Users of Webroot secured against BadRabbit

A new virus infection under the name of BadRabbit is active at the moment.


The infection that pops up looks familiar: the ransom screen looks a lot like the NotPetya attack that wreaked havoc in June/July of this year.


This infection is called BadRabbit and, like NotPetya, it restarts machines so it can encrypt the MBR. The MBR (Master Boot Record) is essential for starting your OS, so once it is encrypted you won't even be able to get into Windows without paying a ransom.
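Because the damage here is done to the first 512-byte sector of the disk, a useful defensive habit is to record a fingerprint of that sector at install time and compare it later, which is essentially what an "unauthorised MBR alteration" warning is doing. The following is an added example (not Webroot's code, and not from the original post) that parses the MBR layout, hashes the boot-code region and the partition table separately so a report can say which part changed, and runs offline against a constructed sample sector. The layout constants (boot code at bytes 0-445, four 16-byte partition entries from byte 446, boot signature 0x55AA at bytes 510-511) are the standard MBR format; the sample partition values are constructed.

```python
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16      # four entries, bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, start LBA, sector count


def build_sample_mbr():
    """Construct a minimal, well-formed 512-byte MBR for offline testing.
    Constructed data: zero-filled boot code and one bootable NTFS-type partition."""
    mbr = bytearray(MBR_SIZE)
    # status 0x80 = bootable, type 0x07 = NTFS/exFAT, start LBA 2048, 512 MiB of sectors
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1048576)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(data):
    """Return whether the boot signature is intact plus the non-empty partition entries."""
    if len(data) < MBR_SIZE:
        raise ValueError("an MBR is at least 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _, ptype, _, start_lba, sectors = struct.unpack(
            ENTRY_FORMAT, data[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:          # type 0 means the slot is unused
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "start_lba": start_lba, "sectors": sectors})
    return {"signature_ok": data[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def mbr_baseline(data):
    """Fingerprint the two regions separately so a later check can say which one moved.
    Store the result somewhere the machine itself cannot overwrite (e.g. a central inventory)."""
    return {
        "boot_code": hashlib.sha256(data[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partition_table": hashlib.sha256(data[PARTITION_TABLE_OFFSET:510]).hexdigest(),
    }


def check_mbr(data, baseline):
    """Compare the current sector against a stored baseline; an empty list means no change."""
    findings = []
    if not parse_mbr(data)["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    current = mbr_baseline(data)
    if current["boot_code"] != baseline["boot_code"]:
        findings.append("boot code region (bytes 0-445) changed")
    if current["partition_table"] != baseline["partition_table"]:
        findings.append("partition table (bytes 446-509) changed")
    return findings


if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = mbr_baseline(sample)
    print("clean sector:", check_mbr(sample, baseline))
    tampered = bytearray(sample)
    tampered[:16] = b"\xff" * 16          # simulate a replaced bootloader stub
    print("tampered sector:", check_mbr(bytes(tampered), baseline))
```

On a live Windows host the sector would come from reading the first 512 bytes of the physical drive with administrator rights; the baseline must be taken from a known-clean state and kept off the machine, otherwise a bootloader that rewrites the MBR could rewrite the baseline as well.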


It is a very professionally made infection that uses a lot of clever tricks to spread.


The Good News

Webroot totally protects against Bad Rabbit. When this infection tries to restart your machine, WSA will prompt you with a warning about an unauthorised MBR alteration related to this attack.


Webroot also blocks the files responsible for this in the Threat Intelligence Network.


However, this infection points out the importance of a few steps:

  • Don't have your users running as admins (where possible).
  • This infection uses hardcoded, commonly used passwords, so don't use easily guessable passwords.
  • Update Windows! This abuses an exploit that was patched by Microsoft in March. This exploit has been used to destroy machines all year.
  • Definitely back up. All it takes is one mistake, or one machine where Webroot is uninstalled, and you will lose data. Once it's encrypted there is no way of getting it back.
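The second point above is the one that is easiest to check in your own environment: a password that is a common word with a number bolted on, or with letters swapped for look-alike symbols, is still "easily guessable". Below is an added example (not Webroot's code, and not from the original post) of a password policy check that strips trailing digits and symbols, undoes common character substitutions, and rejects anything that reduces to a known weak password or contains the account name. The COMMON_PASSWORDS set here is a small constructed sample; in practice you would load a full published list of weak passwords, and the 12-character minimum is an assumed policy value.

```python
import re

# Constructed sample only; load a large published weak-password list in practice.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "admin",
    "administrator", "letmein", "welcome", "guest", "root", "changeme",
}

# Undo the usual look-alike substitutions: @->a, $->s, 0->o, !->i, 1->l, 3->e, 4->a, 5->s
LEET_MAP = str.maketrans("@$0!1345", "asoileas")
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*._-]+$")   # "Password123!" -> "Password"

MIN_LENGTH = 12   # assumed policy value


def common_match(pw):
    """Return the weak-list entry the password reduces to, or None."""
    stripped = TRAILING_JUNK.sub("", pw) or pw   # all-digit passwords keep their raw form
    for candidate in (pw.lower(), stripped.lower(), stripped.lower().translate(LEET_MAP)):
        if candidate in COMMON_PASSWORDS:
            return candidate
    return None


def assess_password(pw, username=None):
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the account name")
    match = common_match(pw)
    if match is not None:
        problems.append(f"based on common password '{match}'")
    if len(set(pw)) <= 2:          # e.g. "aaaaaaaaaaaa" or "abababababab"
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for user, pw in [("alice", "P@ssw0rd1"), ("bob", "Administrator2017"),
                     ("carol", "correct-horse-battery-staple")]:
        print(user, pw, "->", assess_password(pw, user) or "ok")
```

The point of normalising before the lookup is that a password filter which only compares the raw string will happily accept "P@ssw0rd1", while any guessing tool that tries substitutions on a word list will not be slowed down by it at all.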

Here is a link a malware researcher (not Webroot) put together with more details about this infection: