Petya. NotPetya. Now BadRabbit. Ransomware keeps evolving and wreaking havoc worldwide.
There’s no evidence that phishing emails have delivered BadRabbit, the new ransomware strain that hit Russian, Eastern European and some U.S. networks this week. Nonetheless, BadRabbit has caught our eye at PhishMe.
Here’s what we’ve seen reported.
BadRabbit is similar to NotPetya, which terrorized networks back in June. It appears to start with a malvertising or drive-by attack, with victims taking the bait of a fake Flash update prompt.
There’s evidence that BadRabbit borrows or reuses code from NotPetya. Both use typical lateral movement tricks: abuse of default and weak network passwords, credential extraction with Mimikatz so the harvested passwords can be reused against other hosts, and, according to some reports, exploitation of network services.
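The credential-reuse spreading described above leaves a recognizable trace in Windows security logs: one account, from one source address, completing network logons to many different hosts within minutes. The script below is an added example (not PhishMe’s code and not a BadRabbit indicator) that flags that fan-out pattern over a handful of constructed, simplified 4624/4625 records. The field layout, the five-minute window and the five-host threshold are assumptions chosen for the illustration; real Security event exports need a proper parser and tuning against normal service-account behaviour.

```python
"""Flag one account logging on over the network to many hosts in a short
window, the fan-out pattern of credential reuse during lateral movement.

Added example. The log lines are constructed for this illustration and the
space-separated field layout is an assumption, not a real Windows export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records, one per line:
# timestamp | EventID | LogonType | TargetUserName | source IpAddress | destination Computer
# 4624 = successful logon, 4625 = failed logon; logon type 3 = network logon.
SAMPLE_LOG = """\
2017-10-24T10:00:01 4624 3 CORP\\svc_backup 10.0.5.17 FILESRV01
2017-10-24T10:00:03 4624 3 CORP\\svc_backup 10.0.5.17 FILESRV02
2017-10-24T10:00:04 4624 3 CORP\\svc_backup 10.0.5.17 WKS-0412
2017-10-24T10:00:06 4624 3 CORP\\svc_backup 10.0.5.17 WKS-0419
2017-10-24T10:00:07 4624 3 CORP\\svc_backup 10.0.5.17 PRINTSRV
2017-10-24T10:00:09 4624 3 CORP\\svc_backup 10.0.5.17 DC02
2017-10-24T10:00:05 4625 3 CORP\\svc_backup 10.0.5.17 DC01
2017-10-24T10:00:02 4624 2 CORP\\admin 127.0.0.1 WKS-0401
2017-10-24T10:01:00 4624 3 CORP\\jsmith 10.0.7.22 FILESRV01
2017-10-24T10:20:00 4624 3 CORP\\jsmith 10.0.7.22 FILESRV02
"""


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src_ip, dest = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src_ip": src_ip,
            "dest": dest,
        })
    return events


def detect_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Return one alert per (user, source IP) pair that completed network
    logons (4624, type 3) to at least `threshold` distinct destination hosts
    inside any `window`-long interval. Failed logons and interactive/local
    logons are ignored so a single noisy workstation does not trigger it."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_key[(e["user"], e["src_ip"])].append(e)

    alerts = []
    for (user, src_ip), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        best_hosts = set()
        left = 0
        # Sliding window over the sorted events; recomputing the host set per
        # step is O(n^2) worst case, which is fine for an illustration.
        for right in range(len(evs)):
            while evs[right]["time"] - evs[left]["time"] > window:
                left += 1
            hosts = {e["dest"] for e in evs[left:right + 1]}
            if len(hosts) > len(best_hosts):
                best_hosts = hosts
        if len(best_hosts) >= threshold:
            alerts.append({
                "user": user,
                "src_ip": src_ip,
                "distinct_hosts": len(best_hosts),
                "hosts": sorted(best_hosts),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_events(SAMPLE_LOG)):
        print(f"{alert['user']} from {alert['src_ip']} reached "
              f"{alert['distinct_hosts']} hosts: {', '.join(alert['hosts'])}")
```

In the constructed sample only the service account fanning out from 10.0.5.17 is reported; the two logons by jsmith are far apart and below the host threshold, and the failed and local logons are filtered before counting. In a real deployment the threshold should be tuned per account class, since backup and monitoring accounts legitimately touch many hosts.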
The major difference: BadRabbit appears more polished than NotPetya, with a colorful Tor site for ransom payments. There’s no word yet on whether paying the ransom actually gets your machines decrypted.
Figure 1 – Animated GIF of payment site
Our initial take:
Earlier ransomware and destructive-malware crises have shown that many enterprises and critical infrastructure providers remain vulnerable to simple attacks, such as exploitation of vulnerabilities for which patches are already available and abuse of weak or default passwords.
These are generally addressed by “Infosec 101” best practices: a regular, planned software update process and good password hygiene.
Also, just as BadRabbit follows on from NotPetya, we can expect further attacks in this newly set pattern.
And finally, though we’ve seen no trace of phishing emails used to spread BadRabbit, this newest ransomware threat is a reminder that phishing is still the typical delivery route for malware, and a good reason to make sure your phishing defense is up to par.
Don’t ever miss another threat – sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.