Anatomy of a Breach: Bad Rabbit and KRACK — Ransomware Returns and Wi-Fi Trust Shatters

> series: anatomy_of_a_breach —— part: 106 —— threats: bad_rabbit_ransomware + krack_wpa2 —— scope: ransomware_returns_wifi_breaks

Hedgehog Security 31 October 2017 12 min read

Ransomware returns. Wi-Fi trust shatters. October 2017 brought both.

On 24 October 2017, Bad Rabbit ransomware struck media organisations and transport systems in Russia and Ukraine. Initial infection was a drive-by: compromised news sites prompted visitors to install a fake Adobe Flash Player update, which the victim had to run by hand. Once inside a network, Bad Rabbit spread over SMB using the EternalRomance exploit (another NSA tool leaked by the Shadow Brokers), a built-in list of common usernames and passwords, and a Mimikatz-style credential harvester, then encrypted files and the disk. It shared much of its code with NotPetya. Its impact was far smaller than WannaCry's or NotPetya's, but it showed that the ransomware wave associated with the Russia-Ukraine conflict was still evolving.

Eight days earlier, on 16 October, researchers had disclosed KRACK (Key Reinstallation Attacks): a set of weaknesses in how WPA2's handshakes handle retransmitted messages, affecting virtually every Wi-Fi client and many access points. An attacker in radio range who could position themselves between a client and its access point could force the client to reinstall a key it was already using, then decrypt and replay frames, and on networks using TKIP or GCMP also forge and inject them. KRACK did not recover the Wi-Fi passphrase and did not let the attacker join the network, so changing the password was no defence; only patching was. Like Heartbleed and Shellshock, it was a flaw in foundational infrastructure that affected billions of devices at once.



Every Wi-Fi network. Every device. Vulnerable.

WPA2: The Standard, Broken
WPA2 had been the recommended Wi-Fi security protocol since its certification in 2004. KRACK showed that the 802.11 standard's four-way handshake, as written, let a client be tricked into reinstalling an already-in-use key: the attacker blocks the client's message 4, the access point retransmits message 3, and the client reinstalls the same pairwise key and resets its packet number (the nonce) and replay counter to their initial values. Because WPA2-CCMP is AES in counter mode, reusing a key and nonce reuses keystream, so frames sent after the reinstallation can be decrypted wherever the attacker knows or can guess the plaintext of a frame sent earlier under the same nonce. Every Wi-Fi client (laptops, phones, IoT devices) was potentially affected, as were access points supporting fast roaming (802.11r). Our <a href="/penetration-testing/wireless">wireless penetration testing</a> assesses Wi-Fi security, including KRACK exposure.
Android and Linux Most Exposed
Android 6.0 and later, and Linux clients running wpa_supplicant 2.4 or 2.5, were worst hit. Those versions cleared the pairwise key from memory after installing it, so a forced reinstallation installed an all-zero key, and an attacker could then decrypt everything the client sent without needing any known plaintext. Fixing KRACK meant patching every client, plus access points that support 802.11r; for IoT devices that may never receive updates, the exposure lingers. <a href="/cyber-essentials">Cyber Essentials</a> mandates prompt patching.
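The two preceding sections describe the mechanism in prose: a retransmitted message 3 makes the client reinstall its key and reset the packet number, and on wpa_supplicant 2.4/2.5 the "reinstalled" key is all zeros. The script below is an added example written for this article, not code from the KRACK researchers or from any Wi-Fi stack. It models only the nonce handling: a CTR-style keystream derived from (key, packet number), a `Client` whose `handle_msg3` behaves either like the vulnerable standard or like the fix (install the key once, ignore retransmissions), and an attacker who blocks message 4, waits for the retransmit, and decrypts the frame sent after reinstallation. HMAC-SHA256 stands in for AES-CTR so it runs with the standard library alone; the frames, the `patched` and `zero_key` flags, and the function names are all constructed for the example.

```python
"""Model of a KRACK key reinstallation against a CTR-mode link cipher.

Constructed example for this article, not code from the KRACK researchers or
from any Wi-Fi stack. WPA2-CCMP encrypts frames with AES in counter mode under
a 48-bit per-packet number used as the nonce; HMAC-SHA256 stands in for AES
here so the script needs only the standard library. The property that matters
is the same: (key, nonce) fully determines the keystream.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed frames. The "known" frame models predictable traffic such as a
# DHCP or ARP request; it is padded so its keystream covers the secret frame.
KNOWN_FRAME = b"constructed: predictable DHCP DISCOVER frame".ljust(64, b"\x00")
SECRET_FRAME = b"constructed: Cookie: session=9f8e7d; Authorization: Bearer x"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """CTR-style keystream: one PRF block per (nonce, block counter)."""
    out = b""
    for ctr in range((length + 31) // 32):
        block = nonce.to_bytes(6, "big") + ctr.to_bytes(2, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Client:
    """The supplicant state KRACK abuses: installed key and transmit nonce."""
    patched: bool = False                 # ignore message 3 once a key is installed
    zero_key_on_reinstall: bool = False   # wpa_supplicant 2.4/2.5 behaviour
    ptk: Optional[bytes] = None
    tx_pn: int = 0

    def handle_msg3(self, ptk: bytes) -> None:
        if self.ptk is not None:
            if self.patched:
                # Fix: a retransmitted message 3 is acknowledged (message 4
                # resent, not modelled) but the key is not installed again.
                return
            if self.zero_key_on_reinstall:
                # The real key was wiped from memory after the first install,
                # so the "reinstall" installs sixteen zero bytes.
                ptk = bytes(16)
        # Vulnerable behaviour: (re)install and reset the packet number.
        self.ptk = ptk
        self.tx_pn = 0

    def send(self, plaintext: bytes) -> tuple:
        self.tx_pn += 1
        ct = xor(plaintext, keystream(self.ptk, self.tx_pn, len(plaintext)))
        return self.tx_pn, ct


def run_krack(patched: bool = False, zero_key: bool = False) -> dict:
    """Replay the handshake step KRACK targets and attempt decryption."""
    ptk = os.urandom(16)  # both sides derived this from the genuine handshake
    client = Client(patched=patched, zero_key_on_reinstall=zero_key)

    client.handle_msg3(ptk)                   # message 3 arrives, key installed
    pn_a, ct_a = client.send(KNOWN_FRAME)     # attacker blocked message 4, so
                                              # the client starts sending data
    client.handle_msg3(ptk)                   # AP retransmits message 3
    pn_b, ct_b = client.send(SECRET_FRAME)    # sent after the reinstallation

    if zero_key and not patched:
        # All-zero key: no known plaintext needed at all.
        recovered = xor(ct_b, keystream(bytes(16), pn_b, len(ct_b)))
    else:
        # Nonce reuse: keystream from the known frame decrypts the secret
        # one, but only if both were sent under the same packet number.
        ks = xor(ct_a, KNOWN_FRAME)
        recovered = xor(ct_b, ks[: len(ct_b)])
    return {"pn_a": pn_a, "pn_b": pn_b, "recovered": recovered}


if __name__ == "__main__":
    cases = [("vulnerable", {}), ("all-zero key", {"zero_key": True}),
             ("patched", {"patched": True})]
    for label, kwargs in cases:
        r = run_krack(**kwargs)
        ok = r["recovered"] == SECRET_FRAME
        print(f"{label:13} pn_a={r['pn_a']} pn_b={r['pn_b']} decrypted={ok}")
```

Running it shows the three outcomes side by side: the vulnerable client sends both frames under packet number 1 and the secret frame falls to known-plaintext keystream recovery; the all-zero-key client falls without any known plaintext; the patched client sends the second frame under packet number 2 and the attacker recovers garbage. The real attack also resets the client's replay counter (enabling frame replay) and needs a channel-based man-in-the-middle position to block message 4, neither of which is modelled here.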
HTTPS Remained Protective
KRACK broke the Wi-Fi encryption layer, but application-layer encryption (TLS, as used by HTTPS) remained intact: a browser session to a correctly configured HTTPS site was still protected on a KRACK-vulnerable network. The qualifier matters. The public KRACK demonstration paired the attack with sslstrip against a site that had not enforced HSTS, so the user's first plain-http request could be intercepted and the session read in the clear. This defence-in-depth principle, several independent encryption layers each configured properly, is why our <a href="/penetration-testing/web-application">web application testing</a> verifies HTTPS deployment and HSTS configuration.
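What "verifies HSTS configuration" means in practice is the check below. It is an added example for this article, not a Hedgehog tool; the sample responses are constructed and the thresholds (a `max-age` of at least one year and `includeSubDomains`) are the ones the browser HSTS preload list requires. The function returns findings rather than printing them so the result can be fed into a test report.

```python
"""Assess a Strict-Transport-Security header the way a web application test
would. Constructed example for this article; the sample responses are made up
and the thresholds are those required by the HSTS preload list."""
from typing import Dict, List, Optional

ONE_YEAR = 31536000

# Constructed sample responses: header name -> value, as returned over HTTPS.
SAMPLE_RESPONSES = {
    "no_hsts": {"Content-Type": "text/html"},
    "weak": {"Strict-Transport-Security": "max-age=300"},
    "good": {"Strict-Transport-Security":
             "max-age=63072000; includeSubDomains; preload"},
}


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Split an HSTS field value into directives (RFC 6797 section 6.1).
    Directive names are case-insensitive; valueless ones map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def assess_hsts(headers: Dict[str, str]) -> List[str]:
    """Return findings for an HTTPS response's HSTS policy; [] means sound."""
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        # Without HSTS a browser follows an http:// link or typed URL in the
        # clear, which is exactly what sslstrip on a hostile Wi-Fi needs.
        return ["no Strict-Transport-Security header: plain-http requests can "
                "be intercepted and downgraded before TLS is ever used"]

    findings: List[str] = []
    d = parse_hsts(hsts)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or non-numeric: browsers ignore the header")
    elif int(max_age) == 0:
        findings.append("max-age=0 clears any previously cached policy")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year; the policy "
                        "expires too quickly to cover infrequent visitors")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be "
                        "reached over plain http")
    return findings


if __name__ == "__main__":
    for name, response in SAMPLE_RESPONSES.items():
        print(name, assess_hsts(response) or ["ok"])
```

The first request to a site the browser has never seen is still unprotected unless the domain is on the preload list, which is why `preload` is present in the "good" sample even though the check above does not flag its absence.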
Patching Billions of Devices
KRACK patches were released by major vendors within weeks, but patching billions of Wi-Fi devices — especially IoT devices with no update mechanism — was a multi-year challenge. <a href="/vulnerability-scanning">Vulnerability scanning</a> identifies devices that remain unpatched.

Wireless security and ransomware resilience — both essential.

October 2017's twin threats called for two parallel defence strategies. For wireless security: patch clients and 802.11r-capable access points against KRACK, keep HTTPS and HSTS in place everywhere so Wi-Fi is never the only layer of encryption, segment Wi-Fi from sensitive internal systems, and plan for WPA3 (certified by the Wi-Fi Alliance in 2018) as devices come to support it; changing the Wi-Fi passphrase does nothing against KRACK, because the attack never recovers it. For ransomware resilience: patch and firewall SMB, stop reusing local administrator credentials that harvesting tools pick up, keep tested offline backups, segment, monitor for lateral movement and mass file encryption, and rehearse incident response. Our wireless penetration testing assesses Wi-Fi security. Infrastructure testing validates ransomware resilience. Cyber Essentials mandates patching and baseline controls. SOC in a Box monitors for both wireless attacks and ransomware deployment. And UK Cyber Defence provides incident response for both threat categories.


KRACK broke Wi-Fi. Bad Rabbit encrypted systems. Are both your wireless and ransomware defences tested?

<a href="/penetration-testing/wireless">Wireless testing</a> assesses Wi-Fi security. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates ransomware resilience. <a href="/cyber-essentials">Cyber Essentials</a> mandates patching.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
