Mimecast Statement on Bad Rabbit Ransomware Attack

Blog Post created by user.RZYHBOK9oJ Employee on Oct 24, 2017

Today, a new ransomware attack called Bad Rabbit has hit businesses in Russia and Ukraine. It has been identified as an updated strain of the ExPetr/Petya ransomware identified last year.


This new variant is installed via drive-by download as a fake Adobe Flash update. It is then able to spread rapidly to other machines on the network using the same exploit used previously by WannaCry and Petya. 


We are continuing to investigate and monitor, but at present have not seen email used as a distribution mechanism.


Note, though, that once installed, the ransomware attempts to steal and exfiltrate credentials from the infected machine. Stolen credentials are often used to log in to corporate webmail systems like Outlook Web Access, where phishing campaigns can be launched from genuine employee mailboxes.


At this time, it appears that customers with Mimecast Internal Email Protect are protected from internally generated phishing campaigns that result from stolen credentials being used to gain unauthorized access to corporate webmail. We will continue to monitor the situation.


We recommend customers install required operating system patches from Microsoft to mitigate the risk of infection from Bad Rabbit and other previous variants.


As further information becomes available, we will make you aware here or on the Mimecast blog.