Cisco Blogs

Threat Spotlight: Follow the Bad Rabbit

October 24, 2017 - 4 Comments

Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.

On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape.

There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.



In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. ๊Update latest signature on NGIPS is Necessary ?
    i see on web cisco have rule update Sourcefire Rule Update 2017-10-25-001

    • The primary research post on is consistently being updated as further analysis is completed. Please continue checking back on that post (using the “Read More” link) for updates and in-depth details.

  2. Is there any signatures related to IPS which we need to update in firepower ?

    • Please see the coverage and IOC sections of the research post for details. That post is being updated as more and more analysis is completed.