On October 24th, reports began to emerge about a Petya variant dubbed BadRabbit, spreading from Russia, Ukraine, Turkey and Bulgaria. Later that evening our Cyber Defense Center saw infections spreading through western Europe, particularly Belgium and tentatively Sweden. It’s reported BadRabbit has infected networks in the US too.
BadRabbit is an evolution of the (Not)Petya crypto-ransomware. It has some key differences:
- It doesn’t use the EternalBlue SMB vulnerability.
- It uses a fairly straightforward drive-by “flash update” lure to infect machines. In other words, it relies on tricking the user.
- It uses a crude hardcoded password system for “lateral movement”.
- More effort went into the payment and private-key return processes, which run through a TOR website. This indicates that, in contrast with NotPetya, the people behind BadRabbit are more serious about making money off it.
We will closely monitor the impact and share updates over the day. Our Cyber Defense Center customers will get new information as it comes in.
How to mitigate
- Most AV products have updated signatures that detect BadRabbit.
- Furthermore, as long as you don’t run with administrator privileges, you should be OK: researchers report they haven’t found any UAC-bypass techniques.
- Another researcher has found a “vaccination” for BadRabbit: creating two files (c:\windows\infpub.dat and c:\windows\cscc.dat) and removing all permissions on them stops BadRabbit in its tracks. We have tried this method and can confirm it works.
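The vaccination step above, written out as a PowerShell script. This is an added example, not code from the original post or from the researcher who published the vaccine; it assumes an elevated prompt on the affected Windows host and uses only the two file paths named above (resolved through `$env:SystemRoot`). The function names `Set-VaccineFile` and `Test-VaccineFile` are our own.

```powershell
# Added example (not from the original post): BadRabbit "vaccination".
# Creates C:\Windows\infpub.dat and C:\Windows\cscc.dat, disables ACL
# inheritance and strips every access control entry, so the malware's
# dropper cannot write its own copies over them. Run from an elevated prompt.
#Requires -RunAsAdministrator

# The two paths named in the post (assumption: SystemRoot is C:\Windows).
$VaccineFiles = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

function Set-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    # Create an empty placeholder file if it is not already there.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    $acl = Get-Acl -LiteralPath $Path
    # Disable inheritance and discard the inherited entries
    # ($true = protect the DACL, $false = do not copy inherited ACEs).
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any remaining explicit entries as well, leaving no permissions at all.
    foreach ($rule in @($acl.Access)) {
        $acl.RemoveAccessRuleAll($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-VaccineFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    # Vaccinated when the file exists and carries no access entries.
    return ($acl.Access.Count -eq 0)
}

foreach ($file in $VaccineFiles) {
    Set-VaccineFile -Path $file
    $state = if (Test-VaccineFile -Path $file) { "vaccinated" } else { "NOT vaccinated" }
    "{0}: {1}" -f $file, $state
}
```

Because the files end up with an empty DACL, only the owner (the account that created them) can later change their permissions; keep that in mind if you ever need to remove the vaccine. `Test-VaccineFile` can be run on its own across hosts to check which machines already carry the placeholder files.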