Bad Rabbit: A Hare-Raising Campaign
On October 24, numerous users fell victim to a multifaceted malware campaign. The “Bad Rabbit” attack (named after the messaging on the ransomware payment site(s)) rapidly hopped across the Ukraine, Russia, and potentially other locations (reports have yet to be confirmed).
The components and style of the attack were not novel, but this campaign does serve as a reminder on just how effective the ‘bad guys’ can be when they embrace patched exploits (the EternalRomance exploit) along with the old standbys (ransomware and wiping components, and Mimikatz).
Bad Rabbit’s initial attack vector was a drive-by download claiming to be an update for Adobe Flash Player. Once active on a system, the malware drops and activates additional components, which includes the ransomware, credential dumping, and disk encryption (DiskCryptor) components. Scheduled tasks are also used to kick off both a system reboot, and the ransomware component.
While it is tempting to jump to conclusions around the origins of this attack (due to it being similar in functionality to NotPetya), it is important to note that the codebase for Bad Rabbit is not identical/shared with any other previous attack. Any conclusions drawn around attribution are speculative and should be considered with a heaping bowl of salt.
Cylance customers are fully protected against the Bad Rabbit attack. In fact, our technology protects against these types of threats without the need for any updating/adjustments to our detection capabilities. Protecting systems against evil unknowns, whenever they occur, is core to our mission, and Bad Rabbit has again proven the power of our true AI-based approach to full system protection.
Additionally, we have posted two blogs covering the technical details and prevention of this threat. Additional prevention options can be explored as well. These include restricting execution for non-privileged (Read more...)
This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog