Are you sick of ransomware yet? I sure am. Nonetheless, another new Ransomworm started spreading through Eastern Europe on Tuesday.
Called Bad Rabbit, this new ransomware variant primarily affected companies in Russia and the Ukraine, although it has had limited distribution in a few other countries as well. Victims seem to get it by visiting a hijacked or malicious web site that offers up a “Flash” update. Of course, this update is just a ruse, and the victim really installs this new ransomware sample. I call this a ransomworm because, like WannaCry, it has features that allow it to spread automatically through your local network. Unlike WannaCry, however, it doesn’t leverage the NSA-leaked SMB vulnerability, rather it uses hard-coded or stolen passwords to try to connect to other network computers. Watch my YouTube video below to learn more about Bad Rabbit, and how you can make sure you aren’t affected by it.
Quick note for WatchGuard Firebox users that want to know how our products block this threat:
- If you have APT Blocker, it could catch and block this ransomware immediately.
- Our GAV product did not catch this zero hour (that’s what APT Blocker is for), but did get signatures updates to catch it within the day.
- Our Threat Detection and Response product will detect Bad Rabbit’s files, and we updated HRP so that it should prevent known variants from running on your computer.
Episode Runtime: 3:52
Direct YouTube Link: https://www.youtube.com/watch?v=g9zTDRr8HRM
- New ransomworm hitting Russia and Ukraine – Ars Technica
- A strain of ransomware spreads in Eastern Europe – Technology Review
- Russian news hacked by ransomware – Forbes
- Researcher’s tweet about DiskCryptor – Twitter
- Researcher’s tweet about hard-coded credentials – Twitter
—Corey Nachreiner, CISSP (@SecAdept)
Leave a Reply