What we know so far about “Bad Rabbit”
Bad Rabbit is a new strain of ransomware, disguised as an Adobe Flash installer, which is downloaded by unsuspecting victims from compromised websites. Experts claim that it is likely to be linked to the “ExPetr” attack, as much of the same code was used. Both strains also used the same list of domains for the attack and both used the Windows Management Instrumentation Command-line (WMIC) to spread the malware.
Unlike ExPetr, bad Rabbit doesn’t use the EternalBlue vulnerability – a Microsoft Windows security vulnerability which allows an attacker to exploit a network file sharing protocol to read and write to files and request services. Instead, it uses a similar type of vulnerability called “EternalRomance”, which exploits the same network file sharing protocol, but uses remote code execution (RCE).
Most of the attacks targeted Russian news and media websites, although attacks have been reported in Ukraine, Turkey and Germany. The requested ransom is 0.05 bitcoin, which is $307 at the current exchange rate. However, evidence has yet to be accumulated regarding whether or not the attackers will decrypt the files once the ransom has been paid.
How can organisations protect themselves from Bad Rabbit?
There are a number of things you can do to help prevent the spread of Bat Rabbit in your IT infrastructure. Many of these apply to all (or at least most) strains of ransomware, so it’s worth noting them down and referring to it the next time you see something like this pop up in your news feed.
Here we go:
- Creating two files and ensuring that you remove all permissions (inheritance) from them seems to have worked for some. Step by step instructions to do this can be found here. The following files you need to add are:
- c:\windows\infpub.dat
- c:\Windows\cscc.dat.
- If possible, disable WMI service to prevent the malware spreading across your network.
- Only download software updates from a reliable source – i.e. directly from the software vendor.
- Make sure that your Anti-virus/malware software is kept up-to-date.
- Make sure that security patches are installed in a timely manner.
- Introduce network segmentation in order to help prevent the ransomware from spreading. For example, you may want to segregate assets such as databases, applications and POS systems.
- Ensure that you have email content scanning and filtering enabled on your mail servers. All attachment types that could pose a threat should be blocked.
- Always remember to keep backups!
- Only pay the ransom if you really must. Paying the ransom will only encourage further attacks, and there’s no guarantee you will get your files back. In fact, security experts always advise against paying the ransom so only do this as a last resort.