Protecting Against Bad Rabbit Ransomware Infection

There’s a new ransomware outbreak affecting users primarily located in Russia, Ukraine, Bulgaria, Turkey and Japan, plus a small number of U.S. victims; some of Russia’s banks are among those hit, as BleepingComputer reported. Ukraine’s Kiev Metro and the Odessa international airport have suffered system failures that disrupted service.

WeLiveSecurity has provided a comprehensive account of how this particular variant of ransomware, named Bad Rabbit and ranked as severe by Microsoft, has infected users. Cylance also provides a more technical overview. The strain is said to be a variant of NotPetya, the destructive malware that spread globally back in June.

Bad Rabbit Ransomware Infection Methods

Two Bad Rabbit infection methods have been observed so far (though they are likely not the only ones):

Drive-By Download

JavaScript was injected into the HTML or .js files of popular websites. When a user of interest visits the website, the server adds content to the page, displaying a popup that prompts users to download a Flash Player update.

After the user clicks Install, an executable file is downloaded to their computer; running it launches the ransomware and locks the machine.

SMB + Stolen Credentials

The ransomware’s executable scans the network for open SMB shares. It then launches Mimikatz, a publicly available tool that extracts passwords and other credentials from the memory of Windows systems, on the compromised computer.

The malware also tries a list of pre-selected, hardcoded credentials to authenticate to the hosts it finds. Once it has valid credentials, the ransomware file is copied into the Windows directory of the target and executed through the Service Control Manager.
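The SMB stage above leaves a recognizable footprint on the victim host: a successful network logon from another machine, followed within seconds by a new service whose binary sits directly in the Windows directory. The PowerShell below is an added detection example, not code from the article or from any of the vendors it cites. It relies only on two standard Windows event IDs (4624 in the Security log for a successful logon, where LogonType 3 is a network logon such as SMB; 7045 in the System log, written by the Service Control Manager when a service is installed). The event records, account names, IP address and service names are constructed for the demo; the 300-second window and the "file directly under C:\Windows" heuristic are assumptions to tune per environment.

```powershell
# Added example (not from the article): flag a service installed from a binary
# dropped straight into the Windows directory shortly after a remote network
# logon, which is the sequence the SMB + stolen-credentials method produces.
# Event IDs 4624 (Security) and 7045 (System) are standard Windows IDs.
# Every event record below is constructed for the demo.

function Find-SuspiciousServiceInstall {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,
        [int] $WindowSeconds = 300      # assumption: tune for your environment
    )

    # Remote network logons only; loopback and empty source addresses are ignored.
    $logons = $Events | Where-Object {
        $_.Id -eq 4624 -and $_.LogonType -eq 3 -and
        $_.IpAddress -notin @('127.0.0.1', '::1', '-', '')
    }
    $installs = $Events | Where-Object { $_.Id -eq 7045 }

    foreach ($svc in $installs) {
        # Service binary placed directly in %SystemRoot% (not System32 or any
        # other subfolder), which legitimate installers rarely do.
        if ($svc.ImagePath -notmatch '^"?[A-Za-z]:\\Windows\\[^\\\s"]+"?(\s|$)') { continue }

        $priorLogons = $logons | Where-Object {
            $_.Time -le $svc.Time -and
            ($svc.Time - $_.Time).TotalSeconds -le $WindowSeconds
        }
        foreach ($logon in $priorLogons) {
            $delta = [int]($svc.Time - $logon.Time).TotalSeconds
            [pscustomobject]@{
                Time        = $svc.Time
                ServiceName = $svc.ServiceName
                ImagePath   = $svc.ImagePath
                Account     = $logon.TargetUserName
                SourceIp    = $logon.IpAddress
                Reason      = "Service binary in Windows dir installed ${delta}s after remote network logon"
            }
        }
    }
}

# Constructed sample records: one Bad Rabbit-style sequence and one benign one.
$t0 = [datetime]'2017-10-24T10:00:00'
$sample = @(
    # Suspicious: network logon from another host, then a service pointing at a
    # file dropped straight into C:\Windows twelve seconds later.
    [pscustomobject]@{ Id = 4624; Time = $t0;                LogonType = 3; TargetUserName = 'svc_backup'; IpAddress = '10.0.0.23' }
    [pscustomobject]@{ Id = 7045; Time = $t0.AddSeconds(12); ServiceName = 'UpdateSvc'; ImagePath = '"C:\Windows\update.exe" -silent' }
    # Benign: console logon (type 2), then a service from System32 an hour later.
    [pscustomobject]@{ Id = 4624; Time = $t0.AddMinutes(30); LogonType = 2; TargetUserName = 'alice'; IpAddress = '127.0.0.1' }
    [pscustomobject]@{ Id = 7045; Time = $t0.AddMinutes(60); ServiceName = 'Spooler2'; ImagePath = 'C:\Windows\System32\spoolsv.exe' }
)

# Only the first pair is reported.
Find-SuspiciousServiceInstall -Events $sample | Format-Table -AutoSize
```

On a real host, build the same objects from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}` and `@{LogName='System'; Id=7045}`, taking LogonType, IpAddress, TargetUserName and ImagePath from each event's XML (`[xml]$event.ToXml()`). Expect some false positives from installers that do write into the Windows directory; the value of the rule is the pairing of a remote logon with the install, not either event alone.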

Protecting Against Ransomware

The US-CERT’s advisory from July provides advice on ransomware, patching and phishing, since malware can spread in a number of ways. Here are some of its tips, plus links to a few other resources:

  • Frequently back up your systems and important files on a device that can’t be accessed from a network; verify backups regularly.
  • Practice caution when clicking on links in emails or opening email attachments; verify web addresses/senders independently.
  • Microsoft has provided guidelines on protecting against malicious use of the SMB protocol, while the US-CERT’s SMB Security Best Practices cover mitigation of the SMB vulnerability exploited earlier this year.
  • Microsoft’s threat advisory states that Windows Defender Antivirus version 1.255.29.0 and higher detects and removes Bad Rabbit - so be sure to update your systems to the latest versions.
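Two of the items above (SMB hardening and the Defender signature level) can be checked from the machine itself. The PowerShell below is an added example, not a script from the article, Microsoft or US-CERT. It uses the built-in SmbShare, DISM and Defender cmdlets; the only page-specific value is the minimum signature version 1.255.29.0 from Microsoft's advisory. The function name, the `-Fix` switch and the "Compliant" roll-up are assumptions of this example.

```powershell
# Added example (not from the article): report whether a Windows host has SMBv1
# switched off and Defender signatures at or above the version Microsoft says
# detects Bad Rabbit, and optionally fix both. Run from an elevated session.

function Get-RansomwareReadiness {
    param(
        [version] $MinimumSignature = '1.255.29.0',   # version quoted in Microsoft's advisory
        [switch]  $Fix
    )

    # 1. SMBv1 should be disabled on the server side; this is the protocol
    #    the SMB hardening guidance linked above is about.
    $smb = Get-SmbServerConfiguration
    $smb1Enabled = [bool]$smb.EnableSMB1Protocol
    if ($smb1Enabled -and $Fix) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Also remove the optional component where it exists (client SKUs, 2012 R2 and later);
        # on Windows Server use Remove-WindowsFeature FS-SMB1 instead.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # 2. Defender signatures must be at or above the minimum version.
    $mp  = Get-MpComputerStatus
    $sig = [version]$mp.AntivirusSignatureVersion
    $sigCurrent = ($sig -ge $MinimumSignature)
    if (-not $sigCurrent -and $Fix) {
        Update-MpSignature
        $sig = [version](Get-MpComputerStatus).AntivirusSignatureVersion
        $sigCurrent = ($sig -ge $MinimumSignature)
    }

    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        Smb1Enabled        = $smb1Enabled
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureVersion   = $sig.ToString()
        SignatureCurrent   = $sigCurrent
        Compliant          = (-not $smb1Enabled) -and $sigCurrent -and $mp.RealTimeProtectionEnabled
    }
}

Get-RansomwareReadiness          # report only
# Get-RansomwareReadiness -Fix   # disable SMBv1 and pull fresh signatures
```

On Windows 7 and Server 2008 R2, where `Get-SmbServerConfiguration` is not available, the equivalent check is the `SMB1` value under `HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters` (0 means disabled). Disabling SMBv1 on the server side does not stop the host from reaching SMBv1 shares elsewhere, so run the check on every host in scope rather than a sample.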