ENSILO BLOG 

enSilo Protects OOTB: Bad Rabbit Ransomware

WHAT IS KNOWN?

Bad Rabbit is a new ransomware campaign discovered yesterday, October 24, 2017, by ESET researchers. (enSilo’s endpoint protection platform already protects against this.)

Method of Distribution?

The ransomware was distributed via a fake Flash update.

Industries affected?

Currently, there is no evidence of any targeted industries.

Targeted countries?

What is known at the moment is that Bad Rabbit was mainly spread in Russia, Ukraine, Turkey and Bulgaria. Today, it appears that Bad Rabbit has also been detected in the United States.

How is Bad Rabbit being distributed?

Infection starts while the user is browsing: a fake pop-up offering a Flash update appears, and the "installer" the user downloads and runs carries the ransomware as an added DLL. The user has to run the file; no browser exploit is involved, so the initial infection depends on tricking the user into executing it.

Greatest Concern

The capability to spread laterally through an organization.

How is it Spreading?

Once on a machine it searches for credentials, looks for open shares on other hosts, and then spreads like a worm. It has two ways of spreading over SMB:

1. Open SMB shares. It looks for shares that are reachable from the infected host and, where they are open, copies itself over the SMB protocol.

2. Hardcoded credential list. It carries a hard-coded list of user names and passwords that it tries against other hosts over SMB, and it also carries its own Mimikatz payload to harvest credentials from the infected machine and add them to that list.

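As an added example (not enSilo's code and not part of the original post), the following Python script shows one way to spot the second spreading technique in Windows Security logs: a single source address producing a burst of failed network logons (Event ID 4625, logon type 3) under many different account names against several hosts, followed by a successful network logon (4624) from the same source. The pipe-delimited log format, the host names, the account names and the thresholds are all constructed for the example and are not from the original page or from Bad Rabbit's actual credential list.

```python
"""Flag Bad Rabbit-style SMB credential spraying from exported logon events.

Added example; assumes events were exported to a constructed pipe-delimited
text format whose fields mirror Windows Event ID 4624/4625. Not enSilo's code.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class LogonEvent(NamedTuple):
    ts: datetime
    event_id: int     # 4625 = failed logon, 4624 = successful logon
    logon_type: int   # 3 = network logon, which an SMB authentication produces
    target_host: str  # computer that recorded the event (the SMB server side)
    source_ip: str    # "Source Network Address" on the event (the SMB client side)
    user: str         # account name the client presented


# Constructed sample data: ts|event_id|logon_type|target_host|source_ip|user
SAMPLE_EVENTS = """\
# one source walking a name/password list across two hosts, then succeeding
2017-10-24T10:00:01|4625|3|FILESRV-01|10.0.5.23|Administrator
2017-10-24T10:00:01|4625|3|FILESRV-01|10.0.5.23|Admin
2017-10-24T10:00:02|4625|3|FILESRV-01|10.0.5.23|Guest
2017-10-24T10:00:02|4625|3|FILESRV-01|10.0.5.23|User
2017-10-24T10:00:03|4625|3|FILESRV-01|10.0.5.23|root
2017-10-24T10:00:04|4625|3|WS-FIN-08|10.0.5.23|Administrator
2017-10-24T10:00:04|4625|3|WS-FIN-08|10.0.5.23|Admin
2017-10-24T10:00:05|4625|3|WS-FIN-08|10.0.5.23|backup
2017-10-24T10:00:06|4624|3|WS-FIN-08|10.0.5.23|Administrator
# a user mistyping a password twice is not a spray
2017-10-24T10:01:10|4625|3|FILESRV-01|10.0.5.40|jsmith
2017-10-24T10:01:15|4625|3|FILESRV-01|10.0.5.40|jsmith
2017-10-24T10:01:20|4624|3|FILESRV-01|10.0.5.40|jsmith
# logon type 2 is a console logon, not SMB, so it is ignored
2017-10-24T10:02:00|4625|2|WS-FIN-09|-|Administrator
"""


def parse_events(text: str) -> List[LogonEvent]:
    """Parse the constructed export format, skipping blank and comment lines."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, eid, ltype, host, src, user = line.split("|")
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid),
                                 int(ltype), host, src, user))
    return events


def find_smb_sprayers(events: List[LogonEvent],
                      window: timedelta = timedelta(minutes=5),
                      min_users: int = 5,
                      min_targets: int = 2) -> Dict[str, dict]:
    """Return {source_ip: summary} for sources whose failed network logons
    within `window` cover at least `min_users` accounts on at least
    `min_targets` hosts. The summary also lists network logons from that
    source that succeeded after the spray began, which is the sign that the
    worm found a working credential and can copy itself to that host."""
    by_source: Dict[str, List[LogonEvent]] = defaultdict(list)
    for e in events:
        if e.logon_type == 3:  # only SMB-style network logons are relevant
            by_source[e.source_ip].append(e)

    hits: Dict[str, dict] = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        failures = [e for e in evs if e.event_id == 4625]
        lo = 0
        for hi in range(len(failures)):
            # slide the window start forward so failures[lo:hi+1] spans <= window
            while failures[hi].ts - failures[lo].ts > window:
                lo += 1
            burst = failures[lo:hi + 1]
            if (len({e.user for e in burst}) >= min_users
                    and len({e.target_host for e in burst}) >= min_targets):
                spray_start = burst[0].ts
                spray = [e for e in failures if e.ts >= spray_start]
                hits[src] = {
                    "first_seen": spray_start,
                    "usernames_tried": sorted({e.user for e in spray}),
                    "hosts_targeted": sorted({e.target_host for e in spray}),
                    "successful_logons": sorted({(e.target_host, e.user) for e in evs
                                                 if e.event_id == 4624
                                                 and e.ts >= spray_start}),
                }
                break  # one report per source is enough
    return hits


if __name__ == "__main__":
    for src, summary in find_smb_sprayers(parse_events(SAMPLE_EVENTS)).items():
        print(src, summary)
```

The thresholds are deliberately low for the constructed sample; in a real environment tune `min_users` and `window` against normal failure rates, and treat any entry with a non-empty `successful_logons` list as a host that has probably already been reached.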

Most Important Take Away

  • Any attempt of Bad Rabbit to spread or encrypt files is blocked by enSilo.

[Screenshot: Exfiltration Prevention]

Any attempt by Bad Rabbit to spread via SMB is blocked out-of-the-box by enSilo’s Exfiltration Prevention policy.

[Screenshot: Ransomware Prevention]

Any attempt by Bad Rabbit to encrypt files is blocked out-of-the-box by enSilo’s Ransomware Prevention policy.
