The latest major ransomworm campaign, Bad Rabbit, could have also been called "it could've been a lot worse rabbit".
But Bad Rabbit is catchier.
Bad Rabbit is the third major ransomware campaign of 2017 to take advantage of leaked US National Security Agency hacking tools. The tools, which exploited a critical vulnerability in Microsoft Windows, was mostly confined to the Ukraine and Russia, with limited impacts elsewhere.
Not another NotPetya
Unlike NotPetya, which was an attack that started in the Ukraine and spread globally hitting major firms such as Maersk, Merck, FedEx and more causing more than US $1 billion in damages, Bad Rabbit hasn't spread nor had that same impact. This is likely due to patches (finally) being applied and networks hardened following the two other major ransomware outbreaks.
Bad Rabbit began its infections within organizations with users with unpatched Adobe Flash browser plug-ins visited Russian media sites that had been compromised with malware. The malware used the vulnerabilities to gain access to the users' computers and then spread from there within vulnerable organizations.
People, process and culture
Bad Rabbit, NotPetya and WannaCry all have something else in common besides their roots in NSA hacking tools - they all are perfect examples of why cybersecurity isn't just about technology.
It's about people, process, culture and technology.
People - It's important to educate your users to help them understand if their devices are properly patched. If the users are responsible for patching, educating them on how to fix it or who to contact within your organization if they discover their devices need to be patched and they're not able to do so on their own.
Process - Large organizations struggle to keep their systems patched and prioritizing key systems. Improving patching processes - even things as basic as teaching users how to do this themselves if the organization doesn't have automated tools to do so, can save organizations from a major incident.
Culture - The organizations that are falling victim to these ransomware outbreaks aren't taking cybersecurity seriously enough at the highest levels. Demonstrating management commitment to these issues results in the establishment of the proper policies, policies and resources to begin to reduce risk.
Technology - Keeping end user computers patched isn't easy to do manually, even for small and medium-size organizations. Finding and deploying the right tool to patch not only the operating system, but also key software such as browser plug ins, is key.
David Shipley is the CEO and co-founder of Beauceron Security Inc.