Hello folks
I reveive the following error from several of our sites and IPSEC partners:
2017:11:13-11:04:04 sg330a-2 snort[32130]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop"
reason="MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt" group="500" srcip="192.168.60.113" dstip="172.20.1.2"
proto="6" srcport="53006" dstport="445" sid="44649" class="A Network Trojan was Detected" priority="1" generator="1" msgid="0"
The dstip ist always a internal Windows 2016 DNS Server and the dstport ist always 445.
Why is this going to the DNS Servers?
We put an infpub.dat and a cscc.dat file in the Windows Root as explained here: https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware?hs_amp=true None of the users has admin rights. I doubt that so many computer are infected.
This thread was automatically locked due to age.