Today I woke up to yet another ransomware attacking Europe, and this time it's Bad Rabbit. The good news is that a killswitch for this ransomware has already been discovered: if two specific files exist in the Windows directory, Bad Rabbit will not run on that system. Here is a configuration item for SCCM to quickly protect yourself.

Note: This script is not limited to the Bad Rabbit ransomware. Simply edit $files in the discovery and remediation scripts and add files for other ransomware once killswitches are discovered. This Configuration Item ensures those files are present.

Download: Microsoft Technet Galleries

A configuration item in Configuration Manager is the perfect tool to ensure that these killswitch files are present on my systems. A CI detects whether my settings, or in this case files, are present, and reports compliant or non-compliant back to Configuration Manager. It can then automatically run the remediation script on the non-compliant systems.

I wanted a flexible configuration item that is able to handle more than one file, and I also wanted to remove all permissions on these files so no users would delete them by accident.

The discovery script detects whether the files are present on the system, and returns $true if all of them are present and $false if the system is not compliant.

This configuration item adds the two killswitch files to prevent Bad Rabbit ransomware from infecting Windows systems.

Ransomware Killswitch CI Discovery Script

# PowerShell CI Discovery script to detect the presence of killswitch files
# Returns $true if compliant and $false if not
#
# Created by: Anders Rødland (2017-10-25) - www.andersrodland.com

# Enter the full path to the killswitch files. Bad Rabbit ransomware killswitch used in this example.
$files = "$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat"

# Count the files that exist. We assume 0 files are compliant until proven otherwise.
$compliant = 0
foreach ($file in $files) {
    if (Test-Path -Path $file) {
        $compliant++
    }
    else {
        $compliant--
    }
}

# Compliant only when every file in the list is present
if ($compliant -eq $files.Count) {
    $obj = $true
}
else {
    $obj = $false
}

# Return compliance
Write-Output $obj

Ransomware Killswitch CI Remediation Script

# PowerShell CI Remediation script to remediate the presence of killswitch files
# Creates the killswitch files, disables inheritance and removes all NTFS permissions
#
# Created by: Anders Rødland (2017-10-25) - www.andersrodland.com

# Enter the full path to the killswitch files. Bad Rabbit ransomware killswitch used in this example.
$files = "$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat"

foreach ($file in $files) {
    Write-Verbose "Creating file: $file"
    Write-Output "" | Out-File -FilePath $file

    $acl = Get-Acl -Path $file
    Write-Verbose "Disabling inheritance and removing all permissions for file: $file"
    # $true = stop inheriting from the parent folder, $false = discard the inherited ACEs
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $file -AclObject $acl
}
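The discovery script above only checks that the files exist, and the remediation only drops inherited ACEs, so a file that somebody created by hand with explicit permissions would report compliant while still being deletable. The following is an added example, not part of the original CI scripts, that folds both halves into two functions which also verify and enforce the locked-down ACL, and which take a $Root parameter (an assumption introduced here) so the logic can be exercised against a scratch folder before it is pushed out through SCCM. The function names and the scratch path under $env:TEMP are this example's own choices.

```powershell
# Added example: discovery + remediation as functions that check presence AND permissions.
# Defaults match the post (infpub.dat and cscc.dat under $env:SystemRoot); $Root is an
# assumption added so the pair can be tested without touching the real Windows directory.

function Test-KillswitchCompliance {
    param(
        [string[]]$Names = @('infpub.dat', 'cscc.dat'),
        [string]$Root = $env:SystemRoot
    )
    foreach ($name in $Names) {
        $path = Join-Path -Path $Root -ChildPath $name
        # Missing file: not compliant, no need to look further
        if (-not (Test-Path -Path $path -PathType Leaf)) { return $false }

        $acl = Get-Acl -Path $path
        # Inheritance must be disabled, otherwise the parent folder's ACEs still apply
        if (-not $acl.AreAccessRulesProtected) { return $false }
        # And no ACE at all may remain, so only the owner's implicit rights are left
        if ($acl.Access.Count -gt 0) { return $false }
    }
    return $true
}

function Set-KillswitchFiles {
    param(
        [string[]]$Names = @('infpub.dat', 'cscc.dat'),
        [string]$Root = $env:SystemRoot
    )
    foreach ($name in $Names) {
        $path = Join-Path -Path $Root -ChildPath $name
        # Create the file only if it is missing; an existing one keeps its content
        if (-not (Test-Path -Path $path -PathType Leaf)) {
            New-Item -Path $path -ItemType File -Force | Out-Null
        }

        $acl = Get-Acl -Path $path
        # Stop inheriting from the parent folder and discard the inherited ACEs
        $acl.SetAccessRuleProtection($true, $false)
        # Also strip any explicit ACEs that were set directly on the file
        foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            $null = $acl.RemoveAccessRule($rule)
        }
        Set-Acl -Path $path -AclObject $acl
    }
}

# Exercise the pair against a scratch folder (assumed path) before deploying the CI:
$scratch = Join-Path -Path $env:TEMP -ChildPath 'killswitch-test'
New-Item -Path $scratch -ItemType Directory -Force | Out-Null
Test-KillswitchCompliance -Root $scratch
Set-KillswitchFiles -Root $scratch
Test-KillswitchCompliance -Root $scratch
```

Run in a fresh scratch folder, the first Test-KillswitchCompliance call should report non-compliant because the files do not exist yet, and the second should report compliant once Set-KillswitchFiles has created them with a protected, empty DACL. The caller that creates the files becomes their owner and therefore keeps the implicit right to change the DACL, which is why SYSTEM (the account SCCM runs the CI under) can still read and re-evaluate the files afterwards; a different, non-administrative user will get an access-denied error from Get-Acl, which is the intended effect.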