Stopping the Bad Rabbit in its Tracks

25 October 2017

Another day, another ransomware outbreak, or so it seems. Today's subject, dubbed 'Bad Rabbit', is yet another variant in the Petya/NotPetya family, spread by way of a fake Flash update screen shown to visitors of compromised websites; the user has to download and run the bogus installer for the infection to start. It demands a ransom of 0.05 BTC, around $272 USD at the time of writing, to decrypt your files. If you don't pay within the first 40 hours, the amount increases.

While this outbreak may seem a world away, having spread first through Russia and Ukraine, it has now been reported in Germany, Turkey, Poland and South Korea. As it continues to spread across networks and through additional compromised sites, there are a couple of steps you can take to prevent Bad Rabbit from making an appearance on your PCs.

  • Create two empty files on each Windows machine, one named infpub.dat and another named cscc.dat, in the C:\Windows\ directory, and remove all permissions on them (disable ACL inheritance and strip every access entry). The ransomware drops its own copies of these files into C:\Windows when it installs; if the files already exist and cannot be overwritten, the install fails. Thanks to Amit Serper (@0xAmit on Twitter) for this one.
  • Train your users to spot fake install/update screens. This is definitely harder than the first step, but it has the added benefit of protecting your users and network from future ransomware and malware. CNet has a good write-up on how to spot fake Flash updates.
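Here is the file-creation step as an added PowerShell script; it is not code from the original post or from Amit Serper, and it assumes the two file names and the C:\Windows path given above. Run it from an elevated (Administrator) PowerShell session on each machine you want to vaccinate.

```powershell
# Added example (not the post's or Amit Serper's code): pre-create the two
# file names Bad Rabbit drops into C:\Windows and strip every permission on
# them, so the dropper's attempt to write its own copies fails.
# Must be run from an elevated (Administrator) PowerShell session.

$vaccineFiles = @('C:\Windows\infpub.dat', 'C:\Windows\cscc.dat')

foreach ($path in $vaccineFiles) {
    # Create an empty placeholder only if nothing is there already.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File | Out-Null
    }

    # Step 1: disable ACL inheritance WITHOUT copying the inherited entries.
    # SetAccessRuleProtection($true, $false) = protect DACL, do not preserve.
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -LiteralPath $path -AclObject $acl

    # Step 2: remove any explicit entries that remain, leaving an empty DACL.
    # Re-read the ACL so only non-inherited rules are listed.
    $acl = Get-Acl -LiteralPath $path
    foreach ($rule in @($acl.Access)) {
        $acl.RemoveAccessRule($rule) | Out-Null
    }
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Verify: each file should exist and carry no access entries at all.
foreach ($path in $vaccineFiles) {
    $count = @((Get-Acl -LiteralPath $path).Access).Count
    if ($count -ne 0) {
        Write-Warning "$path still has $count access entry/entries; check it manually"
    } else {
        Write-Host "$path vaccinated (empty DACL)"
    }
}
```

Two caveats a practitioner should keep in mind. First, the file's owner (the Administrators group, when an admin creates it) can still read and rewrite the ACL, so this works only because the dropper gives up when its write fails rather than fixing the permissions first; it is a stopgap for this specific variant, not a replacement for patching, endpoint protection, or user training. Second, if you later need to remove the files, take ownership or reset the ACL (for example with icacls /reset) before deleting them.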

Ransomware attacks are only increasing in frequency and sophistication over time, so be wary of suspicious-looking updates, prompts, and email attachments—and stay up to date on all system updates.