A new form of ransomware, dubbed Bad Rabbit, is infecting computers via drive-by attacks masquerading as Flash updates.
This latest form of rapidly spreading ransomware is believed to be a variant of the Petya family; DLLs associated with it share approximately 67% of their code with known Petya variants.
Bad Rabbit has the potential to spread fast, but it isn’t doing so–at least not as fast as 2017’s earlier ransomware outbreaks. That doesn’t mean it isn’t dangerous: It uses serious encryption to lock down infected machines and can use the SMB (Server Message Block) protocol to spread itself to other machines on a network.
But it can be avoided by taking a few simple steps.
What is Bad Rabbit?
The name Bad Rabbit comes from a header on the malware’s ransom site, but the real name of this new strain of malware is Diskcoder.d, a name that will sound familiar to anyone with knowledge of the Petya outbreak from earlier this year, which was caused by Diskcoder.c.
Diskcoder.d/Bad Rabbit is using a nearly identical ransom note to the one used by Petya and has a countdown timer until the ransom fee increases, just like what Petya did.
SEE: 17 tips for protecting Windows computers and Macs from ransomware (free PDF) (TechRepublic)
What it doesn’t do is use the EternalBlue exploit Petya used to spread, instead relying on another SMB exploit known as EternalRomance, which was also part of the Shadow Brokers leak from earlier this year.
What makes Bad Rabbit particularly adept at using SMB exploits for lateral movement is a new feature that Petya lacked: a list of common usernames and passwords to brute force its way to other machines.
In short, it’s not Petya (or NotPetya), but it looks, feels, and behaves a lot like it.
Where Bad Rabbit is striking
Cisco’s Talos security research group, and several other threat analyst organizations, report that Bad Rabbit is primarily attacking businesses in Russia and Eastern Europe. Kaspersky Labs reports that Ukraine, Germany, and Turkey have also been affected, with the bulk of targets being in Russia. Avast added Poland and South Korea to the list of affected nations as well.
The infections have hit three media and news organizations in Russia, along with several transportation agencies in Ukraine, leading Kaspersky Labs to assert that it is an attack targeted against corporate networks.
Bad Rabbit droppers have been found on a variety of sites–even one located in the US–according to a tweet from Costin Raiu, director of Global Research and Analysis Team at Kaspersky Labs. Raiu also said that the network of compromised sites had been set up by Bad Rabbit’s distributors since July 2017.
How to avoid a Bad Rabbit outbreak
Those hoping to protect their networks from Bad Rabbit have a few things going for them.
First off, it has to be manually downloaded and installed via a fake Flash update. If antivirus software catches the executable at any stage, or if the user simply doesn’t install it, then it can’t do any harm.
Second, several security products claim to protect against Bad Rabbit, including Kaspersky and ESET. Those running antivirus software should double-check to see if theirs protects against it, and be sure that security definitions are up to date.
SEE: Cyber Security Volume IV: End Point Protection (TechRepublic Academy)
Third, It’s known what files Bad Rabbit uses to execute its code, and they can be blocked. Both are located in the Windows directory of the C: drive and are called infpub.dat and cscc.dat. Those running Windows 10’s Fall Creators Update should also be sure they have enabled Controlled Folder Access, which blocks any application from making changes to specified files and directories.
Lastly, if you’re concerned about Bad Rabbit spreading laterally through your network there’s a simple solution: Be sure that all the latest Windows Security Bulletins have been installed–Bad Rabbit’s propagation method was shut down in June 2017, so if it’s spreading beyond a single infected machine on your network you know who to blame.
The top three takeaways for TechRepublic readers:
- A new Petya ransomware variant, called Bad Rabbit, is spreading through Russia and other Eastern European countries. It has already attacked several media organizations and transportation entities in Ukraine.
- Bad Rabbit infects machines using a fake Flash update download. It can spread laterally through a network using the EternalRomance SMB exploit released by the Shadow Brokers in mid 2017.
- Stopping the spread of Bad Rabbit has already begun, and there are several things IT professionals can do to prevent their networks from being infected: Make sure Windows Security Bulletins are all installed, and be sure to check to see if your antivirus software protects against it, which several have claimed they do.
- Report: Malicious email attacks jump 85% in Q3, ransomware reigns supreme (TechRepublic)
- Bad Rabbit ransomware: A new variant of Petya is spreading, warn researchersTwo (ZDNet)
- Ransomware: The smart person’s guide (TechRepublic)
- Ransomware is now big business on the dark web and malware developers are cashing in (ZDNet)
- Cybersecurity spotlight: The ransomware battle (Tech Pro Research)