SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Experts weigh in on ‘Bad Rabbit’, the potential next WannaCry​
Thu, 26th Oct 2017
FYI, this story is more than a year old

Ever heard of Bad Rabbit? It's the newest form of ransomware causing havoc in Eastern Europe.

While it's not spreading as widely as attacks like NotPetya and WannaCry, reports have indicated that where it has hit, it has caused severe disruption.

According to a report from Palo Alto Networks, Bad Rabbit gains initial entry by posing as an Adobe Flash update and once inside a network it spreads by harvesting credentials with the Mimikatz tool as well as using hard coded credentials.

It then encrypts the entire disk before demanding a ransom in BitCoin.

McAfee asserts the attack originated in Russia and the Ukraine, but reports of infected systems in Germany, Turkey and Bulgaria are now being investigated.

Principal research scientist at Sophos, Chester Wisniewski says it was only a matter of time before someone took the ideas from WannaCry and NotPetya and ran with them for another go at unsuspecting victims.

“What makes this malware more dangerous than your typical ransomware being distributed in a similar manner is its ability to spread across an organisation as a worm and not just through email attachments or vulnerable web plugins,” says Wisniewski.

“Organisations looking to protect themselves from threats like Bad Rabbit need to stay focused on a defense-in-depth approach to security.

Director of security product management at Mimecast, Steve Malone says ransomware season is open again with the rise of Bad Rabbit.

“As businesses in Russia and Ukraine report infections, global companies must look inward and ask themselves – “Have I done enough? Did we patch our systems after Petya? Have we shored up our perimeter web and email defences?

“History tells us the answer to these questions is very likely no, so once again, brace for further widespread outbreaks,” says Malone.

VP of intelligence at CrowdStrike, Adam Meyers says it's likely the malicious actors behind NotPetya are also responsible for Bad Rabbit.

“Intel is that BadRabbit and NotPetya DLL ( dynamic link library) share 67% of the same codebase, which makes it likely that the same threat actor is behind both attacks,” says Meyers.

“Bad Rabbit is likely delivered via the website argumentiru[.]com which is a current affairs, news and celebrity gossip website focusing on Russian and near-abroad topics. CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a Strategic Web Compromise (SWC) attack on 24 October 2017.

One thing that we can discern so far is the hackers behind the attacks seem to be Game of Thrones fans, as at least four scheduled tasks within the ransomware are named after the popular series (Viserion, Drogon, Rhaegal and GrayWorm).

Looking ahead, Palo Alto says because the initial attack vector is through bogus updates, Bad Rabbit attacks can be prevented by just getting Adobe Flash updates from the Adobe website.

In addition, Sophos recommends the following:

  • Keep software up to date with the latest patches.
  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. 
  • Encrypt your backup and you won't have to worry about the backup device falling into the wrong hands.
  • Defense-in-depth is your friend. Criminals constantly try to outwit security products, having many layers of protection helps bridge the gap when one is evaded.