Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

// // //

Bad Rabbit Breeds Ransomware Fears

A new breed of ransomware has hit Russia and Eastern Europe. Bad Rabbit could hop the Atlantic and wreak havoc on North American systems.

Ransomware is back in the news and this time it's not WannaCry, not Petya, not NotPetya... it's Bad Rabbit and it looks to be a very naughty bunny, indeed.

Bad Rabbit was first seen on October 24 by security firms, including Eset and Kaspersky. Kaspersky researcher Alex Perekalin wrote an early description of the malware noting that it initially enters an organization via a bogus Flash downloader that pops up and requests a manual install.

\r\n(Image: Mark Fosh via Flickr)
\r\n

(Image: Mark Fosh via Flickr)

As with the earlier ransomware outbreaks of 2017, Bad Rabbit gains entry to a network through a single system then begins to spread horizontally by looking for login credentials stored on the original victim's computer. It should be noted that the malware delivery software has a list of the most common passwords, so if you know of systems in your organization that make use of these security chestnuts, now is a good time to remind users to update to the latest style of strong password for their accounts.

Bad Rabbit uses WMI (Windows Management Instrumentation) and Service Control Manager Remote Protocol to spread laterally, then uses the hard-coded list of passwords in conjunction with Mimikatz, an open source credential extraction tool, to breach the new systems.

Trend Micro is one of the companies that has identified Bad Rabbit as a Petya variant. While some researchers question how much of the code is actually taken from Petya, there seems little question that the two are philosophically related.

The hacker or hackers behind Bad Rabbit aren't going after vast sums of money from any infected individual. So far, the ransomware demands payment of 0.05 bitcoin into a Bitcoin wallet located at a Tor address on the dark web. That's about $280 at today's exchange rate, so collecting big dollars quickly isn't the point of this malware exercise.

As for what the point might be, clues can come from the location of the early infestations -- media organizations in Russia and Eastern Europe. Diruption, rather than revenue, seems the primary objective. As of this writing, there are very few infections in North America, with most infected systems remaining in Eastern Europe and Russia. Microsoft has issued a security bulletin on Bad Rabbit and US-CERT has issued an initial advisory, with advice for defense and remediation linking back to advisories on WannaCry and NotPetya.

For now, there are defensive steps to be taken. Some are obvious, and consistent between all ransomware attacks: Make sure malware defenses are updated and remind users not to do silly user things. For those who want to be more proactive, it has been reported that adding a specific file with specific permissions to a Windows system will "vaccinate" it against Bad Rabbit infection.

It is impossible to know just how widely Bad Rabbit will spread or how much damage it will do. Until the full impact is known, it seems appropriate to prepare, defend and assume that this is a very naughty bunny, indeed.

Cover Image courtesy Marit & Toomas Hinnosaar via Flickr

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-3296
PUBLISHED: 2022-09-25
Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0577.
CVE-2022-41340
PUBLISHED: 2022-09-24
The secp256k1-js package before 1.1.0 for Node.js implements ECDSA without required r and s validation, leading to signature forgery.
CVE-2022-23463
PUBLISHED: 2022-09-24
Nepxion Discovery is a solution for Spring Cloud. Discover is vulnerable to SpEL Injection in discovery-commons. DiscoveryExpressionResolver’s eval method is evaluating expression with a StandardEvaluationContext, allowing the expression to reach and interact with Java classes suc...
CVE-2022-23464
PUBLISHED: 2022-09-24
Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potentially resulting in Information...
CVE-2022-23461
PUBLISHED: 2022-09-24
Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. Jodit Editor is vulnerable to XSS attacks when pasting specially constructed input. This issue has not been fully patched. There are no known workarounds.