Thought Leadership

Oct 24, 2017

Hacker’s Playbook Updated with Methods for Petya.A (Bad Rabbit) Ransomware Attack


SafeBreach Labs has updated the Hacker’s Playbook™ with simulations for a new ransomware attack, based on Petya.A and dubbed Bad Rabbit.

Additionally, thanks to the depth of the Hacker’s Playbook™, a portion of this multi-stage attack campaign has already been simulated. As always, SafeBreach Labs will continue to monitor the situation, and develop new simulations as necessary.

This attack has targeted businesses and infrastructure in Russia and Ukraine according to CERT-UA, and shows early signs in Turkey and Germany, encrypting machines and demanding payment in bitcoin for decryption. However, SafeBreach recommends all industries and businesses simulate this attack to identify whether or not they can be compromised, and then take action to prevent this ransomware campaign from spreading outside the currently affected regions.

To assess security control effectiveness against techniques involved in this ransomware attack, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Newly Added Playbook Methods

Playbook #1401: Local installation of ransomware

  • Endpoint controls – Are controls in place that prevent the local installation of Petya.A ransomware?

Playbook #1402 – Network transfer of ransomware

  • Network controls – Are controls in place that prevent the download and transfer of the Petya.A ransomware used in the Bad Rabbit campaign?

Already Existing Playbook Method

Playbook #794: Run MimiKatz on Host

  • Endpoint controls – Endpoint controls – Are controls in place that prevent harvesting of Windows passwords from memory?

Playbook #1220: Fileless (using PowerShell) MimiKatz Injection

  • Endpoint controls – Are controls in place harvesting of Windows passwords from memory using PowerShell?

The SafeBreach Hacker’s Playbook™ of breach methods simulates these breach scenarios, and thousands more, without impacting users or infrastructure. Breach methods are constantly updated by SafeBreach Labs, our team of offensive security researchers, to help keep customers ahead of attacks.

Get the latest
research and news