It seems that we can't get through a week without some new cyber-nasty rearing its ugly head. I'm finding the best part of all this is the imaginative names that new threats come with. It's like the bad guys have marketing departments. So, this week, the ransomware marketing machine has dredged up BadRabbit.
BadRabbit looks like a derivative of NotPetya and has mainly hit systems in Eastern Europe. The main vector used to spread this sucker is dodgy Flash updates distributed as part of a drive-by download. Once it's on a system, it can spread laterally through an organisation without user intervention, using a bunch of known, weak passwords as part of a brute-force attack, as well as exploiting SMB vulnerabilities.
While most end-point security vendors say they protect against BadRabbit, Kaspersky Lab says blocking c:\windows\infpub.dat and C:\Windows\cscc.dat from running will prevent infection.
Palo Alto Networks' Christopher Budd said, "Bad Rabbit is not as widespread of an attack as Petya/NotPetya but is causing severe disruptions where it is occurring. It is similar to Petya/NotPetya in terms of the impact of a successful attack. However, it is a different attack with different malware".
There's a detailed analysis of how BadRabbit works at the Malwarebytes website.
Kevin Epstein, Vice President, Threat Operations at Proofpoint, said "BadRabbit is not leveraging the EternalBlue exploit. We have not observed this malware being spread via email at this time".
As always, defence starts with good cyber hygiene. Patching systems, maintaining up-to-date end-point protection and blocking the ability for unsafe executables to run go a long way to protecting you from threats.