Bad Rabbit Ransomware Makes Victims Hopping Mad

Last week, organizations in several European and Asian countries, including the Russian Federation, Ukraine, Germany, Turkey, Japan and Bulgaria, were targeted by Bad Rabbit, a new ransomware believed to be a variant of NotPetya. The ransomware (aka Troj/Ransom-ERK and RANSOM_BADRABBIT.A) was directed toward the government, transportation, aerospace and media sectors, with victims including Ukraine’s Odessa Airport, Kiev Subway System and Ministry of Infrastructure, as well as Russian news agency Interfax.


In what is known as a “watering hole” attack, the Bad Rabbit attackers compromised legitimate Russian news websites, making them redirect visitors to a malicious website featuring a fake Adobe Flash update. The malware is then delivered when the user accepts the download.

Following the infection, the malware harvests credentials using the credential-extraction tool Mimikatz, hard-coded credentials and a list of widely used weak passwords. It then uses the leaked NSA exploit “EternalRomance” to spread copies of itself across the network, through the Windows SMB protocol or Windows Management Instrumentation (WMI) and the Service Control Manager Remote Protocol. Finally, the encryption is executed through the program “DiskCryptor,” and a ransom note is displayed demanding that the user transfer a bitcoin payment via a Tor website.
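The lateral spread described above leaves a recognisable trace in Windows Security logs: one account on one host authenticating over the network to many peers in minutes, often after a few failed attempts while the password list is tried. The following detector is an added example, not code from the original post or from IntSights; it runs over a constructed handful of logon records (event IDs 4624/4625 and logon type 3 are the real Windows values, but the hosts, account names and timestamps are made up).

```python
"""Flag credential-spray style fan-out from Windows network logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry):
# (timestamp, event_id, logon_type, account, source_host, target_host)
SAMPLE_EVENTS = [
    ("2017-10-24T10:00:01", 4625, 3, "administrator", "WS-17", "FS-01"),
    ("2017-10-24T10:00:02", 4625, 3, "administrator", "WS-17", "FS-01"),
    ("2017-10-24T10:00:03", 4624, 3, "administrator", "WS-17", "FS-01"),
    ("2017-10-24T10:00:09", 4624, 3, "administrator", "WS-17", "WS-02"),
    ("2017-10-24T10:00:15", 4624, 3, "administrator", "WS-17", "WS-03"),
    ("2017-10-24T10:00:20", 4624, 3, "administrator", "WS-17", "WS-04"),
    ("2017-10-24T10:00:27", 4624, 3, "administrator", "WS-17", "WS-05"),
    ("2017-10-24T10:01:00", 4624, 3, "jsmith", "WS-08", "FS-01"),   # benign
    ("2017-10-24T11:30:00", 4624, 3, "jsmith", "WS-08", "PRN-01"),  # benign
]


def find_lateral_fanout(events, window=timedelta(minutes=5), min_targets=4):
    """Return {(account, source_host): [targets]} for every pair that logged on
    successfully (4624, logon type 3 = network/SMB/WMI) to at least
    `min_targets` distinct hosts inside any sliding `window`."""
    by_pair = defaultdict(list)
    for ts, eid, ltype, acct, src, dst in events:
        if eid == 4624 and ltype == 3:
            by_pair[(acct, src)].append((datetime.fromisoformat(ts), dst))
    hits = {}
    for pair, logons in by_pair.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            targets = {dst for t, dst in logons[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[pair] = sorted(targets)
                break
    return hits


def guessed_logons(events):
    """Return {(account, source, target): failures} where a successful network
    logon was preceded by failures for the same triple, i.e. the password was
    found by trying a list rather than being known up front."""
    failures = defaultdict(int)
    found = {}
    for _ts, eid, ltype, acct, src, dst in sorted(events):  # ISO ts sorts
        key = (acct, src, dst)
        if ltype != 3:
            continue
        if eid == 4625:
            failures[key] += 1
        elif eid == 4624 and failures[key]:
            found[key] = failures[key]
    return found
```

Thresholds are deliberately conservative; tune `window` and `min_targets` against a baseline of legitimate administrative activity before alerting on them.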

Bad Rabbit’s rapid spread is a brutal reminder that poor security practices leave organizations highly vulnerable to major attacks. First of all, employees should not be allowed to download .exe files to their computers; that should be an IT function. Secondly, after Petya hit, Microsoft issued a Windows patch that would’ve prevented Bad Rabbit from getting through, but many organizations postponed their updates and are now literally paying the price. Finally, the ransomware has only been able to spread laterally across so many networks because employees continue to use weak passwords that can be easily exploited (e.g., simple number combinations, the word ‘password’).

Recommendations:

  1. Prevent employees from downloading .exe files directly to their system.
  2. If your organization uses a Ukrainian VPN, monitor all of its activity or disconnect it from the external network if possible.
  3. Update your Windows version immediately, but make sure that the updates are made through a legitimate website.
  4. Disable the WMI service if possible.
  5. Change passwords on a regular basis, and allow only strong passwords.
