Update: BadRabbit – What you Need to Know

Update: While there have been updates that BadRabbit has infected some US machines, it doesn’t seem to be as widespread as initially feared.  This isn’t to mean that we should let our guards down.  Continue to work with your end users to make sure they don’t click to update flash, except from Adobe’s site.  Also, train them to be wary of updates that are not pushed down from either internal IT or their IT provider.

Currently, in Russian, Ukraine, Japan and Germany there is another cryptolocker outbreak called BadRabbit. We at Thrive are concerned this might turn global, so we want to update everyone on what it is, how it works, and how you can protect yourselves.

This is not a zero-day attack, this is a combination of social engineering and re-using other attacks. There are three main stages to this attack.

Initially, the attacker poses as a fake flash update, hoping the users will download and run the update. Since flash is constantly needing updates, this is not unexpected for the user to see. Currently, the malware is being hosted on hacked Russian media websites. But there might be other locations where this is being hosted.

Once the user runs the flash update the malware tries to spread via SMB (windows file share). This is very much like the Petya attack that we saw a few months ago. All Thrive clients already have been patched for this, so the chance of it spreading once inside your network is very small. It also uses a standard list of bad passwords to try to propagate through the network. So always use strong passwords even inside your corporate firewall.

Finally, it encrypts your data and posts a warning to pay approximately $283.
Most of the major Anti-Virus vendors are already blocking this. If you want to know the technical details, we recommend preventing the following files from executing:

C:\Windows\infpub.dat
C:\Windows\ccscc.dat

While all Thrive customers should be protected from this malware with the combination of both patching and antivirus, we still recommend warning your users not to click on any applications that ask you to update your flash. If possible, you might want to consider turning off flash on your corporate machines. If you are not a Thrive customer or do not take advantage of our managed workstations or servers, make sure your machines are patched and running updated antivirus software.

We recommend contacting your Thrive Account Manager to discuss Security Awareness Training or patching if you don’t already have it.