
Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Bad Rabbit Ransomware is Rebuilt NotPetya

The current “Bad Rabbit” ransomware outbreak has been generating quite a bit of news, with some conflicting accounts of its origin. To clarify: Bad Rabbit is a variant of the widely reported “NotPetya” ransomware, which we covered in a blog earlier this year.

Bad Rabbit leverages one of the U.S. National Security Agency-developed exploits stolen and released by the Shadow Brokers group last April. Among those exploits was EternalBlue, used by WannaCry last May. Bad Rabbit utilizes EternalRomance, which, like EternalBlue, targets a (different) vulnerability in SMBv1, the Microsoft Server Message Block (SMB) file sharing protocol.

Although Bad Rabbit shares some similarities with NotPetya (for example, a virtually identical ransom note and propagation via the SMB vulnerability), much of the NotPetya code has been rewritten. This time around, Bad Rabbit employs a Trojan-like tool to mine credentials from infected systems, something that NotPetya did not do.


Figure 1: Ransom page from the Bad Rabbit ransomware.

Cyren detects Bad Rabbit as W32/DiskCoder.A.gen!Eldorado and W32/DiskCoder.B.gen!Eldorado.

Cyren offers protection from dangerous ransomware attacks, like Bad Rabbit, through cloud-based Email Security Gateway and Web Security Gateway services. Learn more about ransomware at our ransomware resource page.
