What Is Bad Rabbit Ransomware?

On Tuesday, Oct. 24, a new strand of ransomware named Bad Rabbit emerged in Russia and the Ukraine.  Russian media outlets and large organizations in the Ukraine were the first organizations attacked, and then found its way into Western Europe and the United States. The initial installer masquerades as a Flash update but is believed to be an updated version of NotPetya, since the infection chain and component usage is identical.

Interestingly, this malware contains a list of hardcoded Windows credentials, most likely to brute force entry into devices on the network.  According to threat researchers, Bad Rabbit spreads using the SMB protocol within Windows. We should think of it as a bug fix maintenance release of NotPetya (within EternalBlue method of propagation removed). The purpose of using the SMB protocol is to spread laterally across an organization.

Rules to stay safe by:

General recommendations for everybody, regardless of their security vendor, include:

  • Apply all patches to operating systems
  • Protect endpoints with an up-to-date anti-virus solution
  • Promote good password hygiene policies
  • Ensure firewall and end point firmware is current
  • Implement a network sandbox to discover and mitigate new threats
  • Deploy a next-generation firewall with a gateway security subscription to stop known threats

If you have questions, please contact Ryan Carter or Joe DeLuca at 517.323.7500.