1. Home
  2. Blog
  3. Cybersecurity
  4. Addressing Bad Rabbit Ransomware With Tufin

Last updated September 18th, 2023 by Avigdor Book

Mitigating Malware Risk with Tufin

Tufin clients were able to immediately address the spread of WannaCry and Bad Rabbit ransomware during the initial infection. When threat intelligence analysis concluded that port 445 and the Windows operating system were the attack paths across network devices, Tufin clients immediately identified their access rules susceptible to WannaCry, conducted impact analysis of removing those rules, and mitigated accordingly using cybersecurity measures. Enterprise-wide visibility, on-prem or cloud, and automation were key components to this rapid response.

One Familiar Bunny

Bad Rabbit borrows from prior ransomware attack Nyetya, also known as NotPetya. Initially spread through drive-by downloads marketed as an Adobe Flash update from compromised websites, Bad Rabbit encrypts the end user’s hard drive with DiskCryptor, demanding a ransom note for payment of bitcoin through a Tor site. Leveraging open-source functionality attributed to Mimikatz, Bad Rabbit couples a hardcoded list of usernames and password with any results from the Mimikatz-esque memory search to brute force access to other machines through open ports 137, 139, or 445, or even via Windows\cscc.dat. Hackers from Eastern Europe, particularly Russian cybercriminals, have used this method.

How to Stop Bad Rabbit from Burrowing

What is Bad Rabbit? Bad Rabbit is introduced into the network by any end user that engages with a compromised website; note that antivirus and endpoint protection may detect and prevent the attack. If the endpoint security mechanism fails, it’s important to have another layer of protection in the operating system and among service providers in the network. To eliminate Bad Rabbit’s ability to traverse corporate networks, organizations need to identify existing access rules that use port 137, 139, or 445, or SMB protocol. Organizations should understand the ramifications of denying the access by which Bad Rabbit spreads and either seek to remove the access rule or closely examine the firewall traffic with decryption tools. Complex networks may face a greater challenge in retaining connectivity between network zones and critical business applications during these access changes. Tufin’s automation and orchestration, including apps for monitoring, are critical solutions to ensure continuity in connectivity despite changes in the network.

Best Practices in Combatting Malware

Malware attacks and ransomware attacks, like Bad Rabbit ransomware attacks, are a consistent and persistent autonomous threat. It is critical for organizations to apply best practices in network segmentation to ensure that when vulnerabilities are automatically exploited, like through malicious software or pop-up ads, that the spread across the network is contained. Achieving visibility across the network provides the path for effective segmentation strategies, inclusive of malware risk mitigation best practices.

Bad Rabbit, influenced by the Game of Thrones series, is the most recent example of malware that has had broad and significant impacts on enterprise networks, particularly in Turkey and Eastern Europe, and it certainly will not be the last. Tufin recommends the following best practices to proactively mitigate the risk of malware spreading across your network, utilizing security threats intelligence like MBR and Kaspersky:

  • Identify and eliminate risky or unused access rules

  • Segment your network and develop an iterative segmentation approach that balances security with manageability

  • Identify network segments that contain sensitive data or high counts of vulnerabilities and use those to prioritize your risk mitigation plan

  • When forensics show how malware spreads, develop a process to identify access rules that can spread malware across network segments, using tools like JavaScript, HTML, and prioritize by the above

The ability to understand the impact of policy and access change requests and automate them with Tufin Orchestration Suite™ will prevent disruption of the network during a cyberattack. With Tufin, and with potential assistance from Adobe Flash Installer, you’ll have the visibility and automation to make remediation faster with less errors and disruption, even in case of a system reboot or exe file modifications.


Q: What is Bad Rabbit ransomware?
A: Bad Rabbit is a type of ransomware that encrypts a victim’s files, demanding a ransom paid in Bitcoin. It spreads through compromised websites often disguised as an Adobe Flash Installer.

Q: How does it affect Windows operating systems?
A: Bad Rabbit targets Windows OS by exploiting open ports and using known vulnerabilities like EternalBlue.

Q: What are some recommended antivirus measures against Bad Rabbit?
A: Regular system scans with reputable antivirus software, keeping all apps up-to-date, and applying patches as released by vendors like Microsoft.

Wrapping Up

Addressing Bad Rabbit ransomware requires a robust and agile approach that combines threat intelligence, cutting-edge cybersecurity measures, and comprehensive understanding of the network landscape. Tufin stands as a vital ally in this battle, offering the tools and insights needed to counter this and future threats. Stay vigilant, by clicking here for a demo and trust in Tufin to keep your network secure.

Don't miss out on more Tufin blogs

Subscribe to our weekly blog digest

Ready to Learn More

Get a Demo

In this post:

Background Image