I'm doing an assessment on the potential outspread of Bad Rabbit in our organization. Our staff do not have admin privileges on their host machines. We have also blocked the IOCs. Am I safe to say without admin privileges, the ransomware wouldn't be able to install the fake flash update/mimikatz?

Any other pointers we need to look out for, other than the ones for WannaCry, Petya, NotPetya?

Anders
George

2 Answers

First of all, inform/warn employees in your organization not to click on fake Flash installation pop-up windows.

On welivesecurity.com it is said:

One of the distribution methods of Bad Rabbit is via drive-by download. Some popular websites are compromised and have JavaScript injected in their HTML body or in one of their .js files.

That's from the user perspective; now the technical advice:

  • keep your software/OS up-to-date
  • use strong passwords
  • block traffic on SMB protocol (tcp/445)
  • use antivirus software
  • monitor scheduled tasks and service creation

And as @Royce Williams said, you can create the following files:

c:\windows\infpub.dat && c:\windows\cscc.dat

and remove ALL PERMISSIONS (inheritance).

You can also block access to the following compromised sites from this list - https://pastebin.com/raw/n7ExrTsJ

More info about Bad Rabbit can be found here.

Mirsad

One specific additional countermeasure is to vaccinate, using this procedure to create a couple of specific files:

C:\Windows\infpub.dat
C:\Windows\cscc.dat

... and then remove permissions inheritance from them.

Royce Williams
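The vaccination step from the two answers above (pre-create infpub.dat and cscc.dat, then strip inherited permissions), as an added PowerShell example that is not from either answer's author; it assumes the file paths given in the answers, an elevated prompt, and the built-in icacls tool:

```powershell
# Added example, not the answers' own script. Run from an elevated PowerShell prompt.
# Creates the two placeholder files Bad Rabbit is reported to write, strips all
# inherited ACEs (leaving an empty DACL) and sets the read-only attribute, so the
# dropper cannot overwrite them from a normal user context.
$vaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

function Protect-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Empty placeholder file; content is irrelevant, only its presence matters
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # /inheritance:r removes every inherited ACE; a freshly created file has no
    # explicit ACEs, so the DACL ends up empty ("no permissions").
    icacls $Path /inheritance:r | Out-Null
    attrib +R $Path
}

function Test-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    $readOnly = (Get-Item -LiteralPath $Path -Force).IsReadOnly
    # Protected DACL with zero entries and the read-only bit set
    return ($acl.AreAccessRulesProtected -and ($acl.Access.Count -eq 0) -and $readOnly)
}

foreach ($f in $vaccineFiles) {
    Protect-VaccineFile -Path $f
    if (Test-VaccineFile -Path $f) {
        Write-Output "OK      $f"
    } else {
        Write-Output "CHECK   $f (ACL or attribute not as expected)"
    }
}
```

The file owner (or anyone with SeTakeOwnershipPrivilege) can still reset the ACL, so this is a speed bump against the dropper, not a substitute for the patching and SMB blocking listed above.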