Experts weigh in on ‘Bad Rabbit’, the potential next WannaCry

26 Oct 17

Ever heard of Bad Rabbit? It’s the newest form of ransomware causing havoc in Eastern Europe.

While it’s not spreading as widely as attacks like NotPetya and WannaCry, reports have indicated that where it has hit, it has caused severe disruption.

According to a report from Palo Alto Networks, Bad Rabbit gains initial entry by posing as an Adobe Flash update and, once inside a network, spreads by harvesting credentials with the Mimikatz tool and by using hard-coded credentials.

It then encrypts the entire disk before demanding a ransom in Bitcoin.

McAfee asserts the attack originated in Russia and Ukraine, but reports of infected systems in Germany, Turkey and Bulgaria are now being investigated.

Principal research scientist at Sophos, Chester Wisniewski says it was only a matter of time before someone took the ideas from WannaCry and NotPetya and ran with them for another go at unsuspecting victims.

“What makes this malware more dangerous than your typical ransomware being distributed in a similar manner is its ability to spread across an organisation as a worm and not just through email attachments or vulnerable web plugins,” says Wisniewski.

“Organisations looking to protect themselves from threats like Bad Rabbit need to stay focused on a defense-in-depth approach to security.”

Director of security product management at Mimecast, Steve Malone says ransomware season is open again with the rise of Bad Rabbit.

“As businesses in Russia and Ukraine report infections, global companies must look inward and ask themselves: ‘Have I done enough? Did we patch our systems after Petya? Have we shored up our perimeter web and email defences?’

“History tells us the answer to these questions is very likely no, so once again, brace for further widespread outbreaks,” says Malone.

VP of intelligence at CrowdStrike, Adam Meyers says it’s likely the malicious actors behind NotPetya are also responsible for Bad Rabbit.

“Intel is that BadRabbit and NotPetya DLL (dynamic link library) share 67% of the same codebase, which makes it likely that the same threat actor is behind both attacks,” says Meyers.

“Bad Rabbit is likely delivered via the website argumentiru[.]com which is a current affairs, news and celebrity gossip website focusing on Russian and near-abroad topics. CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a Strategic Web Compromise (SWC) attack on 24 October 2017.”

One thing we can discern so far is that the hackers behind the attacks seem to be Game of Thrones fans, as at least four scheduled tasks within the ransomware are named after the popular series (Viserion, Drogon, Rhaegal and GrayWorm).
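The scheduled-task names are the one concrete host-level indicator the article gives, and a defender can use them for a quick hunt across Windows hosts. The following PowerShell script is an added example, not code from the article or from any of the vendors quoted in it; it uses the built-in `Get-ScheduledTask` and `Get-ScheduledTaskInfo` cmdlets and matches the four task names exactly (case-insensitively, as PowerShell's `-match` is by default). A match is a reason to investigate the host, not proof of infection, and an empty result does not by itself clear a machine, since tasks can be deleted after they fire.

```powershell
# Added example (not from the article): hunt for scheduled tasks whose names match
# the Game of Thrones-themed task names the article attributes to Bad Rabbit.
# Requires an elevated prompt to see tasks registered by other accounts.
$SuspectTaskNames = @('Viserion', 'Drogon', 'Rhaegal', 'GrayWorm')  # names taken from the article

function Find-SuspectScheduledTasks {
    param(
        [string[]]$Names = $SuspectTaskNames
    )
    # Build an anchored, escaped alternation so only exact task names match.
    $pattern = '^(' + (($Names | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

    Get-ScheduledTask |
        Where-Object { $_.TaskName -match $pattern } |
        ForEach-Object {
            # Pull run-time details (last/next run) for each matching task.
            $info = Get-ScheduledTaskInfo -TaskName $_.TaskName -TaskPath $_.TaskPath
            [pscustomobject]@{
                TaskName = $_.TaskName
                TaskPath = $_.TaskPath
                State    = $_.State
                Author   = $_.Author
                Actions  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
                LastRun  = $info.LastRunTime
                NextRun  = $info.NextRunTime
            }
        }
}

$hits = Find-SuspectScheduledTasks
if ($hits) {
    Write-Warning "Scheduled tasks matching the Bad Rabbit task names were found; isolate and investigate this host."
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No scheduled tasks with the listed names were found on $env:COMPUTERNAME."
}
```

The `Actions` column is included deliberately: the task name alone is a weak indicator, and seeing what executable and arguments a matching task would run is what lets an analyst decide quickly whether it is a false positive or something to triage.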

Looking ahead, Palo Alto says because the initial attack vector is through bogus updates, Bad Rabbit attacks can be prevented by just getting Adobe Flash updates from the Adobe website.

In addition, Sophos recommends the following:

  • Keep software up to date with the latest patches.
  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental deletion.
  • Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Defense-in-depth is your friend. Criminals constantly try to outwit security products; having many layers of protection helps bridge the gap when one is evaded.