Blog | G5 Cyber Security

Bad Rabbit Ransomware: Protection Guide

TL;DR

Bad Rabbit is an old but still dangerous ransomware that spreads through drive-by downloads and by exploiting SMB vulnerabilities. This guide explains how to check whether you’re vulnerable, how to protect your systems, and what to do if you are infected.

Checking for Vulnerability & Protection Steps

  1. Understand How Bad Rabbit Spreads: It initially spread via compromised websites distributing a fake Adobe Flash installer. More recently it has spread by exploiting SMBv1 (Server Message Block version 1).
  2. Disable SMBv1: This is the most important step! Older versions of Windows are particularly vulnerable.
    • Windows 10/11 & Server 2016/2019/2022: Open PowerShell as Administrator and run:
      Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    • Older Windows (e.g., Windows 7): Go to Control Panel -> Programs -> Turn Windows features on or off, uncheck ‘SMB 1.0/CIFS File Sharing Support’. You’ll need to restart your computer.
  3. Patch Your Systems: Ensure all operating systems (Windows, macOS, Linux) are fully updated with the latest security patches. This includes not just the OS itself but also applications like web browsers and Adobe Flash (if still in use).
  4. Antivirus/Anti-malware Software: Make sure your antivirus software is up to date and running regular scans.
    • Most reputable antivirus products will detect Bad Rabbit. Check your vendor’s website for specific updates related to this threat.
  5. Firewall Configuration: Ensure your firewall blocks unnecessary SMB traffic (ports 137, 138, 139 and 445). While disabling SMBv1 is best, a strong firewall adds an extra layer of protection.
  6. Web Browser Security:
    • Use a modern web browser (Chrome, Firefox, Edge) with built-in security features.
    • Enable pop-up blockers and avoid clicking on suspicious links or downloading files from untrusted sources.
    • Consider using a browser extension like uBlock Origin to block malicious ads and scripts.
  7. Regular Backups: This is crucial! If you are infected, backups are your best chance of recovery without paying the ransom.
    • Follow the 3-2-1 backup rule: 3 copies of your data, on 2 different media types, with 1 copy offsite.
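The following script is an added example, not part of the original post or any G5 Cyber Security tooling. It carries out steps 2 and 5 above on Windows 10/11 and Server 2016+ (an elevated PowerShell session is assumed), and goes slightly beyond the text by checking both the SMB1 optional feature and the live server configuration, and by scoping the firewall block to the Public and Private profiles. The function names and the firewall rule name are this example's own choices.

```powershell
# Added example (not from the original post): audit and remediate SMBv1 exposure
# on Windows 10/11 and Server 2016+. Run in an elevated PowerShell session.
# Function names and the firewall rule name are this example's own choices.

function Get-Smb1Status {
    # Two independent views: the optional feature (binaries installed) and the
    # server configuration (protocol actually enabled). Both should be off.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState      = $feature.State               # Expect 'Disabled'
        Smb1ServerEnabled = $server.EnableSMB1Protocol   # Expect $false
    }
}

function Disable-Smb1 {
    # Turn the protocol off immediately, then remove the feature (reboot needed).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Set-SmbInboundBlock {
    param([string]$RuleName = 'Block inbound SMB (example)')   # placeholder name
    # Block SMB (TCP 139/445) and NetBIOS (UDP 137/138) on untrusted profiles only,
    # so file shares and Group Policy keep working on the Domain profile.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Protocol TCP -LocalPort 139,445 -Profile Public,Private | Out-Null
        New-NetFirewallRule -DisplayName "$RuleName (UDP)" -Direction Inbound -Action Block `
            -Protocol UDP -LocalPort 137,138 -Profile Public,Private | Out-Null
    }
}

$before = Get-Smb1Status
if ($before.FeatureState -ne 'Disabled' -or $before.Smb1ServerEnabled) {
    Write-Warning "SMBv1 is present or enabled:`n$($before | Out-String)"
    Disable-Smb1
    Set-SmbInboundBlock
    Write-Host 'Remediated. Reboot to complete feature removal. State now:'
    Get-Smb1Status | Format-List
} else {
    Write-Host 'SMBv1 already disabled.'
    Set-SmbInboundBlock
}
```

On Windows 7 the Get-SmbServerConfiguration and NetSecurity cmdlets are not available; use the Control Panel method from step 2 there instead.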

What to Do If Infected

  1. Isolate the Infected System: Immediately disconnect the infected computer from the network (Wi-Fi and Ethernet). This prevents further spread of the ransomware.
  2. Do NOT Pay the Ransom: Paying the ransom does not guarantee file recovery, and it funds criminal activity.
  3. Identify the Infection: Bad Rabbit typically displays a ransom note requesting payment in Bitcoin. Encrypted files will carry an extension such as .rabbit.
  4. Report the Incident: Report the infection to your local cyber security authorities (e.g., Action Fraud in the UK).
  5. Restore from Backups: If you have recent, clean backups, restore your data from them. Ensure the backup media is verified as safe before restoring.
  6. Seek Professional Help: Contact a reputable cyber security firm for assistance with removal and recovery if you are not comfortable handling it yourself. They can help analyze the infection and ensure complete eradication.

Further Resources
