When Bad Rabbit first appeared
Posted: Thu Feb 13, 2025 3:10 am
5. It can spread horizontally across networks...
Much like Petya, Bad Rabbit has a dangerous secret up its sleeve: the malware contains an SMB component that allows it to move horizontally across an infected network and spread without user intervention, Cisco Talos researchers say.
Bad Rabbit is aided in its spread by a list of simple username and password combinations that can be used to brute-force its way through networks. The list of weak passwords contains a number of common variations, such as simple combinations of numbers or the word "password."
6. ... but doesn't use EternalBlue. There were suggestions that it, like WannaCry, used the EternalBlue exploit to spread. But that doesn't seem to be the case.
"We currently have no reason to believe that the EternalBlue exploit was used to spread the infection," said Martin Lee, technical lead for the Security Research group at Talos.
7. It's not promiscuous. The WannaCry ransomware affected hundreds of thousands of systems worldwide. But Bad Rabbit doesn't seem to be indiscriminate, and researchers believe it only infects select targets.
“Based on our observations, this was a targeted attack against corporate networks,” Kaspersky Lab researchers reported.
And ESET researchers note that script instructions embedded in infected websites can determine whether a visitor is interesting and add content to the page if the target is deemed suitable for infection.
However, at this stage there is no obvious explanation as to why media organizations and infrastructure in Russia and Ukraine were specifically targeted.
8. It's unclear who's behind the attack. It's unclear who's distributing this ransomware and why, but the similarities to Petya have led some researchers to believe that Bad Rabbit comes from the same group of attackers — although that doesn't help in finding either the attack's initiator or their motives, since the criminal who orchestrated the June outbreak hasn't been identified.