Bad Rabbit Ransomware

Ransomware Killswitch Files – Configuration Item

Today I woke up to yet another ransomware attacking Europe, and this time it’s Bad Rabbit. The good news is that a killswitch for this ransomware has already been discovered, preventing Bad Rabbit from infecting any Windows system. Here is a configuration item for SCCM to quickly protect yourself.

Note: This script is not limited to the Bad Rabbit ransomware. Simply edit $files in the discovery and remediation scripts and add files for other ransomware once their killswitches are discovered. This Configuration Item ensures those files are present.

Download: Microsoft Technet Galleries

A configuration item in Configuration Manager is the perfect tool to ensure that these killswitch files are present on my systems. It detects whether my settings, or in this case files, are present, and reports compliant or non-compliant back to Configuration Manager. Configuration Manager can then automatically run the remediation script on the non-compliant systems.

I wanted a flexible configuration item that is able to handle more than one file, and I also wanted to remove all permissions on these files so that no user would delete them by accident.

The discovery script detects whether the files are present on the system, and returns $true if they are present and $false if the system is not compliant.

This configuration item adds the two killswitch files to prevent Bad Rabbit ransomware from infecting Windows systems.
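The discovery and remediation logic described above, sketched as an added example; this is not the author's script from the download. The function names are hypothetical and the file names in $files are placeholders to be replaced with the published killswitch file names.

```powershell
# Added example, not the author's script.
# PLACEHOLDER file names: replace with the published killswitch file names.
$files = @(
    "$env:windir\PLACEHOLDER-killswitch-1.dat",
    "$env:windir\PLACEHOLDER-killswitch-2.dat"
)

# Discovery: $true only when every file in the list exists (hypothetical name).
function Test-KillswitchFiles {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { return $false }
    }
    return $true
}

# Remediation: create each missing file, then strip every permission from it
# (hypothetical name).
function Set-KillswitchFiles {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            New-Item -Path $p -ItemType File -Force | Out-Null
        }
        $acl = Get-Acl -LiteralPath $p
        # Block inheritance and discard the inherited entries.
        $acl.SetAccessRuleProtection($true, $false)
        # Remove any explicit entries so the DACL ends up empty.
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        foreach ($rule in $explicit) { [void]$acl.RemoveAccessRule($rule) }
        Set-Acl -LiteralPath $p -AclObject $acl
    }
}

# Discovery script of the CI: emit the compliance value ($true / $false).
Test-KillswitchFiles -Path $files

# Remediation script of the CI (the ConfigMgr client runs it as SYSTEM):
# Set-KillswitchFiles -Path $files
```

An empty DACL blocks ordinary access, but the file's owner and administrators can still reset the permissions, so this protects against accidental deletion rather than a deliberate one.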

Ransomware Killswitch CI Discovery Script



Ransomware Killswitch CI Remediation Script



Anders Rødland

Anders Rødland started his IT career in 2006. My main focus is MS Configuration Manager and client management, and I currently hold 15 active Microsoft certifications. Certified on Windows Server, Windows Client, SQL, Exchange and System Center Configuration Manager. Anders Rødland also holds an ITIL Foundation certification. This is my private blog and does not represent my employer. I use this to share information that I find useful. Sharing is caring.