Helping to keep you updated and always vigilant to the latest malware/ransomware and cybersecurity attacks, we are relating reports over the past few days from the BBC and ComputerWeek of a new ransomware. Nicknamed "Bad Rabbit," it has been found spreading in Russia, Ukraine and now the US and elsewhere. Bearing similarities to the WannaCry and Petya outbreaks earlier this year, the “wascally wabbit” has affected systems at three Russian websites, an airport in Ukraine and an underground railway in the capital city, Kiev.
Ransomware - Quick Refresher
Ransomware is a type of malware that infects a computer and takes control of either the core operating system using lockout mechanisms or possession of data files by encrypting them. The program then asks the user to make a “ransom” payment to the malicious individual or organization in order to remove the locks and restore the user’s endpoint or files.
As the BBC report states, businesses and their networks are being frozen out. "In some of the companies, the work has been completely paralysed - servers and workstations are encrypted," head of Russian cyber-security firm Group-IB, Ilya Sachkov, told the TASS news agency.
Bad Rabbit encrypts the contents of a computer and asks for a payment - in this case 0.05 bitcoins, or about $280 (£213).
In a later report from the Wall Street Journal, “Bad Rabbit” began spreading to the US,
… according to Czech antivirus vendor Avast Software s.r.o. … the Department of Homeland Security’s Computer Emergency Readiness Team issued an alert saying it had received “multiple reports” of infections in the US
The ransomware masqueraded as an update to Adobe Systems Inc.’s Flash multimedia product, security researchers said, and once downloaded it attempted to spread within victims’ networks.
The attacks “do not utilize any legitimate Flash Player updates nor are they associated with any known Adobe product vulnerabilities”, an Adobe spokeswoman said in an email.
Researcher Kevin Beaumont has posted a screenshot on Twitter that shows Bad Rabbit creating tasks in Windows named after the dragons Drogon and Rhaegal in TV series Game of Thrones.
The reports from news outlets (see links below) state the following conclusions and warnings from security expert Allan Liska, senior solutions architect at Recorded Future:
- Bad Rabbit is focused on pure disruption using the Microsoft Windows server message block (SMB) as well as an algorithm similar to one found in the NotPetya code. It relies on local password dumps and a list of common passwords, to attempt to move from one machine to another, trying to spread through the network.
- The Bad Rabbit code relies heavily on command line script and uses a traditional payment portal for the ransom instead of asking victims to send an email.
- Stay vigilant, as we will continue to see massive attacks with economic, employee and public safety ramifications with evolving methods of attack, including evasive methods to hide activity and intent.
- A better understanding of the human points of the attackers (where they go and interact, permissions accessed), and motivational intent (financial gain, revenge, political or hacktivism) is necessary in order to help shape our security strategies.
SentinalOne, an endpoint security provider, stresses the five key steps to dealing with a ransomware attack:
- Alert law officials. They probably won’t be able to help, but like any ransom activity, they should be informed.
- Isolate the infected machine. It’s important that the system is taken offline, as they essentially own your machine now and can use it to gain access to other systems on the network.
- Don’t pay the ransom. As with any form of ransom, you are not guaranteed to get your data back, and you’re just encouraging attackers to keep up their lucrative game. In addition, if you pay and actually get your keys once, you may be the target of a repeat (and potentially more costly) ransom attack in the future.
- Remediate. Run endpoint security software to discover and remove the ransomware software. If it cannot detect the threat, wipe your machine.
- Restore. Restore your files with the most recent back-up.
Want to know more about preventing ransomware in the first place? We have some suggestions here.
And just to note, a survey conducted by a Cyber Security Research Center at the University of Kent found that over 40% of those infected with CryptoLocker actually agreed to pay the ransom demanded, which is a big incentive for hackers to target more systems. So, let’s all stay safe out there…it’s “wabbit season.”
Allan Liska is a Senior Solutions Architect at Recorded Future, and co-author of the book, Ransomware: Defending Against Digital Extortion. The following are links to information referenced previously mentioning Liska’s comments and opinions: