Experts weigh in on ‘Bad Rabbit’, the potential next WannaCry​

26 Oct 2017

Ever heard of Bad Rabbit? It’s the newest form of ransomware causing havoc in Eastern Europe.

While it’s not spreading as widely as attacks like NotPetya and WannaCry, reports have indicated that where it has hit, it has caused severe disruption.

According to a report from Palo Alto Networks, Bad Rabbit gains initial entry by posing as an Adobe Flash update and, once inside a network, it spreads by harvesting credentials with the Mimikatz tool as well as by using hard-coded credentials.

It then encrypts the entire disk before demanding a ransom in Bitcoin.

McAfee asserts the attack originated in Russia and the Ukraine, but reports of infected systems in Germany, Turkey and Bulgaria are now being investigated.

Principal research scientist at Sophos, Chester Wisniewski says it was only a matter of time before someone took the ideas from WannaCry and NotPetya and ran with them for another go at unsuspecting victims.

“What makes this malware more dangerous than your typical ransomware being distributed in a similar manner is its ability to spread across an organisation as a worm and not just through email attachments or vulnerable web plugins,” says Wisniewski.

“Organisations looking to protect themselves from threats like Bad Rabbit need to stay focused on a defense-in-depth approach to security.”

Director of security product management at Mimecast, Steve Malone says ransomware season is open again with the rise of Bad Rabbit.

“As businesses in Russia and Ukraine report infections, global companies must look inward and ask themselves – “Have I done enough? Did we patch our systems after Petya? Have we shored up our perimeter web and email defences?”

“History tells us the answer to these questions is very likely no, so once again, brace for further widespread outbreaks,” says Malone.

VP of intelligence at CrowdStrike, Adam Meyers says it’s likely the malicious actors behind NotPetya are also responsible for Bad Rabbit.

“Intel is that BadRabbit and NotPetya DLL (dynamic link library) share 67% of the same codebase, which makes it likely that the same threat actor is behind both attacks,” says Meyers.

“Bad Rabbit is likely delivered via the website argumentiru[.]com which is a current affairs, news and celebrity gossip website focusing on Russian and near-abroad topics. CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a Strategic Web Compromise (SWC) attack on 24 October 2017.”

One thing that we can discern so far is the hackers behind the attacks seem to be Game of Thrones fans, as at least four scheduled tasks within the ransomware are named after the popular series (Viserion, Drogon, Rhaegal and GrayWorm).

Looking ahead, Palo Alto says because the initial attack vector is through bogus updates, Bad Rabbit attacks can be prevented by just getting Adobe Flash updates from the Adobe website.

In addition, Sophos recommends the following:

  • Keep software up to date with the latest patches.
  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete.
  • Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Defense-in-depth is your friend. Criminals constantly try to outwit security products; having many layers of protection helps bridge the gap when one is evaded.