Bad Rabbit: A new Petya-like ransomware that's spreading, but beatable

A new Petya variant is spreading through Eastern Europe, but with the proper security precautions it is entirely possible to avoid a serious ransomware outbreak on your network.

A new form of ransomware, dubbed Bad Rabbit, is infecting computers via drive-by attacks masquerading as Flash updates.

This latest form of rapidly spreading ransomware is believed to be a variant of the Petya family; DLLs associated with it share approximately 67% of their code with known Petya variants.

Bad Rabbit has the potential to spread fast, but it isn’t doing so–at least not as fast as 2017’s earlier ransomware outbreaks. That doesn’t mean it isn’t dangerous: It uses serious encryption to lock down infected machines and can use the SMB (Server Message Block) protocol to spread itself to other machines on a network.

But it can be avoided by taking a few simple steps.

What is Bad Rabbit?

The name Bad Rabbit comes from a header on the malware’s ransom site, but the real name of this new strain of malware is Diskcoder.d, a name that will sound familiar to anyone with knowledge of the Petya outbreak from earlier this year, which was caused by Diskcoder.c.

Diskcoder.d/Bad Rabbit is using a nearly identical ransom note to the one used by Petya and has a countdown timer until the ransom fee increases, just like what Petya did.

SEE: 17 tips for protecting Windows computers and Macs from ransomware (free PDF) (TechRepublic)

What it doesn’t do is use the EternalBlue exploit Petya used to spread, instead relying on another SMB exploit known as EternalRomance, which was also part of the Shadow Brokers leak from earlier this year.

What makes Bad Rabbit particularly adept at using SMB exploits for lateral movement is a new feature that Petya lacked: a list of common usernames and passwords to brute force its way to other machines.

In short, it’s not Petya (or NotPetya), but it looks, feels, and behaves a lot like it.

Where Bad Rabbit is striking

Cisco’s Talos security research group, and several other threat analyst organizations, report that Bad Rabbit is primarily attacking businesses in Russia and Eastern Europe. Kaspersky Labs reports that Ukraine, Germany, and Turkey have also been affected, with the bulk of targets being in Russia. Avast added Poland and South Korea to the list of affected nations as well.

The infections have hit three media and news organizations in Russia, along with several transportation agencies in Ukraine, leading Kaspersky Labs to assert that it is an attack targeted against corporate networks.

Bad Rabbit droppers have been found on a variety of sites–even one located in the US–according to a tweet from Costin Raiu, director of Global Research and Analysis Team at Kaspersky Labs. Raiu also said that the network of compromised sites had been set up by Bad Rabbit’s distributors since July 2017.

How to avoid a Bad Rabbit outbreak

Those hoping to protect their networks from Bad Rabbit have a few things going for them.

First off, it has to be manually downloaded and installed via a fake Flash update. If antivirus software catches the executable at any stage, or if the user simply doesn’t install it, then it can’t do any harm.

Second, several security products claim to protect against Bad Rabbit, including Kaspersky and ESET. Those running antivirus software should double-check to see if theirs protects against it, and be sure that security definitions are up to date.

SEE: Cyber Security Volume IV: End Point Protection (TechRepublic Academy)

Third, It’s known what files Bad Rabbit uses to execute its code, and they can be blocked. Both are located in the Windows directory of the C: drive and are called infpub.dat and cscc.dat. Those running Windows 10’s Fall Creators Update should also be sure they have enabled Controlled Folder Access, which blocks any application from making changes to specified files and directories.

Lastly, if you’re concerned about Bad Rabbit spreading laterally through your network there’s a simple solution: Be sure that all the latest Windows Security Bulletins have been installed–Bad Rabbit’s propagation method was shut down in June 2017, so if it’s spreading beyond a single infected machine on your network you know who to blame.

The top three takeaways for TechRepublic readers:

A new Petya ransomware variant, called Bad Rabbit, is spreading through Russia and other Eastern European countries. It has already attacked several media organizations and transportation entities in Ukraine.
Bad Rabbit infects machines using a fake Flash update download. It can spread laterally through a network using the EternalRomance SMB exploit released by the Shadow Brokers in mid 2017.
Stopping the spread of Bad Rabbit has already begun, and there are several things IT professionals can do to prevent their networks from being infected: Make sure Windows Security Bulletins are all installed, and be sure to check to see if your antivirus software protects against it, which several have claimed they do.

Also see:

Report: Malicious email attacks jump 85% in Q3, ransomware reigns supreme (TechRepublic)
Bad Rabbit ransomware: A new variant of Petya is spreading, warn researchersTwo (ZDNet)
Ransomware: The smart person’s guide (TechRepublic)
Ransomware is now big business on the dark web and malware developers are cashing in (ZDNet)
Cybersecurity spotlight: The ransomware battle (Tech Pro Research)

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE This policy describes the organization’s employee privacy guidelines and outlines employee privacy expectations. From the policy: POLICY DETAILS The organization’s IT equipment, services and systems are intended for business use only. However, the organization acknowledges that staff, consultants and volunteers occasionally require opportunities to make or receive personal phone calls, access personal email, utilize ...

PURPOSE The purpose of this Security Response Policy from TechRepublic Premium is to outline the security incident response processes which must be followed. This policy will assist to identify and resolve information security incidents quickly and effectively, thus minimizing their business impact and reducing the risk of similar incidents recurring. It includes requirements for both ...

Bad Rabbit: A new Petya-like ransomware that’s spreading, but beatable