Bad Rabbit Ransomware Makes Victims Hopping Mad
November 2nd, 2017
Last week, organizations in several European and Asian countries, including the Russian Federation, Ukraine, Germany, Turkey, Japan and Bulgaria, were targeted by Bad Rabbit, a new ransomware believed to be a variant of NotPetya. The ransomware (aka Troj/Ransom-ERK and RANSOM_BADRABBIT.A) was directed toward the government, transportation, aerospace and media sectors, with victims including Ukraine’s Odessa Airport, Kiev Subway System and Ministry of Infrastructure, as well as Russian news agency Interfax.
In what is known as a “watering hole” attack, the Bad Rabbit attackers compromised legitimate Russian news websites, making them redirect visitors to a malicious website featuring a fake Adobe Flash update. The malware is then delivered when the user accepts the download.
Following the infection, the malware harvests credentials using the credential-extraction tool Mimikatz, hard-coded credentials and a list of widely used weak passwords. It then uses the leaked NSA exploit “EternalRomance” to spread copies of itself across the network, through the Windows SMB protocol or Windows Management Instrumentation (WMI) and Service Control Manager Remote Protocol. Finally, the encryption is executed through the program “DiskCryptor,” and a ransom letter is displayed demanding that the user transfer a bitcoin payment to a Tor website.
Bad Rabbit’s rapid spread is a brutal reminder that poor security practices leave organizations highly vulnerable to major attacks. First of all, employees should not be allowed to download .exe files to their computers; that should be an IT function. Secondly, after Petya hit, Microsoft issued a Windows patch that would’ve prevented Bad Rabbit from getting through, but many organizations postponed their updates and are now literally paying the price. Finally, the ransomware has only been able to spread laterally across so many networks because employees continue to use weak passwords that can be easily exploited (e.g. simple number combinations, the word ‘password’).
- Prevent employees from downloading .exe files directly to their system.
- If your organization uses a Ukrainian VPN, monitor all of its activity or disconnect it from the external network if possible.
- Update your Windows version immediately, but make sure that the updates are made through a legitimate website.
- Disable WMI service if possible.
- Change passwords on a regular basis, and allow only strong passwords.
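As an added example (not code from the original post or from IntSights), the following PowerShell script audits a single Windows host against the checklist above and reports the gaps. The WMI service name, the built-in firewall rule name, the KB placeholder and the password-length threshold are assumptions, not values from the post.

```powershell
# Added audit script: checks one Windows host against the Bad Rabbit checklist.
# Run in an elevated PowerShell session. Assumptions (not from the original post):
# the WMI service is 'Winmgmt', the SMB patch is identified by a KB id you supply,
# the inbound SMB firewall rule carries its default display name, and the local
# password policy is read from 'net accounts' (English locale).
param(
    [string]$RequiredKB = 'KB0000000',   # PLACEHOLDER: KB id your org tracks for the post-Petya SMB fix
    [int]$MinPasswordLength = 12         # assumed threshold for "strong passwords"; adjust to your standard
)

$findings = @()

# 1. Patch status (recommendation: update Windows immediately)
if (-not (Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue)) {
    $findings += "Update $RequiredKB is not installed"
}

# 2. WMI service (recommendation: disable WMI where possible)
$wmi = Get-Service -Name Winmgmt
if ($wmi.StartType -ne 'Disabled' -or $wmi.Status -eq 'Running') {
    $findings += "WMI service Winmgmt is $($wmi.StartType) / $($wmi.Status)"
}

# 3. Inbound SMB exposure (the worm spread over SMB; assumes the default
#    'File and Printer Sharing (SMB-In)' rule name)
$smbIn = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue |
         Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
if ($smbIn) {
    $profiles = ($smbIn.Profile | Select-Object -Unique) -join ', '
    $findings += "Inbound SMB (TCP 445) is allowed for firewall profile(s): $profiles"
}

# 4. Local password policy (recommendation: allow only strong passwords)
$acct   = net accounts
$minLen = [int](($acct | Where-Object { $_ -match 'Minimum password length' }) -replace '\D', '')
if ($minLen -lt $MinPasswordLength) {
    $findings += "Minimum password length is $minLen (policy wants at least $MinPasswordLength)"
}

if ($findings.Count -eq 0) { 'No gaps found against the checklist.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The .exe download restriction is a proxy or endpoint policy rather than a host setting, so it is not checked here.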
Alon Arvatz is Sr. Director of Threat Intelligence Product Management for Rapid7. He joined Rapid7 in July 2021 following its acquisition of IntSights, which he co-founded and led as Chief Product Officer. As the visionary leading IntSights’ product and service strategy — including product development, threat research and intelligence gathering operations — Alon is now a key contributor to the Rapid7 product roadmap. Prior to founding IntSights, Alon was co-founder and CEO of Cyber-School, an educational program offering several cybersecurity related courses to teenagers. Alon is also a veteran of an elite cybersecurity intelligence unit within the Israel Defense Forces (IDF), where he led and coordinated global cyber intelligence campaigns, gaining vast experience and knowledge working in one of the most innovative operational settings in the world.