
Experts weigh in on ‘Bad Rabbit’, the potential next WannaCry

26 Oct 2017

Ever heard of Bad Rabbit? It’s the newest form of ransomware causing havoc in Eastern Europe.

While it’s not spreading as widely as attacks like NotPetya and WannaCry, reports have indicated that where it has hit, it has caused severe disruption.

According to a report from Palo Alto Networks, Bad Rabbit gains initial entry by posing as an Adobe Flash update; once inside a network, it spreads by harvesting credentials with the Mimikatz tool as well as by using hard-coded credentials.

It then encrypts the entire disk before demanding a ransom in Bitcoin.

McAfee asserts the attack originated in Russia and Ukraine, but reports of infected systems in Germany, Turkey and Bulgaria are now being investigated.

Chester Wisniewski, principal research scientist at Sophos, says it was only a matter of time before someone took the ideas from WannaCry and NotPetya and ran with them for another go at unsuspecting victims.

“What makes this malware more dangerous than your typical ransomware being distributed in a similar manner is its ability to spread across an organisation as a worm and not just through email attachments or vulnerable web plugins,” says Wisniewski.

“Organisations looking to protect themselves from threats like Bad Rabbit need to stay focused on a defense-in-depth approach to security.”

Steve Malone, director of security product management at Mimecast, says ransomware season is open again with the rise of Bad Rabbit.

“As businesses in Russia and Ukraine report infections, global companies must look inward and ask themselves – ‘Have I done enough? Did we patch our systems after Petya? Have we shored up our perimeter web and email defences?’

“History tells us the answer to these questions is very likely no, so once again, brace for further widespread outbreaks,” says Malone.

Adam Meyers, VP of intelligence at CrowdStrike, says it’s likely the malicious actors behind NotPetya are also responsible for Bad Rabbit.

“Intel is that BadRabbit and NotPetya DLL (dynamic link library) share 67% of the same codebase, which makes it likely that the same threat actor is behind both attacks,” says Meyers.

“Bad Rabbit is likely delivered via the website argumentiru[.]com which is a current affairs, news and celebrity gossip website focusing on Russian and near-abroad topics. CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a Strategic Web Compromise (SWC) attack on 24 October 2017.”

One thing we can discern so far is that the hackers behind the attacks seem to be Game of Thrones fans, as at least four scheduled tasks within the ransomware are named after the popular series (Viserion, Drogon, Rhaegal and GrayWorm).
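As an added illustration (not code from the article or from any of the vendors quoted), a small Python check that flags scheduled-task creation events whose task names match the four Bad Rabbit task names above; the log line layout and the sample entries are constructed for this example, not a real Windows event export.

```python
import re
from typing import Dict, List

# Scheduled-task names reported for Bad Rabbit in the article above.
BAD_RABBIT_TASK_NAMES = ("viserion", "drogon", "rhaegal", "grayworm")

# Constructed sample modelled loosely on Windows Security event 4698
# ("A scheduled task was created") and 4702 (task updated). The layout is
# simplified for this example and is an assumption, not a captured log.
SAMPLE_LOG = """\
2017-10-24T13:02:11Z EventID=4698 Account=WORKSTATION01$ TaskName=\\Microsoft\\Windows\\Defrag\\ScheduledDefrag
2017-10-24T13:05:40Z EventID=4698 Account=jdoe TaskName=\\rhaegal
2017-10-24T13:05:41Z EventID=4698 Account=jdoe TaskName=\\drogon
2017-10-24T13:06:02Z EventID=4702 Account=jdoe TaskName=\\drogon
2017-10-24T13:07:15Z EventID=4698 Account=svc_backup TaskName=\\NightlyBackup
2017-10-24T13:08:30Z EventID=4698 Account=jdoe TaskName=\\viserion_23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+Account=(?P<acct>\S+)\s+TaskName=(?P<task>\S+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def is_suspicious_task(task_name: str) -> bool:
    # Compare the bare task name (folder path stripped) case-insensitively
    # against the known names; a "name_" prefix match also covers suffixed
    # variants such as the constructed "viserion_23". Tune to taste.
    bare = task_name.rsplit("\\", 1)[-1].lower()
    return any(bare == n or bare.startswith(n + "_") for n in BAD_RABBIT_TASK_NAMES)


def find_suspicious_task_creations(log_text: str) -> List[Dict[str, str]]:
    """Return only task-created (4698) events whose task name matches."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        if ev["eid"] == "4698" and is_suspicious_task(ev["task"]):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_suspicious_task_creations(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['acct']} created suspicious task {ev['task']}")
```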

Looking ahead, Palo Alto says that because the initial attack vector is a bogus update, Bad Rabbit infections can be prevented simply by obtaining Adobe Flash updates only from the Adobe website.

In addition, Sophos recommends the following:

  • Keep software up to date with the latest patches.
  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete.
  • Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Defense-in-depth is your friend. Criminals constantly try to outwit security products; having many layers of protection helps bridge the gap when one is evaded.