A new strain of ransomware has recently hit organisations in Russia and Ukraine known as ‘Bad Rabbit.’
Bad Rabbit, according to reports, differs from other recent ransomware attacks in that the exploit is user based, not the computer.
The ransomware prompts users to download an Adobe Flash update when visiting an infected website instead of attacking a weakness in the computer’s security. Once the virus settles on a single computer in a network it will then attempt to ‘hack’ other computers within the network.
The malware has infected Russian as well as an airport in Ukraine and a metro system in Kiev. It also impacted a small number in Germany and Turkey. Researchers at Avast say they’ve also detected the malware in Poland and South Korea.
Paul Dignan, senior systems engineer, F5 Networks, says, “The Bad Rabbit infection is not captured by most common anti-virus solutions, which means users could be infected without knowing.”
Dignan added that initial analysis indicates that the malware script identifies target users and presents them with a bogus Adobe Flash update prompt. “When the user accepts this, malware is downloaded and the encryption attack takes place. In the absence of stringent controls and appropriate security solutions, businesses are left in the hands of their users,” he explains.
Ransomware season is open again as yet another new strain, dubbed Bad Rabbit, is reported to be spreading fast, says Steven Malone, director, Security Product Management, Mimecast. “As businesses in Russia and Ukraine report infections, global companies must look inward and ask themselves – ‘Have I done enough? Did we patch our systems after Petya? Have we shored up our perimeter web and email defences?’ History tells us the answer to these questions is very likely no, so once again, brace for further widespread outbreaks.”
Industry experts highlight that the Bad Rabbit is an improved variant of the Petya virus that hit multiple organisations in June this year. The virus used in the June cyber-attack turned out to be a wiper, whereas Bad Rabbit functions as a data-encrypting ransomware.
“The malware masqueraded as a Flash Update (install_flash_player.exe), hosted on attacker infrastructure 1dnscontrol[.]com,” says Nick Carr, senior manager, Detection and Analysis. “The infection attempts were referred from multiple sites simultaneously, indicating a widespread strategic web compromise campaign. FireEye has observed this malicious JavaScript framework in use since at least February 2017, including its usage of several of the sites from today’s attacks. The framework acts as a “profiler” that gathers information from those viewing the compromised pages – including host and IP address info, browser info, referring site, a cookie from referring site. Malicious profilers allow attackers to obtain more information about potential victims before deploying payloads (in this case, the BADRABBIT dropper “flash update”).
The payload may be a variant of Petya, and once executed it begins to encrypt data files on the computer and network shares before displaying the ransom note. The ransomware demands the payment of 0.05 Bitcoins, or about $275, to unlock the encrypted files. “The malware then attempts to steal Windows cached user credentials (username and passwords) and encrypt user files,” explains Kalle Bjorn, director, Systems Engineering, Fortinet. “Unlike other known ransomware, this malware does not rename or change the filename of the files it encrypts.”
Bjorn adds, “During tests in our FortiGuard Labs facilities, we also observed this malware attempt to enumerate various IPs within the same subnet. One possible reason for this behavior is that the malware may be searching for an internal IP that is a valid web server. In addition, the payload also attempted to move laterally across the network to find and infect other vulnerable devices.”
Protecting against Bad Rabbit
For those who want to be sure they don’t potentially fall victim to the attack, Kaspersky Lab says users can block the execution of file ‘c: \ windows \ infpub.dat, C: \ Windows \ cscc.dat.’ in order to prevent infection.
Security pundits advise organisations to enable easily available and free protections on your system: at the very least have Windows Defender running and enabled. Paid antivirus products should be able to inoculate a machine against infection for this type of unevolved malware at this stage.
“Businesses shouldn’t strive to make themselves hack-proof,” said Gregg Petersen, regional sales vice president, MEA, Veeam Software. “It’s an impossible state to achieve due to the ever-evolving threats. Rather, updates should be maintained, processes to support IT securities policies adhered to, and robust IT defences in place – plus, backups located off the live IT network should be a key part of your data management strategy. We have seen so many businesses overcome ransomware attacks, by being able to backup from a high-quality copy of data located off-site.
In addition, Sophos principal research scientist Chester Wisniewski recommends that organisations should keep software up to date with the latest patches and back up regularly and keep a recent backup copy off-site. “It would also be ideal for organisations encrypt their backup data so they won’t have to worry about the backup device falling into the wrong hands,” he says. “Furthermore, having many layers of protection helps reduce security gaps. They should also integrate systems such as Sophos Intercept X that can help fend of ransomware by blocking the unauthorised encryption of files and sectors on your hard disk.”
Dignan from F5 Networks says, “As with many aspects of information security, prevention is better than cure. Unfortunately, ransomware is difficult to totally prevent and there is no silver bullet for protecting against this type of attack. The best methods currently available include reliable backups hosted outside of the network and maintaining an up-to-date response plan. In addition, organisations need systems such as SSL to inspect devices. It is also important to filter and monitor emails for phishing attacks, clean encrypted traffic that may be hiding malicious software, as well as reduce and restrict full administrative privileges to contain damage from a compromised account. As ever, all organisations need to ensure that substantive user training and education takes place on a regular basis.”
