It’s Bad Rabbit Season


It’s Bad Rabbit Season

“Look, that rabbit’s got a vicious streak a mile wide! It’s a killer!” – Tim the Enchanter

Like rabbits, ransomware seems to multiply at a prodigious rate.  The newest strain causing widespread damage dubbed Bad Rabbit, due to the TOR hidden service it directs victims to visit, appears to be based on the Petya ransomware and its’ variants, according to Cisco Talos.  The campaign seems to have largely targeted Russia and Eastern Europe.

What is Bad Rabbit?

Bad Rabbit is a ransomware campaign which takes advantage of the EternalRomance exploit to spread in a network.  This exploit relies on known vulnerabilities in the Server Message Block (SMB) protocol included by default on windows systems.  Microsoft patched this vulnerability in Microsoft Security Bulletin MS17-010.

How does Bad Rabbit work?

Bad Rabbit begins as a fake flash update displayed on compromised websites. Users have to run the downloaded file and accept the windows prompt giving permission for the ransomware to install. Once installed, Bad Rabbit will attempt to propagate using several methods including EternalRomance, perform full disk encryption, and encrypt individual files. Bad Rabbit modifies the Master Boot Record (MBR) redirecting the normal startup process so the author’s ransom note is displayed anytime the infected machine is restarted. It will add a scheduled task forcing the infected machine to reboot, this ensures the ransom note is seen by the victim.

Prevention and Mitigation

Since the patch for this vulnerability has been out since March and Bad Rabbit uses the some of the same/similar propagation vectors, we can reiterate the same suggestions we prepared with WannaCry and Petya.

  • Patch all of your systems on an automated basis. Check that your systems have been configured to download and install patches as soon as they are released. Although this is the default for Windows 10 systems, be sure to confirm automated updates on XP, Windows 7 and Windows 8.1, and Apple Mac systems. A robust patching system should make a malware campaign based on known vulnerabilities like Petya a non-issue for your organization. Ensure that the MS17-010 patch has been applied.
  • Backup your systems. If you have a tested working backup scheme, combating ransomware can be easy. You simply restore to a known good, working system from an earlier point in time after fully patching to avoid re-infection. A backup is the cheapest and easiest “insurance” you can buy for your critical systems, but requires some work on your behalf to implement and validate. If you become infected with Petya, a solid backup schema will allow you to restore service without paying a ransom.
  • Ensure that the rest of the software installed on your system is up to date. While Windows Update takes care of the operating system when correctly enabled, other critical software needs to be updated as well. Include in your list to update: your internet browser and any plugins needed to use the web such as Firefox, Chrome, Acrobat Reader and Adobe Flash, etc. It is a very good idea uninstall things you aren’t actually using so that you don’t have to be sure that they are updated. While Bad Rabbit is focused on a Microsoft Operating System vulnerability, there is no guarantee that the next popular malware outbreak won’t target one of these popular programs. Also be sure to only download updates directly from the vendor. You should never install any Adobe Flash updates from third party sources.
  • Block SMB inbound/outbound on your firewall at the Internet edge. Unfortunately, this is a more complex remedy in which you may need to consult with your firewall administrator prior to implementing. However it is very worth the effort since many types of ransomware are spread via the Windows SMB service, this action can keep infected systems from spreading this specific vulnerability to other unpatched systems. The US-CERT organization has even recommended you disable SMBv1 system wide.

Additionally, zvelo recommends the following to increase the protection for your customers:
Use real-time feeds which enable you to block traffic to known malicious and bad sites. Services such as the zevloDB (for web filtering applications) or zvelo’s Malicious Dataset feed (for ingestion into IPS applications) are designed to provide continuous updates of IPs/URLs which are compromised, malicious, part of a botnet, or in any way bad.

Wrap Up

While there is still money to be made, ransomware campaigns will continue to threaten the data of both individuals and organizations. Since there are no divine weapons to combat this particular rabbit, following best practices and being prepared can sharply minimize your risk. We encourage everyone to plan ahead for attacks such as Bad Rabbit and develop comprehensive defences.