BadRabbit ransomware is an ongoing campaign that currently affects organizations across Eastern Europe and Russia. It encrypts data on infected systems and demands a ransom payment in Bitcoin.
Reports indicate that BadRabbit is a new variant of the Petya ransomware family. It is currently distributed through a fake Adobe Flash Player installer: compromised media and news websites prompt visitors to download the installer, and the system is infected when the user runs it. Although delivered as a drive-by download, the initial compromise depends on the user executing the file and does not use any software exploit.
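Because the initial infection requires a Flash Player installer to be fetched from a compromised site rather than from Adobe, one practical check is to sweep web proxy logs for installer-like downloads from non-Adobe hosts. The script below is an added example and is not part of the Cisco advisory or of Talos's research: the log format, the sample lines, the hostnames and the filename pattern are all constructed for illustration, and the assumption that legitimate installers come only from adobe.com and its subdomains is the example's own.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not real data). Fields: timestamp, client IP,
# method, URL, HTTP status, content type. The hostnames are reserved .example names.
SAMPLE_PROXY_LOG = """\
2017-10-24T10:01:02Z 10.1.2.3 GET http://news-site.example/index.html 200 text/html
2017-10-24T10:01:05Z 10.1.2.3 GET http://news-site.example/flash_install.php 200 text/html
2017-10-24T10:01:09Z 10.1.2.3 GET http://cdn-updates.example/install_flash_player.exe 200 application/octet-stream
2017-10-24T10:03:11Z 10.1.2.9 GET https://get.adobe.com/flashplayer/download/ 200 text/html
2017-10-24T10:03:20Z 10.1.2.9 GET https://fpdownload.adobe.com/get/flashplayer/pdc/install_flash_player.exe 200 application/octet-stream
"""

# Assumption: a genuine Flash Player installer is only ever served from adobe.com
# or one of its subdomains. Extend this tuple for any internal software repository.
OFFICIAL_SUFFIXES = ("adobe.com",)

# Lure filenames in fake-installer campaigns imitate the real installer name, so
# match anything that looks like "flash_player...exe" regardless of case.
INSTALLER_RE = re.compile(r"flash[_\-]?player.*\.exe$", re.IGNORECASE)


def is_official_host(host):
    """True if host is exactly an official suffix or a subdomain of one.
    Suffix matching is anchored on a dot so 'adobe.com.evil.example' is rejected."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)


def parse_line(line):
    """Split one constructed log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, ctype = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status, "ctype": ctype}


def find_suspicious_installer_downloads(log_text):
    """Return (timestamp, client, host, filename) for every installer-like
    download whose host is not an official Adobe host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = urlparse(rec["url"])
        filename = u.path.rsplit("/", 1)[-1]
        if INSTALLER_RE.search(filename) and not is_official_host(u.hostname or ""):
            hits.append((rec["ts"], rec["client"], u.hostname, filename))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_installer_downloads(SAMPLE_PROXY_LOG):
        print("suspicious installer download:", hit)
```

On the sample log this flags only the download from cdn-updates.example; the genuine download from fpdownload.adobe.com is ignored because the host check is anchored on the domain suffix. A hit is a lead for triage (which client, which referring site), not proof of infection, since it does not tell you whether the user ran the file.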
Cisco Talos has released a blog post that details Talos research into the BadRabbit threat. The post is available at the following link: Threat Spotlight: Follow the Bad Rabbit
Users are encouraged to use the official Adobe website to install Adobe Flash Player.
Users are encouraged to run up-to-date antimalware software.
Users are encouraged to maintain good backups from which they can restore their systems in the event that systems become infected with BadRabbit.
Administrators are advised to deploy an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and block BadRabbit activity on the network.
Administrators can apply Snort SIDs 44646, 44647, 44648, 44649, and 44650 to help prevent BadRabbit ransomware attacks.
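Listing the SIDs is only useful if they are actually present and enabled in the ruleset loaded by the sensor, so a practitioner will want to confirm that before relying on them. The script below is an added example, not part of the Cisco advisory or of the Talos rules: it parses the standard Snort rule syntax (`sid:NNNNN;`, rules disabled by a leading `#`) and reports which of the advisory's SIDs are enabled, disabled or absent. The sample rules file is constructed; its rule bodies are placeholders and do not reproduce the real Talos rule content.

```python
import re

# SIDs named in the advisory.
BADRABBIT_SIDS = {44646, 44647, 44648, 44649, 44650}

# Constructed excerpt of a Snort rules file. The rule bodies are placeholders
# written for this example; only the sid values come from the advisory.
SAMPLE_RULES = """\
# Constructed sample rules file for illustration only
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder rule A"; sid:44646; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder rule B"; sid:44647; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder rule C"; sid:44648; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder rule D"; sid:44649; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"unrelated rule"; sid:1000001; rev:1;)
"""

# Snort rule options are "name:value;" pairs inside the parentheses.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Rule action is the first word of an enabled rule line.
ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\b")


def rule_sids(rules_text):
    """Return (enabled, disabled, actions): sets of SIDs for enabled and
    commented-out rules, and a dict mapping enabled SID -> rule action."""
    enabled, disabled, actions = set(), set(), {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        m = SID_RE.search(line)
        if not m:
            continue  # blank line or a comment that is not a rule
        sid = int(m.group(1))
        if line.startswith("#"):
            disabled.add(sid)
            continue
        enabled.add(sid)
        a = ACTION_RE.match(line)
        actions[sid] = a.group(1) if a else "unknown"
    return enabled, disabled, actions


def audit_sids(rules_text, wanted=BADRABBIT_SIDS):
    """Classify each wanted SID as enabled, disabled (present but commented
    out) or missing, and list enabled SIDs that only alert rather than block."""
    enabled, disabled, actions = rule_sids(rules_text)
    present_enabled = wanted & enabled
    return {
        "enabled": sorted(present_enabled),
        # A SID that is both commented out somewhere and live elsewhere counts as enabled.
        "disabled": sorted((wanted & disabled) - enabled),
        "missing": sorted(wanted - enabled - disabled),
        # In inline (IPS) mode only drop/reject actions block traffic; alert-only
        # rules detect but do not prevent.
        "alert_only": sorted(s for s in present_enabled if actions[s] == "alert"),
    }


if __name__ == "__main__":
    for key, sids in audit_sids(SAMPLE_RULES).items():
        print(f"{key}: {sids}")
```

On the constructed ruleset this reports 44646, 44647 and 44649 enabled, 44648 disabled, 44650 missing, and 44646 and 44647 as alert-only. Run it against the rules files your sensor actually loads; a SID present in a downloaded ruleset but absent from the loaded configuration gives no protection.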