Insights > Blog

New Bad Rabbit Ransomware Spreads Rapidly Across Multiple Countries

New Windows ransomware, dubbed ‘Bad Rabbit’, is spreading rapidly across corporate networks in Russia, Ukraine, across Europe, in the U.S., and Japan.

Bad Rabbit Ransomware Spreads Throughout the World (2).jpg

The ransomware started to infect systems on Tuesday, October 24 2017. CIPHER researchers noted that this new ransomware has similarities to WannaCry and Petya. It is actually a variant of NotPetya, with DLLs sharing 67% of the code.

Bad Rabbit’s first infection move is to pose as an Adobe Flash update when surfing to a compromised web site.  The fake Adobe update requires that the user click to execute a file. Once caught it then moves laterally through networks with SMB exploits, although it is reported that Bad Rabbit does not use the EternalBlue exploit. Lateral movement is achieved also by using the Mimikatz method of harvesting administrative credentials from system memory.

Encryption of files is achieved using open source DiskCryptor. The ransom demanded is .05 bitcoin, about $900 per infected computer. Paying the ransom is not a guarantee of getting your files back.

Indicators of Compromise (IOCs)

Indicator Type Context

8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

b14d8faf7f0cbcfad051cefe5f39645f

SHA256/MD5 dispci.exe

579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

1d724f95c61f1055f0d02c2154bbccd3

SHA256/MD5 infpub.dat

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

fbbdc39af1139aebba4da004475e8839

SHA256/MD5 FlashUtil.

 

Researchers continue with more detailed analysis.

 How to Protect Yourself

  • If presented with a software update prompt while navigating a web site, go to the manufacturer’s web site to check for an update instead.
  • Always have backups of sensitive data.
  • Always have updated endpoint protection. Automatic updates are recommended.
  • Keep Windows up-to-date. Automatic updates are recommended.

 

Get more practical tips on combatting ransomware in our ‘What’s Next After WannaCry?’ blog. 

 

If you’re one of our Carbon Black customers, please also take a look at their latest blog that includes a detailed analysis of ‘Bad Rabbit’. This blog post will help you understand how the Bad Rabbit attack works and provide some recommendations on how to prevent it using Cb Defense. http://bit.ly/badrabbit_cipher

Future Proof Your Ransomware Defenses Whitepaper

 
 
 
 
 
 
 
 
 
 
 
 
 
Did you enjoy this blog article? Comment below with your feedback.

0 Comments

Submit a Comment

Your email address will not be published.

GET EMAIL UPDATES

Information Security Maturity Self-Assessment Survey

Learn More

•  Whitepapers
•  E-books
•  Checklists
•  Self-Assessments
•  Webcasts
•  Infographics