Bad Rabbit Ransomware

Ransomware Killswitch Files – Configuration Item

How to create ransomware killswitch files with MEMCM. Today I woke up to yet another ransomware outbreak attacking Europe, and this time it’s Bad Rabbit. The good news is that a killswitch for this ransomware has already been discovered, preventing Bad Rabbit from infecting a Windows system. Here is a configuration item for SCCM that lets you quickly protect yourself.

Note: This script is not limited to the Bad Rabbit ransomware. Simply edit $files in the discovery and remediation scripts and add the files for other ransomware once their killswitches are discovered. This Configuration Item ensures those files are present.

Download: Microsoft Technet Galleries

A configuration item in Configuration Manager is the perfect tool to ensure that these killswitch files are present on my systems. It detects whether a setting, or in this case a file, is present, reports compliant or non-compliant back to Configuration Manager, and can then automatically run the remediation script on the non-compliant systems.

I wanted a flexible configuration item that is able to handle more than one file, and I also wanted to remove all permissions on these files so no users would delete them by accident.

The discovery script detects whether the files are present on the system, and returns $true if they are present and $false if the system is not compliant.

This configuration item adds the two killswitch files that prevent the Bad Rabbit ransomware from infecting Windows systems.

Ransomware Killswitch CI Discovery Script

# PowerShell CI Discovery script to detect the presence of killswitch files
# Returns $true if compliant and $false if not
#
# Created by: Anders Rødland (2017-10-25) - www.andersrodland.com

# Enter the full path to the killswitch files. Bad Rabbit ransomware killswitch used in this example.
$files = "$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat"

# Count the killswitch files that are present. The system is compliant only if every file exists.
$present = 0
foreach ($file in $files) {
    # -PathType Leaf makes sure a folder with the same name does not count as compliant
    if (Test-Path -Path $file -PathType Leaf) {
        $present++
    }
}

# Compliant when every killswitch file was found
$obj = ($present -eq $files.Count)

# Return compliance ($true / $false) to Configuration Manager
Write-Output $obj

Ransomware Killswitch CI Remediation Script

# PowerShell CI Remediation script to remediate the presence of killswitch files
# Creates the killswitch files, disables inheritance and removes all NTFS permissions
#
# Created by: Anders Rødland (2017-10-25) - www.andersrodland.com

# Enter the full path to the killswitch files. Bad Rabbit ransomware killswitch used in this example.
$files = "$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat"

foreach ($file in $files) {
    # Only create the file when it is missing. A file that already exists may have had its
    # permissions stripped by an earlier run, and overwriting it would fail with access denied.
    if (-not (Test-Path -Path $file -PathType Leaf)) {
        Write-Verbose "Creating file: $file"
        New-Item -Path $file -ItemType File -Force | Out-Null
    }

    Write-Verbose "Disabling inheritance and removing all permissions for file: $file"
    $acl = Get-Acl -Path $file
    # $true  = protect the file from inherited permissions
    # $false = do not keep the inherited rules as explicit rules, so no ACEs remain
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $file -AclObject $acl
}
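The discovery script above only checks that the files exist, while the remediation also cuts inheritance and strips every permission. When a client keeps flipping between compliant and non-compliant it helps to see both facts at once. The following audit script is an added example, not part of the original post or its Technet download; it uses the same two Bad Rabbit file paths and reports, per file, whether it exists, whether inheritance is disabled, how many explicit ACEs are left and who owns it. The function name Get-KillswitchFileState is my own.

```powershell
# Added example: audit the killswitch files for presence AND hardened ACL state.
# Same Bad Rabbit paths as in the scripts above.
$files = "$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat"

function Get-KillswitchFileState {
    param([Parameter(Mandatory)][string]$Path)

    $exists              = Test-Path -Path $Path -PathType Leaf
    $inheritanceDisabled = $false
    $explicitAces        = 0
    $owner               = $null

    if ($exists) {
        $acl = Get-Acl -Path $Path
        # AreAccessRulesProtected is $true once SetAccessRuleProtection($true, ...) has been applied
        $inheritanceDisabled = $acl.AreAccessRulesProtected
        # Count only the explicit (non-inherited) access rules still present on the file
        $explicitAces = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        $owner = $acl.Owner
    }

    [pscustomobject]@{
        Path                = $Path
        Exists              = $exists
        InheritanceDisabled = $inheritanceDisabled
        ExplicitAceCount    = $explicitAces
        Owner               = $owner
        # Hardened means: file present, inheritance cut, and no explicit ACEs left behind
        Hardened            = ($exists -and $inheritanceDisabled -and ($explicitAces -eq 0))
    }
}

$report = foreach ($file in $files) { Get-KillswitchFileState -Path $file }
$report | Format-Table -AutoSize

# Single boolean: $true only when every killswitch file is present and hardened
$allHardened = (@($report | Where-Object { -not $_.Hardened }).Count -eq 0)
Write-Output $allHardened
```

Run it in an elevated console to get the table for a quick look at a single machine. If you want to use the stricter check as a CI discovery script instead of the presence-only one, remove the Format-Table line so the script returns nothing but the final $true or $false, which is what the compliance rule expects.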

Anders Rødland

Anders Rødland started his IT career in 2006. My main focus is MS Configuration Manager and client management, and I have passed 17 Microsoft certifications since then. My main expertise is on client management with Microsoft Endpoint Manager: Intune and Configuration Manager. I also do a lot of work on the security side with Microsoft Defender for Endpoint. In addition to my Microsoft certifications, I also have an ITIL v3 Foundation certification. This is my private blog and does not represent my employer. I use it to share information that I find useful. Sharing is caring.
