Where and how did it hit? Is your business at risk?
A new strain of ransomware is currently making waves across Russia and Ukraine, with many fearful that we will see a repeat of the destruction wrought by WannaCry. Here, CBR rounds up the experts to bring you everything you need to know about Bad Rabbit and if you should run, run, run!
Carl Leonard, principal analyst, Forcepoint said:
“Cyber attacks using malware called “Bad Rabbit” were reported in Ukraine and Russia beginning Tuesday, October 24th, causing disruptions to Ukraine’s transportation infrastructure, Russian media outlets, and several other organizations.
“This appears to be one of the biggest attacks since the Petya/NotPetya cyber attack in June 2017 that first hit Ukraine and spread around the world.”
Where did it come from?
Patrice Puichard, Senior Director – EMEA, SentinelOne said:
“From our analysis, Bad Rabbit was a new and unknown ransomware as of yesterday, but contains code from Petya ransomware. The dropper is downloaded by users when they visit infected websites and appears as a Flash Player installer (install_flash_player.exe). Once executed, it behaves like a traditional ransomware, encrypting files and asking for a ransom to decrypt them. It is also modifying the boot loader like Petya/notPetya.
“The ransomware started in Russia and Ukraine: according to ESET, 65% of the victims are from Russia, 12.2% in the Ukraine and has targeted countries in Eastern Europe, Turkey and Japan. As Russia was the origin of the attack, by the time it takes to reach the US it’s a known and blocked attack by signature-based antivirus, as well as already having been detected by solutions which are not signature-dependent.”
How does it work?
Andrew Clarke, EMEA Director, One Identity said:
“Take 2 and Action! – Winter is Coming – In the Game of Thrones, the meaning behind these words is one of warning and constant vigilance – and in the world today, a real-life Game of Threats continues and companies really do need to up their game in being more vigilant.
“With a new improved variant, Win32/Diskcoder.D a modified version of Win32/Diskcoder.C emerges with a new name “Bad Rabbit”. Source code analysis contains references to Game of Thrones dragon characters, Drogon; Rhaegal and Viserion. Bugs in file encryption have now been fixed and use DiskCryptor, an open source legitimate software used to do full drive encryption. Keys are generated using CryptGenRandom and then protected by hardcoded RSA 2048 public key.
“A powerful upgrade now being unleashed with organisations in Russia, Ukraine, Bulgaria and Turkey at the top of the hit list. This time a fake “flash” update appears to be implicated but it seems that as the organisations were hit around the same time that the attackers likely had a foot in their network already.
“Once hit; their data gets encrypted and for a bitcoin fee of 0.05 — approximately $280 – the affected company has the chance to acquire the decryption keys but only before a count-down of 41 hours expires! Despite industry warnings issued after the Petya, and not-Petya outbreaks earlier this year, this variant which spreads laterally using SMB shares – could be blocked by denying this communication channel [ports 137, 138, 139 and 445] on their firewalls. But organisations appear not to have followed this advice.”
How bad is Bad Rabbit?
Dr Jamie Graves, CEO, ZoneFox said:
“Currently, it’s unclear as to whether or not Bad Rabbit will be able to reap the same damage as WannaCry, but undoubtedly businesses will be holding their breath. The ransomware relies on people downloading a commonly used programme update in order to infect themselves, plus early indications showed many anti-virus systems can’t detect it. This highlights the need for a robust security posture, based on both technology and education.
“These days, companies have to assume that the padlocks they put on the corporate network won’t withstand hacker determination and cunning. They need to adopt the mindset of a stealthy threat hunter in order put themselves on the front foot. WannaCry set the bar for how devastating ransomware can be; Bad Rabbit won’t be the last iteration of malware to try and emulate its ‘success’.”
What should your business do?
Matthias Maier, security evangelist, Splunk said:
“As best practice, businesses should be monitoring activity from across their IT estate to baseline normal and enable them to quickly detect any irregular patterns that could indicate compromise by a malicious actor.
“However, as news about the latest threats spread online, they should also carefully monitor for the latest insights coming up every minute from security researchers around the world to understand what the infection vectors are, how the ransomware works and what vulnerabilities allows the ransomware to quickly spread in a network. Security teams need to be able to analyse if their environment is potentially vulnerable and if they see any indicators of an infection starting in order to take appropriate countermeasures quickly.
“For example it appears that Bad Rabbit creates three new scheduled tasks on a system, including a forced restart – by searching for this specific occurrence in monitored log data from endpoints, an organisation will be able to identify patient zero earlier, and act to isolate the impact. The current situation with Bad Rabbit is once more a reminder of how important it has become for organisations in the digital age to have a skilled security team on standby, with the right technology in place to access the right information and take the right decisions quickly to avoid any business impact. A robust security strategy has become a competitive advantage.”