Download Now
Home
/
Resources

What Is Bad Rabbit Ransomware?

Bad Rabbit ransomware is a type of malicious software that encrypts a victim’s files and demands a ransom payment to restore access.

Discovered in 2017, Bad Rabbit primarily targeted media organizations, transportation systems, and businesses. It spread through fake Adobe Flash updates, tricking users into installing malware disguised as legitimate software.

Once executed, the ransomware locks files and displays a ransom message, typically demanding payment in cryptocurrency.

Core idea: Bad Rabbit is a classic example of ransomware that combines social engineering with system exploitation to disrupt operations and extort victims.

Why Bad Rabbit Ransomware Matters

Bad Rabbit is significant because it demonstrates how ransomware can spread without relying on traditional exploits.

Why it matters:

  • User-based infection model
    It relies on users downloading malicious files, highlighting the importance of awareness.
  • Rapid lateral movement
    Once inside a network, it spreads quickly using stolen credentials.
  • Operational disruption
    It has impacted critical sectors like transportation and media.
  • Evolving ransomware tactics
    Bad Rabbit shows how attackers combine social engineering with network propagation.

How Bad Rabbit Ransomware Works

Bad Rabbit follows a structured attack lifecycle:

  1. Infection
    Users download a fake update (e.g., Flash installer) from compromised websites.  
  2. Execution
    The malware installs itself and begins encrypting files.  
  3. Credential Harvesting
    It extracts credentials from infected systems.  
  4. Lateral Movement
    Uses tools like SMB and Windows Admin Shares to spread across the network.  
  5. Encryption and Ransom Demand
    Files are encrypted, and a ransom note is displayed.  

Key Characteristics of Bad Rabbit

  • No exploit-based entry - Relies on social engineering  
  • Fake software updates - Common infection method  
  • Network propagation - Spreads within organizations  
  • Credential-based movement - Uses stolen login details  
  • Disk encryption techniques - Encrypts files and system components  

Real-World Impact of Bad Rabbit

Bad Rabbit caused significant disruptions when it first appeared.

  • Media organizations
    Several news agencies experienced system outages.
  • Transportation systems
    Public transport systems were affected, causing delays.
  • Corporate networks
    Businesses faced downtime and data loss.

Although not as widespread as WannaCry or NotPetya, Bad Rabbit demonstrated the effectiveness of targeted ransomware campaigns.

How to Prevent Bad Rabbit Ransomware

Organizations can reduce the risk of Bad Rabbit attacks through:

1. Avoid untrusted downloads

Do not install software from unknown or unverified sources.

2. Patch and update systems

Keep operating systems and applications up to date.

3. Use strong authentication

Implement multi-factor authentication (MFA).

4. Restrict network access

Limit lateral movement using network segmentation.

5. Security awareness training

Educate users about phishing and fake updates.

6. Endpoint protection

Deploy antivirus and endpoint detection tools.

7. Backup data regularly

Maintain secure backups to recover from ransomware attacks.

Summary

Bad Rabbit ransomware is a socially engineered cyberattack that spreads through fake software updates and encrypts critical data for ransom. While it does not rely heavily on advanced exploits, its ability to move laterally within networks makes it highly disruptive.

Understanding how Bad Rabbit operates helps organizations strengthen defenses against similar ransomware threats. By combining user awareness, strong security controls, and proactive monitoring, businesses can significantly reduce their risk.

FAQ

1. What is Bad Rabbit ransomware?

Bad Rabbit ransomware is malware that encrypts files on a system and demands payment to restore access.

2. How does Bad Rabbit ransomware spread?

It spreads mainly through fake software updates and drive-by downloads from compromised websites.

3. When was Bad Rabbit ransomware discovered?

Bad Rabbit ransomware was first identified in 2017.

4. What systems does Bad Rabbit target?

It primarily targets Windows-based systems within enterprise networks.

5. How can organizations prevent Bad Rabbit ransomware?

Organizations can prevent it by avoiding untrusted downloads, applying patches, using MFA, training users, and implementing strong security controls.

6. Is Bad Rabbit ransomware still active?

While not as active today, its techniques are still used in modern ransomware attacks.

Glossary Terms
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
AI in CybersecurityAPI SecurityAdvanced Endpoint Protection (AEP)Advanced Persistent Threat (APT)Application SecurityApplication VulnerabilityAI Model ValidationAI EngineeringAgentic WorkflowsAI Data SecurityAgentless SecurityAttack Surface ReductionAsset Discovery
Blacklist in CybersecurityBotnet in CybersecurityBrute Force AttackBotnet in CybersecurityBreach and Attack Simulation (BAS) in CybersecurityBlockchain SecurityBusiness Continuity Plan in CybersecurityBuffer OverflowBehavioral Analytics
Cloud Native SecurityCloud SecurityCloud Security Posture Management (CSPM)Cloud Workload ProtectionCodeQLCyber Exposure / Attack Surface ManagementCVE (Common Vulnerabilities and Exposures) in CybersecurityCross Site Request Forgery (CSRF)Credential Theft in CybersecurityCommon Vulnerability Scoring System (CVSS)Continuous Vulnerability MonitoringCross-Site ScriptingCWE (Common Weakness Enumeration)Cyber Threat IntelligenceCyber Threats in CybersecurityCloud Access Security Broker (CASB)Configuration Drift in CybersecurityCryptography in CybersecurityCertificate Authority (CA)Command and Control (C2)Center for Internet Security (CIS)Container Security
Data Breach in CybersecurityData Encryption in CybersecurityData Security in CybersecurityDeep Packet Inspection (DPI) in CybersecurityDenial of ServiceData Exfiltration in CybersecurityData Loss Prevention (DLP) in CybersecurityDevSecOpsDNS SecurityDynamic Application Security Testing (DAST)Digital Forensics in CybersecurityDomain Spoofing in CybersecurityData Governance in Cybersecurity
Endpoint Detection & Response (EDR)Endpoint SecurityExtended Detection and Response (XDR)Encryption Key ManagementExploit in CybersecurityEndpoint Protection Platform (EPP)Exposure Monitoring in CybersecurityException Management
Firewall in CybersecurityFileless Malware in CybersecurityFirmware Security in CybersecurityFuzzing (Fuzz Testing)
Grayware in CybersecurityGovernance, Risk, and Compliance (GRC)
Honeypot in CybersecurityHacktivism in CybersecurityHybrid Cloud SecurityHypervisor Security
Identity and Access Management (IAM)Incident Response (IR)Intrusion Detection System (IDS)Intrusion Prevention System (IPS)Input Validation in CybersecurityInsider Threat in CybersecurityInteractive Application Security Testing (IAST)Insecure Deserialization in CybersecurityIoT Security in CybersecurityIntegrated Risk Management (IRM) in CybersecurityIndicators of Compromise (IOC)
Jamming Attack in Cybersecurity
Key Logger in CybersecurityKill Chain in Cybersecurity
Least Privilege in CybersecurityLog Correlation in CybersecurityLateral Movement in CybersecurityLogic Bomb in Cybersecurity
Malware in CybersecurityManaged Security Service Provider (MSSP)Man-in-the-Middle Attack (MitM)Mitigation Strategy EngineeringMicrosoft PurviewMulti-Factor Authentication (MFA)
Network Firewall in CybersecurityNetwork Security in CybersecurityNetwork Segmentation in CybersecurityNTP Amplification AttackNext-Generation Firewall
Open Source Intelligence (OSINT)OAuth in CybersecurityOpen Vulnerability and Assessment Language (OVAL)Operation Technology (OT) Security
Password Policy in CybersecurityPatch ManagementPenetration TestingPhishing Prevention in CybersecurityPrivileged Access Management (PAM)Privileged Identity Management (PIM)Public Key Infrastructure (PKI)Patch ValidationPredictive Vulnerability MonitoringPurple Teaming in Cybersecurity
Quishing in Cybersecurity
Risk-Based Vulnerability Management (RBVM)Remote Code Execution (RCE)Risk Assessment in CybersecurityRAG PipelinesResidual Risk Calculation in CybersecurityRansomwareRed Teaming in CybersecurityRogue Access Point in CybersecurityRootkit in Cybersecurity
SIEM (Security Information and Event Management)Security MonitoringSecurity Operations Center (SOC)Software Composition Analysis (SCA)Supply Chain CybersecuritySecure Access Service Edge (SASE) in CybersecuritySecure Coding in CybersecuritySpoofing in CybersecuritySynthetic Identity Fraud in CybersecuritySecure Web Gateway (SWG) in CybersecuritySecurity Orchestration Automation and Response (SOAR) in CybersecuritySocial Engineering in CybersecuritySpyware in CybersecuritySecurity AutomationSAST (Static Application Security Testing)Security Assessment in CybersecuritySoftware Supply Chain SecurityServerless Security in CybersecuritySandboxing in Cybersecurity
Threat HuntingThreat IntelligenceThreat Intelligence Platform (TIP)Threat-Aware Vulnerability Prioritization in CybersecurityTrojan Horse in CybersecurityTrusted Platform Module (TDM)
Usage-Based Vulnerability ExposureUser and Entity Behavior Analytics (UEBA)
Vulnerability AssessmentVulnerability ManagementVulnerability Management Platform (VMP)Vulnerability Correlation in CybersecurityVulnerability Threat Enrichment (VTE) in CybersecurityVirus in CybersecurityVulnerability Intelligence
Watering Hole AttackWeaponization PredictionWeb Application Firewall in CybersecurityWorm Virus in Cybersecurity
XCCDF in Cybersecurity
Yellow Hat Hacking
Zero-Day ExploitZero-Day VulnerabilityZero Trust Architecture (ZTA) in CybersecurityZero Trust Network Access (ZTNA) in CybersecurityZero Trust Security Model in Cybersecurity
Recent Blogs
Cloud-Native Services Threat Modeling: STRIDE Framework, Controls & Automation
Cloud-Native Services Threat Modeling: STRIDE Framework, Controls & Automation
Axios NPM Supply Chain Attack: Technical Analysis, IOCs, Detection & Mitigation
Axios NPM Supply Chain Attack: Technical Analysis, IOCs, Detection & Mitigation
MCSB Deep Dive: Securing Azure with Microsoft Cloud Security Benchmark
MCSB Deep Dive: Securing Azure with Microsoft Cloud Security Benchmark
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Accept
Green Plus icon
Cybersecurity Solutions
Vulnerability IntelligenceSecurity & Threat Intelligence IntegrationsVulnerability & Configuration ManagementConnector Development IntegrationOSS - Software Composition AnalysisOSS - Dependancy DefenceOSS - Zero-Day DiscoveryThreat IntelligenceExternal Attack Surface DiscoveryCloud Security Posture ManagementCloud Workload Protection
IT Solutions
Data Science Engineering ServicesSoftware Development  & SupportQA AutomationStaff Augmentation
Platforms
LOVICytellite
Company
About usBlogsReportsCase StudiesWebinarsGlossaryCareers
Research
Research-as-a -ServiceZero-Day Discovery
1-703-956-7410info@loginsoft.com
© 2026 - Copyright
Privacy policy