
Bad Rabbit Ransomware: What to Know and How to Prevent It
Posted on Friday, October 27th, 2017 by


The new strain of ransomware known as Bad Rabbit was first spotted on October 24th, 2017. It is the third major malware outbreak this year, following the wider-reaching WannaCry and NotPetya strains of malicious code. So far, security firms such as Kaspersky and ESET have both noted ties to the malware known as NotPetya or ExPetr.


Infection Method and Impact

The initial Bad Rabbit infection occurs via a fake Adobe Flash installer offered for download; the installer carries the malware, which is triggered when the EXE file is run.


The files contained in the malware are:

  • Dropper (install_flash_player.exe)
  • Main payload DLL (infpub.dat)
  • Ransomware component (dispci.exe)
  • Mimikatz for x86 and x64
  • Legitimate DiskCryptor drivers for x86 and x64 (C:\Windows\cscc.dat)

Once executed, it drops and deploys the main module in the C:\Windows directory, which encrypts all files with specific extensions and installs a bootlocker that displays a ransom note similar to that of Petya/NotPetya. Note that the malware must run with administrator privileges.

Bad Rabbit includes an infector component that allows lateral movement, propagating over SMB with a hardcoded list of usernames and passwords. However, unlike NotPetya, it doesn’t use EternalBlue and is more widely spread.

Computers infected with the malware redirect the user to a “.onion” Tor domain where they are asked to pay 0.05 Bitcoin, or roughly $276 USD, in exchange for their data. A countdown on the site shows the time remaining before the ransom price goes up.


Who is affected by this ransomware so far?

Security firm Kaspersky’s research suggests this is an attack on corporate networks; it has affected the Interfax news agency and other publishers in Russia. In Ukraine, Kiev’s public transport system was also reportedly hit, as well as the Ministry of Infrastructure. Odessa airport has apparently been affected, too.

Additionally, several organizations in the US, Turkey, Germany, and many other countries are also affected. As this is an ongoing event, more organizations are expected to be impacted by this ransomware.


Preventive measures that can be taken against Bad Rabbit

  • Block the execution of the C:\Windows\infpub.dat and C:\Windows\cscc.dat files.
  • If unused, disable the WMI service to prevent the malware from spreading through your network.
  • If a proxy solution is available, filter requests to/from domains infected by the malware.
  • Microsoft has issued a security advisory recommending that event logs be checked for IDs 1102 and 106, and that a Windows Defender Offline scan be run to prevent the ransomware from rebooting the affected system.
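As an added example (not code from the original post or from Hitachi Systems Security), the following PowerShell script turns the file list above and the first and last preventive measures into a triage check an administrator can run on a Windows host. It looks for the dropped files by name, queries the two event IDs the advisory cites, and, with the -Mitigate switch, applies one way of implementing the "block execution" step: pre-creating the two file paths and stripping every access entry so the dropper cannot write its payload there (AppLocker or Software Restriction Policy rules are the alternative). The mapping of the event IDs to logs is this example's assumption: 1102 is "the audit log was cleared" in the Security log and 106 is "task registered" in the Task Scheduler operational log.

```powershell
<#
  Added example, not from the original article.
  Triage for the Bad Rabbit indicators named in the article:
    - dropped files in C:\Windows (infpub.dat, cscc.dat, dispci.exe)
    - Event ID 1102 (Security log cleared) and 106 (scheduled task registered)
  Optional -Mitigate pre-creates infpub.dat / cscc.dat with no ACL entries.
  Run from an elevated PowerShell session.
#>
[CmdletBinding()]
param(
    [switch]$Mitigate,          # lock placeholder files so the payload cannot be written
    [int]$LookbackHours = 72    # how far back to search the event logs
)

# File names from the article; $env:SystemRoot is normally C:\Windows
$artifacts = @(
    "$env:SystemRoot\infpub.dat",   # main payload DLL
    "$env:SystemRoot\cscc.dat",     # renamed legitimate DiskCryptor driver
    "$env:SystemRoot\dispci.exe"    # ransomware / bootlocker component
)

$findings = @()

foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        # A zero-byte file is most likely a previously applied placeholder, not the payload
        $findings += [pscustomobject]@{
            Indicator = 'FilePresent'
            Detail    = "$path ($($item.Length) bytes, modified $($item.LastWriteTime))"
        }
    }
}

$since = (Get-Date).AddHours(-$LookbackHours)

# Event ID 1102: the Security audit log was cleared (log tampering after infection).
# Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } `
                        -ErrorAction SilentlyContinue
foreach ($e in $cleared) {
    $findings += [pscustomobject]@{ Indicator = 'SecurityLogCleared'; Detail = $e.TimeCreated }
}

# Event ID 106: a scheduled task was registered (assumed log: Task Scheduler operational).
$tasks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $since } `
                      -ErrorAction SilentlyContinue
foreach ($e in $tasks) {
    $findings += [pscustomobject]@{ Indicator = 'TaskRegistered'; Detail = "$($e.TimeCreated) $($e.Message)" }
}

if ($findings.Count -eq 0) {
    Write-Host "No Bad Rabbit indicators found in the last $LookbackHours hours."
} else {
    $findings | Format-Table -AutoSize
}

if ($Mitigate) {
    # Only the two file names the article says to block; dispci.exe is left alone.
    foreach ($path in $artifacts[0..1]) {
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Remove inherited ACEs so the file has no access entries at all;
        # the dropper then cannot replace it with the real payload.
        icacls $path /inheritance:r | Out-Null
        Write-Host "Locked placeholder: $path"
    }
}
```

The Task Scheduler operational log is disabled by default on some Windows versions, so an empty result for ID 106 only means something if that log is enabled; check it in Event Viewer first. If the FilePresent check reports a non-zero file size and a recent modification time on infpub.dat or cscc.dat, treat the host as infected and isolate it before doing anything else.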


Ransomware Prevention Tips

To avoid Bad Rabbit ransomware and other file-encrypting infections in the future, make sure that the following simple recommendations are implemented in your security strategy:

  • Be sure that all software is updated
  • Use a web filtering solution to monitor and block infection vectors
  • Have an updated antivirus solution
  • Have an updated IPS with the latest rules definition
  • Back up your data regularly
  • Double check all emails with attachments before opening them
  • Do not click on suspicious URLs
  • Install browser plug-ins to block pop-ups and JavaScript
  • Regularly scan your computer and apply the latest updates


These techniques are certainly not a cure-all, but they will add an extra layer of protection to your security setup.

About author:
Hassane is Director of Information Security Services at Hitachi Systems Security, in charge of the Montreal, Switzerland and Mexico SOC teams. He has accumulated over 12 years of experience in the IT industry, including the past 8 years in IT security. Throughout his career, Hassane has held several positions, such as R&D Engineer, IT System Engineer, Information Security Advisor and Principal Information Security Advisor. Hassane graduated in Computer Engineering from École nationale Supérieure d'Informatique (ESI, formerly INI) in Algeria, then completed postgraduate studies in Computer Science at University de Versailles in France and in Computer Engineering at École Polytechnique Montreal in Canada. Specialties include Managed Security Service, Incident Handling, Penetration testing, Vulnerability management, Log Management, Threat Management, IDS/IPS, Computer and Network Security Forensics, Network Design and Hardening, Security configuration review, Information Security Governance, Social Engineering, …
