Ransomware is back in the news and this time it's not WannaCry, not Petya, not NotPetya... it's Bad Rabbit and it looks to be a very naughty bunny, indeed.
Bad Rabbit was first seen on October 24 by security firms, including Eset and Kaspersky. Kaspersky researcher Alex Perekalin wrote an early description of the malware noting that it initially enters an organization via a bogus Flash downloader that pops up and requests a manual install.
As with the earlier ransomware outbreaks of 2017, Bad Rabbit gains entry to a network through a single system then begins to spread horizontally by looking for login credentials stored on the original victim's computer. It should be noted that the malware delivery software has a list of the most common passwords, so if you know of systems in your organization that make use of these security chestnuts, now is a good time to remind users to update to the latest style of strong password for their accounts.
Bad Rabbit uses WMI (Windows Management Instrumentation) and Service Control Manager Remote Protocol to spread laterally, then uses the hard-coded list of passwords in conjunction with Mimikatz, an open source credential extraction tool, to breach the new systems.
Trend Micro is one of the companies that has identified Bad Rabbit as a Petya variant. While some researchers question how much of the code is actually taken from Petya, there seems little question that the two are philosophically related.
The hacker or hackers behind Bad Rabbit aren't going after vast sums of money from any infected individual. So far, the ransomware demands payment of 0.05 bitcoin into a Bitcoin wallet located at a Tor address on the dark web. That's about $280 at today's exchange rate, so collecting big dollars quickly isn't the point of this malware exercise.
As for what the point might be, clues can come from the location of the early infestations -- media organizations in Russia and Eastern Europe. Diruption, rather than revenue, seems the primary objective. As of this writing, there are very few infections in North America, with most infected systems remaining in Eastern Europe and Russia. Microsoft has issued a security bulletin on Bad Rabbit and US-CERT has issued an initial advisory, with advice for defense and remediation linking back to advisories on WannaCry and NotPetya.
For now, there are defensive steps to be taken. Some are obvious, and consistent between all ransomware attacks: Make sure malware defenses are updated and remind users not to do silly user things. For those who want to be more proactive, it has been reported that adding a specific file with specific permissions to a Windows system will "vaccinate" it against Bad Rabbit infection.
It is impossible to know just how widely Bad Rabbit will spread or how much damage it will do. Until the full impact is known, it seems appropriate to prepare, defend and assume that this is a very naughty bunny, indeed.
Cover Image courtesy Marit & Toomas Hinnosaar via Flickr
- WannaCry Was Just the Beginning
- Petya Ransomware Takes the World by Storm
- New Insight on WannaCry's Roots