Vulnerability Management vendors and massive Malware attacks (following the Bad Rabbit)

After the latest Bad Rabbit ransomware attack, all the top VM vendors (Qualys, Tenable, Rapid7) wrote blog posts on the topic on the same day. Two days later Tripwire also published its own review. Why do they care? They do not make antiviruses, endpoint protection or firewalls – the common tools against this kind of threat. So, what’s the point?


Well, they obviously do it to promote their products and services. But how exactly?

Vulnerabilities

To be functional, malware may exploit vulnerabilities in unpatched systems. Missing patches can be detected by a vulnerability scanner via authenticated and unauthenticated checks.

For example, the Bad Rabbit malware uses a well-known SMBv1 exploit, and Tenable tells us in its “Detecting Bad Rabbit Ransomware” post that the vulnerability can be detected using the following plugins:

  • 97737 – MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)
  • 97833 – MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)

Indicators of Compromise

Infected hosts carry indicators of compromise – files, Windows registry keys and values, processes. All of them can be checked using a vulnerability scanner. Thus, a VM product can be a tool for detecting compromised hosts. This feature is pretty popular now among VM vendors.

In the Bad Rabbit case, Qualys recommends searching for the following files using the QID 1043 check:

  • %windir%\infpub.dat
  • %windir%\dispci.exe
  • %windir%\cscc.dat

Qualys also provides hashes for detecting files in Indication of Compromise (IOC) mode. Hashes were given for these files:

  • install_flash_player.exe
  • C:\Windows\dispci.exe
  • C:\windows\infpub.dat
  • C:\windows\cscc.dat [32 drv]
  • C:\windows\cscc.dat  [64 drv]
  • mimikatz x86
  • mimikatz x64

Tenable detects compromised hosts using the following plugins:

  • Malicious Process Detection (59275)
  • Malicious File Detection (88961)
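As an added example (not from the post, and not any vendor's plugin), here is a scanner-style check over the file indicators listed above: it reports which files are present under the Windows directory and hashes any file it finds so the value can be compared with vendor-published hashes. The hash set holds a placeholder, because the post does not reproduce the values, and the sample directory is constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# File indicators from the Qualys QID 1043 check above, relative to %windir%.
BAD_RABBIT_FILES = ("infpub.dat", "dispci.exe", "cscc.dat")
# Known-bad SHA-256 values come from the vendor's IoC list; the page does not
# reproduce them, so this set holds an obviously labelled placeholder only.
KNOWN_BAD_SHA256 = {"PLACEHOLDER_SHA256_FROM_VENDOR_IOC_LIST"}

def sha256_of(path):
    """Hash a file in chunks so a large dropper is not read into memory at once."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_bad_rabbit_iocs(windir, known_bad=KNOWN_BAD_SHA256):
    """Scanner-style IoC check over the Windows directory. Returns
    {name: {"present": bool, "sha256": str | None, "hash_match": bool}}
    so a caller can raise one finding per indicator."""
    findings = {}
    for name in BAD_RABBIT_FILES:
        target = Path(windir) / name
        entry = {"present": False, "sha256": None, "hash_match": False}
        if target.is_file():
            entry["present"] = True
            entry["sha256"] = sha256_of(target)
            entry["hash_match"] = entry["sha256"] in known_bad
        findings[name] = entry
    return findings

def is_compromised(findings):
    """A hash match confirms compromise; a matching file name alone only
    warrants a closer look, since a benign file could carry the same name."""
    return any(f["hash_match"] for f in findings.values())

def make_constructed_sample():
    """Create a throwaway directory holding a constructed infpub.dat (harmless
    bytes, not the real dropper) so the check can be exercised offline."""
    d = Path(tempfile.mkdtemp(prefix="iocdemo_"))
    (d / "infpub.dat").write_bytes(b"constructed sample, not the real file")
    return d, sha256_of(d / "infpub.dat")

if __name__ == "__main__":
    # On a real Windows host pass os.environ["WINDIR"] instead of the sample.
    sample_dir, sample_hash = make_constructed_sample()
    print(check_bad_rabbit_iocs(sample_dir, known_bad={sample_hash}))
```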

Misconfigurations

To be functional, malware may exploit systems that were not configured correctly. Most modern vulnerability scanners can perform configuration/compliance checks.

Bad Rabbit uses mimikatz to extract plaintext passwords from memory for further spreading. Thus, VM vendors could write something about Windows hardening, for example based on the “Defending Against Mimikatz” article, right?

But none of them actually gave direct recommendations. Only Tripwire gave a link to a list of “22 Ransomware Prevention Tips”. Here I would like to mention a great compliance management tool, ComplianceCheck by AltxSoft, that was promoted as a solution against ransomware (“Altx-Soft ComplianceCheck against cryptolockers and ransomware”).

In conclusion

The ransomware attacks we have all seen this year (WannaCry, Petya and now Bad Rabbit) are pretty similar from a Vulnerability Management point of view. Should VM vendors react to each of them? IMHO, yes, they should. But it depends on what kind of report it will be.

Generic words about malware behavior are not really interesting. Endpoint, antivirus and threat intelligence vendors like Kaspersky, ESET or Cisco Talos, with all their skill in malware research, will make a better report anyway.

As an end user of a VM solution, I like it when the vendor uses all the hype around a malware attack to demonstrate:

  • Why this attack was actually possible (vulnerabilities).
  • Concrete ways to mitigate the risk using the vendor’s product (this is much more effective than any kind of training).
  • A sign that the vendor’s product is still in active development and is not abandoned (the most important!).
