Bad Rabbit Ransomware

In light of the fact that this attack used the NSA EternalRomance exploit, it might be good to review which security solutions block it. Eset was the only one that outright blocked EternalRomance in this ad hoc test by MRG: https://www.mrg-effitas.com/eternalromance-vs-internet-security-suites-and-nextgen-protections/

Also, there have been later revelations on this attack since the initial reports were published. The most detailed is by Cisco here: http://blog.talosintelligence.com/2017/10/bad-rabbit.html. Of note, EternalRomance, along with the other ShadowBrokers-leaked NSA exploits, was patched by Microsoft last June. Therefore any patched network would not have been subjected to ransomware propagation throughout the network.


Since both Cisco and F-Secure have verified that this is a modified version of EternalRomance, Eset needs to verify:

1. Does the previous Microsoft patch mitigation against it still work?

2. Does Eset's detection for EternalRomance, which is CVE based, still work?


Exploit was not initially spotted because it was modified

This was not a pure implementation, and some modifications were made to the exploit's code, hence the reason most researchers and automated scanning systems didn't detect it from the get-go.

"It is very similar to the publicly available Python implementation of the EternalRomance exploit that is also exploited by [NotPetya]," Cisco Talos researchers said. "However, the BadRabbit [EternalRomance] exploit implementation is different than the one in [NotPetya], although it is still largely based on the EternalRomance exploit published in the ShadowBrokers leak."

Ref.: https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-also-used-nsa-exploit/

Edited by itman
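The post's point that a patched network would not have seen propagation comes down to two host-level facts: whether SMBv1 is still enabled and whether the relevant Microsoft patch is installed. The following PowerShell script is an added example, not code from the post or from ESET, that reports both for the local machine. It assumes the `SmbShare` module is available (Windows 8 / Server 2012 and later) and the KB identifiers in `$RequiredKBs` are placeholders that must be replaced with the actual KB numbers for the host's OS build.

```powershell
# Added example (not from the forum post): local exposure check for the SMB
# vector discussed above. Reports whether SMBv1 is enabled and whether any
# of the listed patch KB IDs is installed.
# PLACEHOLDER KB IDs: replace with the real KB numbers for this OS build.
$RequiredKBs = @('KB0000000', 'KB0000001')

function Test-Smb1Enabled {
    # Get-SmbServerConfiguration exposes the server-side SMBv1 switch.
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    return [bool]$cfg.EnableSMB1Protocol
}

function Test-PatchInstalled {
    param([string[]]$KBs)
    # Get-HotFix lists installed updates by HotFixID (e.g. 'KB1234567').
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$smb1    = Test-Smb1Enabled
$patched = Test-PatchInstalled -KBs $RequiredKBs

# A host is considered exposed to the propagation vector only when SMBv1 is
# reachable and none of the required patches is present.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    SMB1Enabled  = $smb1
    PatchPresent = $patched
    Exposed      = ($smb1 -and -not $patched)
} | Format-List
```

Run it in an elevated PowerShell session on each host (or wrap it in `Invoke-Command` for a fleet). One caveat: on Windows 10 and later, `Get-HotFix` does not always list every cumulative update, so a `PatchPresent` of `False` should be confirmed against the OS build number or your patch-management console rather than treated as conclusive.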
