paloaltonetworks.com/2017/10/palo-alto-networks-protections-bad-rabbit-ransomware-attacks/