Cisco Talos: Bad Rabbit vulnerability detected
October 2017 by Cisco Talos
Talos has observed a new advanced ransomware worm, Bad Rabbit, which has similarities to Nyetya (aka Not-Petya) and has been found mainly targeting Eastern Europe and Russia. From what has been seen so far, the user needs to download and manually execute a dropper purporting to be a Flash Player update, served from legitimate but compromised websites.
Similar to Nyetya, Bad Rabbit leverages a custom version of the Mimikatz password recovery tool and uses SMB network shares to attempt to spread to further hosts on the local network. This attack combines the technique of distributing malware from compromised websites with the worm functionality recently seen in WannaCry and Nyetya / Not-Petya.
Based on current information, the malware appears to have been active for approximately six hours before the website distributing this malware was taken down. However, this attack is evidence that threat actors are continuously learning and seeking to refine their attack techniques. Cisco Talos continuously monitors the threat environment in order to provide protection against the latest threats.
Organisations need to ensure that they adopt a multilayered approach to security: blocking access to malicious websites, blocking the downloading of malware, and stopping the infection of devices with endpoint protection, combined with sound backup policy and user education.
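The infection chain described above (a fake Flash Player update fetched from a compromised site, followed by SMB spreading on the local network) can be turned into a simple correlation rule on proxy and firewall logs. The following is an added example, not Cisco Talos code; the log layout, the allow-listed vendor domain, the fan-out threshold and the time window are assumptions, and the log events are constructed.

```python
"""Added example (not Cisco Talos code): flag a host that downloads an
executable named like a Flash update from a non-vendor site and then
fans out over SMB (TCP 445) to several peers. Field layout, the vendor
allow-list, threshold and window are assumptions; events are constructed."""
import re
from collections import defaultdict

# Constructed events: (timestamp_seconds, src_host, kind, detail)
# kind "http": detail = (domain, path); kind "conn": detail = (dst_host, dst_port)
EVENTS = [
    (100, "ws-12", "http", ("news.compromised-site.test", "/flash_player_update.exe")),
    (130, "ws-12", "conn", ("10.0.0.21", 445)),
    (131, "ws-12", "conn", ("10.0.0.22", 445)),
    (132, "ws-12", "conn", ("10.0.0.23", 445)),
    (133, "ws-12", "conn", ("10.0.0.24", 445)),
    (200, "ws-30", "http", ("get.adobe.com", "/flashplayer/")),  # legitimate vendor site
    (210, "ws-30", "conn", ("10.0.0.5", 445)),                   # ordinary file-server access
    (300, "ws-44", "http", ("cdn.compromised-site.test", "/install_flash_player.exe")),
]

FAKE_FLASH = re.compile(r"flash.*\.exe$", re.IGNORECASE)
VENDOR_DOMAINS = ("adobe.com",)   # assumption: legitimate sources for the real installer
FANOUT_THRESHOLD = 3              # assumption: distinct SMB peers that suggest spreading
WINDOW = 600                      # assumption: seconds after the download to watch

def is_suspicious_download(domain, path):
    """Executable named like a Flash update that is not served by the vendor."""
    vendor = any(domain == d or domain.endswith("." + d) for d in VENDOR_DOMAINS)
    return bool(FAKE_FLASH.search(path)) and not vendor

def correlate(events):
    """Return {host: verdict}. 'download' = suspicious dropper seen only;
    'download+smb_fanout' = dropper followed by SMB connections to many peers."""
    downloads = {}                        # host -> time of first suspicious download
    smb_peers = defaultdict(set)          # host -> distinct SMB destinations afterwards
    for ts, host, kind, detail in sorted(events):
        if kind == "http" and is_suspicious_download(*detail):
            downloads.setdefault(host, ts)
        elif kind == "conn" and detail[1] == 445 and host in downloads:
            if ts - downloads[host] <= WINDOW:
                smb_peers[host].add(detail[0])
    return {h: ("download+smb_fanout" if len(smb_peers[h]) >= FANOUT_THRESHOLD
                else "download") for h in downloads}

if __name__ == "__main__":
    for host, verdict in correlate(EVENTS).items():
        print(host, verdict)
```

Hosts that only download the dropper are worth an endpoint check; a host that also fans out over SMB should be isolated first, since at that point credentials may already have been harvested.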