Just in Time Bulletin: Bad Rabbit

Aug 23, 2021

What is Bad Rabbit?

Bad Rabbit is ransomware that shares some of the NotPetya code base, but unlike NotPetya, does not rely on the EternalBlue exploit.

How does it infect?

Bad Rabbit is delivered as a drive-by download that relies on social engineering: victims are presented with a fake Adobe Flash update prompt that downloads the payload, and the victim must then run the downloaded file manually for the malware to infect the machine.

What does it do?

Unlike WannaCry and NotPetya, which used the EternalBlue exploit, Bad Rabbit relies on lateral movement through WMIC command execution, Mimikatz, and SMB shares. In addition, Bad Rabbit uses the same DiskCryptor driver present in NotPetya (and many other variants) to encrypt (nearly) all files on the disk.

How do I avoid this attack?

The easy answer is to never use Flash. The more nuanced solution is to avoid downloading anything from untrusted servers. If you suspect you may be running an outdated version of Flash, download an update directly from the official Adobe Flash website rather than from a prompt served by a third-party site.

Good to know:

While Bad Rabbit does not utilize the EternalBlue exploit, it does use the EternalRomance exploit (also from the Shadow Brokers leak). EternalRomance only impacts Windows XP and Windows 2003; however, it is functional against fully patched versions of both operating systems. Bad Rabbit uses the EternalRomance exploit for lateral movement, so if you do operate legacy systems in your enterprise environment, be sure to disable SMBv1.
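To audit and enforce that SMBv1 advice on the supported Windows hosts that legacy systems would otherwise talk to, the following PowerShell script is an added example written for this bulletin, not NopSec's own tooling; it assumes an elevated session on Windows 8.1 or Windows 10, uses only Microsoft's documented SMB cmdlets and sc.exe commands, and the -Remediate switch is this script's own convention.

```powershell
# Added example (not NopSec's code): report, and optionally disable, SMBv1 on a
# Windows 8.1 / Windows 10 host. Run elevated. Without -Remediate it only reports.
# Assumption: Windows Server 2012 R2+ removes the binaries with
# Remove-WindowsFeature FS-SMB1 instead of Disable-WindowsOptionalFeature.
[CmdletBinding()]
param(
    [switch]$Remediate
)

function Get-Smb1State {
    # Server side: is the SMB1 dialect still offered by LanmanServer?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Optional feature: are the SMB1 binaries installed at all?
    $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    # Client side: start mode of the SMB1 redirector driver (mrxsmb10)
    $client = (Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'").StartMode
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        ServerSmb1      = $server
        Smb1Feature     = $feature
        ClientSmb1Start = $client
    }
}

function Disable-Smb1 {
    # Stop offering SMB1 on the server side first: this is the path lateral
    # movement over SMB shares uses.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional feature so the SMB1 binaries are not present.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # Disable the SMB1 client redirector and drop it from the workstation
    # service's dependency list (Microsoft's documented sc.exe sequence).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

$before = Get-Smb1State
$before | Format-List

if ($Remediate -and ($before.ServerSmb1 -or $before.Smb1Feature -eq 'Enabled')) {
    Disable-Smb1
    Write-Host "SMBv1 disabled; reboot for the feature removal to take effect."
    Get-Smb1State | Format-List
}
```

On Windows XP and Server 2003 themselves SMBv1 is the only dialect available, so the practical control for those hosts is network isolation or retirement; this script hardens the supported peers they would otherwise reach over SMBv1.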

How do I learn more?

Contact The NopSec Team