On October 24,
What we’re doing:
- Specific detection rules have been deployed to esNETWORK™ sensors.
- Known file hashes have been blacklisted in esENDPOINT™ to prevent execution.
- Distribution sites have been blacklisted using Asset Manager Protect, via
What you should do:
- Disable local admin shares using Group Policy. Deny remote use of local admin credentials.
- Avoid reusing local administrator account passwords across systems.
- Disable or limit remote WMI and file sharing.
- Conduct regular backups of data.
- Limit workstation-to-workstation communication using host-based firewalls.
- Additional prevention steps can be found in US-CERT Alert TA17-181A.
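The following PowerShell script is an added example, not part of the advisory or any eSentire tooling: it audits a Windows workstation against the hardening steps listed above (administrative shares, remote use of local administrator credentials, inbound WMI, workstation-to-workstation SMB, and a rough backup check) and, with `-Remediate`, applies the settings. The registry values and firewall cmdlets are the standard Windows ones; the workstation subnet is a placeholder you must replace, and the shadow-copy check is only a proxy for real backups.

```powershell
# Added example (not from the advisory). Run as administrator on a workstation.
# Without -Remediate the script only reports; with it, settings are changed.
# Assumes Windows Defender Firewall and PowerShell 5.1+ with the NetSecurity module.
param([switch]$Remediate)

$findings = @()
function Add-Finding($Check, $Ok, $Detail) {
    $script:findings += [pscustomobject]@{ Check = $Check; OK = $Ok; Detail = $Detail }
}

# 1. Administrative shares (C$, ADMIN$): AutoShareWks = 0 stops the Server service
#    from recreating them at boot. AutoShareServer is the equivalent on servers.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$autoShare = (Get-ItemProperty -Path $lanman -Name AutoShareWks -ErrorAction SilentlyContinue).AutoShareWks
if ($autoShare -ne 0 -and $Remediate) {
    Set-ItemProperty -Path $lanman -Name AutoShareWks -Value 0 -Type DWord
    $autoShare = 0
}
Add-Finding 'Admin shares disabled' ($autoShare -eq 0) "AutoShareWks=$autoShare (expect 0)"

# 2. Remote use of local admin credentials: LocalAccountTokenFilterPolicy = 0 (or absent)
#    keeps UAC remote restrictions on, so a local administrator authenticating over the
#    network receives a filtered, non-admin token. A value of 1 removes that protection.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$latfp = (Get-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($latfp -eq 1 -and $Remediate) {
    Set-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord
    $latfp = 0
}
Add-Finding 'Remote local-admin logons restricted' ($latfp -ne 1) "LocalAccountTokenFilterPolicy=$latfp (expect 0 or absent)"

# 3. Remote WMI: the built-in inbound firewall rule group that admits WMI/DCOM traffic.
$wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound -ErrorAction SilentlyContinue
$wmiOpen = @($wmiRules | Where-Object { $_.Enabled -eq 'True' }).Count
if ($wmiOpen -gt 0 -and $Remediate) {
    $wmiRules | Disable-NetFirewallRule
    $wmiOpen = 0
}
Add-Finding 'Inbound WMI firewall rules disabled' ($wmiOpen -eq 0) "$wmiOpen inbound WMI rule(s) enabled"

# 4. Workstation-to-workstation SMB: host-based firewall rule blocking inbound TCP 445/139
#    from the workstation address range.
$wsSubnet = '10.0.0.0/16'   # ASSUMPTION / placeholder: replace with the real workstation subnet
$ruleName = 'Block inbound SMB from workstations'
$smbRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $smbRule -and $Remediate) {
    $smbRule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445,139 -RemoteAddress $wsSubnet -Action Block -Profile Domain,Private
}
Add-Finding 'Inbound SMB blocked from workstation subnet' ([bool]$smbRule) "rule '$ruleName' present: $([bool]$smbRule)"

# 5. Backups: a cheap proxy check only. Shadow copies are routinely deleted by
#    ransomware, so offline backups must be verified separately.
$shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
Add-Finding 'Local shadow copies present (proxy for backups)' ($shadowCount -gt 0) "$shadowCount shadow copies; verify offline backups separately"

$findings | Format-Table -AutoSize
```

Run it once without `-Remediate` to see the current state, then again with the switch. Group Policy remains the right way to roll these settings out fleet-wide; the script is for verifying a single host or remediating one that policy has not yet reached.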
- The ransomware dropper is distributed via a fake Adobe Flash update delivered via drive-by download attacks. The victim must manually download and execute the file with administrator privileges.
- Bad Rabbit uses Mimikatz to extract credentials from the system and spreads via Server Message Block (SMB) and WMIC using compromised credentials or a hardcoded credential dictionary. It does not use the EternalBlue exploit (unlike NotPetya).
- We advise that those who fall victim to a ransomware attack should not pay ransom demands, as there is no guarantee that files will be decrypted.
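Because Bad Rabbit spreads over SMB and WMIC with reused local credentials or a built-in credential list, the two most useful host-log signals are a network logon with a machine's own local account and a burst of failed logons for many different usernames from one source. The PowerShell below is an added example, not from the advisory: it runs both detections over constructed sample events whose fields mirror Security log IDs 4624 and 4625 (in production the input would come from `Get-WinEvent`), and the domain name and threshold are assumptions.

```powershell
# Added example (not from the advisory). Sample events are constructed so the
# script runs offline; field names follow the 4624/4625 Security events.
$Domain    = 'CORP'   # ASSUMPTION: the organisation's AD domain name
$Threshold = 5        # distinct usernames failing from one source before alerting

# Constructed sample: 10.0.1.7 tries a list of account names against WS-12, then
# succeeds with WS-12's own local Administrator account over the network.
$events = @(
    [pscustomobject]@{ Id=4624; Time='2017-10-24T10:01:00'; Computer='WS-12'; TargetUser='alice';         TargetDomain='CORP';  LogonType=3; IpAddress='10.0.1.20' }
    [pscustomobject]@{ Id=4625; Time='2017-10-24T10:02:01'; Computer='WS-12'; TargetUser='Administrator'; TargetDomain='WS-12'; LogonType=3; IpAddress='10.0.1.7' }
    [pscustomobject]@{ Id=4625; Time='2017-10-24T10:02:02'; Computer='WS-12'; TargetUser='Admin';         TargetDomain='WS-12'; LogonType=3; IpAddress='10.0.1.7' }
    [pscustomobject]@{ Id=4625; Time='2017-10-24T10:02:03'; Computer='WS-12'; TargetUser='User';          TargetDomain='WS-12'; LogonType=3; IpAddress='10.0.1.7' }
    [pscustomobject]@{ Id=4625; Time='2017-10-24T10:02:04'; Computer='WS-12'; TargetUser='Guest';         TargetDomain='WS-12'; LogonType=3; IpAddress='10.0.1.7' }
    [pscustomobject]@{ Id=4625; Time='2017-10-24T10:02:05'; Computer='WS-12'; TargetUser='root';          TargetDomain='WS-12'; LogonType=3; IpAddress='10.0.1.7' }
    [pscustomobject]@{ Id=4624; Time='2017-10-24T10:02:09'; Computer='WS-12'; TargetUser='Administrator'; TargetDomain='WS-12'; LogonType=3; IpAddress='10.0.1.7' }
    [pscustomobject]@{ Id=4624; Time='2017-10-24T10:05:00'; Computer='WS-12'; TargetUser='bob';           TargetDomain='CORP';  LogonType=2; IpAddress='127.0.0.1' }
)

function Find-LocalAccountNetworkLogons($Events, $DomainName) {
    # Logon type 3 (network) where the account's domain is the host itself means a
    # local account was used over SMB/WMI from another machine. That is rare in normal
    # workstation traffic and is exactly how reused local-admin passwords get abused.
    $Events | Where-Object {
        $_.Id -eq 4624 -and $_.LogonType -eq 3 -and
        $_.TargetDomain -ne $DomainName -and $_.TargetDomain -eq $_.Computer
    }
}

function Find-CredentialDictionary($Events, $MinUsers) {
    # Many distinct usernames failing (4625) from one source against one host is the
    # footprint of a hardcoded credential list being tried.
    $Events | Where-Object { $_.Id -eq 4625 } |
        Group-Object IpAddress, Computer |
        ForEach-Object {
            $users = @($_.Group.TargetUser | Sort-Object -Unique)
            if ($users.Count -ge $MinUsers) {
                [pscustomobject]@{
                    Source = $_.Group[0].IpAddress; Target = $_.Group[0].Computer
                    DistinctUsers = $users.Count;   Users  = ($users -join ',')
                }
            }
        }
}

$spray = @(Find-CredentialDictionary $events $Threshold)
$local = @(Find-LocalAccountNetworkLogons $events $Domain)

# Correlate: a local-account network logon from a source that also tried a
# credential list against the same host is the high-severity combination.
foreach ($l in $local) {
    $matched = $spray | Where-Object { $_.Source -eq $l.IpAddress -and $_.Target -eq $l.Computer }
    $sev = if ($matched) { 'HIGH' } else { 'MEDIUM' }
    "[$sev] $($l.Time) local account $($l.TargetDomain)\$($l.TargetUser) logged on to $($l.Computer) over the network from $($l.IpAddress)"
}
foreach ($s in $spray) {
    "[MEDIUM] $($s.DistinctUsers) distinct usernames failed from $($s.Source) against $($s.Target): $($s.Users)"
}
```

On the sample data this prints one HIGH line (the local Administrator network logon from 10.0.1.7, which also appears in the dictionary alert) and one MEDIUM line for the five failed usernames; the domain-account logons are ignored. To run it against real data, replace `$events` with objects built from the `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}` output, mapping the event's TargetUserName, TargetDomainName, LogonType and IpAddress fields.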
For more information please visit: