Bad Rabbit ransomware: What to do

  • Article ID: 127730
  • Updated: 2 Nov 2017

Overview

Sophos is aware of a widespread ransomware attack that is affecting several organizations in multiple countries. It is known as Bad Rabbit and has similarities to the recent Petya/NotPetya ransomware attack that affected Ukraine and other countries. Initial reports indicate that Bad Rabbit is mainly affecting Russian organizations, but other countries are affected as well.

The following sections are covered:

  • Are Sophos customers protected?
  • What you should do to protect your organization
  • Sophos protection timeline
  • Related information

Are Sophos customers protected?

Sophos Intercept X and Exploit Prevention customers were protected against this attack proactively with no updates required.

The investigation of this threat is still ongoing and this article will be updated with more information as it becomes available.

For more information about protection in other Sophos products, see the table below.

| Sophos Endpoint and Server products | Protection available from | Action needed |
|---|---|---|
| Endpoint Protection | October 24, 2017 18:48 UTC | Ensure Sophos is up to date. |
| Intercept X | Already protected | None required |
| Endpoint Exploit Prevention (EXP) | Already protected | None required |
| Server Protection | October 24, 2017 18:48 UTC | Ensure Sophos is up to date. |
| Sophos Home | October 24, 2017 18:48 UTC | Ensure Sophos is up to date. |

What you should do to protect your organization

Follow any actions needed for the Sophos products you are using, as detailed in the "Are Sophos customers protected?" section above.

Additionally, Sophos recommends following the Anti-Virus and HIPS best practice settings and checking that the computers are running the latest updates.

Sophos protection timeline

The table below provides a timeline of new/additional protection created for this threat.

| Threat Name | Threat Identity file (IDE) | Protection Availability: Publication Started | Protection Availability: Publication Finished |
|---|---|---|---|
| Ransomware | Not required | Already protected in Sophos Intercept X and Exploit Prevention | |
| Mal/Generic-S | Live Protection | 2017-10-24 18:48 UTC | 2017-10-24 18:48 UTC |
| Troj/Ransom-ERK | rans-erk.ide | 2017-10-24 21:22 UTC | 2017-10-24 21:24 UTC |

Related information

  • Bad Rabbit ransomware outbreak
