New Windows ransomware, dubbed ‘Bad Rabbit’, is spreading rapidly across corporate networks in Russia, Ukraine, across Europe, in the U.S., and Japan.

The ransomware started to infect systems on Tuesday, October 24 2017. CIPHER researchers noted that this new ransomware has similarities to WannaCry and Petya. It is actually a variant of NotPetya, with DLLs sharing 67% of the code.

Bad Rabbit’s first infection move is to pose as an Adobe Flash update when surfing to a compromised web site.  The fake Adobe update requires that the user click to execute a file. Once caught it then moves laterally through networks with SMB exploits, although it is reported that Bad Rabbit does not use the EternalBlue exploit. Lateral movement is achieved also by using the Mimikatz method of harvesting administrative credentials from system memory.

Encryption of files is achieved using open source DiskCryptor. The ransom demanded is .05 bitcoin, about $900 per infected computer. Paying the ransom is not a guarantee of getting your files back.

Indicators of Compromise (IOCs)

Researchers continue with more detailed analysis.

 How to Protect Yourself

• If presented with a software update prompt while navigating a web site, go to the manufacturer’s web site to check for an update instead.
• Always have backups of sensitive data.
• Always have updated endpoint protection. Automatic updates are recommended.
• Keep Windows up-to-date. Automatic updates are recommended.

Get more practical tips on combatting ransomware in our ‘What’s Next After WannaCry?’ blog. 

If you’re one of our Carbon Black customers, please also take a look at their latest blog that includes a detailed analysis of ‘Bad Rabbit’. This blog post will help you understand how the Bad Rabbit attack works and provide some recommendations on how to prevent it using Cb Defense. http://bit.ly/badrabbit_cipher