On Tuesday, a new ransomware appeared in Russia and Ukraine and began spreading throughout the region. The ransomware, dubbed “Bad Rabbit,” started spreading through Russian media outlets and large corporations in Ukraine. It quickly made its way to large corporations in Western Europe and the United States.
The installer is disguised as an Adobe Flash update, but it appears to be just an updated version of the “NotPetya” ransomware that was unleashed earlier this year. Bad Rabbit does contain something unusual: a hardcoded list of Windows credentials that appears to be used to brute-force access to devices on the network. It uses SMB to work its way across the network and does not, at this time, appear to contain any of the NSA EternalBlue code for propagation.
All in all, it appears to be a “bug fix” or “updated” version of NotPetya minus the EternalBlue components.
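The behaviour described above, one infected machine trying a fixed list of credentials against other hosts over SMB, shows up on the defender's side as a burst of failed network logons from a single source against many accounts and hosts. The following is an added example (not code from the original post) that flags that pattern in Windows Security event 4625 records; the JSON field names, thresholds and sample rows are this example's own assumptions.

```python
# Added example, not code from the original post. Flags one source trying many
# credentials against many SMB hosts, as seen in Windows Security event 4625
# (failed logon) records. Assumed input: one JSON object per line with keys
# event_id, logon_type (3 = network, which SMB authentication produces),
# ts (epoch seconds), src, target (account), host. Field names are assumed.
import json
from collections import defaultdict

WINDOW_SECONDS = 120  # attempts must fall inside this span to count together
MIN_ACCOUNTS = 4      # distinct accounts tried from one source
MIN_HOSTS = 2         # distinct targets: lateral movement, not a stuck client

def parse_events(lines):
    """Keep only failed network logons (event 4625, logon type 3)."""
    events = [json.loads(line) for line in lines if line.strip()]
    return [e for e in events
            if e.get("event_id") == 4625 and e.get("logon_type") == 3]

def find_spray_sources(events):
    """Return {src: (accounts, hosts)} for sources exceeding both thresholds."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            accounts = {e["target"] for e in window}
            hosts = {e["host"] for e in window}
            if len(accounts) >= MIN_ACCOUNTS and len(hosts) >= MIN_HOSTS:
                hits[src] = (accounts, hosts)
                break
    return hits

# Constructed sample (not real telemetry): WS-07 walks a credential list over
# two file servers in 40 s; WS-02 is one user mistyping a password twice.
_ROWS = [  # (ts, src, target, host)
    (0, "WS-07", "admin", "FS-01"), (5, "WS-07", "administrator", "FS-01"),
    (12, "WS-07", "backup", "FS-02"), (20, "WS-07", "user", "FS-02"),
    (40, "WS-07", "guest", "FS-01"),
    (3, "WS-02", "jdoe", "FS-01"), (9, "WS-02", "jdoe", "FS-01"),
]
SAMPLE_LINES = [json.dumps({"event_id": 4625, "logon_type": 3, "ts": t,
                            "src": s, "target": a, "host": h})
                for t, s, a, h in _ROWS]
```

Running `find_spray_sources(parse_events(SAMPLE_LINES))` reports only WS-07; the single user retyping a password on WS-02 stays below both thresholds.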
Who is at risk?
Anyone who uses a Windows-based network that uses the SMB protocol (almost all of them do).
How do I protect against Bad Rabbit?
General recommendations for everybody, regardless of their security vendor, include:
- Apply all patches to operating systems
- Protect endpoints with an up-to-date anti-virus solution
- Promote good password hygiene policies
- Ensure firewall and endpoint firmware is current
- Implement a network sandbox to discover and mitigate new threats
- Deploy a next-generation firewall with a gateway security subscription to stop known threats
- Educate users about the risks of clicking on links and what the consequences can be
If you are interested in learning more about what you can do to keep your business safe from cyber-attacks like Bad Rabbit, please consider a security assessment from SumnerOne.
Originally published October 27, 2017, updated April 20, 2018