On Tuesday, a new ransomware appeared in Russia and Ukraine and began spreading throughout the region. The ransomware, dubbed “Bad Rabbit,” started spreading through Russian media outlets and large corporations in Ukraine. It quickly made its way to large corporations in Western Europe and the United States.
The installer is disguised as an Adobe Flash update, but it does appear that it’s just an updated version of the ransomware “NotPetya” which was unleashed earlier this year. Bad Rabbit does contain something unusual: a hardcoded list of Windows credentials that appears to be used to brute-force access to other devices on the network. It uses SMB to work its way across the network and does not, at this time, seem to contain any of the NSA EternalBlue code for propagation.
All in all, it seems to be a “bug fix” or “updated” version of NotPetya minus the EternalBlue components.
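The SMB spreading behaviour described above, trying a fixed list of credentials against other hosts, leaves a recognisable trace on the targets: a burst of failed network logons from one source against many different account names. The following detector is an added example written for this post, not code from SumnerOne or from the malware analysis; the log records are constructed in the shape of Windows Security event 4625 (failed logon, logon type 3 = network), and the account names and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(t, src, user, event_id=4625, logon_type=3):
    # Minimal stand-in for a Windows Security log record (constructed sample data).
    return {"time": t, "event_id": event_id, "logon_type": logon_type,
            "src_ip": src, "target_user": user}


SAMPLE_EVENTS = [
    # One host cycles through a fixed list of account names within ~40 seconds.
    _ev("2017-10-24T10:00:01", "10.0.0.5", "Administrator"),
    _ev("2017-10-24T10:00:05", "10.0.0.5", "Admin"),
    _ev("2017-10-24T10:00:09", "10.0.0.5", "Guest"),
    _ev("2017-10-24T10:00:14", "10.0.0.5", "User"),
    _ev("2017-10-24T10:00:20", "10.0.0.5", "backup"),
    _ev("2017-10-24T10:00:41", "10.0.0.5", "operator"),
    # A user mistyping their own password twice: not credential guessing.
    _ev("2017-10-24T10:03:00", "10.0.0.9", "alice"),
    _ev("2017-10-24T10:03:07", "10.0.0.9", "alice"),
    # A successful logon (4624) is ignored by the detector.
    _ev("2017-10-24T10:04:00", "10.0.0.9", "alice", event_id=4624),
    # An interactive failure at the console (logon type 2) is not SMB traffic.
    _ev("2017-10-24T10:05:00", "10.0.0.7", "bob", logon_type=2),
]


def find_credential_guessing(events, window=timedelta(minutes=2), min_accounts=5):
    """Return {src_ip: sorted account names} for every source that fails network
    logons against at least `min_accounts` distinct accounts within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["target_user"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()  # sliding window over attempts ordered by time
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_accounts:
                flagged[src] = sorted({u for _, u in attempts})
                break
    return flagged


if __name__ == "__main__":
    for src, accounts in find_credential_guessing(SAMPLE_EVENTS).items():
        print(f"possible SMB credential guessing from {src}: {accounts}")
```

Thresholds are deliberately parameters: tune `window` and `min_accounts` against your own baseline of failed logons before alerting on them.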
Anyone who uses a Windows-based network that relies on the SMB protocol (almost all of them do) is potentially exposed.
General recommendations for everybody, regardless of their security vendor, include:
If you are interested in learning more about what you can do to keep your business safe from cyber-attacks like Bad Rabbit, please consider a security assessment from SumnerOne.
Originally published October 27, 2017, updated August 14, 2018