Update: BadRabbit – What you Need to Know
Update: While there have been reports that BadRabbit has infected some US machines, it doesn’t seem to be as widespread as initially feared. This doesn’t mean we should let our guard down. Continue to work with your end users to make sure they don’t click to update Flash except from Adobe’s site. Also, train them to be wary of updates that are not pushed down from either internal IT or their IT provider.
Currently, in Russia, Ukraine, Japan and Germany there is another cryptolocker outbreak, called BadRabbit. We at Thrive are concerned this might turn global, so we want to update everyone on what it is, how it works, and how you can protect yourselves.
This is not a zero-day attack; it is a combination of social engineering and the re-use of other attacks. There are three main stages to this attack.
Initially, the malware poses as a fake Flash update, hoping users will download and run it. Since Flash constantly needs updates, a prompt like this is not unexpected for the user to see. Currently, the malware is being hosted on hacked Russian media websites, but there may be other locations hosting it.
Once the user runs the fake Flash update, the malware tries to spread via SMB (Windows file sharing). This is very much like the Petya attack that we saw a few months ago. All Thrive clients have already been patched for this, so the chance of it spreading once inside your network is very small. It also uses a fixed list of common weak passwords to try to propagate through the network, so always use strong passwords, even inside your corporate firewall.
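The two stages above, the fake Flash download and the SMB password-guessing spread, each leave a recognisable trace in ordinary logs. The script below is an added example written for this post, not Thrive's tooling or anything from the BadRabbit sample itself. It assumes two constructed log formats: proxy lines of the form `<timestamp> <client_ip> <method> <url>`, and authentication-failure lines of the form `<timestamp> <source_ip> <target_host> LOGON_FAILURE <user>`. The first check flags executable "Flash" downloads that did not come from Adobe; the second flags a single source whose failed logons fan out across several hosts, which is the pattern a fixed-password-list worm leaves, as opposed to one user mistyping a password against one server.

```python
"""Defender-side checks for the two BadRabbit stages described in the post.

Added example, not Thrive's code. Both log formats and every sample line
below are constructed for this example.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Hosts from which a legitimate Flash installer would be expected to come
# (assumption: only Adobe's own domain is trusted for Flash downloads).
TRUSTED_FLASH_HOSTS = ("adobe.com",)


def host_is_trusted(host, trusted=TRUSTED_FLASH_HOSTS):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def looks_like_flash_installer(url):
    """Crude installer heuristic: a .exe whose path mentions 'flash'."""
    path = urlparse(url).path.lower()
    return "flash" in path and path.endswith(".exe")


def find_suspect_flash_downloads(proxy_lines):
    """Return (client_ip, url) for Flash-installer downloads from untrusted hosts."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        client_ip, url = parts[1], parts[3]
        host = urlparse(url).hostname or ""
        if looks_like_flash_installer(url) and not host_is_trusted(host):
            hits.append((client_ip, url))
    return hits


def find_password_spray_sources(auth_lines, min_targets=3, min_failures=5):
    """Return source IPs whose logon failures spread across many target hosts.

    One source failing against several different machines within a log window
    is what a worm trying a fixed password list over SMB looks like; a user
    mistyping a password hits one host only and is not reported.
    """
    failures = defaultdict(int)
    targets = defaultdict(set)
    for line in auth_lines:
        parts = line.split()
        if len(parts) < 5 or parts[3] != "LOGON_FAILURE":
            continue
        src, target = parts[1], parts[2]
        failures[src] += 1
        targets[src].add(target)
    return sorted(src for src in failures
                  if failures[src] >= min_failures and len(targets[src]) >= min_targets)


# Constructed sample proxy log: one real Adobe download, two fakes, one HTML page.
PROXY_SAMPLE = [
    "2017-10-24T09:01:02 10.0.0.15 GET https://get.adobe.com/flashplayer/download/flash_player.exe",
    "2017-10-24T09:03:10 10.0.0.22 GET http://news.example-media.test/install_flash_player.exe",
    "2017-10-24T09:04:00 10.0.0.22 GET http://news.example-media.test/index.html",
    "2017-10-24T09:05:00 10.0.0.31 GET http://cdn.example.test/flash_update.exe",
]

# Constructed sample auth log: 10.0.0.22 fans out across five hosts (spray),
# 10.0.0.40 fails six times against a single host (typo), 10.0.0.50 fails once.
AUTH_SAMPLE = [
    f"2017-10-24T09:10:{i:02d} 10.0.0.22 srv-{n} LOGON_FAILURE administrator"
    for i, n in enumerate(("fs1", "fs2", "dc1", "app1", "hr1"))
] + [
    f"2017-10-24T09:12:{i:02d} 10.0.0.40 fs1 LOGON_FAILURE jsmith" for i in range(6)
] + ["2017-10-24T09:13:00 10.0.0.50 fs2 LOGON_FAILURE backup"]


if __name__ == "__main__":
    for ip, url in find_suspect_flash_downloads(PROXY_SAMPLE):
        print(f"suspect Flash download: {ip} -> {url}")
    for ip in find_password_spray_sources(AUTH_SAMPLE):
        print(f"possible SMB password spray from {ip}")
```

The thresholds (`min_targets`, `min_failures`) are deliberately parameters: tune them to the size of your environment, and treat a hit as a prompt to isolate the source machine and check whether a Flash-named executable was run on it shortly before the logon failures began.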
Finally, it encrypts your data and posts a w