Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

// // //

Bad Rabbit Breeds Ransomware Fears

A new breed of ransomware has hit Russia and Eastern Europe. Bad Rabbit could hop the Atlantic and wreak havoc on North American systems.

Ransomware is back in the news and this time it's not WannaCry, not Petya, not NotPetya... it's Bad Rabbit and it looks to be a very naughty bunny, indeed.

Bad Rabbit was first seen on October 24 by security firms, including Eset and Kaspersky. Kaspersky researcher Alex Perekalin wrote an early description of the malware noting that it initially enters an organization via a bogus Flash downloader that pops up and requests a manual install.

\r\n(Image: Mark Fosh via Flickr)
\r\n

(Image: Mark Fosh via Flickr)

As with the earlier ransomware outbreaks of 2017, Bad Rabbit gains entry to a network through a single system then begins to spread horizontally by looking for login credentials stored on the original victim's computer. It should be noted that the malware delivery software has a list of the most common passwords, so if you know of systems in your organization that make use of these security chestnuts, now is a good time to remind users to update to the latest style of strong password for their accounts.

Bad Rabbit uses WMI (Windows Management Instrumentation) and Service Control Manager Remote Protocol to spread laterally, then uses the hard-coded list of passwords in conjunction with Mimikatz, an open source credential extraction tool, to breach the new systems.

Trend Micro is one of the companies that has identified Bad Rabbit as a Petya variant. While some researchers question how much of the code is actually taken from Petya, there seems little question that the two are philosophically related.

The hacker or hackers behind Bad Rabbit aren't going after vast sums of money from any infected individual. So far, the ransomware demands payment of 0.05 bitcoin into a Bitcoin wallet located at a Tor address on the dark web. That's about $280 at today's exchange rate, so collecting big dollars quickly isn't the point of this malware exercise.

As for what the point might be, clues can come from the location of the early infestations -- media organizations in Russia and Eastern Europe. Diruption, rather than revenue, seems the primary objective. As of this writing, there are very few infections in North America, with most infected systems remaining in Eastern Europe and Russia. Microsoft has issued a security bulletin on Bad Rabbit and US-CERT has issued an initial advisory, with advice for defense and remediation linking back to advisories on WannaCry and NotPetya.

For now, there are defensive steps to be taken. Some are obvious, and consistent between all ransomware attacks: Make sure malware defenses are updated and remind users not to do silly user things. For those who want to be more proactive, it has been reported that adding a specific file with specific permissions to a Windows system will "vaccinate" it against Bad Rabbit infection.

It is impossible to know just how widely Bad Rabbit will spread or how much damage it will do. Until the full impact is known, it seems appropriate to prepare, defend and assume that this is a very naughty bunny, indeed.

Cover Image courtesy Marit & Toomas Hinnosaar via Flickr

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-28200
PUBLISHED: 2022-07-02
NVIDIA DGX A100 contains a vulnerability in SBIOS in the BiosCfgTool, where a local user with elevated privileges can read and write beyond intended bounds in SMRAM, which may lead to code execution, escalation of privileges, denial of service, and information disclosure. The scope of impact can ext...
CVE-2022-32551
PUBLISHED: 2022-07-02
Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml).
CVE-2022-32411
PUBLISHED: 2022-07-01
An issue in the languages config file of HongCMS v3.0 allows attackers to getshell.
CVE-2022-32412
PUBLISHED: 2022-07-01
An issue in the /template/edit component of HongCMS v3.0 allows attackers to getshell.
CVE-2022-34903
PUBLISHED: 2022-07-01
GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.