The “bad rabbit” strikes

Is BadRabbit, a new ransomware? Here’s what we know about the “bad rabbit” that has claimed the headlines.

What we know so far?

Will you be next?

Bad Rabbit... Another cyber attack has seen computers go down in Russia, Ukraine, Germany and Turkey. So what is Bad Rabbit? Is it related to Petya? A ramsomware or simply a destructive malware? How much has it already spread? Is the threat still alive? How can you protect against the virus? We talked to industry experts to closely understand the "bad rabbit" that this malware is.

Chester Wisniewski, Principal Research Scientist, Sophos

It appears this latest variation, the so-called Bad Rabbit ransomware, is being distributed via a fake Adobe Flash Player installer file. Partners can play key role helping their customers during ransomware attacks. Organizations looking to protect themselves from threats like Bad Rabbit need to stay focused on a defense-in-depth approach to security.

Nick Carr, Sr Manager Detection & Analysis, FireEye

We detected and blocked attempts to infect multiple clients with a drive-by download masquerading as a Flash Update (install_flash_player.exe) hosted on attacker infrastructure. Attempts were made from multiple sites simultaneously, indicating widespread strategic web compromise campaign. This allows attackers to select targets and halt operations by hosting malicious code on an unknowing victim’s website to infect the true targets.

Eddie Schwartz, Executive VP Cyber Services, DarkMatter

The malware uses the Microsoft (SMB) network protocol to move laterally and “worm” across the network using weak passwords, and “Mimikatz” to dump additional user credentials. It also changes the master boot record of the computer and installs “Diskcryptor”, which encrypts the victim files until payment is received. Unfortunately, spear phishing and drive-bys continue to be 2 primary entry vectors for malware of this type.

Shahnawaz Sheikh, Sales & Channel Director, SonicWall

Bad Rabbit propagates itself via SMB but does not seem to use any exploits. The good news is that in order to proceed it requires explicit action from the user. SonicWall Capture Labs released signatures to protect against this malware for anyone with an active Gateway Security subscription (GAV/IPS). SonicWall Advanced Threat Protection (ATP) sandboxing service provides real-time protection against new strains of malware even before signatures are available on firewall.

Steven Malone, Dir. Security Product Management, Mimecast

Initial analysis shows this to be another variant of ExPetr/Petya and uses the same SMB flaws to spread laterally once inside a network. Global companies must look inward and ask themselves – ‘Have I done enough? Did we patch our systems after Petya? Have we shored up our perimeter web and email defences?’ History tells us the answer to these questions is very likely no, so once again, brace for further widespread outbreaks.

Morey Haber, VP Technology, BeyondTrust

Unfortunately there is nothing special about Bad Rabbit. It is another form of ransomware based on NotPetya that will wipe a system rather than provide a real option to recover your data. It is a purely destructive malware. The only difference is that it targets Adobe products to propagate verses typical phishing scams or exploits like WannaCry.

Vyacheslav Zakorzhevsky, Head Anti-Malware Research Team, Kaspersky Lab

According to our data, most of the victims targeted by these attacks are located in Russia. We have also seen similar but fewer attacks in Ukraine, Turkey and Germany. This ransomware infects devices through a number of hacked Russian media websites. Based on our investigation, this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack. However we cannot confirm it is related to ExPetr.
Raj Samani, Head of Strategic Intel, McAfee

Raj Samani, Head of Strategic Intel, McAfee

Bad Rabbit ransomware is currently charging 0.05 Bitcoin. There is no confirmation that paying the ransom will result in a decryption key being provided. We created a graph of the events occurring during an infection by one of the BadRabbit samples. The initial binary loads itself into memory and kills the initial process. Further processes drop configuration, services files, and other artifacts used in the attacks. The graph ends with the creation of the preceding scheduled tasks.
Gregg Petersen, Regional Sales VP MEA, Veeam Software

Gregg Petersen, Regional Sales VP MEA, Veeam Software

Businesses shouldn’t strive to make themselves hack-proof – it’s an impossible state to achieve due to the ever-evolving threats. Rather, updates should be maintained, processes to support IT securities policies adhered to, and robust IT defences in place – plus, backups located off the live IT network. Remember, there is no obligation for criminals to supply decryption keys following the payment of a ransom. Veeam strongly urges organisations not to pay ransom as it encourages new breeds of attack.

Kalle Bjorn, Director Systems Engineering, Fortinet

The attack appears to be spreading to other regions with reports from South Korea and US. Unlike previous malwares, Bad Rabbit does not target Eternal Blue or DoublePulsar vulnerability. This attack infected several news media agencies in Russia, knocking the Russian news agency Interfax offline and a number of public transportation organizations (Odessa International Airport & Kiev Metro in Ukraine). It is not yet clear who is responsible for this attack.