enSilo Protects OOTB: Bad Rabbit Ransomware
WHAT IS KNOWN?
Bad Rabbit is a new ransomware campaign discovered yesterday, October 24, 2017, by ESET researchers. (enSilo’s endpoint protection platform already protects against this.)
Method of Distribution?
The ransomware was distributed via a fake Flash update.
Currently, there is no evidence of any targeted industries.
What is known at the moment is that Bad Rabbit ransomware was mainly spread in Russia, Ukraine, Turkey, Bulgaria. Today, it appears that Bad Rabbit ransomware has been detected in the United States.
How is Bad Rabbit being distributed?
It can occur when a user is browsing. A fake pop-up of a Flash update will appear. Then an installer of Flash is piggy-backed with an added DLL.
The capability to spread laterally through an organization.
How is it Spreading?
Searches, Looks, Sees, Spreads. Searches for specific credentials, looks for open shares and sees if any open shares are open and then spreads like a worm. It has two capabilities of spreading via SMB.
1. Open SMB shares. If open spread through SMB protocol
2. Hardcoded list. Hard coded list of user names and passwords. It has its own payload of MimiKats.
Most Important Take Away
- Any attempt of Bad Rabbit to spread or encrypt files is blocked by enSilo.
Any attempt by Bad Rabbit to spread via SMB is blocked out-of-the-box by enSilo’s Exfiltration Prevention policy.
Any attempt by Bad Rabbit to encrypt files is blocked out-of-the-box by enSilo’s Ransomware Prevention policy.