Just in Time Bulletin: Bad Rabbit

What is Bad Rabbit?

Bad Rabbit is ransomware that shares some of the NotPetya code base, but unlike NotPetya, does not rely on the EternalBlue exploit.

How does it infect?

Bad Rabbit is a drive-by malware download, which is a form of social engineering. Victims are presented with a fake Adobe Flash update prompt, which downloads the payload. Victims are then required to execute the download manually for the malware to infect.

What does it do?

Unlike WannaCry and NotPetya, which used the EternalBlue exploit, Bad Rabbit relies on lateral movement through WMIC command execution, Mimikatz, and SMB Shares. In addition, Bad Rabbit uses the same DiskCryptor driver present in NotPetya (and many other variants) to encrypt (nearly) all files on the disk.

How do I avoid this attack?

The easy answer is to never use Flash. The more nuanced solution is to avoid downloading anything from untrusted servers. If you suspect you may be running an outdated version of Flash, download an update directly from the official Adobe Flash Website.

Good to know:

While Bad Rabbit does not utilize the EternalBlue exploit, it does use the EternalRomance exploit (also from the ShadowBroker leak). EternalRomance only impacts Windows XP and Windows 2003, however it is functional against fully patched versions of both operating systems. Bad Rabbit uses the EternalRomance exploit for lateral movement, so if you do operate legacy systems in your enterprise environment, be sure to disable SMBv1.

How do I learn more?

Contact The NopSec Team