Bad Rabbit: Everything You Need to Know About This GoT-Referencing Ransomware Epidemic [How to Protect Yourself]
In the third major ransomware outbreak of the year, Bad Rabbit has infected a number of high profile targets in various countries. A new ransomware, BadRabbit locks up files and demands a ransom, but experts warn victims not to pay, as they probably won't get access to their data anyway.
After WannaCry and Petya, the new Bad Rabbit ransomware appears to be another variant of Petya, hitting a number of high profile organizations in Russia, Ukraine and Europe. At least three media organizations and several financial institutes have been reportedly hit by Bad Rabbit so far. The ransomware first started infecting systems on Tuesday 24, hitting multiple organizations simultaneously in the fashion of WannaCry and Petya outbreaks earlier this year.
Who is affected by BadRabbit?
The self-titled Bad Rabbit encrypts data before demanding a payment of 0.05 bitcoin ($275 at the time of writing). The ransom note also carries a timer counting down from just over 41 hours, warning the user to pay within that time or have the ransom go up. The high profile organizations affected by this outbreak include:
- Russian media organisation Interfax
- Odessa International Airport
- Payment systems on the Kiev Metro
- Ministry of Infrastructure of Ukraine
So far, reports have mentioned over 200 victim organizations in the following countries:
- South Korea
- United States
"ESET's telemetry has detected hundreds of occurrences of Diskcoder.D. Most of the detections are in Russia and Ukraine, however, also there are reports of computers in Turkey, Bulgaria and other countries are affected," ESET, one of the security firms monitoring the outbreak, has said.
In their report, Kaspersky Lab researchers said that the latest attack is similar to Petya. "Based on our investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack," Kaspersky said.
Shocker (or not) - spreads via fake Flash Player updates
While this kind of outbreak may suggest attackers have exploited a security vulnerability, that is actually not true. Bad Rabbit primarily spreads via drive-by downloads through infected websites. Visitors to these websites, which have been compromised since June, are told to install a Flash Player update; instead of a Flash Player update, the malware is dropped on the victim's device.
In its report, Cisco Talos wrote that it "assesses with high confidence that a fake Flash Player update is being delivered via a drive-by-download and compromising systems". It added that "the sites that were seen redirecting to Bad Rabbit were a variety of sites that are based in Russia, Bulgaria, and Turkey".
This is yet another example of how effective ransomware can be delivered leveraging secondary propagation methods such as SMB to proliferate. In this example the initial vector wasn't a sophisticated supply chain attack. Instead it was a basic drive-by-download leveraging compromised websites. This is quickly becoming the new normal for the threat landscape. Threats spreading quickly, for a short window, to inflict maximum damage.
Once in, BadRabbit can spread laterally through the network, propagating further without user interaction. Researchers have noted that the ransomware also easily spreads thanks to simple username and password combinations, brute forcing its way across entire networks.
Nope, doesn't carry EternalBlue
While Bad Rabbit being able to spread across the networks may remind some readers of the infamous EternalBlue exploit that was dropped by the Shadow Brokers earlier this year from their exclusive NSA kit and has been used in multiple ransomware and malware strains, Bad Rabbit does not use this particular exploit. "We currently have no evidence that the EternalBlue exploit is being utilized to spread the infection," Cisco Talos researchers have said.
At the moment it is unclear who is behind this latest ransomware outbreak. Researchers monitoring the situation have said that the similarity between Petya and Bad Rabbit may mean that the same group is behind both campaigns, but it doesn't help anyway since no one could identify those behind Petya, either. Carrying Game of Thrones references (all three dragon names are used in the code somewhere) doesn't help the case either, since the television series is popular worldwide.
Vaccine for Bad Rabbit arrives...
Kaspersky and other security researchers have suggested corporate users block the execution of the files "c:\windows\infpub.dat" and "C:\Windows\cscc.dat" to prevent infection.
I can confirm - Vaccination for #badrabbit:
Create the following files c:\windows\infpub.dat && c:\windows\cscc.dat - remove ALL PERMISSIONS (inheritance) and you are now vaccinated. 🙂
— Amit Serper (@0xAmit) October 24, 2017
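The vaccination steps described above, scripted for an elevated PowerShell session. This is an added example, not code from the researchers quoted here; the two paths are the ones named on this page, and the variable names and the skip-if-present behaviour are assumptions of the example.

```powershell
#Requires -RunAsAdministrator
# Added example: creates the two placeholder files named on this page
# and removes every permission from them, inherited and explicit.
$vaccineFiles = 'C:\Windows\infpub.dat', 'C:\Windows\cscc.dat'

foreach ($path in $vaccineFiles) {
    if (Test-Path -LiteralPath $path) {
        # An existing file here may not be a placeholder; leave it for investigation.
        Write-Warning "$path already exists. Investigate this host before changing it."
        continue
    }

    # Create an empty placeholder file.
    New-Item -ItemType File -Path $path | Out-Null

    $acl = Get-Acl -LiteralPath $path
    # Disable inheritance ($true) and discard the inherited entries ($false).
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any explicit entries as well, so the access list ends up empty.
    $explicit = $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($rule in @($explicit)) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Report the resulting state of each file so the change can be audited.
foreach ($path in $vaccineFiles) {
    $acl = Get-Acl -LiteralPath $path
    [pscustomobject]@{
        Path                = $path
        InheritanceDisabled = $acl.AreAccessRulesProtected
        AccessEntries       = @($acl.Access).Count
    }
}
```

The file owner can still reset the permissions later if the placeholders need to be removed.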
The United States Computer Emergency Readiness Team (US-CERT) has advised victims not to pay the ransom if they fall for BadRabbit. "US-CERT discourages individuals and organizations from paying the ransom, as this does not guarantee that access will be restored," it said in an advisory. "Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware."