Beware the Bad Rabbit
The Threat
This ransomware variant is delivered via malicious websites that instruct the user to update Flash. When the user clicks the “Update Flash” pop-up or link, the malware is downloaded and executed. Once the PC boots, a ransom note is displayed, similar to the recent WannaCry attack. The malware also includes techniques to spread laterally through the network. The first technique involves a hacking tool known as Mimikatz, which is able to obtain passwords from memory on the infected system. The second uses the EternalBlue exploit (MS17-010), which was also evident with WannaCry. The malware also has a hard-coded list of usernames and passwords.
There has been no evidence to date of the ransomware being delivered via phishing emails; however, given that this is always a likely attack vector, users should be cautious when clicking links or opening attachments from unexpected sources. The attack vector currently appears to be users visiting compromised websites directly, but users should be wary of any suspicious-looking emails or communications.
What to do?
The best advice at the moment is simply not to click any links relating to Adobe Flash while browsing the web.
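For defenders, the delivery vector described above (a fake Flash update served from a compromised website) can be hunted for in web proxy logs. The following is an added example, not part of the original advisory; the log format, the trusted Adobe domain list and the file-name pattern are assumptions, and the sample log is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts under these domains count as legitimate Adobe download sources.
TRUSTED_SUFFIXES = ("adobe.com", "macromedia.com")
# Assumption: a Flash-themed installer has "flash" in its file name and an executable extension.
FLASH_INSTALLER = re.compile(r"flash[^/]*\.(exe|msi|scr|dmg)$", re.IGNORECASE)

# Constructed sample proxy log (timestamp, client IP, method, URL, status); not real traffic.
SAMPLE_LOG = """\
2017-10-25T09:14:02Z 10.0.4.21 GET http://news.example.test/index.html 200
2017-10-25T09:14:05Z 10.0.4.21 GET http://cdn.example.test/flash_update/install_flash_player.exe 200
2017-10-25T09:20:11Z 10.0.4.37 GET https://get.adobe.com/flashplayer/install_flash_player.exe 200
2017-10-25T09:31:40Z 10.0.7.8 GET http://adobe.com.updates.example.test/FlashPlayer.EXE?v=27 200
2017-10-25T09:33:02Z 10.0.7.9 GET http://cdn.example.test/flash_update/install_flash_player.exe 404
2017-10-25T09:40:00Z 10.0.7.9 GET http://docs.example.test/flash-migration-guide.pdf 200
"""

def is_trusted(host):
    """True only for a trusted domain or one of its subdomains (not look-alike hosts)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def find_fake_flash_downloads(log_text):
    """Return (timestamp, client, url) for completed Flash-themed installer
    downloads that came from a host outside the trusted Adobe domains."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, client, method, url, status = fields
        if method != "GET" or not status.startswith("2"):
            continue  # only completed downloads put a file on the client
        parts = urlsplit(url)  # .path excludes the query string
        if FLASH_INSTALLER.search(parts.path) and not is_trusted(parts.hostname or ""):
            hits.append((ts, client, url))
    return hits

def clients_to_triage(log_text):
    """Unique client IPs that downloaded a suspicious installer, sorted."""
    return sorted({client for _, client, _ in find_fake_flash_downloads(log_text)})

if __name__ == "__main__":
    for ts, client, url in find_fake_flash_downloads(SAMPLE_LOG):
        print(f"{ts} {client} downloaded {url}")
```

A hit means only that a Flash-named installer was fetched from a non-Adobe host; whether it was executed has to be confirmed on the client itself.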