Blog
/
/
October 24, 2017

Investigating the BadRabbit Cyber Threat

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
24
Oct 2017
This blog post describes the currently-circulating ransomware called BadRabbit and how Darktrace’s machine learning technology detects it.

This blog post describes the currently circulating ransomware called BadRabbit and how Darktrace’s machine learning technology detects it. BadRabbit is a self-propagating piece of malware that uses SMB to spread laterally. The campaign is reminiscent of the WannaCry and NotPetya attacks seen earlier this year. Some of the functionality in BadRabbit and the modus operandi of how it infects the targets is similar to the NotPetya attack.

The attack initially hit companies in Russia and Ukraine on October 24th, 2017. Since, the ransomware has spread to other countries across the world as well.

Infection process

The initial infection vector appears to be via drive-by downloads and social engineering using fake Adobe Flash player files. Various news and media websites predominantly but not exclusively in Russia and Ukraine served their visitors with pop-up alerts asking them to download Adobe Flash player software updates. It is unclear at this point if the websites were compromised, or if the advertisement networks were leveraged to display the fake Adobe Flash downloads.

This technique of presenting users with fake updates, commonly Adobe Flash, containing ransomware, adware or other forms of malware, has gained traction in the last six months. The same approach is often applied to trick users into inadvisable actions, such as downloading malware when browsing TV streaming websites, or torrent websites.

Once downloaded, a user has to execute the fake Adobe Flash player with administrative credentials manually. No exploits are used to automatically execute the malware. The malware creates a scheduled task for another file upon execution. The ransomware then encrypts files on the compromised devices using a hard-coded list of file extensions using a RSA 2048 key. The criminals demand a Bitcoin payment for decrypting the files. Users are pointed to a .onion website, which has to be accessed via Tor, to pay the ransom.

BadRabbit can brute-force its way over SMB to other devices on the network using a hard-coded list of common credentials. The malware appears to contain a stripped-down version of the Mimikatz tool which is used to gather credentials on Windows machines. This is likely used to further enhance its lateral movement capabilities using SMB.

Update (October 30, 2017): As the investigation of BadRabbit capabilities continued over the weekend, new details about how BadRabbit spreads have been uncovered. BadRabbit appears to be using the EternalRomance exploit that targets CVE-2017-0145, patched by Microsoft in March 2017, to propagate within the internal network over SMB. As Darktrace’s AI does not rely on identifying individual exploits to detect breaches, this latest discovery does not affect Darktrace’s capability to identify BadRabbit infections. All of the previously identified detection capabilities still hold true.

Darktrace instantly detects BadRabbit

Darktrace has strong detection capabilities for this campaign without the use of any signatures. In fact, we alerted a number of our customers within seconds of the initial fake Flash Player download on their respective networks, and well before the extent of the campaign was publicly known.

The initial fake Adobe Flash Player download from 1dnscontrol[.]com is immediately detected as a suspicious download:

If the early signs of BadRabbit go undetected, the infected devices start brute-forcing access to other devices on the network using SMB - causing thousands of SMB session login attempts per endeavored lateral movement over port 445. This highly anomalous behavior marks a sharp departure from customers’ normal ‘pattern of life’, making BadRabbit very easy to detect for Darktrace’s machine learning technology. Within seconds, Darktrace alerted the affected organizations about this attack flagging it as ‘SMB Session Brute Force’. The below shows an ongoing lateral movement attempt from an infected device to another client device using SMB session brute-force.

Infected devices make connection attempts to one or two seemingly randomly generated IP addresses on the internet over port 445 and also port 139. Examples of these failed connection attempts are displayed below. Darktrace instantly recognized this as unusual behavior for the infected device:

Compromised devices will attempt to move laterally on the network in a search for other devices to infect. Darktrace’s AI algorithms can swiftly recognize this anomalous behavior, alerting the affected organization in real time about these ‘Unusual Internal Connections’, as well as potential ‘Network Scans’.

The below model breaches seen in Darktrace are expected in a BadRabbit infection. Please be aware that not all models listed below are expected to breach in every infection - this depends on the actual behavior observed by Darktrace.

Anomalous File / EXE from Rare External Destination
Device / SMB Session Brute Force
Unusual Activity / Unusual Internal Connections
Device / Network Scan
Unusual Activity / Sustained Unusual Activity
Anomalous Connection / Suspicious Read / Write Ratio
Compliance / Tor Usage

The Darktrace ‘Omnisearch’ and ‘Advanced Search’ features can be used to identify any connections made to the known network Indicators of Compromise:

1dnscontrol[.]com(hosting the fake Adobe Flash player file)185.149.120[.]3(static IP observed, victims HTTP POSTing to the IP)

Conclusion

BadRabbit is a machine-speed ransomware attack that exhibits some of the functionality and infection mechanics of the WannaCry and NotPetya breaches observed earlier this year. The BadRabbit malware masks itself as an ‘Adobe Flash’ software update, tempting unsuspecting users to initiate a download. After the initial impact, the attack can spread from machine to machine without human intervention.

Darktrace’s AI algorithms are quick to detect the highly anomalous patterns of behavior that BadRabbit triggers on a network, alerting the security team in real time. We have seen BadRabbit bypass traditional security controls around the globe, demonstrating once again the futility of attempting to identify and stop threats with rules and signatures. As Darktrace’s machine learning technology doesn’t rely on any assumptions of what ‘bad’ looks like and detects unfolding attacks not by what they are but by what they do, it is very powerful at catching and stopping ransomware attacks like BadRabbit in real time.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Max Heinemeyer
Global Field CISO

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

OT

/

April 4, 2025

Darktrace Named as Market Leader in the 2025 Omdia Market Radar for OT Cybersecurity Platforms

Default blog imageDefault blog image

We are pleased to announce that Darktrace / OT has been named a Market Leader in Omdia’s  2025 Market Radar for OT Cybersecurity Platforms. We believe this highlights our unique capabilities in the OT security market and follows similar recognition from Gartner who recently named Darktrace / OT as the sole Visionary in in the Magic Quadrant for Cyber Physical Systems (CPS) Protection Platforms market.

Historically, IT and OT systems have been managed separately, creating challenges due to the differences of priorities between the two domains. While both value availability, IT emphasizes confidentiality and integrity whereas OT focuses on safety and reliability. Organizations are increasingly converging these systems to reap the benefits of automation, efficiency, and productivity (1).

Omdia’s research highlights that decision makers are increasingly prioritizing comprehensive security coverage, centralized management, and advanced cybersecurity capabilities when selecting OT security solutions (1).

Rising productivity demands have driven the convergence of OT, IT, and cloud-connected systems, expanding attack surfaces and exposing vulnerabilities. Darktrace / OT provides a comprehensive OT security solution, purpose-built for critical infrastructure, offering visibility across OT, IoT, and IT assets, bespoke risk management, and industry-leading threat detection and response powered by Self-Learning AITM.

Figure 1: Omdia vendor overview for OT cybersecurity platforms
Figure 1: Omdia vendor overview for OT cybersecurity platforms

An AI-first approach to OT security  

Many OT security vendors have integrated AI into their offerings, often leveraging machine learning for anomaly detection and threat response. However, only a few have a deep-rooted history in AI, with longstanding expertise shaping their approach beyond surface-level adoption.

The Omdia Market Radar recognizes that Darktrace has extensive background in the AI space:

“Darktrace has invested extensively in AI research to fuel its capabilities since 2013 with 200-plus patent applications, providing anomaly detection with a significant level of customization, helping with SOC productivity and efficiency, streamlining to show what matters for OT.” (1)

Unlike other security approaches that rely on existing threat data, Darktrace / OT achieves this through Self-Learning AI that understands normal business operations, detecting and containing known and unknown threats autonomously, thereby reducing Sec Ops workload and ensuring minimal downtime

This approach extends to incident investigations where an industry-first Cyber AI AnalystTM automatically investigates all relevant threats across IT and OT, prioritizes critical incidents, and then summarizes findings in an easily understandable view—bringing production engineers and security analysts together to communicate and quickly take appropriate action.

Balancing autonomous response with human oversight

In OT environments where uptime is essential, autonomous response technology can be approached with apprehension. However, Darktrace offers customizable response actions that can be set to “human confirmation mode.”

Omdia recognizes that our approach provides customizable options for autonomous response:

“Darktrace’s autonomous response functionality enforces normal, expected behavior. This can be automated but does not need to be from the beginning, and it can be fine-tuned. Alternative step-by-step mitigations are clearly laid out step-by-step and updated based on organizational risk posture and current level of progress.” (1)

This approach allows security and production to keep humans-in-the-loop with pre-defined actions for potential attacks, enforcing normal to contain a threat, and allowing production to continue without disruption.  

Bespoke vulnerability and risk management

In the realm of OT security, asset management takes precedent as one of the key focus points for organizations. With a large quantity of assets to manage, practitioners are overwhelmed with information with no real way to prioritize or apply them to their unique environment.

Darktrace / OT is recognized by Omdia as having:

“Advanced risk management capabilities that showcase metrics on impact, exploit difficulty, and estimated cost of an attack […] Given the nascency of this capability (April 2024), it is remarkably granular in depth and insight.” (1)

Enabling this is Darktrace’s unique approach to AI extends to risk management capabilities for OT. Darktrace / OT understands customers’ unique risks by building a comprehensive and contextualized picture that goes beyond isolated CVE scoring. It combines attack path modeling with MITRE ATT&CK  techniques to provide hardening recommendations regardless of patching availability and gives you a clearer view of the potential impact of an attack from APT groups.

Modular, scalable security for industrial environments

Organizations need flexibility when it comes to OT security, some want a fully integrated IT-OT security stack, while others prefer a segregated approach due to compliance or operational concerns. The Darktrace ActiveAI Security Platform offers integrated security across multiple domains, allowing flexibility and unification across IT and OT security. The platform combines telemetry from all areas of your digital estate to detect and respond to threats, including OT, network, cloud, email, and user identities.

Omdia recognizes Darktrace’s expansive coverage across multiple domains as a key reason why organizations should consider Darktrace / OT:

“Darktrace’s modular and platform, approach offer’s integrated security across multiple domains. It offers the option of Darktrace / OT as a separate platform product for those that want to segregate IT and OT cybersecurity or are not yet in a position to secure both domains in tandem. The deployment of Darktrace’s platform is flexible—with nine different deployment options, including physical on-premises, virtual, cloud, and hybrid.” (1)

With flexible deployment options, Darktrace offers security teams the ability to choose a model that works best for their organization, ensuring that security doesn’t have to be a “one-size-fits-all” approach.

Conclusion: Why Darktrace / OT stands out in Omdia’s evaluation

Omdia’s 2025 Market Radar for OT Cybersecurity Platforms provides a technical-first, vendor-agnostic evaluation, offering critical insights for organizations looking to strengthen their OT security posture. Darktrace’s recognition as a Market Leader reinforces its unique AI-driven approach, flexible deployment options, and advanced risk management capabilities as key differentiators in an evolving threat landscape.

By leveraging Self-Learning AI, autonomous response, and real-world risk analysis, Darktrace / OT enables organizations to detect, investigate, and mitigate threats before they escalate, without compromising operational uptime.

Read the full report here!

References

  1. www.darktrace.com/resources/darktrace-named-a-market-leader-in-the-2025-omdia-market-radar-for-ot-cybersecurity-platforms
Continue reading
About the author
Pallavi Singh
Product Marketing Manager, OT Security & Compliance

Blog

/

Cloud

/

April 2, 2025

Fusing Vulnerability and Threat Data: Enhancing the Depth of Attack Analysis

Default blog imageDefault blog image

Cado Security, recently acquired by Darktrace, is excited to announce a significant enhancement to its data collection capabilities, with the addition of a vulnerability discovery feature for Linux-based cloud resources. According to Darktrace’s Annual Threat Report 2024, the most significant campaigns observed in 2024 involved the ongoing exploitation of significant vulnerabilities in internet-facing systems. Cado’s new vulnerability discovery capability further deepens its ability to provide extensive context to security teams, enabling them to make informed decisions about threats, faster than ever.

Deep context to accelerate understanding and remediation

Context is critical when understanding the circumstances surrounding a threat. It can also take many forms – alert data, telemetry, file content, business context (for example asset criticality, core function of the resource), and risk context, such as open vulnerabilities.

When performing an investigation, it is common practice to understand the risk profile of the resource impacted, specifically determining open vulnerabilities and how they may relate to the threat. For example, if an analyst is triaging an alert related to an internet-facing Webserver running Apache, it would greatly benefit the analyst to understand open vulnerabilities in the Apache version that is running, if any of them are exploitable, whether a fix is available, etc. This dataset also serves as an invaluable source when developing a remediation plan, identifying specific vulnerabilities to be prioritised for patching.

Data acquisition in Cado

Cado is the only platform with the ability to perform full forensic captures as well as utilize instant triage collection methods, which is why fusing host-based artifact data with vulnerability data is such an exciting and compelling development.

The vulnerability discovery feature can be run as part of an acquisition – full or triage – as well as independently using a fast ‘Scan only’ mode.

Figure 1: A fast vulnerability scan being performed on the acquired evidence

Once the acquisition has completed, the user will have access to a ‘Vulnerabilities’ table within their investigation, where they are able to view and filter open vulnerabilities (by Severity, CVE ID, Resource, and other properties), as well as pivot to the full Event Timeline. In the Event Timeline, the user will be able to identify whether there is any malicious, suspicious or other interesting activity surrounding the vulnerable package, given the unified timeline presents a complete chronological dataset of all evidence and context collected.

Figure 2: Vulnerabilities discovered on the acquired evidence
Figure 3: Pivot from the Vulnerabilities table to the Event Timeline provides an in-depth view of file and process data associated with the vulnerable package selected. In this example, Apache2.

Future work

In the coming months, we’ll be releasing initial versions of highly anticipated integrations between Cado and Darktrace, including the ability to ingest Darktrace / CLOUD alerts which will automatically trigger a forensic capture (as well as a vulnerability discovery) of the impacted assets.

To learn more about how Cado and Darktrace will combine forces, request a demo today.

Continue reading
About the author
Paul Bottomley
Director of Product Management, Cado
Your data. Our AI.
Elevate your network security with Darktrace AI