Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

10/25/2017
05:45 PM
Curtis Franklin
Curtis Franklin
Curt Franklin
50%
50%

Bad Rabbit Breeds Ransomware Fears

A new breed of ransomware has hit Russia and Eastern Europe. Bad Rabbit could hop the Atlantic and wreak havoc on North American systems.

Ransomware is back in the news and this time it's not WannaCry, not Petya, not NotPetya... it's Bad Rabbit and it looks to be a very naughty bunny, indeed.

Bad Rabbit was first seen on October 24 by security firms, including Eset and Kaspersky. Kaspersky researcher Alex Perekalin wrote an early description of the malware noting that it initially enters an organization via a bogus Flash downloader that pops up and requests a manual install.

As with the earlier ransomware outbreaks of 2017, Bad Rabbit gains entry to a network through a single system then begins to spread horizontally by looking for login credentials stored on the original victim's computer. It should be noted that the malware delivery software has a list of the most common passwords, so if you know of systems in your organization that make use of these security chestnuts, now is a good time to remind users to update to the latest style of strong password for their accounts.

Bad Rabbit uses WMI (Windows Management Instrumentation) and Service Control Manager Remote Protocol to spread laterally, then uses the hard-coded list of passwords in conjunction with Mimikatz, an open source credential extraction tool, to breach the new systems.

Trend Micro is one of the companies that has identified Bad Rabbit as a Petya variant. While some researchers question how much of the code is actually taken from Petya, there seems little question that the two are philosophically related.

The hacker or hackers behind Bad Rabbit aren't going after vast sums of money from any infected individual. So far, the ransomware demands payment of 0.05 bitcoin into a Bitcoin wallet located at a Tor address on the dark web. That's about $280 at today's exchange rate, so collecting big dollars quickly isn't the point of this malware exercise.

As for what the point might be, clues can come from the location of the early infestations -- media organizations in Russia and Eastern Europe. Diruption, rather than revenue, seems the primary objective. As of this writing, there are very few infections in North America, with most infected systems remaining in Eastern Europe and Russia. Microsoft has issued a security bulletin on Bad Rabbit and US-CERT has issued an initial advisory, with advice for defense and remediation linking back to advisories on WannaCry and NotPetya.

For now, there are defensive steps to be taken. Some are obvious, and consistent between all ransomware attacks: Make sure malware defenses are updated and remind users not to do silly user things. For those who want to be more proactive, it has been reported that adding a specific file with specific permissions to a Windows system will "vaccinate" it against Bad Rabbit infection.

It is impossible to know just how widely Bad Rabbit will spread or how much damage it will do. Until the full impact is known, it seems appropriate to prepare, defend and assume that this is a very naughty bunny, indeed.

Cover Image courtesy Marit & Toomas Hinnosaar via Flickr

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.