BadRabbit Up And Running

According to reports, a new ransomware infection dubbed “BadRabbit” is spreading in Russia and Ukraine, and one or two other places further afield. Early indications are that this is not going to become a really nasty problem, but that could be wrong.

The infection spreads via one of three methods known :-

  1. Via email promising an update to Adobe Flash player, which is a widely exploited piece of software that has had many updates distributed although not in this way.
  2. By scanning for and exploiting an old vulnerability in Microsoft’s file sharing protocol (“EternalBlue”).
  3. By making use of MiniKatz to break in with compromised credentials.

Of the methods, the last is the most serious as it would allow the infection to spread within the University. But the most likely method to break in from outside the University is the first method.

Once a machine is infected, it will immediately try to spread itself, and infect local files.

In terms of genuine measurements of how bad this problem is, the firewall is blocking incoming traffic to the Microsoft file sharing service, and the sum of each day’s block over the whole of October amounts to about 15-25 million per day. Whilst there is some increase in the last week, there is nothing to indicate that BadRabbit is having a significant effect on the network.

This entry was posted in Active Attacks, Malware and tagged , . Bookmark the permalink.