A new, highly capable ransomware dubbed BadRabbit surfaced overnight, infecting Windows machines whose users visit certain malicious websites.

Security experts say most of BadRabbit’s victims are located in Russia, Ukraine, and Bulgaria with some infections registered in Japan.

Infection begins through malicious and seemingly legitimate websites that are designed to appeal to specific audiences. These are known as watering hole websites. Visitors to these websites are greeted with messages that pretend to offer updates to Adobe Flash.

BadRabbit infects users who install those fake updates.

Keep safe

The best defence against BadRabbit is cyber security best practice.

All users:

  • Only install Flash updates from within the application or from Adobe’s official site.
  • Ensure Windows is automatically updated.
  • Ensure antivirus is automatically updated.

Windows 10 users:

Additionally, Windows 10 users should consider activating a new free feature called Controlled Folder Access which can protect files from ransomware and other malware.

Follow the above tips and consider:

  • Disabling SMB version 1.
  • Ensuring administrator passwords are complex and unique. Reused domain administrator accounts could lead to BadRabbit spreading and causing mass compromise.
  • Restricting administrator rights on endpoints.
  • Distributing the files c:\windows\infpub.dat and c:\windows\cscc.dat to Windows endpoints and marking them read-only. These files serve as a killswitch preventing BadRabbit from firing.
  • Disabling Windows Management Instrumentation (WMI) service.
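The endpoint-side items in the list above (SMBv1, Controlled Folder Access, the killswitch files, WMI) can be applied from an elevated PowerShell session. The script below is an added example, not code from the original article; the function names are assumptions, while the cmdlets are the standard Windows 10 and Windows Defender ones. It checks the state of each setting, applies the change, and reports the result so the outcome can be confirmed.

```powershell
#Requires -RunAsAdministrator
# Added hardening example (not part of the original article). Applies the
# endpoint mitigations listed above on a single Windows 10 machine and prints
# the resulting state of each setting. Function names are assumptions.

function Disable-Smb1 {
    # Remove SMBv1 both as an optional feature and in the SMB server configuration.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $state = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    Write-Output "SMBv1 feature state: $state"
}

function Enable-ControlledFolderAccess {
    # Windows Defender Controlled Folder Access: 0 = Disabled, 1 = Enabled, 2 = AuditMode
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Write-Output "Controlled Folder Access: $((Get-MpPreference).EnableControlledFolderAccess)"
}

function Install-BadRabbitKillswitch {
    # Create the two files named in the article (empty) and mark them read-only.
    foreach ($name in 'infpub.dat', 'cscc.dat') {
        $path = Join-Path $env:windir $name
        if (-not (Test-Path $path)) {
            New-Item -Path $path -ItemType File | Out-Null
        }
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
        Write-Output "$path read-only: $((Get-Item $path).IsReadOnly)"
    }
}

function Disable-WmiService {
    # WMI (Winmgmt) is relied on by monitoring and software-deployment tooling,
    # so this is left as an explicit call rather than run by default.
    Stop-Service -Name Winmgmt -Force
    Set-Service -Name Winmgmt -StartupType Disabled
    Write-Output "Winmgmt startup type: $((Get-Service -Name Winmgmt).StartType)"
}

Disable-Smb1
Enable-ControlledFolderAccess
Install-BadRabbitKillswitch
# Disable-WmiService   # uncomment once the impact on management tooling is assessed
```

Disabling the SMB1Protocol optional feature takes effect after a reboot, which is why the script also flips the server-side setting immediately. The WMI step is deliberately opt-in: many enterprise agents stop working without it, so weigh that against the article's advice before enabling it fleet-wide.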

For the geeks

BadRabbit, while modelled on the June NotPetya wiper malware, does not spread via EternalBlue (MS17-010).

It searches for 13 SMB shares open on internal networks and uses Mimikatz to pull credentials from memory, along with a short list of hardcoded default logins.

BadRabbit encrypts the Master File Table and sets a reboot via a Windows scheduled task to complete the action. Some of those tasks are named with Game of Thrones references, Drogon and Rhaegal.
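The scheduled-task names and the two dropped files give a responder something concrete to look for on an endpoint. The triage function below is an added example, not code from the original article: the task names and file paths are those the article cites, and the function name and output format are assumptions. It also reports whether SMBv1 is still enabled, since that is the condition the administrator checklist above asks to remove.

```powershell
# Added triage example (not part of the original article). Collects the
# BadRabbit artefacts named in the text from the local machine and returns
# them as objects. Function name and output shape are assumptions.

function Get-BadRabbitIndicators {
    $findings = @()

    # Scheduled tasks carrying the Game of Thrones names the article cites.
    $taskNames = 'drogon', 'rhaegal'
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        if ($taskNames -contains $task.TaskName.ToLower()) {
            $actions = $task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Name   = $task.TaskName
                Detail = ($actions -join '; ')
            }
        }
    }

    # Dropped files. A zero-length, read-only copy is the killswitch from the
    # hardening advice; anything else at these paths warrants investigation.
    foreach ($name in 'infpub.dat', 'cscc.dat') {
        $path = Join-Path $env:windir $name
        if (Test-Path $path) {
            $item = Get-Item $path
            $findings += [pscustomobject]@{
                Type   = 'File'
                Name   = $path
                Detail = "size=$($item.Length) readonly=$($item.IsReadOnly) modified=$($item.LastWriteTime)"
            }
        }
    }

    # SMBv1 still enabled leaves the share-based spreading path open.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += [pscustomobject]@{ Type = 'Config'; Name = 'SMB1Protocol'; Detail = 'enabled' }
    }

    return $findings
}

Get-BadRabbitIndicators | Format-Table -AutoSize
```

Run it as a local administrator so that every scheduled task is visible; a scheduled task matching either name, or a non-empty file at either path, is a hit worth escalating, while a zero-length read-only file is the expected result of the killswitch deployment.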

Encryption occurs using the open source DiskCryptor full drive encryption platform and 2048-bit encrypted keys.