Are SonicWall customers protected from BadRabbit?

Description

Yes. SonicWall Capture Labs released signatures for the Bad Rabbit malware; they are available to any firewall with an active Gateway Security subscription (Gateway Anti-Virus/Intrusion Prevention). In addition, the SonicWall Capture Advanced Threat Protection (ATP) sandboxing service is designed to detect new malware strains before a signature exists on the firewall, so it covers variants that the current signatures do not yet match.

Cause

On Tuesday, Oct. 24, 2017, a new strain of ransomware named Bad Rabbit appeared in Russia and Ukraine and spread throughout the day. It was first reported after attacks on Russian media outlets and large organizations in Ukraine. The initial installer masquerades as an Adobe Flash update, so the first foothold depends on a user running it. Notably, the malware carries a list of hardcoded Windows credentials, most likely used to brute-force its way onto other devices on the network, according to SonicWall Capture Labs threat researchers.
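
The hardcoded-credential behaviour described above is host-to-host: a perimeter firewall only sees it when the SMB traffic crosses a zone boundary, so the corroborating evidence usually lives in Windows Security logs. The following is an added example, not SonicWall code and not part of the original article, showing detection logic for that pattern over a constructed set of simplified logon events (4625 failed and 4624 successful logons with logon type 3, network). The record layout, the thresholds and the sample addresses and host names are assumptions made for the example.

```python
"""Detect credential-spraying lateral movement in Windows logon events.

Added example, not SonicWall code. Input is a constructed, simplified
event stream with one record per line:
    <ISO timestamp>|<EventID>|<TargetHost>|<SourceIP>|<Account>|<LogonType>
These are the fields a SIEM normally extracts from Windows Security
events 4625 (failed logon) and 4624 (successful logon). Thresholds are
illustrative assumptions, not vendor-recommended values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). 10.0.0.15 tries a short
# credential list against three hosts, then gets a network logon on WS22.
# 10.0.0.40 is an ordinary interactive user who mistyped a password once.
SAMPLE_LOG = """\
2017-10-24T10:01:03|4625|FS01|10.0.0.15|Administrator|3
2017-10-24T10:01:04|4625|FS01|10.0.0.15|backup|3
2017-10-24T10:01:04|4625|FS01|10.0.0.15|operator|3
2017-10-24T10:01:06|4625|WS22|10.0.0.15|Administrator|3
2017-10-24T10:01:07|4625|WS22|10.0.0.15|backup|3
2017-10-24T10:01:09|4625|DC01|10.0.0.15|Administrator|3
2017-10-24T10:01:10|4625|DC01|10.0.0.15|backup|3
2017-10-24T10:01:12|4624|WS22|10.0.0.15|operator|3
2017-10-24T10:05:00|4625|WS07|10.0.0.40|jsmith|2
2017-10-24T10:05:30|4624|WS07|10.0.0.40|jsmith|2
"""

WINDOW = timedelta(minutes=5)   # assumption: the spray must fit in 5 minutes
MIN_HOSTS = 2                   # assumption: failures against >= 2 hosts
MIN_ACCOUNTS = 2                # assumption: >= 2 distinct accounts tried


def parse_events(text):
    """Parse the constructed pipe-delimited records into sorted dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, host, src, acct, ltype = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "host": host,
            "src": src,
            "account": acct,
            "logon_type": int(ltype),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_spray(events, window=WINDOW, min_hosts=MIN_HOSTS,
                 min_accounts=MIN_ACCOUNTS):
    """Flag sources whose network-logon failures (4625, type 3) span many
    hosts and many accounts inside `window`, and record any network logon
    success (4624, type 3) from the same source in that window: the foothold."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            failures[e["src"]].append(e)

    alerts = []
    for src, fails in failures.items():
        # Sliding window anchored on each failure from this source.
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["time"] - first["time"] <= window]
            hosts = {f["host"] for f in burst}
            accounts = {f["account"] for f in burst}
            if len(hosts) >= min_hosts and len(accounts) >= min_accounts:
                success = [
                    e for e in events
                    if e["event_id"] == 4624 and e["logon_type"] == 3
                    and e["src"] == src
                    and first["time"] <= e["time"] <= first["time"] + window
                ]
                alerts.append({
                    "src": src,
                    "hosts": sorted(hosts),
                    "accounts": sorted(accounts),
                    "failures": len(burst),
                    "foothold": [(s["host"], s["account"]) for s in success],
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for a in detect_spray(parse_events(SAMPLE_LOG)):
        print(f"{a['src']}: {a['failures']} failures against {a['hosts']} "
              f"using {a['accounts']}; foothold: {a['foothold']}")
```

The interactive failure from 10.0.0.40 is ignored because only network logons (type 3) are counted, which keeps a user fumbling a password at the console out of the alert; the spray from 10.0.0.15 is reported together with the account and host that finally succeeded, which is where incident response should start.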

Resolution

SonicWall customers should immediately ensure that the Capture Advanced Threat Protection sandbox service is enabled on their next-generation firewalls and that the Block Until Verdict feature is activated. No manual signature update is needed for Bad Rabbit: Capture Labs signatures are pushed automatically to every firewall with an active subscription as soon as they are released.

To confirm that Capture ATP is enabled, log in to the firewall and navigate to:

  • For SonicOS 6.2 and earlier, click Capture ATP | Settings. Ensure that "Block file download until a verdict is returned" is enabled.
  • For SonicOS 6.5 and later, click Manage | Security Services | Capture ATP. Ensure that "Block file download until a verdict is returned" is enabled.

To confirm that Gateway Anti-Virus has the Bad Rabbit signatures, navigate to:

  • For SonicOS 6.2 and earlier, click Security Services | Gateway Anti-Virus. In the signature search box, enter BadRabbit (without quotes).
  • For SonicOS 6.5 and later, click Manage | Security Services | Gateway Anti-Virus. In the lookup search string box, enter BadRabbit.

If the Bad Rabbit signatures are listed, the firewall has received the update. If no entry appears, verify that the Gateway Security subscription is active, since signatures are only delivered to licensed firewalls.

General recommendations for everybody, regardless of their security vendor, include:

  • Apply all patches to operating systems
  • Protect endpoints with an up-to-date anti-virus solution
  • Ensure firewall and endpoint firmware and software are current
  • Implement a network sandbox to discover and mitigate new threats
  • Deploy a next-generation firewall with a gateway security subscription to stop known threats

For more information see: